14:41:26: query [A] BRWSCE99497F86F.myrouter.net from 192.168.1.10
14:41:26: query [A] HP3FF41E.myrouter.net from 192.168.1.10
Router IP=192.168.1.10
I have blocked BRWSCE99497F86F and HP3FF41E since. I have a Brother printer but the BRW.. does not match the node of the printer. The HP3.. resembles a HP product but I do not have and HP.
How can I prevent these 2 queries from sending out pings so often? What's the best solution?
You will need to find the software that is doing this, and stop it at the source. This is not something you can do with Pi-hole, although Pi-hole revealed the queries.
This will likely take some methodical troubleshooting on your part, and a visit to the forums for your router, etc.
I'm told wireshark could be the answer but not sure how to use it to resolve the issue I'm facing. Any more details you can provide?
My approach would be to turn off the suspect devices and see if the activity stops. If it does, you know what devices are the cause and can start troubleshooting those devices (such as search forums/knowledge base articles to mitigate the behavior by altering settings, etc.).
If turning the devices off doesn't stop the excessive pings, you'll know it's another device and can keep searching until you isolate it.
All Wireshark is going to tell you is what traffic the devices are sending, not how to stop it. You already know the devices are making DNS queries (otherwise Pihole wouldn't be logging them).
What make and model of router is it? This domain myrouter.net gives odd results depending on where it's queried. It seems like one of those domains that is used to track down your own router on a network, used by the likes of Netgear.
Try pinging the hostnames on your network and see if anything responds.
ping BRWSCE99497F86F
ping HP3FF41E
That's the thing I don't know the device. I am guessing BRWSCE99497F86F is the Brother printer.
It's a Netgear R7800 with dd-wrt on it. When I ping from the CMD prompt on my windows machine it says Ping request could not find host..
Might be mDNS/Bonjour bleeding over?
I have seen similar behaviour on a friend's network. IIRC they have a brother printer, and there is some bloatware on their PC (which gets installed when installing the driver package) that is very chatty and causes many lookups like this.
Is your router making those requests on behalf of a client, i.e. is it configured to use Pi-hole as upstream?
Or do you distribute Pi-hole as local DNS server via DHCP (which would then suggest that you are observing genuine router requests)?
Run from your Pi-hole machine, what's the output of:
sudo pihole-FTL dhcp-discover
Is your router making those requests on behalf of a client, i.e. is it configured to use Pi-hole as upstream?
Yes
* Received 316 bytes from eth0:192.168.1.10
Offered IP address: 192.168.1.79
Server IP address: 192.168.1.10
Relay-agent IP address: N/A
BOOTP server: (empty)
BOOTP file: (empty)
DHCP options:
Message type: DHCPOFFER (2)
server-identifier: 192.168.1.10
lease-time: 86400 ( 1d )
renewal-time: 43200 ( 12h )
rebinding-time: 75600 ( 21h )
netmask: 255.255.255.0
broadcast: 192.168.1.255
dns-server: 192.168.1.10
domain-name: "myrouter.net"
hostname: "Pi-Hole"
wpad-server: "\n"
router: 192.168.1.10
--- end of options ---
True. I am investigating and will uninstall. It's just that I was hoping there would be a straight forward solution.
Are you able to configure your router to distribute Pi-hole's IP as local DNS server via DHCP, instead of its own?
If you can't, you could consider to turn of your router's DHCP server altogether in favour of enabling Pi-hole's DHCP server.
Either way, that would make it easier to identfy the client that is actually making those requests.
Thanks. Not sure I want to do that just yet.
This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.