Jonathan Caicedo via plug on 22 Mar 2025 15:53:49 -0700



Re: [PLUG] Strange subdomain on running apt


Hi, 

First off, I can assure you that from a precursory look, I don’t see any cause for alarm. 

But some things to point out first… Ubuntu and Debian using HTTP and FTP for updates is generally regarded as an okay thing depending on your threat model - all package updates are signed using PGP keys from trusted Debian/Ubuntu developers/maintainers and that keychain gets shipped/installed on the first install - updates to that keyring are also signed, ensuring that there’s a chain of trust as things are updated. These keys are stored (depending on distro) usually at /etc/apt/keyrings. 

Secondly, that subdomain appears trustworthy to me - if an attacker managed to compromise and make custom subdomains under ubuntu.com - you’d hear about it. Ubuntu and Debian use a bunch of different mirrors for packages (sometimes run by volunteers!) - https://launchpad.net/ubuntu/+archivemirrors and https://wiki.ubuntu.com/Mirrors - I know this is how Arch operates generally - it helps balance the load for packages across a bunch of different mirrors so as not to overwhelm one. With that said, DNS does a lot of heavy lifting here… there are a bunch of different subdomains geographically that you can get routed to (in your case, you’re using the US mirror, which is great for latency!) - but there are also “normal” mirrors this might DNS load balance you to based on your geography and the load of a given mirror (the wiki page goes into detail)…

Now with that said, some of the mirrors that I shared in the first link do support HTTPS; you can hardcode those in /etc/apt/sources.list - https://unix.stackexchange.com/questions/194409/prevent-apt-get-from-using-a-specific-mirror - this can be useful if your threat model involves which packages you’re downloading being private from anyone sniffing your Internet traffic (say you wanna download Tor, but you don’t want the world to know)…

I hope this helps,
— Jonathan
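As an added example, not from anyone in the thread: a small POSIX sh audit that flags apt source entries still fetched over plain http:// or ftp://, and entries whose [trusted=yes] (one-line format) or "Trusted: yes" (deb822 format) option switches off the PGP signature check that makes an http mirror acceptable in the first place. The sample sources file and the mirror.example / security.example hosts are constructed for the demo.

```shell
# Audit apt source entries for (a) URIs fetched over plain http:// or
# ftp:// (still signed, but not private) and (b) options that turn OFF
# signature verification, which removes the only protection an http
# mirror has. Prints one line per finding; return status = finding count.
audit_apt_sources() {
    findings=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#"${line%%[! ]*}"}          # strip leading spaces
        case "$line" in ''|'#'*) continue ;; esac
        opts=
        case "$line" in
            deb\ *|deb-src\ *)                  # deb [opts] URI suite comps
                rest=${line#* }
                case "$rest" in
                    \[*) opts=${rest%%]*}; rest=${rest#*] } ;;
                esac
                uri=${rest%% *} ;;
            URIs:*)                             # deb822 stanza
                uri=${line#URIs:}; uri=${uri# }; uri=${uri%% *} ;;
            Trusted:*yes*)                      # deb822 "Trusted: yes"
                echo "signature check disabled: $line"
                findings=$((findings + 1)); continue ;;
            *) continue ;;
        esac
        case "$uri" in
            http://*|ftp://*)
                echo "plaintext transport: $uri"
                findings=$((findings + 1)) ;;
        esac
        case "$opts" in
            *trusted=yes*)
                echo "signature check disabled: $line"
                findings=$((findings + 1)) ;;
        esac
    done < "$1"
    return "$findings"
}

# Constructed sample sources file (hypothetical mirror.example hosts).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
deb http://mirror.example/ubuntu/ noble main restricted
deb [trusted=yes] http://mirror.example/ubuntu/ noble universe
deb https://mirror.example/ubuntu/ noble-updates main
Types: deb
URIs: http://security.example/ubuntu/
Trusted: yes
EOF
audit_apt_sources "$SAMPLE" || echo "findings: $?"
```

Point it at /etc/apt/sources.list and each file under /etc/apt/sources.list.d/ to audit a real system; a clean result is a zero return status with no output.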


On Mar 22, 2025, at 18:41, Michael Lazin via plug <plug@lists.phillylinux.org> wrote:


I realize that by default apt uses http and not https; there has been much discussion of this on the Debian lists, and Debian still uses http and ftp for updates.

root@microlaser-IdeaPad-Slim-3-15IRU8:/home/microlaser# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=24.04
DISTRIB_CODENAME=noble
DISTRIB_DESCRIPTION="Ubuntu 24.04.2 LTS"

This is what I am running.  I do not trust this subdomain but when I block it, apt no longer works. 

root@microlaser-IdeaPad-Slim-3-15IRU8:/home/microlaser# cat /etc/resolv.conf
nameserver 9.9.9.9

I hard coded quad9 into my resolv.conf with chattr +i. I realize this is unconventional but I have my reasons for doing this. I am using Cloudflare DoH in Firefox and it works as expected. Has anyone seen traffic like this when updating packages or just doing system updates? The subdomain in the photo looks weird to me and I am loath to allow it without verifying it is legit, despite the fact the domain itself looks normal. Has anyone seen this subdomain when updating? I use OpenSnitch because I think a zero trust attitude is healthy even when using Linux at home.

Michael Lazin

.. τὸ γὰρ αὐτὸ νοεῖν ἐστίν τε καὶ εἶναι.
<Screenshot from 2025-03-18 15-19-16.png>
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug