The OTHER problem with Netgear WGT624 (and probably others)

Works fine here (and everywhere else I've used it):

You may have something wrong in your configuration.

On 29 Jul 2006 17:32:26 GMT, snipped-for-privacy@ipal.net wrote in :

On Sun, 30 Jul 2006 18:51:11 GMT John Navas wrote: | Works fine here (and everywhere else I've used it): | | >nslookup routerlogin.com | | Non-authoritative answer: | Name: routerlogin.com | Address: 192.168.1.1 | | You may have something wrong in your configuration.

Nope.

Here is a trace dependent on nothing but the root hint file, which is configured correctly:

============================================================================= phil@hadar:/home/phil 1173> dig +trace a routerlogin.com

; DiG 9.2.3 +trace a routerlogin.com ;; global options: printcmd . 36021 IN NS G.ROOT-SERVERS.NET. . 36021 IN NS H.ROOT-SERVERS.NET. . 36021 IN NS I.ROOT-SERVERS.NET. . 36021 IN NS J.ROOT-SERVERS.NET. . 36021 IN NS K.ROOT-SERVERS.NET. . 36021 IN NS L.ROOT-SERVERS.NET. . 36021 IN NS M.ROOT-SERVERS.NET. . 36021 IN NS A.ROOT-SERVERS.NET. . 36021 IN NS B.ROOT-SERVERS.NET. . 36021 IN NS C.ROOT-SERVERS.NET. . 36021 IN NS D.ROOT-SERVERS.NET. . 36021 IN NS E.ROOT-SERVERS.NET. . 36021 IN NS F.ROOT-SERVERS.NET. ;; Received 244 bytes from 209.102.192.85#53(209.102.192.85) in 10 ms

com. 172800 IN NS F.GTLD-SERVERS.NET. com. 172800 IN NS G.GTLD-SERVERS.NET. com. 172800 IN NS H.GTLD-SERVERS.NET. com. 172800 IN NS I.GTLD-SERVERS.NET. com. 172800 IN NS J.GTLD-SERVERS.NET. com. 172800 IN NS K.GTLD-SERVERS.NET. com. 172800 IN NS L.GTLD-SERVERS.NET. com. 172800 IN NS M.GTLD-SERVERS.NET. com. 172800 IN NS A.GTLD-SERVERS.NET. com. 172800 IN NS B.GTLD-SERVERS.NET. com. 172800 IN NS C.GTLD-SERVERS.NET. com. 172800 IN NS D.GTLD-SERVERS.NET. com. 172800 IN NS E.GTLD-SERVERS.NET. ;; Received 505 bytes from 192.112.36.4#53(G.ROOT-SERVERS.NET) in 43 ms

routerlogin.com. 172800 IN NS park17.secureserver.net. routerlogin.com. 172800 IN NS park18.secureserver.net. ;; Received 123 bytes from 192.35.51.30#53(F.GTLD-SERVERS.NET) in 61 ms

routerlogin.com. 3600 IN A 64.202.189.170 routerlogin.com. 3600 IN NS PARK17.SECURESERVER.NET. routerlogin.com. 3600 IN NS PARK18.SECURESERVER.NET. ;; Received 107 bytes from 64.202.165.120#53(park17.secureserver.net) in 38 ms

phil@hadar:/home/phil 1174> dig +trace a routerlogin.net

; DiG 9.2.3 +trace a routerlogin.net ;; global options: printcmd . 35942 IN NS A.ROOT-SERVERS.NET. . 35942 IN NS B.ROOT-SERVERS.NET. . 35942 IN NS C.ROOT-SERVERS.NET. . 35942 IN NS D.ROOT-SERVERS.NET. . 35942 IN NS E.ROOT-SERVERS.NET. . 35942 IN NS F.ROOT-SERVERS.NET. . 35942 IN NS G.ROOT-SERVERS.NET. . 35942 IN NS H.ROOT-SERVERS.NET. . 35942 IN NS I.ROOT-SERVERS.NET. . 35942 IN NS J.ROOT-SERVERS.NET. . 35942 IN NS K.ROOT-SERVERS.NET. . 35942 IN NS L.ROOT-SERVERS.NET. . 35942 IN NS M.ROOT-SERVERS.NET. ;; Received 260 bytes from 209.102.192.85#53(209.102.192.85) in 10 ms

net. 172800 IN NS A.GTLD-SERVERS.net. net. 172800 IN NS G.GTLD-SERVERS.net. net. 172800 IN NS H.GTLD-SERVERS.net. net. 172800 IN NS C.GTLD-SERVERS.net. net. 172800 IN NS I.GTLD-SERVERS.net. net. 172800 IN NS B.GTLD-SERVERS.net. net. 172800 IN NS D.GTLD-SERVERS.net. net. 172800 IN NS L.GTLD-SERVERS.net. net. 172800 IN NS F.GTLD-SERVERS.net. net. 172800 IN NS J.GTLD-SERVERS.net. net. 172800 IN NS K.GTLD-SERVERS.net. net. 172800 IN NS E.GTLD-SERVERS.net. net. 172800 IN NS M.GTLD-SERVERS.net. ;; Received 502 bytes from 198.41.0.4#53(A.ROOT-SERVERS.NET) in 48 ms

