NAS DNS query for ipfs.adatools.io

[M_P_O]

Hello everybody,
I was checking my AdGuard Home DNS logs after getting back for my holidays and I noticed that my QNAP TS-832X queried the DNS for ipfs.adatools.io
Since it's linked to crypto I blocked the domain (on the DNS level).
No joy for a google search except a German forum with no answer, has anyone noticed such behaviour ?
My NAS is not open to the internet - I use the VPN on my ASUS router with ASUSWRT-Merlin.
No exotic software - only basic stuff, Plex, AdGuard, etc are docker containers on a RPi.
Malware remover brings up no concern.
Thank you for taking your time to read my first post.
Have a nice day !

[Froggy10]

Hi

I have freshly registered just to say that I have a QNAP TS251D which is also querying ipfs.adatools.io. Like yourself I noted the possible crypto link and have been blocking it via my NextDNS account. It is querying the site approx every minute. My external QNAPCloud is disabled and my NAS is a very basic config used for local backup and as a local DLNA media server. I confess to being a little concerned! Hopefully there is an entirely innocent explanation?

Could it be related to a QVPN vulnerability? I was using a VPN connection to the NAS until very recently. viewtopic.php?f=45&t=164173

[canas2022]

I have the same issue with a TS453D. No many services running (DLNA Media Service, Qsync, Rsync, SQL Server, Werb Server, Proxy) and whatever else QNAP add. QuFirewall reports several events blocked from (source) 185.165.190.17, however my NAS is not directly expose to the Internet. Any ideas?

[Barungar]

I have the same issue with a TS-h886 ... it started 28.12.2021. The same day I upgraded to Fw 5.0.0.1892
My NAS also doesn't present any open ports to the internet. So I'm searching and wondering what that might be.

Of course I thought of malware, but there aren't any high CPU, RAM or disk usages.

Just those DNS requests for ipfs.adatools.io

[Froggy10]

Hi

All mine are DNS calls.... I can detect no additional CPU usage or any other unusual DNS requests. I am tempted to completely rebuild the NAS because of it - particularly as , at present, there is no certain cause as to the "infection", and whether there may be more to it. I notice that today there are no DNS requests to ipfs.adatools.io at all. I have done nothing to stop them which adds to the mystery!

[FSC830]

Referring to a post in German forum: disable QuFirewall and DNS queries will be stopped!
Enable it again and DNS queries continue...!
Send a ticket to QNAP support and ask, what the hell they are doing...

Regards

[Barungar]

Now, I know the source. garderobier gave me the nudge.

It is QNAP Firewall 2.2.0 guys! You can verify it by simply stopping the firewall, the DNS requests will stop. And if you restart the firewall the DNS requests will resume!

[canas2022]

In my case when disabling QuFirewall Version 2.2.0 (2021/12/16), form the QuFirewall console (switch to OFF) the DNS requests continue. If I STOP the service completely using the App Center the DNS requests stop.

[Froggy10]

I can confirm, in my case, that QuFirewall is indeed the culprit. The DNS calls started again this morning so after the news re the QuFirewall connection I removed and then restarted the app. The DNS calls to ipfs.adatools.io stopped and then started again on reinstallation. Either uninstalling or stopping the app stops the DNS calls. Now awaiting a QNAP official response. Using FW 5.0.0.1891

I have noticed that I am now making calls exactly every 11 seconds to ipfs.adatools.io as per Adguard Home (hosted on my Asus RT-AX58U and not on the NAS).

[M_P_O]

Thanks for the findings!
I'm with QNAP support via ticket (fast response must I say)
I'll update It now.

[M_P_O]

Thanks for the findings!
I'm with QNAP support via ticket (fast response must I say)
I'll update It now.

QNAP support just got back, again, they are really fast this time (I'm with French support)
I told him that is was QuFireWall. I consented to give them my dump to further the analysis.
I translate his answer (not english):
"It's crazy ... I'll immediatly ask R&D to check the problem and I'll put your ticket on the higest priority"

Now let's see what happens.

I forgot to mention :
QuFireWall : Version 1.5.0 (2021/12/28)
QTS : 5.0.0.1891

[irishj]

Same issue here, blocked it with PiHole and was wondering where they were originating from, thanks for the insight.

Please let us know what QNAP support advise in relation to this strange behaviour.

[nsl.alan]

Thanks for the findings!
I'm with QNAP support via ticket (fast response must I say)
I'll update It now.

QNAP support just got back, again, they are really fast this time (I'm with French support)
I told him that is was QuFireWall. I consented to give them my dump to further the analysis.
I translate his answer (not english):
"It's crazy ... I'll immediatly ask R&D to check the problem and I'll put your ticket on the higest priority"

Now let's see what happens.

I forgot to mention :
QuFireWall : Version 1.5.0 (2021/12/28)
QTS : 5.0.0.1891

Any update from QNAP?

[cybercyclone]

Hi everyone, I'm the maintainer of adatools.io which is a Cardano Blockchain Explorer. The domain ipfs.adatools.io is a IPFS node that I run to pin NFTs (Non-fungible tokens). For those that don't know what IPFS is, it's a decentralised / peer-to-peer file network.

I'm really baffled as to why QNAP services would be doing queries to it other then it's trying to retrieve files from the network and my node has that file. If there is something on QNAP servers trying to retrieve a file from the network, blocking adatools.io won't help as it will just find another node / domain that's running a IPFS node.

So it would be good to find out what is actually causing the queries rather than just blocking / turning things off.

I know I was running an IPFS node on my QNAP at one point (or I still could be) via a Docker image, but I don't see how that would have any impact unless QNAP has an internal "chat" protocol and they're somehow communicating with each other?

[cybercyclone]

QNAP have released an update to QuFirewall that apparently resolves the issue.

We have fixed an issue where QuFirewall would constantly perform DNS lookup of ipfs.adatools.io because the IP address of the domain name would expire.

- https://www.qnap.com/en-us/app_releasen ... qufirewall

They don't mention why it was doing DNS lookups in the first place, or even why it was doing it on ipfs.adatools.io and not other IPFS node URLs.

Even though it has been resolved, it's still interesting since the domain was pointed to my QNAP NAS at some point and then suddenly a number of other QNAP servers are doing lookups. It's like my QNAP is talking to other QNAPs for whatever reason.

It would be good to get an official comment from QNAP as to what triggered this in the first place as most QNAP owners have reported that they are not running any IPFS nodes so their NAS had no reason to do a DNS lookup to ipfs.adatools.io.