DNS queries with appended "multi.box" in Pi-hole Log

Hello, name's Gwen, and I am new here. Hope it's ok to ask. Running a freshly set up Pi-hole in a fairly standard configuration and need help interpreting a line in the logs that I can't seem to find help with elsewhere.

My Synology NAS occasionally turns up in the Pi-hole log not only querying their expected domain e.g.

update.synology.com

but also

update.synology.com.multi.box

What is the "multi.box" part, and what does it do?

Any DNS client can decide to append a resolution request for a given domain by the local/search domain, e.g. an nslookup may result in up to four DNS queries registering in Pi-hole's Query Log, requesting A and AAAA records for the given as well as for the expanded domain.

Likely, multi.box is your local/search domain, as usually distributed by your router, in which case your observation would be normal.

Right. Unfortunately multi.box seems to be a registered domain, and it isn't my local search domain either.

Thanks for the explanation! So not sure why the Synology affixes this, will have to investigate.

It does, and it looks crypto-currency related. It is possible that there may be crypto-mining or other malware running on your NAS.

It may be just a coincidence.

But in case you haven't already I would suggest ensuring that the NAS firmware is current (Download Center | Synology Inc.), and that your device is still supported (https://www.synology.com/en-us/products/status).

Yes, I think I traced it to an old entry in some resolv.conf or DHCP cache that lingered there from a previous router and never got reset.

Luckily the DNS queries with appendix didn't resolve, as far as I can tell. However, it's obviously theoretically possible that they could have resolved in the past.

System's up to date, of course, but it did try these DNS appendices for the last couple of years, so ... in theory someone could have mirrored an evil update server under these domains.

I take this to be rather unlikely... fingers crossed.
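
The search-domain expansion discussed in this thread can be found mechanically in a Pi-hole query log. The following is an added example, not part of the original thread: it pairs each queried name with the same name plus an appended suffix, per client, and reports suffixes that are not an expected local domain. The sample log lines, client IPs, the expected domain `lan`, and the function names are constructed assumptions; the line format assumed is dnsmasq's `query[TYPE] name from client`.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the dnsmasq log format Pi-hole writes (not real log data).
SAMPLE_LOG = """\
Jan 10 08:00:01 dnsmasq[411]: query[A] update.synology.com from 192.168.1.20
Jan 10 08:00:01 dnsmasq[411]: query[AAAA] update.synology.com from 192.168.1.20
Jan 10 08:00:02 dnsmasq[411]: query[A] update.synology.com.multi.box from 192.168.1.20
Jan 10 08:00:02 dnsmasq[411]: query[AAAA] update.synology.com.multi.box from 192.168.1.20
Jan 10 08:05:00 dnsmasq[411]: query[A] printer.lan from 192.168.1.31
Jan 10 08:05:00 dnsmasq[411]: query[A] pool.ntp.org from 192.168.1.31
Jan 10 08:05:01 dnsmasq[411]: query[A] pool.ntp.org.lan from 192.168.1.31
Jan 10 08:05:02 dnsmasq[411]: reply pool.ntp.org is 192.0.2.10
"""

# Matches e.g. "query[A] update.synology.com from 192.168.1.20"
QUERY_RE = re.compile(r"query\[([^\]]+)\] (\S+) from (\S+)")


def appended_suffixes(log_text):
    """Return {client: Counter(suffix)} for names that equal another name
    queried by the same client plus an appended suffix."""
    names = defaultdict(set)
    for m in QUERY_RE.finditer(log_text):
        names[m.group(3)].add(m.group(2).lower().rstrip("."))
    found = defaultdict(Counter)
    for client, seen in names.items():
        for name in seen:
            labels = name.split(".")
            # Try every split point: leading labels = base, the rest = suffix.
            for i in range(1, len(labels)):
                base, suffix = ".".join(labels[:i]), ".".join(labels[i:])
                if base in seen:
                    found[client][suffix] += 1
    return found


def unexpected_suffixes(log_text, expected=("lan",)):
    """List (client, suffix, count) for suffixes that are not an expected local domain."""
    hits = []
    for client, counts in appended_suffixes(log_text).items():
        for suffix, n in counts.items():
            if suffix not in expected:
                hits.append((client, suffix, n))
    return sorted(hits)


if __name__ == "__main__":
    for client, suffix, n in unexpected_suffixes(SAMPLE_LOG):
        print(f"{client}: {n} name(s) expanded with unexpected suffix '{suffix}'")
```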