routerlogin.net. 172800 IN NS park17.secureserver.net. routerlogin.net. 172800 IN NS park18.secureserver.net. ;; Received 120 bytes from 192.5.6.30#53(A.GTLD-SERVERS.net) in 50 ms

routerlogin.net. 3600 IN A 64.202.189.170 routerlogin.net. 3600 IN NS PARK17.SECURESERVER.net. routerlogin.net. 3600 IN NS PARK18.SECURESERVER.net. ;; Received 104 bytes from 64.202.165.120#53(park17.secureserver.net) in 37 ms

phil@hadar:/home/phil 1175> dig +trace ptr -x 64.202.189.170

; DiG 9.2.3 +trace ptr -x 64.202.189.170 ;; global options: printcmd . 35866 IN NS B.ROOT-SERVERS.NET. . 35866 IN NS C.ROOT-SERVERS.NET. . 35866 IN NS D.ROOT-SERVERS.NET. . 35866 IN NS E.ROOT-SERVERS.NET. . 35866 IN NS F.ROOT-SERVERS.NET. . 35866 IN NS G.ROOT-SERVERS.NET. . 35866 IN NS H.ROOT-SERVERS.NET. . 35866 IN NS I.ROOT-SERVERS.NET. . 35866 IN NS J.ROOT-SERVERS.NET. . 35866 IN NS K.ROOT-SERVERS.NET. . 35866 IN NS L.ROOT-SERVERS.NET. . 35866 IN NS M.ROOT-SERVERS.NET. . 35866 IN NS A.ROOT-SERVERS.NET. ;; Received 276 bytes from 209.102.192.85#53(209.102.192.85) in 10 ms

64.in-addr.arpa. 86400 IN NS chia.ARIN.NET. 64.in-addr.arpa. 86400 IN NS dill.ARIN.NET. 64.in-addr.arpa. 86400 IN NS BASIL.ARIN.NET. 64.in-addr.arpa. 86400 IN NS henna.ARIN.NET. 64.in-addr.arpa. 86400 IN NS indigo.ARIN.NET. 64.in-addr.arpa. 86400 IN NS epazote.ARIN.NET. 64.in-addr.arpa. 86400 IN NS figwort.ARIN.NET. ;; Received 196 bytes from 192.228.79.201#53(B.ROOT-SERVERS.NET) in 62 ms

189.202.64.in-addr.arpa. 86400 IN NS cns1.secureserver.net.

189.202.64.in-addr.arpa. 86400 IN NS cns2.secureserver.net. ;; Received 99 bytes from 192.5.6.32#53(chia.ARIN.NET) in 41 ms

170.189.202.64.in-addr.arpa. 3600 IN PTR pwfwd-v01.prod.mesa1.secureserver.net.

189.202.64.in-addr.arpa. 3600 IN NS cns1.secureserver.net. 189.202.64.in-addr.arpa. 3600 IN NS cns2.secureserver.net. ;; Received 166 bytes from 64.202.167.31#53(cns1.secureserver.net) in 34 ms

phil@hadar:/home/phil 1176>

=============================================================================

Now notice their really weird ... STATEFUL ... redirect:

============================================================================= phil@hadar:/home/phil 1176> lynx -mime_header

302 Moved Temporarily Content-Length: 0 Location: /?ABCDEFGH

phil@hadar:/home/phil 1177> lynx -mime_header

302 Moved Temporarily Content-Length: 0 Location: /?ABCDEFGH

phil@hadar:/home/phil 1178> lynx -mime_header '

'HTTP/1.1 302 Moved Temporarily Content-Length: 0 Location: /

phil@hadar:/home/phil 1179> lynx -mime_header

302 Found Connection: close Date: Mon, 31 Jul 2006 02:01:26 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Location: private Content-Type: text/html; charset=utf-8 Content-Length: 139

Object moved Object moved to here.

phil@hadar:/home/phil 1180>

=============================================================================

As you can see, when the direct goes from

to and back to THEN it gets a redirect to (missing / is theirs). On a couple other machines I have gone to the site many many times in a row and it keeps giving that "/?ABCDEFGH" redirect _until_ I go to where it redirected then come back and finally get a different redirect. It apparently remembers the IP address. But what for? No obvious reason.

You can check this at other sites, too:

?name=routerlogin.net&type=ALLhttp://www.dnsreport.com/tools/dnsreport.ch?domain=routerlogin.comhttp://www.dnsreport.com/tools/dnsreport.ch?domain=routerlogin.net So ... nothing wrong with my configuration. I wonder where YOUR DNS lookup is getting the address 192.168.1.1. It's definitely NOT from the authoritative DNS servers. Can you trace it down to where?

snipped-for-privacy@ipal.net hath wroth:

It's a bit messy. Think of it as something like a wireless hot spot splash page. No matter where you point your browser, it goes to the setup wizard.

