Getting a lot of hits (like 40 a second) from lavrov.in. Can't identify what or why. Any insight would be appreciated.
From this domain or requests for this domain?
On what do you base this conclusion?
Well it's a very new domain registered from Russia. It was just a gut feeling.
I blocked it to see if it broke anything. The screenshot has all the hits since I blocked it last night.
I looked up the WHOIS like you did, drewski, but that was the limit of my sleuthing abilities.
What client on your network is making these repeated requests? That is where I would investigate.
The top entry is 185.236.232.114
[Raspberry Jam inc.](https://www.ripe.net/membership/indices/data/sc.raspberry-jam.html)?
It looks like you are getting DNS queries from clients outside your network, which would indicate you are running an open resolver (port 53 on the router open to the internet).
That would be on my worry scale lower than running an open resolver.
I understand that and agree 100%
Scary knowing the owner deals with hacking and whatnot, which would definitely make me run a port scan and make sure 53 and other ports are closed.
Thank you both for your help.
I think when I last set up my network, I didn't change the default router password, and I think someone or something pwned my router. I checked port 53 and it appeared to be closed.
I wasn't able to change the password so I reset the router and now have a strong password.
Resetting the router seems to have dealt with the issue, but my Pi-hole API is very slow for some reason, and I have a hard time getting new statistics from it.
Update: I had to flush the logs because I couldn't get it to load statistics any longer.
Check this website: GRC | Gibson Research Corporation Home Page
Click on Services, then "Shields Up".
After clicking "Proceed", click on "All Service Ports".
This will tell you for sure if you have open ports.
I have EXACTLY the same problem with my online-running Pi-hole.
I formatted the hosted server, set up a new Ubuntu version and installed Pi-hole from scratch.
But now, after a day running, it started AGAIN!
IP addresses from the range 185.236.232.* trying to resolve "lavrov.in" from my client.
What's going on here?
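Added example, not code from the thread or from the Pi-hole project: a Python check over constructed dnsmasq-format log lines (the format Pi-hole writes to its query log) that flags queries whose source address is a public-internet host, which is what an open resolver's log looks like from the inside. The addresses and the lavrov.in name are taken from this thread; the log lines themselves are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in dnsmasq query-log format, as Pi-hole writes them.
# Sources 185.236.232.x and the name lavrov.in come from the thread; 192.168.1.20 is
# a constructed LAN client for contrast.
SAMPLE_LOG = """\
Jan 10 22:15:01 dnsmasq[812]: query[A] lavrov.in from 185.236.232.114
Jan 10 22:15:01 dnsmasq[812]: query[A] lavrov.in from 185.236.232.120
Jan 10 22:15:02 dnsmasq[812]: query[A] pi.hole from 192.168.1.20
Jan 10 22:15:02 dnsmasq[812]: query[AAAA] example.com from 192.168.1.20
Jan 10 22:15:03 dnsmasq[812]: query[A] lavrov.in from 185.236.232.114
Jan 10 22:15:03 dnsmasq[812]: forwarded lavrov.in to 1.1.1.1
"""

# Only "query[...]" lines carry a client address; "forwarded"/"reply" lines are skipped.
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<src>\S+)$")


def is_external(src: str) -> bool:
    """True when the source is a publicly routable address, i.e. not a private,
    loopback or link-local client of this LAN."""
    try:
        return ipaddress.ip_address(src).is_global
    except ValueError:
        return False


def find_external_queries(log_text: str):
    """Return (total external queries, Counter by source, Counter by queried name)."""
    sources, names = Counter(), Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m or not is_external(m.group("src")):
            continue
        sources[m.group("src")] += 1
        names[m.group("name")] += 1
    return sum(sources.values()), sources, names


def open_resolver_suspected(log_text: str) -> bool:
    """Any query accepted from a public-internet source means port 53 is reachable
    from outside: the resolver is effectively open."""
    total, _, _ = find_external_queries(log_text)
    return total > 0


if __name__ == "__main__":
    total, srcs, names = find_external_queries(SAMPLE_LOG)
    print(f"external queries: {total}, open resolver suspected: {open_resolver_suspected(SAMPLE_LOG)}")
    for src, n in srcs.most_common():
        print(f"  source {src}: {n}")
    for name, n in names.most_common():
        print(f"  name {name}: {n}")
```

Run it against the real query log instead of SAMPLE_LOG; a non-empty source list means the router or host firewall is exposing port 53, which is the fix the thread converges on.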
Have you confirmed that port 53 is closed?
As I said, what worked for me was resetting my router & password. I haven't had any hits since.
But my Pi-hole is running online... if I close port 53, how should I reach it then for name resolving?
Plus this is a totally Pi-hole specific problem. The "Attacker" WHOIS:

```
inetnum: 185.236.232.0 - 185.236.235.255
netname: SC-RASPBERRY-JAM-20171214
country: RU
org: ORG-RI42-RIPE
admin-c: MB45089-RIPE
tech-c: MB45089-RIPE
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-by: sc-raspberry-jam-1-mnt
created: 2017-12-14T09:16:05Z
last-modified: 2017-12-14T09:16:05Z
source: RIPE
abuse-email: bayne@raspberry-jam.ru
abuse-c: AR43917-RIPE
abuse-org: ORG-RI42-RIPE
organisation: ORG-RI42-RIPE
org-name: Raspberry-jam Inc.
org-type: LIR
address: 309&310 Premier Building, Albert Street
address:
address: Victoria, Mahe
address: SEYCHELLES
e-mail: bayne@raspberry-jam.ru
admin-c: MB45089-RIPE
tech-c: MB45089-RIPE
abuse-c: AR43917-RIPE
mnt-ref: sc-raspberry-jam-1-mnt
mnt-by: RIPE-NCC-HM-MNT
mnt-by: sc-raspberry-jam-1-mnt
created: 2017-11-17T10:56:05Z
last-modified: 2017-12-19T09:59:21Z
source: RIPE
phone: +248 432 31 05
person: Misha Bayne
address: 309&310 Premier Building, Albert Street
address: Victoria, Mahe
address: SEYCHELLES
phone: +248 432 31 05
nic-hdl: MB45089-RIPE
mnt-by: sc-raspberry-jam-1-mnt
created: 2017-11-17T10:56:05Z
last-modified: 2017-12-19T10:00:01Z
```
You are running an open resolver, which is a very bad practice. We do not support open resolvers.
Found this thread searching "lavrov.in pihole" and it turns out port 53 was open on my router, leading to this same issue. Not sure why it was open, but it is no longer open; I'll continue to monitor it.