Static DNS Servers?

From another thread is this true?

“as Sense now uses hard-coded DNS servers: 1.1.1.1, 8.8.8.8, and 208.67.222.222”

If it is, I have to say I’m quite opposed to it. Devices in my network should follow whatever setting I push via DHCP. I do not want Sense sending name queries to Google DNS. Forcing what DNS servers it uses would be of grave concern in data privacy circles.

3 Likes

I’d like to know what Sense is using DNS for?
What queries are being made?

I assume they use a cloud provider for storage/processing and need to resolve the host names. As well as being able to check back home for updates and such.

I think you have shed some light on something at least very interesting. As did the user that posted the information originally.
I believe @RyanAtSense responded that he was going to take a look at the spec page about it.
I wouldn’t say I have any concerns, just interesting.

My only concern is, potentially, not having control over what name resolution servers devices on my network wish to use.

I understand and agree.

Attached is a screenshot from a network packet capture I did of the sense network traffic against my internal router interface. It shows the different DNS requests I logged in a 120sec capture sample.

I also have whitelisted the following URLs in my web filter:
*sense.com
app.datadoghq.com
monitordata.s3.amazonaws.com
s3.amazonaws.com
sentry.io

I don’t see anything malicious in hardcoded DNS servers as they are just using Cloudflare, Google, and OpenDNS. It’s just something to be aware of for us more technical SmartHome people. I was able to get my monitor working by whitelisting the Cloudflare DNS server (1.1.1.1).

Hardcoding the DNS servers probably resolved issues with smaller ISP DNS and other global DNS propagation issues causing downtime or outages for some Sense customers.

1 Like

Hello all,

DNS is used to turn internet host names into IP addresses. It’s step 1 in any connection to a server on the internet, and Sense is no exception. The list of domains we connect to is listed in a KB article, but the list from @arch above looks correct for today’s monitor firmware.

I added the static DNS assignments because there’s a significant number of misconfigured or broken DHCP-provided DNS servers out there.

In particular, services which live on Amazon Web Services (like Sense) are moved between public-facing IP addresses occasionally. This is generally outside our control, and a local DNS server which caches (remembers) the original IP address will cause a Sense service outage until it gives up the old answer and fetches a new one. Major router vendors get this wrong (I won’t name any names Asus oops), but we get the angry emails and knee-jerk 1 star reviews, sadly.

The intention with the change was to use the DHCP-provided DNS server as a fallback if the public DNS was blocked or unavailable. If this isn’t working, I will look into it.

I hope that helps,
Jonah

2 Likes

I agree with this statement. I work for a global service provider, and poorly configured DNS servers or stale name caches are often the source of customer issues for us.

Regardless of agreeing, I am still personally opposed to forcing customers to use a specific DNS server set. I’m sure you can imagine and appreciate the public backlash if an operating system provider hard-coded their OS to only use a certain set and you had no way to override it within the OS. :slight_smile: Especially Google’s 8.8.8.8, who is going to use any/all queries for advertising and tracking purposes.

Please consider backing this out, or provide an option for the end user to override this behavior and use the DNS server values provided via DHCP.

1 Like

Is blocking the undesirable DNS servers at your router an option for you?

It’s a bit of a non sequitur to me. Am I able to? Yes. Should it be a requirement for an end user to have better control over their privacy? No. Please don’t look at this on a case by case basis, but on a wider “what are we or our customers giving up in order to gain with this change?” scope. If you ever expand to the EU I’d suggest not including this configuration. They really look down on behavior such as this.

1 Like

Thanks for the info. If we expand our network configuration options in the future, I’ll see if we can add a DNS preference.

Looking forward to this also being backed out. :beers:

In the meantime I’ve blocked Sense from any of the following outbound traffic.

TCP/UDP 53 (DNS)
TCP/UDP 853 (DNS over TLS)
TCP/UDP 5353 (mDNS though probably not necessary)

3 Likes
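As an added example (not code from anyone in this thread), the script below takes the monitoring view of the port list above: given the resolver your DHCP server hands out and a few constructed flow records, it reports any device whose DNS or DNS-over-TLS traffic goes somewhere other than that resolver. The addresses, the device IP and the flow-record format are all assumptions made for the example.

```python
"""Flag devices that send DNS queries to resolvers other than the one DHCP hands out.

Added example, not code from the Sense forum thread. The flow-record format
("src dst proto dport") and every address below are constructed for illustration.
"""
from collections import defaultdict

# Resolver the local DHCP server advertises (assumed value for this example).
DHCP_RESOLVER = "192.168.1.1"

# Ports the poster above blocked: plain DNS, DNS over TLS, mDNS.
DNS_PORTS = {53: "DNS", 853: "DoT", 5353: "mDNS"}

# Constructed flow log: one record per line, "src dst proto dport".
# 192.168.1.50 stands in for the monitor; 192.168.1.51 is a well-behaved device.
SAMPLE_FLOWS = """\
192.168.1.50 192.168.1.1 udp 53
192.168.1.50 1.1.1.1 udp 53
192.168.1.50 8.8.8.8 udp 53
192.168.1.50 208.67.222.222 udp 53
192.168.1.50 1.1.1.1 tcp 853
192.168.1.50 52.1.2.3 tcp 443
192.168.1.51 192.168.1.1 udp 53
192.168.1.50 224.0.0.251 udp 5353
"""


def parse_flows(text):
    """Yield (src, dst, proto, dport) tuples from whitespace-separated records."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport = line.split()
        yield src, dst, proto.lower(), int(dport)


def find_resolver_bypass(text, dhcp_resolver=DHCP_RESOLVER):
    """Return {src: sorted [(dst, label)]} for DNS/DoT flows not sent to the DHCP resolver.

    mDNS (5353) is link-local multicast and never targets a unicast resolver,
    so it is ignored rather than counted as a bypass.
    """
    bypass = defaultdict(set)
    for src, dst, proto, dport in parse_flows(text):
        label = DNS_PORTS.get(dport)
        if label is None or label == "mDNS" or dst == dhcp_resolver:
            continue  # not DNS-family traffic, local discovery, or the expected resolver
        bypass[src].add((dst, label))
    return {src: sorted(dsts) for src, dsts in bypass.items()}


if __name__ == "__main__":
    for src, targets in find_resolver_bypass(SAMPLE_FLOWS).items():
        print(f"{src} bypasses {DHCP_RESOLVER}: " + ", ".join(f"{d} ({l})" for d, l in targets))
```

Run against a real export from your router or firewall log (reformatted to the four-column layout), the output is the list of devices you would want to cover with the port rules above.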

I’ll second the request from @scorp508 here.

First, many routers allow for setting a network wide DNS server.

Second, the DNS provider has the option to collect any information about every site you visit and resell it. There is a growing community which are using private DNS servers to prevent this data collection.

  • Some of these servers are paid/free services (OpenDNS).
  • Some are physical hardware installed inside the network (see https://pi-hole.net/.)

Hardcoding DNS IP Addresses into the product means your users have no choice but to sell our data to these 3rd parties (I’m looking at you 8.8.8.8). Simply make the request to the network DNS and allow the users to do the DNS lookup as they please.

Finally, if you need to control exactly where my data is going (especially when you are sending it to 3rd party data logging services) then send it from your own servers, not from within my network. This product should be transparent in where our data is being sent because it contains considerable personal data.

Personal Data Sense has about me:

  • A list of every electronic device in my home (including model number).
  • A description of where these devices are.
  • Exact frequency and duration of use.
  • Which modes they are being used in.
  • When I am home/away (or at least which rooms I have lights on).

When you use a tactic like hardcoding DNS lookups in the software I have much less visibility into where you are sending my data and less control over whether I choose to share it.

I understand the pain of a user with a misconfigured network returning poor reviews, but you have pushed too far in the other direction here, and you are risking all of your data-aware, correctly configured network users giving 1 star reviews as well.

A second thanks to @scorp508 as well for posting the port rules to block Sense DNS lookups in the meantime.

4 Likes

We hear you all about this. Privacy is important to us, and while DNS is a comparatively small part of the overall data privacy picture, I understand that it’s significant to you. If any of you would like me to reset this configuration change for your monitor specifically, please DM me your serial number or sense account email, and I can take care of that.

2 Likes

@JonahAtSense I can confirm that this is not working as intended since my monitor was stuck offline until I whitelisted 1.1.1.1. Please see ticket number: 127718

Would it be possible for Sense to include changes like these in the release announcements or in a more detailed blog/wiki page that can be referenced?

Thanks

1 Like

Thanks for that — I’ll have a look.

I think this change was included in the release notes.

@JonahAtSense

I checked the firmware release notes going back 6 months and didn’t see a mention of the DNS:
https://community.sense.com/c/news-announcements/firmware-updates

Looking on Zendesk, I only see Web App and Mobile App notes:
https://help.sense.com/hc/en-us/sections/360002441674-Release-Notes

Should I look somewhere else?

Thanks

Nope, you looked in exactly the right place. That change must have been dropped from the notes. Not intentionally so — just very busy people doing the best they can. Sorry about that.

All good. Thanks for acknowledging the change and looking into the issue with not using local DNS.

Really appreciate the quick response.