The way it worked on a WGR614 is that the internal DNS cache always redirects routerlogin.com to the setup wizard. I think (not sure) that pointing a web browser to any URL ends up at the initial setup wizard.

routerlogin.net always goes to the general setup web page.

192.168.1.1 goes to the setup wizard. Once the user has setup and saved the general page with a WAN connection, 192.168.1.1 now goes to the general setup web page.

The URL: http://192.168.1.1/basicsetting.htmbypasses the setup wizard and goes directly to the general setup page.

When you run nslookup, host, or dig to query the nameservers, you are bypassing the routers internal DNS cache and going to the internet to lookup the domain. That's fine, but that's not what your router is doing. A DNS server might resolve routerlogin.com to anything it wants, but if the local DNS cache redirects lookups to routerlogin.com to the setup wizard, it doesn't matter.

On Sun, 30 Jul 2006 23:01:58 -0700 Jeff Liebermann wrote: | snipped-for-privacy@ipal.net hath wroth: | |>So ... nothing wrong with my configuration. I wonder where YOUR DNS |>lookup is getting the address 192.168.1.1. It's definitely NOT from |>the authoritative DNS servers. Can you trace it down to where? | | It's a bit messy. Think of it as something like a wireless hot spot | splash page. No matter where you point your browser, it goes to the | setup wizard.

Only if the address being referenced actually goes to or through the device that is intercepting it. But before it is set up, that is not working.

| The way it worked on a WGR614 is that the internal DNS cache always | redirects routerlogin.com to the setup wizard. I think (not sure) | that pointing a web browser to any URL ends up at the initial setup | wizard.

Only if you already have the router set up.

| routerlogin.net always goes to the general setup web page.

It actually went to

| 192.168.1.1 goes to the setup wizard. Once the user has setup and | saved the general page with a WAN connection, 192.168.1.1 now goes to | the general setup web page.

192.168.1.1 redirected to routerlogin.net. routerlogin.net redirected in a round-about way to

| The URL: | http://192.168.1.1/basicsetting.htm| bypasses the setup wizard and goes directly to the general setup page. | | When you run nslookup, host, or dig to query the nameservers, you are | bypassing the routers internal DNS cache and going to the internet to | lookup the domain. That's fine, but that's not what your router is | doing. A DNS server might resolve routerlogin.com to anything it | wants, but if the local DNS cache redirects lookups to routerlogin.com | to the setup wizard, it doesn't matter.

The router wasn't serving internet access. It was being set up to serve a printer, a laptop, and a hop to my brother's house. Internet traffic would not go to it or through it.

So, did some Netgear engineer ASS-U-ME that everyone would always be putting it in a network where all internet traffic would go through the router?

It would have been a workable scheme IF:

1. They did NOT redirect http://192.168.1.1/ to
   formatting link
   They DID put in an A-record for routerlogin.net with 192.168.1.1.

Under such a scheme, a lookup that did go to the real internet for the A-record of routerlogin.net would get 192.168.1.1 and the HTTP request under the hostname routerlogin.net would go to the router as long as the router had its default configuration and 192.168.1.0/24 was a local net (as it would have to be for any other router that uses 192.168.1.1 in the normal way). Had the cutsie URL

somehow failed, there would at least be the fallback of using http://192.168.1.1/to get to the setup page.

Any other manufacturers doing this nonsense? Note that I am NOT referring to merely having a hostname in place of 192.168.1.1 as the nonsense. What I am referring to as the nonsense is BREAKING that scheme with the redirect from 192.168.1.1 to the hostname AND the bogus A-record in DNS.

snipped-for-privacy@ipal.net hath wroth:

Ummm... try again:

nslookup routerlogin.net Server: uranus.cruzio.com Address: 63.249.95.9

Non-authoritative answer: Name: routerlogin.net Address: 64.202.189.170

Whois shows it owned by GoDaddy.com. RDNS shows it as: 64.202.189.170 PTR record: pwfwd-v01.prod.mesa1.secureserver.net. [TTL 3600s]

If you try: http://64.202.189.170You get: This website is temporarily unavailable, please try again later.

I'm on a Linksys router which does not have the internal DNS cache redirect routerlogin.com and routerlogin.net to who knows where.

See above. routerlogin.com resolves to the same IP as routerlogin.net.

Yep. That's exactly what they're doing. Products must be user friendly and beginning users should have a favorable out of box experience. Never mind the hackers.

Not that I know of. Personally, I think it's a good idea that was only half way implimented. What I want is for the wireless part of the router to be turned off until the owner sets the SSID, encryption key, and router password. I call it "secure by default". While only

2wire.com is doing this, it sorta looks like Netgear started on the same path, but got fouled up trying to setup internet access automagically. I agree with you that it was badly done and it could have been done better. Someone has to be first.

