DNS requests random strings & excessive router DNS queries


Expected Behaviour:

Local devices should resolve to known names

Actual Behaviour:

I'm getting a lot of lines in the log that look like:

Sep  8 10:29:58 dnsmasq[22976]: 1958978 10.0.0.1/5991 query[A] fqjeeyzltvf.kahless from 10.0.0.1
Sep  8 10:29:58 dnsmasq[22976]: 1958978 10.0.0.1/5991 forwarded fqjeeyzltvf.kahless to 10.0.0.1
Sep  8 10:29:58 dnsmasq[22976]: 1958979 10.0.0.1/61339 query[A] miqkbgvre.kahless from 10.0.0.1
Sep  8 10:29:58 dnsmasq[22976]: 1958979 10.0.0.1/61339 forwarded miqkbgvre.kahless to 10.0.0.1
Sep  8 10:29:58 dnsmasq[22976]: 1958980 10.0.0.1/5823 query[A] jivehrko.kahless from 10.0.0.1
Sep  8 10:29:58 dnsmasq[22976]: 1958980 10.0.0.1/5823 forwarded jivehrko.kahless to 10.0.0.1

10.0.0.1 is my Asus RT-88U router and my network is named Kahless. I am running the stock firmware version 3.0.0.4.384_32738. I have disabled DNS probing as described here: Excessive requests for dns.msftncsi.com - #6 by THX2112.

I've got a Windows 10 workstation, two Samsung phones, 2 Rokus, a stereo, a DVD player, and 3 Raspberry Pis (including the Pi-hole) on my network. All of them are resolvable on my network and none of them have given me problems in the past.

Maybe related, maybe burying the lede, but in the past 24 hours something on my network has been blocked 1.5 million times.

Debug Token:

ggjpth41yh

Are you using Google Chrome on any of these clients? Chrome makes similar DNS requests, but typically in groups of six or so when you start it up.

I am. I just shut down/disconnected everything on my network except the Pi and the computer I'm typing on right now (using Chrome). I only have 3 tabs open: this one, my Pi-hole admin console, and the router config.

When I tail the log, I am no longer seeing the random character string URLs, though I am still seeing hundreds of queries per second, so maybe I need to edit the title of the post.

Are the queries you are seeing following the same pattern?

A tool that can be helpful is the Wireshark packet sniffer - it will show you all your packets from the computer, not just DNS.

It's hard to say, they're flying by pretty quickly. I've noticed queries to Facebook, although I don't use Facebook (my wife does so I don't block it). My assumption is that there is a Facebook icon or something here on the Discourse page.

I installed Wireshark, but I'm not quite sure how to interpret the results.

For patterns on the Pi-hole:

  • Lots of requests from wpad coming from the router with different CIDR netmask numbers (45180, 61241, 8754, 25339, 12141 are on my screen at the moment)
  • Lots of "Maximum number of concurrent DNS queries reached (max: 150)"

I replaced the stock ASUS firmware with Asuswrt-Merlin and the flood stopped. We'll see if it comes back, but it looks like it was the router itself.

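Added example (not part of the original thread and not Pi-hole's own code): a short Python script that tallies the `query[...]` lines of a dnsmasq log in the format posted above, per client and per second, and lists names that look like random single-label probes under the local domain. The 7-15 lowercase-letter pattern, the `known_hosts` allowlist and the function name `summarize` are assumptions made for this example; the last sample line is constructed.

```python
import re
from collections import Counter

# dnsmasq extra-logging line as posted above: timestamp, serial, client/port, query[type], name
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+dnsmasq\[\d+\]:\s+\d+\s+"
    r"(?P<client>[\d.]+)/\d+\s+query\[(?P<qtype>\w+)\]\s+(?P<name>\S+)\s+from\s+\S+$"
)
# Assumption: a probe is one label of 7-15 lowercase letters plus the local domain.
PROBE_LABEL_RE = re.compile(r"^[a-z]{7,15}$")


def summarize(lines, local_domain, known_hosts=()):
    """Return per-client totals, peak queries/second and random-looking probe names."""
    totals, per_second, probes = Counter(), Counter(), {}
    suffix = "." + local_domain.lower()
    known = {h.lower() for h in known_hosts}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip forwarded/reply/cached lines and anything not from dnsmasq
        client, name = m["client"], m["name"].lower()
        totals[client] += 1
        per_second[(client, m["ts"])] += 1
        if name.endswith(suffix):
            label = name[: -len(suffix)]
            if PROBE_LABEL_RE.match(label) and label not in known:
                probes.setdefault(client, []).append(name)
    peak = Counter()
    for (client, _), n in per_second.items():
        peak[client] = max(peak[client], n)
    return {c: {"queries": totals[c], "peak_per_second": peak[c],
                "probe_names": probes.get(c, [])} for c in totals}


# Constructed sample: three lines in the post's format plus one constructed normal lookup.
SAMPLE = """\
Sep  8 10:29:58 dnsmasq[22976]: 1958978 10.0.0.1/5991 query[A] fqjeeyzltvf.kahless from 10.0.0.1
Sep  8 10:29:58 dnsmasq[22976]: 1958978 10.0.0.1/5991 forwarded fqjeeyzltvf.kahless to 10.0.0.1
Sep  8 10:29:58 dnsmasq[22976]: 1958979 10.0.0.1/61339 query[A] miqkbgvre.kahless from 10.0.0.1
Sep  8 10:29:59 dnsmasq[22976]: 1958981 10.0.0.1/40000 query[A] raspberrypi.kahless from 10.0.0.1
""".splitlines()

if __name__ == "__main__":
    for client, stats in summarize(SAMPLE, "kahless", ["raspberrypi"]).items():
        print(client, stats)
```

Without the allowlist, an all-lowercase hostname such as `raspberrypi` also matches the pattern, so pass in the names of the devices you know are on the network.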