Since I running Pi-hole I watching the Dashboard page quiet often. Very interesting are the top permitted domains. There was this a.root-server.net on the top with about 2800 requests a day, every 30s one. The requests were coming from my 2nd router a TP-link. Googling didn't help much, some people knew about but no solutions. Blocking it may causes the device going nuts?, well I decided to flash firmware to DD-wrt and its over now, no requests anymore and the router works as good or better than before, so why is tp-link doing it? cheers
Was it root-server or root-servers.net ?
The a.root-servers.net is actually a root server, managed by VeriSign (real deal).
If your stock firmware was calling that domain, well, that was kind of a good thing.
Why ? Well because that is the "signature" of a DNS server that was actually querying the IP of the root servers (for some internal stuff like maybe a built in DNS server, a service monitoring thing, or maybe something else).
Having that request show up in your logs was not something that should be alarming. Might be a bad way to check for service status or whatever but by no means, alarming.
IF however the domain was without the s, then yeah, something very fishy was going on there ... (the root-server.net is owned by a company in Honduras and that is definitely not a valid root server).
3 Likes
Good morning @RamSet, thanks for your opinion.
it was a.root-servers.net , sorry for typo. Agree it was looking for some stuff, I set the DNS statically but it still was trying to contact for whatever reason. May it's checking for outside world connectivity every 30 sec? I'm not using any DDNS services either. Yes the requests were not alarming but it seems only tp-link router doing this as my other non tp-link routers are quiet. Personally I feel better with a quiet router but that's everyone's own decision. Next target my tvbox( [api.ibm.xtify.com]
cheers and have a nice day
1 Like
I had an issue with a TP Link device....a wifi extender that was making an obscenely high number of requests to ntp servers and a.root-servers.net
See this thread here
In the end I got rid of the TP-Link device.
Mine is quiet now not a pips, try other firmware, ddwrt, tomato ...........cheers
unfortunately the device I had had no capability to flash custom firmware / I couldn't find anything compatible.
i noticed the same thing , tons of queries made to www.tp-link.com - no ntp pointing there , even noip dyndns i switch off pointed to opendns instead , no remote access nor email notifications - I can only think of firmware upgrades but every minute seems well beyond any necessity .
I experienced the same behavior today, with two sites - www.tp-link.com and a.root-servers.net with more-less the same count of queries. Both of them did 20% of all queries and that was too much.
No investigation was needed, my TP Link AC1750 was too curios. What did it do with the results, I do not know. What to do now...
- let pi-hole as DNS for the box => unnecessary queries and traffic too, statistics will be distorted. No.
- let AC1750 use 8.8.8.8 as own DNS server and provide pi-hole as DNS for DHCP clients. No, I do not want to collect data for TP Link.
- let AC1750 use 0.0.0.0. No, it will not accept it.
- let AC1750 use some free IP on my LAN as own DNS server. Yes, I use it now. If the router will behave some strange way, I will look for other solution. DHCP still pushes pi-hole as DNS.
I know it's a old thread. But I think it's very important to understand how DNS is working. Especially all the people who are using Pi-hole.
The administration of the Domain Name System (DNS) is structured in a hierarchy using different managed areas or “zones”, with the root zone at the very top of that hierarchy. Root servers are DNS nameservers that operate in the root zone.
These servers can directly answer queries for records stored or cached within the root zone, and they can also refer other requests to the appropriate Top Level Domain (TLD) server. The TLD servers are the DNS server group one step below root servers in the DNS hierarchy, and they are an integral part of resolving DNS queries.
Letter 'A' root server is called a.root-servers.net, with IP 198.41.0.4 (and 2001:503:ba3e::2:30 in IPV6). This is a valid server and operated by Verisign from the US.
See also: Root name server - Wikipedia
Limitations in the original architecture of DNS require there to be a maximum of 13 server addresses in the root zone. In the early days of the Internet, there was only one server for each of the 13 IP addresses. So that is why you only see 13 root name servers displayed on that wiki page ('A' until the letter 'M'). Using anycasted there are more servers, but one way or another there are 13 IPs as root name servers. And most of them are in the US.
Since the DNS root zone is at the top of the DNS hierarchy, recursive resolvers cannot be directed to them in a DNS lookup. Because of this, every DNS resolver has a list of the 13 IP root server addresses built into its software.