I hate to tell you this, but you're going to be running into this manner of nonsense almost continuously. You're going to find static routes that don't work, DHCP renewal oddities, limited routeing, insipid firewall rule sets, lack of monitoring, etc with commodity wireless routers. I suggest you obtain a WRT54G or similar Broadcom router, install one of the numerous alternative Linux firmware replacements, and deal with your creative topology and personal preferences from either the command line or the source code.

On 31 Jul 2006 02:19:40 GMT, snipped-for-privacy@ipal.net wrote in :

Then why does it work for me and everyone else? ;)

I'd be willing to bet you do.

On Mon, 31 Jul 2006 09:57:01 -0700 Jeff Liebermann wrote: | snipped-for-privacy@ipal.net hath wroth: | |>| routerlogin.net always goes to the general setup web page. |>

|>It actually went to

| | Ummm... try again: | | nslookup routerlogin.net | Server: uranus.cruzio.com | Address: 63.249.95.9 | | Non-authoritative answer: | Name: routerlogin.net | Address: 64.202.189.170 | | Whois shows it owned by GoDaddy.com. | RDNS shows it as: | 64.202.189.170 PTR record: pwfwd-v01.prod.mesa1.secureserver.net. | [TTL 3600s] | | If you try: | http://64.202.189.170| You get: | This website is temporarily unavailable, please try again later.

However, if the virtual host "routerlogin.net" is used, it gets a different response from the server:

============================================================================= phil@canopus:/home/phil 816> lynx -mime_header 'http://64.202.189.170/'HTTP/1.1 200 OK Connection: close Date: Mon, 31 Jul 2006 21:21:14 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 228

This website is temporarily unavailable, please try again later.

phil@canopus:/home/phil 817> lynx -mime_header '

'HTTP/1.1 302 Found Connection: close Date: Mon, 31 Jul 2006 21:21:26 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Location: private Content-Type: text/html; charset=utf-8 Content-Length: 139

Object moved Object moved to here.

phil@canopus:/home/phil 818>

=============================================================================

| I'm on a Linksys router which does not have the internal DNS cache | redirect routerlogin.com and routerlogin.net to who knows where. | |>192.168.1.1 redirected to routerlogin.net. routerlogin.net redirected |>in a round-about way to

| | See above. routerlogin.com resolves to the same IP as | routerlogin.net.

I never said it didn't. Both always have resolved to 64.202.189.170.

============================================================================= phil@hadar:/home/phil 1208> dig +trace +noall +answer a routerlogin.com | fgrep routerlogin routerlogin.com. 3600 IN A 64.202.189.170 phil@hadar:/home/phil 1209> dig +trace +noall +answer a routerlogin.net | fgrep routerlogin routerlogin.net. 3600 IN A 64.202.189.170 phil@hadar:/home/phil 1210> dig +trace +noall +answer a

| fgrep routerlogin 3600 IN CNAME routerlogin.com. routerlogin.com. 3600 IN A 64.202.189.170 phil@hadar:/home/phil 1211> dig +trace +noall +answer a | fgrep routerlogin 3600 IN CNAME routerlogin.net. routerlogin.net. 3600 IN A 64.202.189.170 phil@hadar:/home/phil 1212>

=============================================================================

|>So, did some Netgear engineer ASS-U-ME that everyone would always be |>putting it in a network where all internet traffic would go through the |>router? | | Yep. That's exactly what they're doing. Products must be user | friendly and beginning users should have a favorable out of box | experience. Never mind the hackers.

Excuse me, but an assumption that is NOT true does NOT make user friendly. Tell me how you think that the CORRECT way that *I* suggested would be in any way LESS user friendly. The way I had suggested would work in at least more cases than the way they have it now, and not break in any cases that work their way.

Tell me how making an HTTP request for http://192.168.1.1/ to the router itself and getting a redirect to

enhancing friendliness when in some cases that will fail to go back to the router (because they didn't configured the DNS zone for routerlogin.net with 192.168.1.1 for an IP address).

|>Any other manufacturers doing this nonsense? Note that I am NOT referring |>to merely having a hostname in place of 192.168.1.1 as the nonsense. What |>I am referring to as the nonsense is BREAKING that scheme with the redirect |>from 192.168.1.1 to the hostname AND the bogus A-record in DNS. | | Not that I know of. Personally, I think it's a good idea that was | only half way implimented. What I want is for the wireless part of | the router to be turned off until the owner sets the SSID, encryption | key, and router password. I call it "secure by default". While only | 2wire.com is doing this, it sorta looks like Netgear started on the | same path, but got fouled up trying to setup internet access | automagically. I agree with you that it was badly done and it could | have been done better. Someone has to be first.

I agree that the wireless part should be off until proper configuration.

I don't see how what Netgear did is the same thing. What it appears to me that they tried to do was make something that is easier to remember and less prone to error that the user can type into their browser. For you and me, typing "192.168.1.1" isn't a problem. For the Average Joe it can be, at least if they have to remember it a few minutes later and would otherwise keep having to check the manual.

For MOST people, what they tried to do probably works. The scenario would probably be someone with a Windows computer (their software sets the Windows gateway to 192.168.1.1) and NOT currently on another means of internet access I did not test a certain aspect of it, that being a faked DNS reply from the router to give 192.168.1.1 for routerlogin.net. If that faked DNS reply was done, it would work in a lot of scenarios.

