Excessive requests for dns.msftncsi.com


#1

I am seeing really high numbers of requests for dns.msftncsi.com coming from my router. I know this is the domain used by windows to check connectivity. I have disabled that check in the registry for all my windows machines. I have also powered down all my windows machines and these requests do not stop. So far today these requests have averaged 25 times a minute, at a time we are all sleeping and no one is using the internet. The query log shows these requests coming from my router.

I don’t know if these requests are coming from my router (ASUS RT-AC68W) itself or another device that is using my router as it’s DNS. I have the router configured to provide the Pi as the DNS server to clients. But to also use it as the WAN DNS.

Is there any way I can see what device is causing this? I tried seraching on the internet and I cannot find other devices that use this domain that are not running windows. I have eliminated all those devices. These requests make the dashboard unusable, but do not appear to have any affect on he function of the Pi-Hole.


What Really Happens On Your Network? Find Out With Pi-hole
#2


#3

This is happening for me as well. There’s a request every 5 seconds.


#4

We provide the Top Clients List which should clearly indicate what the cause of the enormous amount of queries is after a night where you think that all of your devices are turned off. That might not be working if all requests always seem to come through your router (there are more routers than you would that behave this strangely).

This sounds very extreme - do you use the same router? How many Win devices do you use? Does it stop if you switch off all of them (I hope you have a non-MS device to access the web interface while all other devices are not running).


#5

ASUS does use a phone home capability on their routers (aiCloud is one technology.) There are a few domains that most modern ASUS routers use to check for firmware updates, and to provide “added services” for purchasers. as DL6ER mentioned, you may be able to find the culprit via the web interface on the Pi-hole, depending on how you have the router configured for DNS.


#6

Yes, it was a problem with the Asus router.

There’s nothing to configure in the Asus web interface, but telnetting into it gave an option to shut it off.

nvram show | grep dns_probe

Shows the offending addresses. I set them to null, saved, then rebooted.

nvram set dns_probe_content=0.0.0.0
nvram set dns_probe_host=""
nvram commit
reboot

I flushed the logs, and now dns.msftncsi.com doesn’t show up every few seconds.

There’s some information about it here: http://www.snbforums.com/threads/constant-unwanted-traffic-to-dns-msftncsi-com-from-rt-ac66u.35367/


DNS requests random strings & excessive router DNS queries
#7

Thanks you this resolved it all for me.


#8

For more information:
The domain dns.msftncsi.com is used by Microsoft Windows as part of it’s Network Connectivity Status Indicator tests. This helps Windows determine if the computer is connected to the internet and display the appropriate error icon if connectivity is unavailable.

OpenDNS globally whitelists this domain because it used by the underlying Windows Operating system.

When Windows looks up the IPv6 AAAA version of this record, it does however resolve to a local / private IPv6 address. This in turn triggers the OpenDNS ‘Suspicious Response’ protection. This will cause the Umbrella Dashboard to display a ‘Suspicious Response’ warning in the Reports:

msftncsi.png

This is normal Windows behavior and is no cause for concern. The domain is on our global whitelist and will not be blocked.

From: https://support.umbrella.com/hc/en-us/articles/230564127-dns-msftncsi-com-shows-in-Security-reports


#9

hi all

i know this is an old thread but a recent change in pihole behaviour has triggered issues on my windows system and i felt it relevant and informative to update people of my discovery.

For a few days I’ve been getting messages stating I’m not connected to the internet (from my Win7 LAN connectivity systray notification icon and within the network map in the network and sharing center). I of course did have internet connectivity but was left scratching my head about this change in behaviour.

I also kept getting prompts about “Additional Logon Information May Be Required”.

I wasn’t aware about the network checks that windows performs, including trying to retrieve the text file at www.msftncsi.com

Anyway, it appears that www.msftncsi.com is now on one of the blocklists that pihole uses (https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts).

I don’t know when the domain was added to this list but pihole started blocking on sunday 25 march 2018, when it updated its lists and did its weekly update check. Prior to then the domain has been permitted.

I’ve since whitelisted www.msftncsi.com in pihole and this has pretty much dealt with the ‘not connected to internet’ messages.

Pihole is forwarding requests for www.msftncsi.com from my win7 client around every 35 seconds, which seems excessive to me (since connectivity has been established) but thankfully doesn’t match your dns.msftncsi.com experiences!

Anyway, hope this helps anyone getting this silly windows messages about non-connectivity.

regards,

Gary


#10

To our german readers, there is already a posting by @wd9895


#11

Could anyone corroborate the repeated dns requests for www.msftncsi.com that I’ve reported?

Though whitelisting www.msftncsi.com seems to deal with the windows ‘not connected to internet’ issues, I believe pihole is somehow triggering the repeated DNS requests.

I’ve concluded this by bypassing pihole and using alternative DNS services while tracking traffic using wireshark.

I also examined the long term logs for pihole and the incessant polling began exactly when pihole started blocking www.msftncsi.com. I’ve checked for other obvious system changes (i.e. software installations, windows updates, driver changes, etc) and nothing else coincides.

If I’m right, is there any way to stop this unnecessary polling (outside of non-options like not using pihole or disabling the Windows NCSI checks, etc)?

Regards,

Gary


#12

The reason it seems to be an exponetially growing number is when the domain is not reached it tries agin … and again… and again

you can use the audti log feature to remove it from your logging pages although that may be more superficial than what you are looking for


#13

thanks for the super quick reply.

I’m confused though - pihole is forwarding the request, so presumably is returning what windows is looking for (though the repeated requests would imply otherwise).

According to wireshark, my windows client is requesting resolution and pihole is then returning it (going on the source & destination IPs and the packet info).

The pihole admin console is also reporting that the DNS requests are being forwarded (status is “ok (forwarded)”)


#14

more than likely there is a interval somewhere in windows that was increased by not being able to reach that domain. i don’t know how to turn that back down


#15

But it can reach it (i thought), as it’s been whitelisted?

And it could reach it historically too, before the domain in question got onto the github block list - requests were of a normal frequency at that time.


#16

based on the status yes it can reach it but when it got added to the blocklists the interval increased i doubt MS has a method i place to decrease it … probably a registry value somewhere


#17

What happens after changing a value in the registry?

HKLM\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet -> EnableActiveProbing = 0


#18

hi

this stops the windows connectivity check process.

Basically, this results in windows reporting you are connected to the internet, even if you are not.

This would stop the repeated DNS requests but defeats the purpose of the LAN connectivity info.

What is annoying is that the connectivity check worked fine with pihole before www.msftncsi.com ended up on the block list.

Can the github domains blocklist be edited to remove entries? I’m a complete noob with linux but could probably follow instructions.

Having said this, I don’t understand why whitelisting doesn’t return behaviour to normal - could you query with the pihole devs?

regards,

Gary


#19

Just to update / bring things to close.

This was resolved by the URL in question being removed from the block list by the list provider.

Regards,

Gary


#20

I spent a couple months trying to resolve the “no internet” warning on my Windows 10 computer. I had blacklisted the URL because it was showing up so frequently in the Pi-hole log. I hadn’t considered the blacklisted URL was the problem. When I whitelisted the URL, the “no internet” warning disappeared.