I believe I'm being attacked with DNS queries, should I be worried?

Here is a screenshot of what I am able to see. Within the last 15 minutes I've manually added the ibkc.int domain to my block list; the number of accepted queries has stopped and now the block numbers are growing.

Now that the problem has been blocked, could there have been any vulnerability/stolen data or rather are these just attempts?

The pihole is running with an ASUS router (router is the DHCP server) with maybe ~50 devices on my network.

Here's a screenshot of what I can see in the dashboard.

Do you have conditional forwarding enabled? Which client is making all these queries?

I do not believe so, attached is a photo of the settings page within the admin portal.

Also, all I can see in the dashboard is the router and its IP (screenshot also attached below). I will go through the logs now and see if I can get any additional details.

Thank you!

This is what the logs look like; there are about 4-5 million of these 6 lines in total within the last 24 hours:

May 23 06:11:15 dnsmasq[26109]: cached _ldap._tcp.dc._msdcs.ibkc.int is NXDOMAIN
May 23 06:11:15 dnsmasq[26109]: query[SRV] _ldap._tcp.d34ced7d-13c0-43ac-9a98-6b140556fef0.domains._msdcs.ibkc.int from 192.168.1.1
May 23 06:11:15 dnsmasq[26109]: cached _ldap._tcp.d34ced7d-13c0-43ac-9a98-6b140556fef0.domains._msdcs.ibkc.int is NXDOMAIN
May 23 06:11:15 dnsmasq[26109]: query[SRV] _ldap._tcp.999-IBDC1._sites.dc._msdcs.ibkc.int from 192.168.1.1
May 23 06:11:15 dnsmasq[26109]: cached _ldap._tcp.999-IBDC1._sites.dc._msdcs.ibkc.int is NXDOMAIN
May 23 06:11:15 dnsmasq[26109]: query[SRV] _ldap._tcp.dc._msdcs.ibkc.int from 192.168.1.1
May 23 06:11:15 dnsmasq[26109]: cached _ldap._tcp.dc._msdcs.ibkc.int is NXDOMAIN
May 23 06:11:15 dnsmasq[26109]: query[SRV] _ldap._tcp.d34ced7d-13c0-43ac-9a98-6b140556fef0.domains._msdcs.ibkc.int from 192.168.1.1
May 23 06:11:15 dnsmasq[26109]: cached _ldap._tcp.d34ced7d-13c0-43ac-9a98-6b140556fef0.domains._msdcs.ibkc.int is NXDOMAIN
May 23 06:11:15 dnsmasq[26109]: query[SRV] _ldap._tcp.999-IBDC1._sites.dc._msdcs.ibkc.int from 192.168.1.1
May 23 06:11:15 dnsmasq[26109]: cached _ldap._tcp.999-IBDC1._sites.dc._msdcs.ibkc.int is NXDOMAIN
May 23 06:11:15 dnsmasq[26109]: query[SRV] _ldap._tcp.dc._msdcs.ibkc.int from 192.168.1.1
May 23 06:11:15 dnsmasq[26109]: cached _ldap._tcp.dc._msdcs.ibkc.int is NXDOMAIN
May 23 06:11:15 dnsmasq[26109]: query[SRV] _ldap._tcp.d34ced7d-13c0-43ac-9a98-6b140556fef0.domains._msdcs.ibkc.int from 192.168.1.1
May 23 06:11:15 dnsmasq[26109]: cached _ldap._tcp.d34ced7d-13c0-43ac-9a98-6b140556fef0.domains._msdcs.ibkc.int is NXDOMAIN
May 23 06:11:15 dnsmasq[26109]: query[SRV] _ldap._tcp.999-IBDC1._sites.dc._msdcs.ibkc.int from 192.168.1.1
May 23 06:11:15 dnsmasq[26109]: cached _ldap._tcp.999-IBDC1._sites.dc._msdcs.ibkc.int is NXDOMAIN
May 23 06:11:15 dnsmasq[26109]: query[SRV] _ldap._tcp.dc._msdcs.ibkc.int from 192.168.1.1
May 23 06:11:15 dnsmasq[26109]: cached _ldap._tcp.dc._msdcs.ibkc.int is NXDOMAIN

It seems these requests come from a Microsoft domain controller for the domain ibkc.int.

I would suggest providing the Pi-hole's IP as DNS server via DHCP to the clients in your LAN so you can figure out which device is generating these requests. Currently it seems that you have only set your Pi-hole as upstream DNS server for your router. So each client first asks your router, which in turn asks your Pi-hole. This is why you only see two clients in your network table.
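As an added example (not from this thread and not part of Pi-hole itself), the following Python script does the triage the reply above describes: it parses dnsmasq/Pi-hole query and answer lines like the ones posted, recognises Active Directory DC-locator SRV names (the `_ldap._tcp....._msdcs.<domain>` pattern a domain-joined Windows machine or a domain controller uses to find a DC, here for `ibkc.int`), attributes queries per client, and flags the situation where every query arrives from the router so that the real device cannot be identified. The sample log is partly copied from the excerpt above and partly constructed (the 192.168.1.20 client and the www.example.com lookup are made up); the gateway address 192.168.1.1 is taken from the thread.

```python
import re
from collections import Counter, defaultdict

# dnsmasq "query" lines carry the client IP; answer lines ("cached", "reply",
# "config") only carry the name and the answer.
QUERY_RE = re.compile(
    r"dnsmasq\[\d+\]: query\[(?P<qtype>[A-Z0-9]+)\] (?P<qname>\S+) from (?P<client>\S+)$"
)
ANSWER_RE = re.compile(
    r"dnsmasq\[\d+\]: (?:cached|reply|config) (?P<qname>\S+) is (?P<answer>\S+)$"
)

# Active Directory DC-locator SRV names: _ldap/_kerberos/_gc/_kpasswd under
# _tcp/_udp, optionally qualified by a site (._sites.) or the _msdcs subtree,
# followed by the AD domain name.
DC_LOCATOR_RE = re.compile(
    r"^_(?:ldap|kerberos|gc|kpasswd)\._(?:tcp|udp)\."
    r"(?:.*\._(?:msdcs|sites)\.)?(?P<domain>.+)$",
    re.IGNORECASE,
)

# Constructed sample: the first six lines are from the thread's log excerpt,
# the remaining lines (client 192.168.1.20, www.example.com) are made up.
SAMPLE_LOG = """\
May 23 06:11:15 dnsmasq[26109]: query[SRV] _ldap._tcp.dc._msdcs.ibkc.int from 192.168.1.1
May 23 06:11:15 dnsmasq[26109]: cached _ldap._tcp.dc._msdcs.ibkc.int is NXDOMAIN
May 23 06:11:15 dnsmasq[26109]: query[SRV] _ldap._tcp.d34ced7d-13c0-43ac-9a98-6b140556fef0.domains._msdcs.ibkc.int from 192.168.1.1
May 23 06:11:15 dnsmasq[26109]: cached _ldap._tcp.d34ced7d-13c0-43ac-9a98-6b140556fef0.domains._msdcs.ibkc.int is NXDOMAIN
May 23 06:11:15 dnsmasq[26109]: query[SRV] _ldap._tcp.999-IBDC1._sites.dc._msdcs.ibkc.int from 192.168.1.1
May 23 06:11:15 dnsmasq[26109]: cached _ldap._tcp.999-IBDC1._sites.dc._msdcs.ibkc.int is NXDOMAIN
May 23 06:11:16 dnsmasq[26109]: query[A] www.example.com from 192.168.1.20
May 23 06:11:16 dnsmasq[26109]: forwarded www.example.com to 9.9.9.9
May 23 06:11:16 dnsmasq[26109]: reply www.example.com is 93.184.216.34
"""


def parse_line(line):
    """Return a dict for a dnsmasq query or answer line, or None for any other line."""
    m = QUERY_RE.search(line)
    if m:
        return {"kind": "query", **m.groupdict()}
    m = ANSWER_RE.search(line)
    if m:
        return {"kind": "answer", **m.groupdict()}
    return None


def ad_domain(qname):
    """AD domain an SRV name is locating DCs for, or None if it is not a DC-locator name."""
    m = DC_LOCATOR_RE.match(qname.rstrip("."))
    return m.group("domain").lower() if m else None


def summarize(lines, gateway):
    """Per-client query counts and DC-locator activity, plus NXDOMAIN counts per name."""
    clients = defaultdict(lambda: {"queries": 0, "dc_locator": 0, "ad_domains": set()})
    nxdomain = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "query":
            c = clients[rec["client"]]
            c["queries"] += 1
            domain = ad_domain(rec["qname"])
            if rec["qtype"] == "SRV" and domain:
                c["dc_locator"] += 1
                c["ad_domains"].add(domain)
        elif rec["answer"] == "NXDOMAIN":
            nxdomain[rec["qname"]] += 1
    return {
        "clients": {
            ip: {**c, "ad_domains": sorted(c["ad_domains"])} for ip, c in clients.items()
        },
        "nxdomain_by_name": dict(nxdomain),
        # If every query arrives from the router, the LAN clients are using the
        # router as their resolver and Pi-hole cannot see which device is behind
        # the storm; hand out Pi-hole's IP via DHCP instead.
        "only_gateway_seen": bool(clients) and set(clients) == {gateway},
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG.splitlines(), gateway="192.168.1.1")
    for ip, info in result["clients"].items():
        print(ip, info)
    print("NXDOMAIN:", result["nxdomain_by_name"])
    print("only gateway seen:", result["only_gateway_seen"])
```

Run it against the real Pi-hole log instead of the embedded sample by reading the file's lines into `summarize()`; the log path depends on the Pi-hole version. Once clients resolve directly against the Pi-hole, the `clients` table will name the device asking for `ibkc.int`, which is the information needed to decide whether it is a stray domain-joined laptop or something that does not belong on the network.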