But it would NOT work in some others where another means of internet access is active.

| I hate to tell you this, but you're going to be running into this | manner of nonsense almost continuously. You're going to find static | routes that don't work, DHCP renewal oddities, limited routeing, | insipid firewall rule sets, lack of monitoring, etc with commodity | wireless routers. I suggest you obtain a WRT54G or similar Broadcom | router, install one of the numerous alternative Linux firmware | replacements, and deal with your creative topology and personal | preferences from either the command line or the source code.

Yeah, this is actually somewhat typical nonsense. Oddly enough, it is also easily fixable, and without having to upgrade the firmware on the routers already in the field. That is to simply put an A-record in the DNS zones for routerlogin.{com,net} giving 192.168.1.1. It is TWO errors that caused this. Fixing ONE of them makes it work better. The DNS one is the easier to fix. Get me the phone number of the person who is in the position of authority to fix it, and I'll be glad to call him/her and explain in detail why they should change DNS. Then it will be up to them to choose to do things better or not.

In the mean time, yes, I will be hunting for good pricing for WRT54GL from a reputable dealer and soon buy 2 or 3 of those. So far the best price I have found is, oddly enough, at Dell.Com. They just have a 1-2 week ship.

FYI, I won't be stopping at loading an OpenWRT firmware. I'll be hacking on it eventually.

On Mon, 31 Jul 2006 19:29:57 GMT John Navas wrote: | On 31 Jul 2006 02:19:40 GMT, snipped-for-privacy@ipal.net wrote in | : | |>On Sun, 30 Jul 2006 18:51:11 GMT John Navas wrote: |>| Works fine here (and everywhere else I've used it): |>| |>| >nslookup routerlogin.com |>| |>| Non-authoritative answer: |>| Name: routerlogin.com |>| Address: 192.168.1.1 |>| |>| You may have something wrong in your configuration. |>

|>Nope. | | Then why does it work for me and everyone else? ;) | | I'd be willing to bet you do.

You'd lose this one. Enter "routerlogin.com" at any of the online DNS lookup sites and see what you get.

What's a virtual host?

I'm starting to get the picture. If I try: http://64.202.189.170/I get the "This site is temporarily...." message.

However, if I try:

get the Netgear web site as you point out using lynx.

Yet,

routerlogin.com, and routerlogin.net all point to 64.202.189.170. Weird.

Your suggestion as to how it should operate is certainly better than what has been implimented by Netgear. Neither method has much to do with "user friendly". All I think they were trying to do is point the web browser to the setup wizard if the router was NOT configured. Where they goofed is to point also point it to the general setup page after it was configured. That doesn't do anything useful.

If it works the way you suggest (internet nameserver redirects routerlogin.net to 192.168.1.1), then it will certainly fail if the user changes the router IP address. However, I haven't seen any evidence that this is done by an internet based DNS server. The redirection seems to be done by the DNS cache inside the router. If this is true, then a change to the router IP address would not cause the redirection to fail.

You're the first to agree with that.

They didn't. I think they tried to do it the "right way(tm)" but got muddled in the redirection to the setup wizard.

They could easily have set it up so that any URL or IP address would be redirected to the setup wizard. Once successfully setup and saved, things could return to normal. If they were serious about an easy way to get to the setup, then it should have been something like: http://setup The caching DNS server doesn't need a FQDN to do a lookup and can easily default to a local domain. However, if this is unpalateable, it could have been something like:

I think the GUM (great unwashed masses) could handle.

The greatest good for the greatest number. Geeks, hackers, you and I don't qualify.

Yep. Good idea, bad implimentation.

Only if you insist that the lookup go to the internet. It could easily be trapped in the local DNS cache in the router.

I don't have any way to get to the vendors directly. You might try writing a suitable bug report and posting it on the Netgear forums at:

on DSLReports at: Oh swell, the Netgear forums are now apparently dead.

"Thanks to all the NETGEAR customers who made the forum such a success! As a result of the popularity, NETGEAR has decided to reintroduce the forum in a new and improved format. While the changes are underway, we?ll be using our forum resources to make the conversion, and the existing forum will be unavailable.

In the meantime, questions that would have been directed to the forum can be sent to NETGEAR?s email support , where they will receive the personal attention of our agents. We hope to see you again when the forum reopens!"

What this PR announcement forgot to mention was that the user forums were being largely ignored by Netgear and that Netgear was only archiving the most recent 50 or so messages, which was about 1-2 days worth of postings. The only answers I ever received were erased before I could read them. Nice job Netgear.

From the internet using dnsstuff.com:

get 64.202.189.170

From my palatial office on pacbell.net through a WRT54G: Non-authoritative answer: Name: routerlogin.com Address: 64.202.189.170 Via PC Anywhere to a customer on surfnetusa.com with a Netgear WGR614v5 router, I get: Non-authoritative answer: Name: routerlogin.com Address: 192.168.1.1

Via VNC4 to a customer on sbcglobal.net with a WGR613V: Non-authoritative answer: Name: routerlogin.com Address: 192.168.1.1

Via VNC to my home PC on cruzio.com with a BEFW11S4: Non-authoritative answer: Name: routerlogin.com Address: 64.202.189.170

Via SSH to a customer on sonic.net with a WGR614v4 Non-authoritative answer: Name: routerlogin.com Address: 192.168.1.1

Conclusion: some models of Netgear router intercept DNS lookups to routerlogin.com and return the routers IP address instead. Where did you get the idea that the 192.168.1.1 was coming from a DNS server on the internet?

On Mon, 31 Jul 2006 23:28:31 GMT Jeff Liebermann wrote: | On 31 Jul 2006 21:49:03 GMT, snipped-for-privacy@ipal.net wrote: | |>However, if the virtual host "routerlogin.net" is used, it gets a |>different response from the server: | | What's a virtual host?

When multiple names are hosted at a single IP address, this generally uses a method called virtual hosting. The various hostnames are then configured as virtual hosts. Since a GET or POST request only provides the URI for the request, an additional HTTP header called "Host:" is used. In the following example, what I typed is just:

============================================================================= telnet 209.102.192.73 80 GET / HTTP/1.1 Host: ka9wgn.ham.org

telnet 209.102.192.73 80 GET / HTTP/1.1 Host: kb9ydn.ham.org

=============================================================================

The blank lines are an extra newline.

Now here is what the whole session looks like. These are virtual host redirects for URLs based on ham radio call sign:

============================================================================= phil@canopus:/home/phil 824> telnet 209.102.192.73 80 Trying 209.102.192.73... Connected to 209.102.192.73. Escape character is '^]'. GET / HTTP/1.1 Host: ka9wgn.ham.org

HTTP/1.1 301 Found Date: Tue, 01 Aug 2006 02:39:46 +0000 Server: Apache/1.3.33 (Unix) PHP/4.3.10 mod_ssl/2.8.22 OpenSSL/0.9.7d Location:

text/html; charset=iso-8859-1 Content-length: 416 Connection: close

301 KA9WGN foundKA9WGN Location: your browser does not automatically take you to theKA9WGN web site, try clicking on the URL shown. Connection closed by foreign host. phil@canopus:/home/phil 825> telnet 209.102.192.73 80 Trying 209.102.192.73... Connected to 209.102.192.73. Escape character is '^]'. GET / HTTP/1.1 Host: kb9ydn.ham.org

HTTP/1.1 301 Found Date: Tue, 01 Aug 2006 02:42:21 +0000 Server: Apache/1.3.33 (Unix) PHP/4.3.10 mod_ssl/2.8.22 OpenSSL/0.9.7d Location:

text/html; charset=iso-8859-1 Content-length: 428 Connection: close

301 KB9YDN foundKB9YDN Location: browser does not automatically take you to theKB9YDN web site, try clicking on the URL shown. Connection closed by foreign host. phil@canopus:/home/phil 826>

=============================================================================

| | I'm starting to get the picture. If I try: | http://64.202.189.170/| I get the "This site is temporarily...." message. | | However, if I try: |

| I get the Netgear web site as you point out using lynx. | | Yet, routerlogin.com, and routerlogin.net all | point to 64.202.189.170. Weird.

And that's the problem. They could fix it by setting the IP address to be 192.168.1.1.

|>Tell me how making an HTTP request for http://192.168.1.1/ to |>the router itself and getting a redirect to

|>is enhancing friendliness when in some cases that will fail to go |>back to the router (because they didn't configured the DNS zone for |>routerlogin.net with 192.168.1.1 for an IP address). | | If it works the way you suggest (internet nameserver redirects | routerlogin.net to 192.168.1.1), then it will certainly fail if the | user changes the router IP address. However, I haven't seen any | evidence that this is done by an internet based DNS server. The | redirection seems to be done by the DNS cache inside the router. If | this is true, then a change to the router IP address would not cause | the redirection to fail.

I did change the IP addresses of the routers I had. When I accessed the main address page of the routers ( http://169.254.175.166/ ) it would still do the redirect to

so if someone did change it on theirs, they might find they cannot get in. However, if they access it as then it works.

One option for Netgear is to make the web server their DNS points to for routerlogin.net do a web redirect to http://192.168.1.1/basicsetting.htmand that would work as long as the IP address remains the same.

A nice goal would be to make there be a way to always access the router no matter how it has been configured, without necessarily erasing NVRAM with a long reset. I'd have to put some thought into that. But it seems like a solution is to employ IP aliasing where the router would have the original IP address plus whatever new one it is set to. That can cause problems because the change of IP may be motivated to keep

192.168.1.1 open for other equipment to be configured by plugging into a switch rather than pulling connections out of the existing LAN. This might be done with a link local address (link local is 169.254.0.0/16).

Personally, I think they should have stuck with http://192.168.1.1/ and let cool names like "routerlogin.net" just have that IP address.

|>I agree that the wireless part should be off until proper configuration. | | You're the first to agree with that.

I'd make an exception with a "radio setup button" that can temporarily turn the radio on to allow configuring by radio for the very few users that don't have any ethernet (e.g. the router is connects to broadband and is an access point for a laptop that has wireless and no ethernet). The controlling machine would have to be told to run in "setup master" mode, which would start by doing a Diffie-Hellman key exchange to start some encryption. As long as there was no man-in-the-middle attack, it can then proceed to either auto-configure or allow access as 192.168.1.1 over the air. If nothing connected to this router within 1 minute, the "radio setup" mode would be abandoned. If something does connect, then nothing is would be allowed to (it would not do another DH key exchange unless the button is pressed again). Not perfect security, but perhaps adequate.

|>What it appears to |>me that they tried to do was make something that is easier to remember |>and less prone to error that the user can type into their browser. For |>you and me, typing "192.168.1.1" isn't a problem. For the Average Joe |>it can be, at least if they have to remember it a few minutes later and |>would otherwise keep having to check the manual. | | They could easily have set it up so that any URL or IP address would | be redirected to the setup wizard. Once successfully setup and saved, | things could return to normal. If they were serious about an easy way | to get to the setup, then it should have been something like: | http://setup | The caching DNS server doesn't need a FQDN to do a lookup and can | easily default to a local domain. However, if this is unpalateable, | it could have been something like: |

| which I think the GUM (great unwashed masses) could handle.

Either of those could work, though the "setup" alone method would need to have the DNS interception active, either in the router (this could miss those with other net connections) or in the Windows software they provide (potentially dangerous as it might leave permanent changes in the registry that could be wrong). I think the name they chose is OK. They just didn't deploy it well.

|>For MOST people, what they tried to do probably works. | | The greatest good for the greatest number. Geeks, hackers, you and I | don't qualify.

Right. But we at least should not have been interfered with. By that, the URL http://192.168.1.1/ should just work as expected, and not try to redirect to

unless routerlogin.net goes to IP address 192.168.1.1 in all points of view. Making both URLs work is not hard: just ignore the virtual host name (in which case ANY name that goes to 192.168.1.1 would work).

|>But it would NOT work in some others where another means of internet |>access is active. | | Only if you insist that the lookup go to the internet. It could | easily be trapped in the local DNS cache in the router.

If the internet path is in that direction, yes, it could. And it should for those with no current internet access at all. If the internet access goes some other way and DNS is not intercepted, then at least having 192.168.1.1 in the registered name server for that hostname would still get them accessing 192.168.1.1. Then it is a matter of making sure packets addressed to 192.168.1.1 get to the router.

|>Get me the phone number of the person who is in |>the position of authority to fix it, and I'll be glad to call him/her and |>explain in detail why they should change DNS. Then it will be up to them |>to choose to do things better or not. | | I don't have any way to get to the vendors directly. You might try | writing a suitable bug report and posting it on the Netgear forums at: |

| or on DSLReports at: | | | Oh swell, the Netgear forums are now apparently dead. | | "Thanks to all the NETGEAR customers who made the forum such a | success! As a result of the popularity, NETGEAR has decided to | reintroduce the forum in a new and improved format. While the | changes are underway, we?ll be using our forum resources to make | the conversion, and the existing forum will be unavailable. | | In the meantime, questions that would have been directed to the | forum can be sent to NETGEAR?s email support , where they will | receive the personal attention of our agents. We hope to see you | again when the forum reopens!"

Intel did that. I gave up trying to find their forums about a few months.

| What this PR announcement forgot to mention was that the user forums | were being largely ignored by Netgear and that Netgear was only | archiving the most recent 50 or so messages, which was about 1-2 days | worth of postings. The only answers I ever received were erased | before I could read them. Nice job Netgear.

Sounds like a need for independent forums. Too bad Netgear to not likely inform anyone where that would be. Might well be more than one, too.

On Mon, 31 Jul 2006 23:40:08 GMT Jeff Liebermann wrote: | On 31 Jul 2006 21:50:32 GMT, snipped-for-privacy@ipal.net wrote: | |>You'd lose this one. Enter "routerlogin.com" at any of the online DNS |>lookup sites and see what you get. | | From the internet using dnsstuff.com: |

| I get 64.202.189.170 | | From my palatial office on pacbell.net through a WRT54G: | Non-authoritative answer: | Name: routerlogin.com | Address: 64.202.189.170 | | Via PC Anywhere to a customer on surfnetusa.com with a Netgear | WGR614v5 router, I get: | Non-authoritative answer: | Name: routerlogin.com | Address: 192.168.1.1 | | Via VNC4 to a customer on sbcglobal.net with a WGR613V: | Non-authoritative answer: | Name: routerlogin.com | Address: 192.168.1.1 | | Via VNC to my home PC on cruzio.com with a BEFW11S4: | Non-authoritative answer: | Name: routerlogin.com | Address: 64.202.189.170 | | Via SSH to a customer on sonic.net with a WGR614v4 | Non-authoritative answer: | Name: routerlogin.com | Address: 192.168.1.1 | | Conclusion: some models of Netgear router intercept DNS lookups to | routerlogin.com and return the routers IP address instead. Where did | you get the idea that the 192.168.1.1 was coming from a DNS server on | the internet?

