Bye bye "a.root-servers.net" from my TP-Link router

Since I have been running Pi-hole I have been watching the Dashboard page quite often. Very interesting are the top permitted domains. There was this a.root-server.net on the top with about 2800 requests a day, one every 30s. The requests were coming from my 2nd router, a TP-Link. Googling didn't help much; some people knew about it but had no solutions. Blocking it may cause the device to go nuts? Well, I decided to flash the firmware to DD-WRT and it's over now, no requests anymore and the router works as well as or better than before, so why is TP-Link doing it? Cheers

Was it root-server or root-servers.net?

The a.root-servers.net is actually a root server, managed by VeriSign (real deal).

If your stock firmware was calling that domain, well, that was kind of a good thing.

Why? Well, because that is the "signature" of a DNS server that was actually querying the IP of the root servers (for some internal stuff like maybe a built-in DNS server, a service monitoring thing, or maybe something else).

Having that request show up in your logs was not something that should be alarming. Might be a bad way to check for service status or whatever, but by no means alarming.

If, however, the domain was without the s, then yeah, something very fishy was going on there... (the root-server.net is owned by a company in Honduras and that is definitely not a valid root server).

3 Likes

Good morning @RamSet, thanks for your opinion.
It was a.root-servers.net, sorry for the typo. Agreed, it was looking for some stuff; I set the DNS statically but it still was trying to contact it for whatever reason. Maybe it's checking for outside world connectivity every 30 sec? I'm not using any DDNS services either. Yes, the requests were not alarming, but it seems only the TP-Link router is doing this, as my other non-TP-Link routers are quiet. Personally I feel better with a quiet router, but that's everyone's own decision. Next target: my TV box (api.ibm.xtify.com).
Cheers and have a nice day

1 Like

I had an issue with a TP-Link device... a Wi-Fi extender that was making an obscenely high number of requests to NTP servers and a.root-servers.net
See this thread here

In the end I got rid of the TP-Link device.

Mine is quiet now, not a peep. Try other firmware: DD-WRT, Tomato... Cheers

Unfortunately, the device I had had no capability to flash custom firmware / I couldn't find anything compatible.

I noticed the same thing, tons of queries made to www.tp-link.com - no NTP pointing there, even noip dyndns I switched off, pointed to OpenDNS instead, no remote access nor email notifications - I can only think of firmware upgrades, but every minute seems well beyond any necessity.

I experienced the same behavior today, with two sites - www.tp-link.com and a.root-servers.net with more or less the same count of queries. Both of them did 20% of all queries and that was too much.
No investigation was needed, my TP-Link AC1750 was too curious. What did it do with the results, I do not know. What to do now...

  • Let Pi-hole be the DNS for the box => unnecessary queries and traffic too, statistics will be distorted. No.
  • Let the AC1750 use 8.8.8.8 as its own DNS server and provide Pi-hole as DNS for DHCP clients. No, I do not want to collect data for TP-Link.
  • Let the AC1750 use 0.0.0.0. No, it will not accept it.
  • Let the AC1750 use some free IP on my LAN as its own DNS server. Yes, I use it now. If the router behaves in some strange way, I will look for another solution. DHCP still pushes Pi-hole as DNS.
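
Added example, not part of any post in this thread: one way to confirm from a dnsmasq-format Pi-hole query log which client asks for a domain at a fixed interval, as with the 30-second a.root-servers.net queries described above. The log lines, IP addresses and thresholds are constructed for illustration, and the year is an assumption because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# dnsmasq query line in the form Pi-hole writes to its query log
QUERY = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) dnsmasq\[\d+\]: query\[(\w+)\] (\S+) from (\S+)$")

def find_beacons(lines, min_hits=5, max_jitter=2.0, year=2024):
    """Return {(client, domain): (hits, median_gap_s)} for pairs queried at a steady interval."""
    seen = defaultdict(list)
    for line in lines:
        m = QUERY.match(line.strip())
        if not m:
            continue  # skip forwarded/reply/cached lines, only queries carry the client
        ts, _qtype, domain, client = m.groups()
        # syslog timestamps have no year; `year` is an assumed value
        when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
        seen[(client, domain.lower())].append(when)
    beacons = {}
    for key, times in seen.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # a timer-driven check has near-constant gaps; human browsing does not
        if pstdev(gaps) <= max_jitter:
            beacons[key] = (len(times), median(gaps))
    return beacons

def sample_log():
    """Constructed sample: 192.168.1.2 stands in for the router, 192.168.1.50 for a normal client."""
    lines = []
    for i in range(8):  # one query every 30 s
        mm, ss = divmod(i * 30, 60)
        lines.append(f"Mar  3 10:{mm:02d}:{ss:02d} dnsmasq[812]: query[A] a.root-servers.net from 192.168.1.2")
    for hhmmss in ("10:00:04", "10:00:51", "10:01:02", "10:02:40", "10:03:29"):  # irregular
        lines.append(f"Mar  3 {hhmmss} dnsmasq[812]: query[A] example.org from 192.168.1.50")
    lines.append("Mar  3 10:00:04 dnsmasq[812]: forwarded example.org to 9.9.9.9")  # not a query
    return lines

if __name__ == "__main__":
    for (client, domain), (hits, gap) in find_beacons(sample_log()).items():
        print(f"{client} -> {domain}: {hits} queries, one every {gap:.0f}s")
```

On a real log, pass the file's lines to `find_beacons` and raise `max_jitter` if the device's timer drifts by more than a couple of seconds.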