Need help figuring out an out-of-control Microsoft CNAME domain

I'm experiencing an issue with this particular www.microsoft.com domain that's completely dominating my top list of domains. I would like to figure out what is going on with it and where it's coming from, and how to get it to not do what it's doing. It is constantly getting contacted, even when my computer is in hibernation, but seems to be coming from my router's local address.

Debug Token:

https://tricorder.pi-hole.net/0yNtnnD6/

Pi-hole just reports the requests it sees so it's unlikely to be a Pi-hole problem. That said, there may be something in your overall network config which reveals something misconfigured which can be fixed. However it's more likely to be a case of identifying and dealing with the device that's causing the requests.

Considering I have tied my devices to local DNS records, it should not be hard to narrow down which device it's coming from. I have set DNS at router level, and currently the only active device not set individually to use the Pi-hole DNS that is in use at this moment is our Chromecast. Looking at my router devices right now.

Like I said, it appears in the log as tied to my router client, but that should definitely not be contacting Microsoft every minute of the night.

Does it continue when the suspect computer is completely powered off? If not, then the queries are coming from that computer and you should focus your investigation on that computer.

If that computer is a Windows device, you can map that domain to the NULL IP in the hosts file on that computer, and it will never leave the computer and get to Pi-hole.

The only Windows device currently powered on on my network is my personal computer, which is set to manually use Pi-hole's DNS anyway, thus it would show up with a different IPv4 address in the tail log. So it can't be this.

I have tested with my computer off, Chromecast off, with only my iPhone and router and the Pi housing Pi-hole powered on so I can watch the tail log update.

Jan 9 00:55:13: query[A] www.microsoft.com from 192.168.39.1
Jan 9 00:55:13: cached www.microsoft.com is
Jan 9 00:55:13: cached www.microsoft.com-c-3.edgekey.net is
Jan 9 00:55:13: cached www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net is
Jan 9 00:55:13: cached e13678.dscb.akamaiedge.net is 2.18.173.151

Here's the culprit that's going every 5 seconds or so. This local address is from my router, which is not a Windows device but a mesh network router with a dedicated app, which I am using on my iPhone, again with manually set DNS to Pi-hole. So if it was this app and if it had anything to do with Microsoft, these queries would be going through my iPhone's address, but it's from my router. Correct?

Maybe I have a person living in my walls who somehow got access to my network, or some ghost device on my network constantly trying to resolve microsoft.com.

Need to mention I've set Unbound as my DNS server; the router is, as mentioned, pointing to Pi-hole for upstream. I have relatively few devices connected in my home network that are always on. It's an issue in the sense that it's just really spamming the web log interface and very detrimental to the experience. I don't really understand it.

I was hoping to get an answer if there would be something in the debug log that could point to the problem.
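One way to turn the tail log excerpt above into evidence, as an added example that is not part of this thread or of Pi-hole itself: parse pihole.log query lines, group them per client and domain, and flag clients whose queries for a domain arrive at a short, regular interval, which is the signature of a router or app health probe rather than a person browsing. The sample log is constructed in the format quoted above; the timestamps, client addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the pihole.log format quoted in the thread (not a real capture).
SAMPLE_LOG = """\
Jan 9 00:55:13: query[A] www.microsoft.com from 192.168.39.1
Jan 9 00:55:13: cached e13678.dscb.akamaiedge.net is 2.18.173.151
Jan 9 00:55:18: query[A] www.microsoft.com from 192.168.39.1
Jan 9 00:55:23: query[A] www.microsoft.com from 192.168.39.1
Jan 9 00:55:28: query[A] www.microsoft.com from 192.168.39.1
Jan 9 00:55:40: query[A] example.org from 192.168.39.20
Jan 9 00:57:02: query[A] example.org from 192.168.39.20
"""

# Accepts both the bare form quoted above and the stock "dnsmasq[pid]:" form.
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)(?:\s+dnsmasq\[\d+\])?:\s+"
    r"query\[(?P<qtype>\w+)\]\s+(?P<qname>\S+)\s+from\s+(?P<client>\S+)$"
)

def parse_queries(text):
    """Return (timestamp, qtype, qname, client) for every query line in TEXT."""
    out = []
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            # Syslog timestamps carry no year; strptime defaults to 1900, harmless here.
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            out.append((ts, m["qtype"], m["qname"].lower(), m["client"]))
    return out

def periodic_clients(text, domain, max_mean_gap=10.0, min_count=3):
    """Map client IP -> (count, mean gap in seconds) for clients that ask DOMAIN
    at least MIN_COUNT times with a mean gap of at most MAX_MEAN_GAP seconds."""
    times = defaultdict(list)
    for ts, _qtype, qname, client in parse_queries(text):
        if qname == domain.lower():
            times[client].append(ts)
    result = {}
    for client, stamps in times.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean_gap = sum(gaps) / len(gaps)
        if mean_gap <= max_mean_gap:
            result[client] = (len(stamps), round(mean_gap, 1))
    return result
```

Run it against a real `/var/log/pihole/pihole.log` (or `/var/log/pihole.log` on older installs) with the domain in question; if the only flagged client is the router's address after every other device has been powered off, the probe is the router's own or comes from a client hidden behind its DNS forwarding.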

Why do I only see my router's IP address instead of individual devices in the Top Clients section and Query Log?

This is not a problem for my usage. I have local DNS records of devices set within the web interface to tell my traffic apart, and already know which of them are set to automatically use Pi-hole through client -> router -> Pi-hole and which are manually configured to use Unbound/Pi-hole through device settings.

Most are configured manually; this is mainly for people visiting and using the wifi, and I would like them to use Pi-hole as well. When I say "it's coming from my router", that doesn't mean it's coming from any of 5 different devices in my case, because I don't have it set up like that currently. I know (x) IP means this traffic is from my phone and (y) is from my computer, etc. This is not the issue. I can still work out by deduction which device it's coming from.

Besides, I have already narrowed it down to the phone and router by shutting everything else off; it keeps going. Where is this www.microsoft.com query coming from?

You should see all connected devices in your router's web interface as well, to find the person in the wall. Last idea, as you ruled out everything else, is that it's the router itself, using some MS service like time sync (that would be time.microsoft.com and should be much less frequent) or so.

It would seem to be one of those then. Either an OS or service running natively on the device, if one is a Microsoft branded device, or an app or app-related service running on one of those devices regardless of manufacturer.

Can you try just shutting the phone fully off for a few hours and observing the Query Log from a non-implicated device? That should confirm or rule out the router, leaving the phone, or vice versa.

Longer term, are you able to change the layout so that your router uses an external upstream (ISP, Quad9, etc.) but is essentially unused, because you switch to using the Pi-hole as the DHCP provider with its Unbound upstream? That will be a simpler layout and give you more granularity and control over addressing and identification.

It seems to be something else. God knows what it's doing with how it needs to contact any of these domains this often, but I don't like it. Funny you should reply, I'm actually using DietPi for my installation as well.

That's an idea. However, I'm not so sure how to disable DHCP with this phone app solution that they have. Considering everything else seems to work well, using my current router seems to be the easiest. I would rather just try to ignore it until an option to hide a domain from the query list is implemented at some point.

There's an open feature request for this.

What is your router make and model?

Some routers may be configured to test internet connectivity by resolving a specific domain in regular intervals, or for diagnostic purposes. I may not recall correctly, but I believe some TP-Link models to feature related options.

It's a mesh wifi system called Omni Duo by Jensen of Scandinavia, rented from my ISP. That sounds like what it could be doing; it's already made about 22k queries alone this far. I usually don't have much experience with these mesh networks, but it seemed fine.

At this stage, that is just a guess.
I've never heard of Jensen routers before, so you'd have to consult your router's documentation and support channels with regards to its configuration.

If you have access to another router, you could try to switch routers to verify whether those unexpected requests for www.microsoft.com would cease.

But you also shouldn't discard other devices yet, as your debug log shows your router to distribute its own IP as local DNS server via DHCP:

*** [ DIAGNOSING ]: Discovering active DHCP servers (takes 10 seconds)
   Scanning all your interfaces for DHCP servers
   
   * Received 300 bytes from eth0:192.168.39.1
     Offered IP address: 192.168.39.153
     DHCP options:
      Message type: DHCPOFFER (2)
      router: 192.168.39.1
      dns-server: 192.168.39.1
      --- end of options ---

This would mean that any device that you haven't pointed manually to use Pi-hole would send its DNS requests to your router, which may be configured to use Pi-hole as its upstream DNS and hence forward those requests to your Pi-hole.
So any device that obtains its DNS information through your router's DHCP server could also be sending those requests.

Isn't that normal behavior when setting Pi-hole's address in the router as the DNS entry? I thought that was the whole point, to automatically make devices on the network use it, or is it a problem in the sense that it's not supposed to be like that?

I am 100% sure it's my router doing it at this point. 192.168.39.153 and 192.169.39.1 are my DietPi/Pi-hole and router addresses respectively. Everything else is manually set or offline tested.

This is dependent on the router. My routers (Apple models) distribute the IP of Pi-hole and all the network clients use those IPs directly, without going through the router. Pi-hole sees every client as an individual client, as opposed to all the clients appearing to come through the router.

Thank you.

There are some confusing settings within the app, but I'll have a look. Considering my Pi is a lot more prone to crashing than my router, I'm a little afraid of switching, if it's even possible like I mentioned earlier. Just of getting put in a situation where I will, in some event, not be able to access the Pi-hole and lose my network.

At any rate, with my current setup it will continue to fill up the query log. It would be immensely useful if there was a feature implemented like @chrislph mentioned earlier to combat routers that behave like this; I'm not sure how prevalent they are. I'll weigh in on that request thread.

This is something you should address. Given adequate and continuous power, a Pi should very (very) rarely crash.

Mine routinely run months, and would likely run much longer unless I reboot them for kernel updates.

I'm running various other software alongside Pi-hole with DietPi. Even though it's probably not a great idea, it's kind of the only Pi I have at the moment with the current prices.

I noticed most of the time it will show up as cached in the log, and other times it will be answered by Unbound, but it's the same type of Microsoft request. Could this mean there's a different domain?