Because the router I was configuring had nothing to do with my access to the internet. I'm aware this can work for those who are sending their DNS traffic out to/through the router. My point is, for those that are not, they could have made it work by having the online server give the same answer.

I made it work on my end by adding a fake DNS zone for routerlogin.net into my own DNS server that was being used for resolving (which BTW is not the same as the authoritative-only servers used to answer queries for my domain names). I had to do what they should have done. THEN in the course of configuring, I noted the different URLs and found that those did NOT do the redirecting, AND worked even if the hostname used was "192.168.1.1". So at that point I added the main configuration URL as a link to a local page of favorite links, and removed the fake DNS zone.

On Mon, 31 Jul 2006 23:28:31 GMT, Jeff Liebermann wrote in :

Not really. Once you're resolved routerlogin.com to 64.202.189.170 (using something other than the DNS resolver in the router), that cached value will be used until the cache expires. That's not something that new customers are going to run into.

Which is why the Netgear method actually makes sense.

On 1 Aug 2006 03:29:49 GMT, snipped-for-privacy@ipal.net wrote in :

It's not a problem for computers behind the router, the expected case.

That would cause problems if the router is reconfigured for a different address.

On 31 Jul 2006 21:50:32 GMT, snipped-for-privacy@ipal.net wrote in :

Not so.

What's wrong is that you're resolving over a different Internet connection. Use the router as intended, and there's no problem.

snipped-for-privacy@ipal.net hath wroth:

I'll save you the trouble. I setup an A record to point to

192.168.1.1. Try: it won't work if you're using a different IP address for the router.

On Tue, 01 Aug 2006 09:15:12 -0700, Jeff Liebermann wrote in :

How does that help? No other setups in your domain?

Indeed.

On Tue, 01 Aug 2006 16:06:27 GMT John Navas wrote: | On 1 Aug 2006 03:29:49 GMT, snipped-for-privacy@ipal.net wrote in | : | |>On Mon, 31 Jul 2006 23:28:31 GMT Jeff Liebermann wrote: | |>| Yet,

routerlogin.com, and routerlogin.net all |>| point to 64.202.189.170. Weird. |>

|>And that's the problem. | | It's not a problem for computers behind the router, the expected case.

You mean, computers using the router to connect to the internet as the expected case ... not enabling laptops to connect to the LAN, since no business in their right mind would ever do anything as useless as that.

|>They could fix it by setting the IP address |>to be 192.168.1.1. | | That would cause problems if the router is reconfigured for a different | address.

There is no one perfect solution. But ... the IP address they have it configured as now would work only if someone configures their router to have 64.202.189.170. My money is on that being very rare. More often people leave their one router on 192.168.1.1. Those that change it will know where they changed it to. Those that need to configure many routers won't need "

" in place of "http://192.168.1.1/". It's just silly to break some cases in order to make other cases work when there is a way to do it that won't break any cases and still makes the intended ones work.

On Tue, 01 Aug 2006 16:03:58 GMT John Navas wrote: | On Mon, 31 Jul 2006 23:28:31 GMT, Jeff Liebermann | wrote in | : | |>On 31 Jul 2006 21:49:03 GMT, snipped-for-privacy@ipal.net wrote: |>

|>>However, if the virtual host "routerlogin.net" is used, it gets a |>>different response from the server: |>

|>What's a virtual host? | | | |>I'm starting to get the picture. If I try: |> http://64.202.189.170/|>I get the "This site is temporarily...." message. |>

|>However, if I try: |>

|>I get the Netgear web site as you point out using lynx. |>

|>Yet,

routerlogin.com, and routerlogin.net all |>point to 64.202.189.170. Weird. | | Not really. Once you're resolved routerlogin.com to 64.202.189.170 | (using something other than the DNS resolver in the router), that cached | value will be used until the cache expires. That's not something that | new customers are going to run into.

The caching is irrelevant. They do have the TTL set low, so it won't be much of an issue for other things, anyway.

|>>Tell me how making an HTTP request for http://192.168.1.1/ to |>>the router itself and getting a redirect to

|>>is enhancing friendliness when in some cases that will fail to go |>>back to the router (because they didn't configured the DNS zone for |>>routerlogin.net with 192.168.1.1 for an IP address). |>

|>If it works the way you suggest (internet nameserver redirects |>routerlogin.net to 192.168.1.1), then it will certainly fail if the |>user changes the router IP address. However, I haven't seen any |>evidence that this is done by an internet based DNS server. The |>redirection seems to be done by the DNS cache inside the router. If |>this is true, then a change to the router IP address would not cause |>the redirection to fail. | | Which is why the Netgear method actually makes sense.

My method makes more sense. What I suggested results in a proper superset of working cases compared to what they did.