cancel
Showing results for 
Search instead for 
Did you mean: 

FQDN and Arris TG4482A / XB7 Modem

MitchellS
I'm Here A Lot

I have used the fixed fully-qualified domain name feature that only Rogers offers for many years so I can access devices in my home without having to use DDNS. But I recently changed from a Hitron cable modem to the Arris TG4482A / XB7 which has the ridiculous stupidity that you can only configure port forwarding using the App, and worse than that, instead of this working it would either give me an error message to try later, or would not let me specify the IP address of the internal destination device. And the unexplained "features" (prefer private connections, advanced security) and annoying App notifications are all . I didn't want to figure out or deal with.

 

So I figured I'd just set the Arris to Bridge mode and use my own Wi-Fi Access Point / Router to do the port forwarding. The bizarre problem is that when in Bridge mode the WAN-side IP address of the Arris modem gets assigned an incorrect FQDN. The FQDN is only correct when the Arris modem is in "normal" (not Bridge) mode, so I was back to having the problem that port forwarding doesn't work on the Arris modem.

 

So I set the WAN port of my internal Router to have a fixed IP address (such as 10.0.0.2 to be on the same sub-net as the 10.0.0.1 of the Arris modem) and enabled the Arris DMZ feature, specifying the DMZ host to have IP address 10.0.0.2. I also disabled Wi-Fi on the Arris box to be sure that nobody accesses it directly,  and I directly Ethernet-connected the Ethernet port of the Arris box to the WAN port of my internal router.

 

I can now use fixed domain names to access my home cameras without having to use DDNS, and I can use my internal Router's web-based interface to configure the port forwarding, and the speed is very fast (SpeedTest.net shows more than 600 Mbits/s download even though I'm on the 150 Mbit/s service).

 

*Added Labels*

 

7 REPLIES 7

Re: FQDN and Arris TG4482A / XB7 Modem

RogersZia
Moderator
Moderator

Hello @MitchellS,

 

Welcome to the Community!

 

Thank you for sharing your process of the set up with us. I am sure the Community would appreciate the insight and find it helpful!

 

 

 

RogersZia

Re: FQDN and Arris TG4482A / XB7 Modem

garynice2000
I've Been Here Awhile

Totally agreed! The fact that "port forwarding" can only be done on the App (instead of web interface), AND you cannot specify IP address is simply stupid!  Don't know what kind of 'beautiful mind' is behind that!  

Re: FQDN and Arris TG4482A / XB7 Modem

-G-
Resident Expert
Resident Expert

@MitchellS wrote:

So I figured I'd just set the Arris to Bridge mode and use my own Wi-Fi Access Point / Router to do the port forwarding. The bizarre problem is that when in Bridge mode the WAN-side IP address of the Arris modem gets assigned an incorrect FQDN. The FQDN is only correct when the Arris modem is in "normal" (not Bridge) mode, so I was back to having the problem that port forwarding doesn't work on the Arris modem.

When you enable Bridge Mode on the Ignite gateway and install your own router, your router will get its own public IPv4 and IPv6 addresses on its WAN interface.  For me, that IPv4 address has A and PTR resources records set up in DNS.  I can confirm this using https://ipv6-test.com/ and the usual DNS lookup tools.

 

Bridge Mode on the Ignite gateways is different from the Hitron modems; the Ignite gateway will still have services running on it and will still have its own public IPv4 and IPv6 addresses that are separate from the ones that your router would obtain.

Re: FQDN and Arris TG4482A / XB7 Modem


@garynice2000 wrote:

Totally agreed! The fact that "port forwarding" can only be done on the App (instead of web interface), AND you cannot specify IP address is simply stupid!  Don't know what kind of 'beautiful mind' is behind that!  


Blame Comcast for any stupid design decisions and limitations that you see with the Ignite hardware and its software.  It drives me absolutely bonkers sometimes.  Unfortunately, we're stuck with it for the foreseeable future, and there is not much (if anything) that Rogers can do to fix this other than to allow us to use hardware (including cable modems) of our own choosing.

 

Okay, I'm now done with my ranting.  🙂

 

I can understand WHY Comcast made the design decisions that they made.  It makes things simple and easy for the average, typical customer with average, typical, simple requirements for their home Internet service.

 

HOWEVER, Rogers also needs to be able to cater to the needs and requirements of advanced users.  Typically, they just want a simple Internet service... and find the value-added bells and whistles, that Ignite provides, to be an annoyance and a hinderance.

