Excessive dns.msftncsi.com DNS queries originating from Asus router?

I recently noticed an excessive number of DNS queries to dns.msftncsi.com originating from my Asus router. A quick Google search revealed that this domain is used by Microsoft to check connectivity. Ok, cool, but I would expect the queries to be originating from my Win 10 laptop, not my router. Even with my laptop powered down last night, over 1,200 DNS queries originated from my router while I slept. Now I'm both perplexed and concerned. This doesn't seem normal.

Any suggestions or help figuring out why this is happening and how to stop it short of blocking the domain would be super appreciated. Thank you.

Do all queries show as coming from your router? That domain is often used by non-Microsoft devices for the same purpose, and routers are known for slamming a domain when they don't get the response they wanted (and sometimes even when they get the expected response).

Update. Solved. My Asus router has been flashed with Merlin firmware. Apparently the firmware has some DNS probing built in. Fortunately the newest update 380.66 has a new option to turn it off.

From the Change log notes for 380.66:

  • NEW: Option to disable Wanduck's constant DNS probing
    for WAN state (Tools -> Other Settings)

Here is the actual setting: Wan: Use DNS probes to determine if WAN is up (default: Yes)

I set it to "No" and it stopped the DNS queries to dns.msftncsi.com.

I found a post on snbforums about it. According to hggomes, Very Senior Member, "From what I've understood that's to test for a working WAN connection on QiS, so if removed it will not work." As I don't use QiS, I can safely turn it off.

1 Like

Just another example of how awesome the Pi-hole system is as a network monitor. Without Pi-hole, I would have been unaware of the probing. Thanks again to the awesome dev team for creating this amazing piece of software that runs on a $5 Raspberry Pi Zero and, with the new FTL engine, is super fast and snappy.

2 Likes
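The per-client counting that exposed the router's probing in this thread, as an added example that is not part of any post here. It assumes dnsmasq-style `query[...]` log lines of the kind Pi-hole records; the sample lines, client addresses and the 60-per-hour threshold are constructed for illustration.

```python
import re
from collections import Counter

# dnsmasq query line as written to the Pi-hole log, e.g.
#   Jun  3 02:14:07 dnsmasq[1123]: query[A] dns.msftncsi.com from 192.168.1.1
QUERY_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2})\s+(?P<hour>\d{2}):\d{2}:\d{2}\s+"
    r"dnsmasq\[\d+\]:\s+query\[[^\]]+\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)$"
)

def count_probes(lines, domain="dns.msftncsi.com"):
    """Count queries for `domain`, keyed by (client, 'Mon DD HHh')."""
    domain = domain.lower().rstrip(".")
    counts = Counter()
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if not m:
            continue  # reply/forwarded/cached lines and other daemons
        if m["name"].lower().rstrip(".") != domain:
            continue
        counts[(m["client"], f"{m['mon']} {int(m['day']):2d} {m['hour']}h")] += 1
    return counts

def noisy_clients(counts, per_hour_threshold):
    """Map client -> busiest hourly count, for clients at or over the threshold."""
    worst = {}
    for (client, _hour), n in counts.items():
        worst[client] = max(worst.get(client, 0), n)
    return {c: n for c, n in worst.items() if n >= per_hour_threshold}

def constructed_sample():
    """Constructed log lines (not from the thread): a router at 192.168.1.1
    probing every 24 s for one hour, plus a laptop and unrelated traffic."""
    tag = "dnsmasq[1123]:"
    lines = []
    for i in range(150):
        mm, ss = divmod(i * 24, 60)
        lines.append(f"Jun  3 02:{mm:02d}:{ss:02d} {tag} query[A] dns.msftncsi.com from 192.168.1.1")
    lines += [
        f"Jun  3 02:00:00 {tag} forwarded dns.msftncsi.com to 192.0.2.53",
        f"Jun  3 02:00:00 {tag} reply dns.msftncsi.com is 203.0.113.10",
        f"Jun  3 09:01:10 {tag} query[A] dns.msftncsi.com from 192.168.1.50",
        f"Jun  3 09:01:11 {tag} query[AAAA] DNS.MSFTNCSI.COM from 192.168.1.50",
        f"Jun  3 09:02:00 {tag} query[A] example.com from 192.168.1.1",
    ]
    return lines

if __name__ == "__main__":
    hits = noisy_clients(count_probes(constructed_sample()), per_hour_threshold=60)
    for client, n in sorted(hits.items()):
        print(f"{client}: up to {n} probe queries in one hour")
```

Feeding it the real log instead of `constructed_sample()` shows whether the probing stops on every node after the setting is changed.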

ASUS still has the same "design flaw" in their new ZenWiFi AX TX8 mesh routers... :face_with_raised_eyebrow:

The problem is that you have to disable the probing on each node, one by one, to get rid of the problem.

Here is how:
https://www.snbforums.com/threads/constant-unwanted-traffic-to-dns-msftncsi-com-from-rt-ac66u.35367/

Or in short:

  • 1 - Enable SSH (or telnet).
  • 2 - SSH into your router and each node, one by one
    (login & pw are the same as for your web interface)
  • 3 - We're going to change the NVRAM settings, but it's worth having a look at the defaults first, so do a:
    nvram show | sort | more
  • 4 - Look for the dns_probe_content and dns_probe_host entries. These have the addresses that were giving me the problem
  • 5 - Set dns_probe_content using: nvram set dns_probe_content=127.0.0.1
  • 6 - Set dns_probe_host using: nvram set dns_probe_host="" (note "" = null, i.e. blank, i.e. not even a space)
  • 7 - Save these entries: nvram commit
  • 8 - Reboot the router/node: reboot