Find which Android app is causing so many DNS requests

My Pi Hole is saying my Android phone is causing over 3000 DNS requests for google ad services each day. I've uninstalled just about every app I can think of since it started, but the problem persists.

Is there any way to find out which app is causing the requests? I don't think Pi Hole could do it, but was wondering if anyone could think of any other method?

It doesn't seem to be causing any network issues, but battery life has definitely taken a hit lately, not sure if this is the cause

Click on 192.168.1.120. It should bring you to a filtered query log with requests only from that device. From there, look and see what's there. If you still don't know, post some of the queries here.


Use this app to monitor which app is making lots of DNS queries


Thanks yea that's what I mean, it only shows

ssl.google-analytics.com <<< main culprit

www.googleadservices.com <<< next worst

Which could be from any app

Thanks for the firewall app suggestion, I'll install that today and see what it logs

@Davey did you find out which app was making those queries?

Unfortunately not, the firewall app didn't show anything helpful, pihole tail log shows a lot of requests to amazonaws and samsung cloud, but still no closer to working out what is causing it

Samsung cloud has always been enabled to backup / sync certain data I selected and has never caused this, so not sure it's that causing it (Galaxy S7)

```
Aug 11 17:15:38 dnsmasq[27281]: query[A] okee79p5ag.execute-api.us-west-2.amazonaws.com from 192.168.1.120
Aug 11 17:15:38 dnsmasq[27281]: forwarded okee79p5ag.execute-api.us-west-2.amazonaws.com to 4.2.2.2
Aug 11 17:15:38 dnsmasq[27281]: forwarded okee79p5ag.execute-api.us-west-2.amazonaws.com to 4.2.2.1
Aug 11 17:15:38 dnsmasq[27281]: forwarded okee79p5ag.execute-api.us-west-2.amazonaws.com to 208.67.220.220
Aug 11 17:15:38 dnsmasq[27281]: forwarded okee79p5ag.execute-api.us-west-2.amazonaws.com to 208.67.222.222
Aug 11 17:15:38 dnsmasq[27281]: forwarded okee79p5ag.execute-api.us-west-2.amazonaws.com to 8.8.4.4
Aug 11 17:15:38 dnsmasq[27281]: forwarded okee79p5ag.execute-api.us-west-2.amazonaws.com to 8.8.8.8
Aug 11 17:15:38 dnsmasq[27281]: reply okee79p5ag.execute-api.us-west-2.amazonaws.com is 54.230.79.178
Aug 11 17:15:38 dnsmasq[27281]: reply okee79p5ag.execute-api.us-west-2.amazonaws.com is 54.230.79.46
Aug 11 17:15:38 dnsmasq[27281]: reply okee79p5ag.execute-api.us-west-2.amazonaws.com is 54.230.79.251
Aug 11 17:15:38 dnsmasq[27281]: reply okee79p5ag.execute-api.us-west-2.amazonaws.com is 54.230.79.14
Aug 11 17:15:38 dnsmasq[27281]: reply okee79p5ag.execute-api.us-west-2.amazonaws.com is 54.230.79.140
Aug 11 17:15:38 dnsmasq[27281]: reply okee79p5ag.execute-api.us-west-2.amazonaws.com is 54.230.79.56
Aug 11 17:15:38 dnsmasq[27281]: reply okee79p5ag.execute-api.us-west-2.amazonaws.com is 54.230.79.202
Aug 11 17:15:38 dnsmasq[27281]: reply okee79p5ag.execute-api.us-west-2.amazonaws.com is 54.230.79.183
Aug 11 17:15:40 dnsmasq[27281]: query[A] stock.todayweather.co from 192.168.1.120
Aug 11 17:15:40 dnsmasq[27281]: forwarded stock.todayweather.co to 4.2.2.2
Aug 11 17:15:40 dnsmasq[27281]: reply stock.todayweather.co is 104.236.89.221
Aug 11 17:15:44 dnsmasq[27281]: query[A] api.samsungcloud.com from 192.168.1.120
Aug 11 17:15:44 dnsmasq[27281]: cached api.samsungcloud.com is <CNAME>
Aug 11 17:15:44 dnsmasq[27281]: forwarded api.samsungcloud.com to 4.2.2.2
Aug 11 17:15:44 dnsmasq[27281]: reply api.samsungcloud.com is <CNAME>
Aug 11 17:15:44 dnsmasq[27281]: reply scloud-p2ew1-ext.elb.samsungcloud.com is 52.211.49.4
Aug 11 17:15:44 dnsmasq[27281]: reply scloud-p2ew1-ext.elb.samsungcloud.com is 52.213.189.48
Aug 11 17:15:44 dnsmasq[27281]: reply scloud-p2ew1-ext.elb.samsungcloud.com is 52.211.222.35
Aug 11 17:15:44 dnsmasq[27281]: reply scloud-p2ew1-ext.elb.samsungcloud.com is 52.213.36.61
Aug 11 17:15:44 dnsmasq[27281]: reply scloud-p2ew1-ext.elb.samsungcloud.com is 52.211.4.15
Aug 11 17:15:44 dnsmasq[27281]: reply scloud-p2ew1-ext.elb.samsungcloud.com is 52.211.2.124
Aug 11 17:15:44 dnsmasq[27281]: reply scloud-p2ew1-ext.elb.samsungcloud.com is 52.211.164.168
Aug 11 17:15:44 dnsmasq[27281]: reply scloud-p2ew1-ext.elb.samsungcloud.com is 54.171.255.0
```
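Added example, not part of any post in this thread: a tail of the log like the one above is hard to read by eye, so this sketch counts `query[...]` lines per domain for one client and reports the median gap between repeats. The function name `summarize_client` and the sample lines are constructed for illustration; only the line format is taken from the log posted above.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# dnsmasq query line as it appears in the log quoted in the thread, e.g.
# "Aug 11 17:15:38 dnsmasq[27281]: query[A] example.com from 192.168.1.120"
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[^\]]+)\] (?P<domain>\S+) from (?P<client>\S+)$"
)

def summarize_client(lines, client):
    """Return [(domain, query_count, median_gap_seconds or None)], busiest first."""
    seen = defaultdict(list)
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if not m or m["client"] != client:
            continue  # forwarded/reply/cached lines and other clients
        # The log carries no year; strptime defaults to 1900, which is fine
        # for gaps inside one log file that does not span New Year.
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        seen[m["domain"].lower()].append(ts)
    rows = []
    for domain, stamps in seen.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        rows.append((domain, len(stamps), median(gaps) if gaps else None))
    return sorted(rows, key=lambda r: (-r[1], r[0]))

# Constructed sample in the format shown in the thread (not captured data).
SAMPLE_LOG = """\
Aug 11 17:15:38 dnsmasq[27281]: query[A] ssl.google-analytics.com from 192.168.1.120
Aug 11 17:15:39 dnsmasq[27281]: query[A] ssl.google-analytics.com from 192.168.1.120
Aug 11 17:15:40 dnsmasq[27281]: query[A] stock.todayweather.co from 192.168.1.120
Aug 11 17:15:40 dnsmasq[27281]: forwarded stock.todayweather.co to 4.2.2.2
Aug 11 17:15:40 dnsmasq[27281]: reply stock.todayweather.co is 104.236.89.221
Aug 11 17:15:40 dnsmasq[27281]: query[A] ssl.google-analytics.com from 192.168.1.120
Aug 11 17:15:41 dnsmasq[27281]: query[AAAA] ssl.google-analytics.com from 192.168.1.120
Aug 11 17:15:41 dnsmasq[27281]: query[A] www.googleadservices.com from 192.168.1.50
Aug 11 17:16:10 dnsmasq[27281]: query[A] www.googleadservices.com from 192.168.1.120
Aug 11 17:16:40 dnsmasq[27281]: query[A] www.googleadservices.com from 192.168.1.120
"""

if __name__ == "__main__":
    for row in summarize_client(SAMPLE_LOG.splitlines(), "192.168.1.120"):
        print(row)
```

A domain with a high count and a median gap of a second or so points to a request being retried in a loop rather than fetched on demand. The log identifies the device and the domain only, not the app on the phone.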

Hey, I blocked all traffic (including all system apps) on my Android phone using Netguard.
Still, every second a request is made (and blocked) to ssl.google-analytics.com

I am sure this is my phone, because the requests stop when I disable WiFi on the phone or turn it off completely.

Does anyone have another idea how I can figure out what is causing this insane amount of requests?


Some hints on google search:
partly disabling google services (like playstore and music) can cause this huge amount of queries to ssl.google-analytics.com

That does not help much, but try to disable (some) blocklists for a while and see if it gets any better.

Also interested in this
I have many queries from an Android device to profile.localytics.com
And I'm struggling to find the app making the requests with any monitor type app

ah. I have LineageOS with only a very minimal amount of google services installed.
Still would be interesting to find what process exactly is making these calls (and kill it with fire)

In my last post I mentioned “partly disabling”.
With this I meant blocking by pihole.

From what I read on a Google search:

Blocking Google services might cause these requests to analytics.

With pihole disabled (pihole settings) can anyone verify if these queries become less?

It looks like the requests are less...

Still, this is only half satisfying of course:

  1. we still do not know what process is causing this.
  2. allowing google to spy on me because they were nagging so much that I disabled blocking also does not feel right

Agree, but my knowledge of android is limited.
Perhaps you can root it and play around with the host file?

Hi,

For a simple system engineer: You say you know the cause, is there a solution we can implement on the pihole?

Hi msattet,

Thanks for this workaround.

The initial question seems unanswered though.

Or are you indicating that blocking on Netguard will stop the massive amount of DNS requests?

I also had an app that was contacting Localytics every minute. I used the Exodus app to look through each of my apps to find out what trackers they were using. Turns out the culprit was the MyRogers app which is provided by my mobile service provider to track my data and airtime usage. It was pretty useful but now I've disabled it.