Re: FQDN and Arris TG4482A / XB7 Modem

MitchellS
I'm Here A Lot

I agree that when the Arris TG4482A / XB7 is set to Bridge mode it gets a domain name (can also see this using nslookup), but it doesn't point to any IP address (confirmed with nslookup) and I don't see where the cm<MAC> and cpe<MAC> come from, they do not match any MAC addresses I have (nor are they close as routers usually have several consecutive MAC addresses).

Re: FQDN and Arris TG4482A / XB7 Modem

-G-
Resident Expert
Resident Expert

@MitchellS wrote:

I agree that when the Arris TG4482A / XB7 is set to Bridge mode it gets a domain name (can also see this using nslookup), but it doesn't point to any IP address (confirmed with nslookup) and I don't see where the cm<MAC> and cpe<MAC> come from, they do not match any MAC addresses I have (nor are they close as routers usually have several consecutive MAC addresses).


Rogers generates the A and PTR records based on the router's MAC address (cpe<MAC>) and the cable modem's MAC address (cm<MAC>)

 

[ At the Moderator's request, I have redacted the random IP address that I chose and the corresponding public DNS information. ]

 

Let's pick a random IP address (99.244.246.xxx) and see what we get:

 

$ nslookup

> set nodef

> server 8.8.8.8

Default server: 8.8.8.8

Address: 8.8.8.8#53

> set type=PTR

> xxx.246.244.99.in-addr.arpa.

Server: 8.8.8.8

Address: 8.8.8.8#53

 

Non-authoritative answer:

xxx.246.244.99.in-addr.arpa name = cpe[cpe MAC redacted]-cm[cm MAC redacted].cpe.net.cable.rogers.com.

 

Authoritative answers can be found from:

> set type=A

> cpe[cpe MAC redacted]-cm[cm MAC redacted].cpe.net.cable.rogers.com.

Server: 8.8.8.8

Address: 8.8.8.8#53

 

Non-authoritative answer:

Name: cpe[cpe MAC redacted]-cm[cm MAC redacted].cpe.net.cable.rogers.com

Address: 99.244.246.xxx

 

So... Rogers has populated their DNS with A and PTR records for this device.

 

Taking a closer look at cpe[cpe MAC redacted]-cm[cm MAC redacted].cpe.net.cable.rogers.com

In this case [cpe MAC redacted] is the MAC address of the device that got assigned 99.244.246.xxx

and [cm MAC redacted] would be the cable modem's MAC address.

 

An OUI lookup of "30:b7:d4" shows that this is registered to "Hitron Technologies. Inc"

Since the cpe MAC and cm MAC have the same OUI, we can also deduce that this user is running their Hitron modem in gateway mode, not bridge mode.

 

 

If you were to put your Ignite gateway into bridge mode and use your own router, cpe<MAC> would correspond to the MAC address of your router's WAN interface and cm<MAC> should correspond to the "CM MAC" that is shown in "Gateway > Connection > Rogers Network"

 

 

When you said that you did not see A and PTR records in DNS for your router, you probably just didn't wait long enough.  At some point, Rogers will create those resource records.

 

I really No DOT like how Rogers populates their DNS either because it leaks potentially-sensitive information.

 

It's kinda scary because if I use a WiFi sniffer and see the WiFi broadcasts that my neighbour's Ignite gateway makes, I'm pretty sure that I could use this to deduce the CPE and CM MAC addresses and, in turn use this to determine the IP address of the gateway.

 

Likewise, from the CPE MAC address, I can do an OUI lookup and determine the device vendor and then try to attack it by exploiting known vulnerabilities... and this could be done by any "bad guy" located on the other side of the planet.

 

It would be far better if Rogers populated their DNS with random values, a unique device ID, or perhaps a one-way hash of the (salted) cpeMAC-cmMAC pair.

Re: FQDN and Arris TG4482A / XB7 Modem

-G-
Resident Expert
Resident Expert

It's kinda scary because if I use a WiFi sniffer and see the WiFi broadcasts that my neighbour's Ignite gateway makes, I'm pretty sure that I could use this to deduce the CPE and CM MAC addresses and, in turn use this to determine the IP address of the gateway.

Yup... and you can also do this the other way around.  As I pointed out in my previous post, given a Rogers residential IP address, anybody can obtain the CM MAC address via DNS, and because of the order that the various MAC addresses are sequentially burned into the gateway, you can also use the CM MAC to determine the WiFi BSSIDs, and then use a WiFi geolocation service to (fairly precisely) pinpoint the physical address of the IP address and the gateway.  NOT good.

 

@CommunityHelps  Could you please advise your security team of this?  Putting sensitive information (that you asked ME to redact here) into DNS is a really, REALLY stupid thing to do!

Topic Stats
  • 7 replies
  • 1139 views
  • 1 Like
  • 4 in conversation