Need help figuring out an out-of-control Microsoft CNAME domain

Why do I only see my router's IP address instead of individual devices in the Top Clients section and Query Log?

This is not a problem for my usage. I have local DNS records of devices set within the web interface to tell my traffic apart, and already know which of them are set to automatically use pihole through client -> router -> pihole and which are manually configured to use unbound/pihole through device settings.

Most are configured manually; this is mainly for people visiting and using the wifi. I would like them to use pihole as well. When I say "it's coming from my router" that doesn't mean it's coming from either of 5 different devices in my case, because I don't have it set up like that currently. I know (x) IP means this traffic is from my phone and (y) is from my computer, etc. This is not the issue. I can still guess to know from what device it's coming from by deduction.

Besides, I have already narrowed it down to the phone and router by shutting everything else off; it keeps going. Where is this www.microsoft.com query coming from?

You should see all connected devices in your router's web interface as well, to find the person in the wall. Last idea, as you ruled out everything else, is that it's the router itself, using some MS service like time sync (that would be time.microsift.com and should be much less frequently) or so.

It would seem to be one of those then. Either an OS or service running natively on the device, if one is a Microsoft branded device, or an app or app-related service running on one of those devices regardless of manufacturer.

Can you try just shutting the phone fully off for a few hours and observing the Query Log from a non-implicated device? That should confirm or rule out the router, leaving the phone, or vice versa.

Longer term, are you able to change the layout so that your router uses an external upstream (ISP, Quad9, etc) but is essentially unused because you switch to using the Pi-hole as the DHCP provider with its Unbound upstream? That will be a simpler layout and give you more granularity and control over addressing and identification.

It seems to be something else. God knows what it's doing with how it needs to contact any of these domains this often, but I don't like it. Funny you should reply, I'm actually using dietpi for my installation as well.

That’s an idea. However, I'm not so sure how to disable dhcp with this phone app solution that they have. Considering everything else seems to work well, using my current router seems to be the easiest. I would rather just try to ignore it until an option to hide a domain from the query list is implemented at some point.

There's an open feature request for this.

What is your router make and model?

Some routers may be configured to test internet connectivity by resolving a specific domain in regular intervals, or for diagnostic purposes. I may not recall correctly, but I believe some TP-Link models to feature related options.
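As an added example (not part of the original thread and not Pi-hole's own code): one way to test the "regular intervals" guess is to measure the gaps between repeated queries in the dnsmasq-format query log that Pi-hole writes. The log lines are constructed, and the function names, thresholds and the assumed year (syslog timestamps carry none) are illustrative.

```python
import re
from datetime import datetime
from statistics import median

# Constructed log lines in dnsmasq's query-log format (as found in pihole.log).
SAMPLE_LOG = """\
Mar  3 10:00:00 dnsmasq[812]: query[A] www.microsoft.com from 192.168.39.1
Mar  3 10:00:07 dnsmasq[812]: query[A] news.example.org from 192.168.39.20
Mar  3 10:00:30 dnsmasq[812]: query[A] www.microsoft.com from 192.168.39.1
Mar  3 10:01:00 dnsmasq[812]: query[A] www.microsoft.com from 192.168.39.1
Mar  3 10:01:31 dnsmasq[812]: query[A] www.microsoft.com from 192.168.39.1
Mar  3 10:02:00 dnsmasq[812]: query[A] www.microsoft.com from 192.168.39.1
Mar  3 10:04:12 dnsmasq[812]: query[A] news.example.org from 192.168.39.20
Mar  3 10:19:40 dnsmasq[812]: query[A] news.example.org from 192.168.39.20
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
                  r"query\[(\w+)\] (\S+) from (\S+)$")

def query_times(log_text, year=2024):
    """Map (client, domain) -> sorted list of query timestamps."""
    seen = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            # The year is an assumption: the log timestamp does not include one.
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            seen.setdefault((m.group(4), m.group(3)), []).append(ts)
    return {k: sorted(v) for k, v in seen.items()}

def periodic_sources(log_text, min_queries=4, max_jitter=0.1):
    """Return {(client, domain): median_gap_seconds} for timer-like query streams."""
    found = {}
    for key, times in query_times(log_text).items():
        if len(times) < min_queries:
            continue  # too few samples to judge regularity
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mid = median(gaps)
        # A timer keeps every gap close to the median; human browsing does not.
        if mid > 0 and all(abs(g - mid) <= max_jitter * mid for g in gaps):
            found[key] = mid
    return found
```

In the layout discussed in this thread, where the router forwards client queries, the client field is the router's address for every device behind it, so a regular interval points to a timer but not to the device that owns it.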

It’s a mesh wifi system called Omni Duo by Jensen of Scandinavia, rented from my ISP. That sounds like what it could be doing; it's already made about 22k queries alone thus far. I usually don't have much experience with these mesh networks but it seemed fine.

At this stage, that is just a guess.
I've never heard of Jensen routers before, so you'd have to consult your router's documentation and support channels with regards to its configuration.

If you have access to another router, you could try to switch routers to verify whether those unexpected requests for www.microsoft.com would cease.

But you also shouldn't discard other devices yet, as your debug log shows your router to distribute its own IP as local DNS server via DHCP:

*** [ DIAGNOSING ]: Discovering active DHCP servers (takes 10 seconds)
   Scanning all your interfaces for DHCP servers
   
   * Received 300 bytes from eth0:192.168.39.1
     Offered IP address: 192.168.39.153
     DHCP options:
      Message type: DHCPOFFER (2)
      router: 192.168.39.1
      dns-server: 192.168.39.1
      --- end of options ---

This would mean that any device that you haven't pointed manually to use Pi-hole would send its DNS requests to your router, which may be configured to use Pi-hole as its upstream DNS and hence forward those requests to your Pi-hole.
So any device that obtains its DNS information through your router's DHCP server could also be sending those requests.
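As an added example (not part of the original thread and not Pi-hole's own tooling): a small Python parser for the DHCP discovery section quoted above that reports, per DHCP server, whether clients are handed the Pi-hole address or another resolver. The Pi-hole address 192.168.39.153 comes from the thread; the second offer in the sample and all function names are constructed for illustration.

```python
import re

# First offer is the debug-log excerpt from the thread; the second offer is
# constructed to show the other outcome (Pi-hole itself acting as DHCP server).
SAMPLE = """\
*** [ DIAGNOSING ]: Discovering active DHCP servers (takes 10 seconds)
   * Received 300 bytes from eth0:192.168.39.1
     Offered IP address: 192.168.39.153
     DHCP options:
      Message type: DHCPOFFER (2)
      router: 192.168.39.1
      dns-server: 192.168.39.1
      --- end of options ---
   * Received 300 bytes from eth0:192.168.39.153
     Offered IP address: 192.168.39.60
     DHCP options:
      Message type: DHCPOFFER (2)
      router: 192.168.39.1
      dns-server: 192.168.39.153
      --- end of options ---
"""

def parse_offers(text):
    """Return one dict per DHCP offer: interface, server address, DNS servers."""
    offers, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"\* Received \d+ bytes from (\S+?):(\d+(?:\.\d+){3})$", line)
        if m:
            current = {"iface": m.group(1), "server": m.group(2), "dns": []}
            offers.append(current)
        elif current is not None and line.startswith("dns-server:"):
            # Accept one or several addresses on the line (layout is an assumption).
            current["dns"] += re.findall(r"\d+(?:\.\d+){3}", line)
    return offers

def classify(offers, pihole_ip):
    """Label each DHCP server by where its clients will send DNS queries."""
    result = {}
    for o in offers:
        if not o["dns"]:
            result[o["server"]] = "no DNS option offered"
        elif all(d == pihole_ip for d in o["dns"]):
            result[o["server"]] = "direct: clients appear individually in Pi-hole"
        elif pihole_ip in o["dns"]:
            result[o["server"]] = "mixed: some queries can bypass Pi-hole"
        else:
            result[o["server"]] = "other resolver: " + ", ".join(o["dns"])
    return result
```

An "other resolver" result that names the router matches the situation in the thread: if the router forwards to Pi-hole, every such client shows up in the Query Log under the router's address.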

Isn't that normal behavior by setting pihole's address in the router as dns entry? I thought that was the whole point, to automatically make devices on the network use it, or is that a problem in terms of it's not supposed to be like that?

I am 100% sure it's my router doing it at this point. 192.168.39.153 and 192.169.39.1 are my dietpi/pihole and router addresses respectively. Everything else is manually set or offline tested.

This is dependent on the router. My routers (Apple models) distribute the IP of Pi-hole and all the network clients use those IPs directly, without going through the router. Pi-hole sees every client as an individual client, as opposed to all the clients appearing to come through the router.

Thank you.

There are some confusing settings within the app, but I'll have a look. Considering my pi is a lot more prone to crashing than my router, I'm a little afraid of switching, if it's even possible like I mentioned earlier. Just of getting put in a situation where I will in some event not be able to access the pihole and lose my network.

At any rate with my current setup, it will continue to fill up the query log. It would be immensely useful if there was a feature implemented like @chrislph mentioned earlier to combat routers that behave like this; I'm not sure how prevalent they are. I'll weigh in on that request thread.

This is something you should address. Given adequate and continuous power, a Pi should very (very) rarely crash.

Mine routinely run months, and would likely run much longer unless I reboot them for kernel updates.

I'm running various other software alongside pihole with dietpi, even though it's probably not a great idea, it's kind of the only Pi I have at the moment with the current prices.

I noticed most of the time it will show up as cache in the log, and other times it will be answered by unbound, but it's the same type of microsoft request. Could this mean there's a different domain?

This shouldn't be happening if you have a decent power supply (eg the official one) and a good quality SD card. If you are experiencing crashing then look at these and try to identify the cause.

For example a few years back a friend's Pi kept going offline and it turned out to be an interaction with his router sending malformed packets, and an older version of dhcpcd which crashed when it received them. That was fixed working with the dhcpcd author. These kinds of interactions are quite unlikely and you shouldn't be seeing crashing.

I’ve gone through the router app settings, there doesn't appear to be any tick box option to directly turn off dhcp, but there are a few other settings for manually tuning. I'm not sure if it will work for disabling.

There's the issue that if I configure it wrong I will not be able to revert the settings, because I will completely lose access to the router in the app when I lose connection and have to reset the router, naturally.

If anyone here wishes to give me some guidance and help me configure or validate if changing any of these settings to use pihole as dhcp will work.

There's an option for setting a static IP under internet settings from dhcp.



Then there’s the setting for dhcp server, but no off option here. I was thinking of pointing this to pihole’s address and in turn this would work of using that as the server instead, could this work?


If you could turn off the router's DHCP server and turn on the Pi-hole's DHCP server that would be the way I described. If you cannot turn off the router's DHCP server then the alternative approach is to tell the router's DHCP server to hand out the Pi-hole's address as DNS for the clients connecting.

The DHCP under Connection Type looks like the part related to the external IP address from your ISP. Don't change the Connection settings.

The later screenshot showing DHCP Server is your router handing out addresses on your network. That looks like the right section but there's nothing in there about the DNS to hand out so you can leave that as it is.

Is that it in the DNS section just below? What is in there?

This is the only setting where I can point the pihole’s dns, but as others have told me here my router does not respect this setting properly if not set manually on the device.

Would you suggest setting this setting to use a different dns and set pihole's ip within the dhcp server setting maybe? I’ve done an attempt to set this already without changing the dns first, this like I mentioned earlier locked me out of the network, and I lost access to the admin panel to turn on pihole dhcp.

Yes that would be where you switch it to manual and put in the Pi-hole's address 192.168.39.153. The screenshot already shows this, so I assume that this was you already changing it before posting? Because further up your debug log showed that the router was giving out 193.168.39.1 (itself) as the DNS.

So after changing it, disconnect and reconnect a device from your network (toggle airplane mode, or its wifi off and on, or pull and reinsert the network cable). This will pick up its IP from the router's DHCP server again, but now it should get the Pi-hole's address as the DNS server because now the router is handing that out.

Then load a test site on the device, eg a local news site, and then look at the Pi-hole Query Log. You should be seeing that device's IP or even hostname appearing there directly now.

I'm assuming the Pi-hole itself is still running Unbound locally, as you mentioned yesterday, and that this is still working okay.

Couple of paragraphs from the user manual I found online, translated with Google Translate.

DHCP Server
Omni uses 192.168.39.xxx as the default IP range for distributing IP addresses etc. If you want to change to another IP address range, you can do this by pressing Manual. Then enter the desired IP address range and press Save.

DNS
Omni uses as standard DNS addresses it receives from the internet modem. If you wish to use other DNS addresses, you can change this by pressing Manual, enter new DNS addresses and press Save.

If this is working, you can disconnect and reconnect all the other devices, and now you should be able to see where these microsoft queries are coming from too.

I'm sorry. No, the "Preferred DNS server" setting you see here with Pihole's address has been set for a long time.

From the link a little above here.

I have been using the router's standard DHCP setting all this time. With this I'm trying to say I changed the DHCP server IP from 192.168.39.1 (standard) to 192.168.39.53 (manual), to try and tell it this will be the new DHCP server, while still having 192.168.39.53 set in the DNS section on the other setting, so I was wondering if that was a mistake or if that is the right way to try to do it somehow. But I see now with the manual you found (that did not come with my router but I wish it did) that this is for setting local dhcp range, but there is no information about an endpoint to that range, so I don't understand.

Can I, or how can I, use these available settings to switch to using pihole as dhcp server in the web interface? Another question I have is, how can I be sure these repeating www.microsoft.com queries even stop if I do that?

Can I set one range in the router's DHCP settings, and another in pihole's to not conflict somehow maybe? Again, I don't know what end range the router is, I only know the starting range.