I am seeing really high numbers of requests for dns.msftncsi.com coming from my router. I know this is the domain used by Windows to check connectivity. I have disabled that check in the registry for all my Windows machines. I have also powered down all my Windows machines and these requests do not stop. So far today these requests have averaged 25 times a minute, at a time we are all sleeping and no one is using the internet. The query log shows these requests coming from my router.
I don't know if these requests are coming from my router (ASUS RT-AC68W) itself or another device that is using my router as its DNS. I have the router configured to provide the Pi as the DNS server to clients, but also to use it as the WAN DNS.
Is there any way I can see what device is causing this? I tried searching on the internet and I cannot find other devices that use this domain that are not running Windows. I have eliminated all those devices. These requests make the dashboard unusable, but do not appear to have any effect on the function of the Pi-Hole.
We provide the Top Clients List which should clearly indicate what the cause of the enormous amount of queries is after a night where you think that all of your devices are turned off. That might not be working if all requests always seem to come through your router (there are more routers than you would think that behave this strangely).
This sounds very extreme - do you use the same router? How many Win devices do you use? Does it stop if you switch off all of them (I hope you have a non-MS device to access the web interface while all other devices are not running).
ASUS does use a phone home capability on their routers (aiCloud is one technology). There are a few domains that most modern ASUS routers use to check for firmware updates, and to provide "added services" for purchasers. As DL6ER mentioned, you may be able to find the culprit via the web interface on the Pi-hole, depending on how you have the router configured for DNS.
For more information:
The domain dns.msftncsi.com is used by Microsoft Windows as part of its Network Connectivity Status Indicator tests. This helps Windows determine if the computer is connected to the internet and display the appropriate error icon if connectivity is unavailable.
OpenDNS globally whitelists this domain because it is used by the underlying Windows Operating system.
When Windows looks up the IPv6 AAAA version of this record, it does however resolve to a local / private IPv6 address. This in turn triggers the OpenDNS 'Suspicious Response' protection. This will cause the Umbrella Dashboard to display a 'Suspicious Response' warning in the Reports.
This is normal Windows behavior and is no cause for concern. The domain is on our global whitelist and will not be blocked.
I know this is an old thread but a recent change in pihole behaviour has triggered issues on my Windows system and I felt it relevant and informative to update people of my discovery.
For a few days I've been getting messages stating I'm not connected to the internet (from my Win7 LAN connectivity systray notification icon and within the network map in the network and sharing center). I of course did have internet connectivity but was left scratching my head about this change in behaviour.
I also kept getting prompts about "Additional Logon Information May Be Required".
I wasn't aware about the network checks that Windows performs, including trying to retrieve the text file at www.msftncsi.com.
I don't know when the domain was added to this list but pihole started blocking on Sunday 25 March 2018, when it updated its lists and did its weekly update check. Prior to then the domain has been permitted.
I've since whitelisted www.msftncsi.com in pihole and this has pretty much dealt with the 'not connected to internet' messages.
Pihole is forwarding requests for www.msftncsi.com from my Win7 client around every 35 seconds, which seems excessive to me (since connectivity has been established) but thankfully doesn't match your dns.msftncsi.com experiences!
Anyway, hope this helps anyone getting these silly Windows messages about non-connectivity.
Could anyone corroborate the repeated DNS requests for www.msftncsi.com that I've reported?
Though whitelisting www.msftncsi.com seems to deal with the Windows 'not connected to internet' issues, I believe pihole is somehow triggering the repeated DNS requests.
I've concluded this by bypassing pihole and using alternative DNS services while tracking traffic using wireshark.
I also examined the long term logs for pihole and the incessant polling began exactly when pihole started blocking www.msftncsi.com. I've checked for other obvious system changes (i.e. software installations, windows updates, driver changes, etc) and nothing else coincides.
If I'm right, is there any way to stop this unnecessary polling (outside of non-options like not using pihole or disabling the Windows NCSI checks, etc)?
I'm confused though - pihole is forwarding the request, so presumably is returning what Windows is looking for (though the repeated requests would imply otherwise).
According to wireshark, my Windows client is requesting resolution and pihole is then returning it (going on the source & destination IPs and the packet info).
The pihole admin console is also reporting that the DNS requests are being forwarded (status is "ok (forwarded)").
More than likely there is an interval somewhere in Windows that was increased by not being able to reach that domain. I don't know how to turn that back down.
But it can reach it (I thought), as it's been whitelisted?
And it could reach it historically too, before the domain in question got onto the github block list - requests were of a normal frequency at that time.
Based on the status, yes, it can reach it, but when it got added to the blocklists the interval increased. I doubt MS has a method in place to decrease it ... probably a registry value somewhere.
I spent a couple months trying to resolve the "no internet" warning on my Windows 10 computer. I had blacklisted the URL because it was showing up so frequently in the Pi-hole log. I hadn't considered the blacklisted URL was the problem. When I whitelisted the URL, the "no internet" warning disappeared.
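The two questions raised in this thread (which client is sending the msftncsi.com lookups, and how often) can be answered from the query log itself. The following is an added example, not code from the thread or from the Pi-hole project; it assumes the dnsmasq-style `query[...] name from client` lines that Pi-hole logs, and the sample lines and addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# dnsmasq-style "query" line; other line types (forwarded, reply) are ignored.
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+dnsmasq\[\d+\]:\s+"
    r"query\[(?P<qtype>\w+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)\s*$"
)

# Constructed sample lines (not taken from the thread).
SAMPLE_LOG = """\
Mar 25 03:00:00 dnsmasq[812]: query[A] dns.msftncsi.com from 192.168.1.1
Mar 25 03:00:00 dnsmasq[812]: forwarded dns.msftncsi.com to 192.0.2.53
Mar 25 03:00:02 dnsmasq[812]: query[AAAA] dns.msftncsi.com from 192.168.1.1
Mar 25 03:00:05 dnsmasq[812]: query[A] www.msftncsi.com from 192.168.1.23
Mar 25 03:00:05 dnsmasq[812]: query[A] dns.msftncsi.com from 192.168.1.1
Mar 25 03:00:07 dnsmasq[812]: query[A] dns.msftncsi.com from 192.168.1.1
Mar 25 03:00:40 dnsmasq[812]: query[A] www.msftncsi.com from 192.168.1.23
Mar 25 03:01:15 dnsmasq[812]: query[A] www.msftncsi.com from 192.168.1.23
"""

def profile_domain(log_text, domain, year=2018):
    """Return {client: {"count": n, "median_gap_s": seconds or None}} for one domain."""
    seen = defaultdict(list)
    wanted = domain.lower().rstrip(".")
    for line in log_text.splitlines():
        m = QUERY_RE.match(line.strip())
        if not m or m["name"].lower().rstrip(".") != wanted:
            continue
        # The log lines carry no year, so supply one to build a full timestamp.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        seen[m["client"]].append(ts)
    report = {}
    for client, stamps in seen.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        report[client] = {"count": len(stamps),
                          "median_gap_s": median(gaps) if gaps else None}
    return report

if __name__ == "__main__":
    for name in ("dns.msftncsi.com", "www.msftncsi.com"):
        for client, stats in profile_domain(SAMPLE_LOG, name).items():
            print(name, client, stats)
```

The client column is only the source address Pi-hole sees, so when the router relays lookups for its clients, every query is attributed to the router and the originating device has to be identified on the router side.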