Excessive requests for dns.msftncsi.com


I am seeing really high numbers of requests for dns.msftncsi.com coming from my router. I know this is the domain used by windows to check connectivity. I have disabled that check in the registry for all my windows machines. I have also powered down all my windows machines and these requests do not stop. So far today these requests have averaged 25 times a minute, at a time we are all sleeping and no one is using the internet. The query log shows these requests coming from my router.

I don’t know if these requests are coming from my router (ASUS RT-AC68W) itself or another device that is using my router as it’s DNS. I have the router configured to provide the Pi as the DNS server to clients. But to also use it as the WAN DNS.

Is there any way I can see what device is causing this? I tried seraching on the internet and I cannot find other devices that use this domain that are not running windows. I have eliminated all those devices. These requests make the dashboard unusable, but do not appear to have any affect on he function of the Pi-Hole.

What Really Happens On Your Network? Find Out With Pi-hole


This is happening for me as well. There’s a request every 5 seconds.


We provide the Top Clients List which should clearly indicate what the cause of the enormous amount of queries is after a night where you think that all of your devices are turned off. That might not be working if all requests always seem to come through your router (there are more routers than you would that behave this strangely).

This sounds very extreme - do you use the same router? How many Win devices do you use? Does it stop if you switch off all of them (I hope you have a non-MS device to access the web interface while all other devices are not running).


ASUS does use a phone home capability on their routers (aiCloud is one technology.) There are a few domains that most modern ASUS routers use to check for firmware updates, and to provide “added services” for purchasers. as DL6ER mentioned, you may be able to find the culprit via the web interface on the Pi-hole, depending on how you have the router configured for DNS.


Yes, it was a problem with the Asus router.

There’s nothing to configure in the Asus web interface, but telnetting into it gave an option to shut it off.

nvram show | grep dns_probe

Shows the offending addresses. I set them to null, saved, then rebooted.

nvram set dns_probe_content=
nvram set dns_probe_host=""
nvram commit

I flushed the logs, and now dns.msftncsi.com doesn’t show up every few seconds.

There’s some information about it here: http://www.snbforums.com/threads/constant-unwanted-traffic-to-dns-msftncsi-com-from-rt-ac66u.35367/


Thanks you this resolved it all for me.


For more information:
The domain dns.msftncsi.com is used by Microsoft Windows as part of it’s Network Connectivity Status Indicator tests. This helps Windows determine if the computer is connected to the internet and display the appropriate error icon if connectivity is unavailable.

OpenDNS globally whitelists this domain because it used by the underlying Windows Operating system.

When Windows looks up the IPv6 AAAA version of this record, it does however resolve to a local / private IPv6 address. This in turn triggers the OpenDNS ‘Suspicious Response’ protection. This will cause the Umbrella Dashboard to display a ‘Suspicious Response’ warning in the Reports:


This is normal Windows behavior and is no cause for concern. The domain is on our global whitelist and will not be blocked.

From: https://support.umbrella.com/hc/en-us/articles/230564127-dns-msftncsi-com-shows-in-Security-reports