Paranoid - 200,000 queries in 3 hours - Synology RT1900

Hi all, forum newbie here.

Just wanted some expert opinion on what in the world is happening with my network.

My Synology router (bought it brand new earlier this month) is sending out an obscene amount of DNS queries; I actually had no idea until I installed Pi-Hole (which still is a bit slow even in v4.0).

The Query Log shows random, random sites like:
epdg.epc.mnc260.mcc310.pub.3gppnetwork.org
pool.ntp.org

But we're talking about 50 of the same queries in less than a minute. My query counter is jumping by the hundreds every few minutes, so I know something is amiss.

I disconnected all connections to my router (desktop/wifi devices), so only the router has connectivity but the PiHole counter keeps on jumping.

Would anyone know why this is the case? I've never had a problem with my old Netgear until I upgraded to Synology and it's just been headaches.

Many thanks all.


PiHole Query Log

|2018-11-12 17:43:28|A|pool.ntp.org|192.168.1.1|OK (forwarded)|N/A| Blacklist|
|2018-11-12 17:43:28|A|pool.ntp.org|192.168.1.1|OK (forwarded)|N/A| Blacklist|
|2018-11-12 17:43:22|AAAA|pool.ntp.org|192.168.1.1|OK (forwarded)|N/A| Blacklist|
|2018-11-12 17:43:22|AAAA|pool.ntp.org|192.168.1.1|OK (forwarded)|N/A| Blacklist|
|2018-11-12 17:43:22|AAAA|pool.ntp.org|192.168.1.1|OK (forwarded)|N/A| Blacklist|
|2018-11-12 17:43:22|AAAA|pool.ntp.org|192.168.1.1|OK (forwarded)|N/A| Blacklist|
|2018-11-12 17:43:22|A|pool.ntp.org|192.168.1.1|OK (forwarded)|N/A| Blacklist|
|2018-11-12 17:43:22|AAAA|pool.ntp.org|192.168.1.1|OK (forwarded)|N/A| Blacklist|
|2018-11-12 17:43:22|AAAA|pool.ntp.org|192.168.1.1|OK (forwarded)|N/A| Blacklist|
|2018-11-12 17:43:22|AAAA|pool.ntp.org|192.168.1.1|OK (forwarded)|N/A| Blacklist|
|2018-11-12 17:43:22|AAAA|pool.ntp.org|192.168.1.1|OK (forwarded)|N/A| Blacklist|

|2018-11-12 17:36:26|A|epdg.epc.mnc260.mcc310.pub.3gppnetwork.org|192.168.1.1|OK (forwarded)|N/A| Blacklist|
|2018-11-12 17:36:26|A|epdg.epc.mnc260.mcc310.pub.3gppnetwork.org|192.168.1.1|OK (forwarded)|N/A| Blacklist|
|2018-11-12 17:36:26|A|epdg.epc.mnc260.mcc310.pub.3gppnetwork.org|192.168.1.1|OK (forwarded)|N/A| Blacklist|
|2018-11-12 17:36:26|A|epdg.epc.mnc260.mcc310.pub.3gppnetwork.org|192.168.1.1|OK (forwarded)|N/A| Blacklist|

This is most likely your cell phone. This network is used for wifi calling.

This is probably your router itself or another network device. ntp.org runs the Network Time Protocol servers we can use to sync time across the Internet. The ntp.org entries are multi-homed, so one request will return many answers; I suspect the other domain may be the same. I don't see anything to be concerned about here.

Cheers.

Thanks Brock for the prompt response.

But I do find this odd, as if there's something wrong with the Synology specifically.

I had 400K DNS queries in half a day, vs a thousand a day on my old Netgear; there's something going on within the Synology that I can't exactly pinpoint.

The interesting part is that I actually planned to replace the Synology with a Pepwave router and once I did, the query volume on the admin console dropped significantly and pages actually loaded faster.

Does this imply that something's off with the Synology?

Maybe not wrong as in broken but wrong in design with far too many "call home" attempts designed in.

Sometimes these things are good net citizens as long as they can connect to their intended destination but panic and misbehave if they miss one or more connections.

Sometimes you can block them but also spoof the response they are looking for locally to keep them dumb and happy. My IP cameras fall into that group.


I don't believe 3gppnetwork.org is related to the Synology, though I could be wrong. As best I can find, it is related to WiFi calling from cell phones with weak cell signals. Do you run the Synology Cloud ID Connection?
The Synology may be requesting ntp.org DNS more often than perhaps necessary, but I don't see anything wrong in the logs you posted. pool.ntp will have 4 or more answers; it would appear your logs show all answers for each query, thus increasing your log output.

Syncing time is not "calling home". NTP is actually quite chatty, especially when you are syncing to multiple servers, as you should.

It is likely poorly programmed. Calling ntp servers at that frequency is not necessary. An Apple router, by comparison, checks time once per hour using an Apple time server.

Is the Synology being allowed to contact the NTP servers, or is it being blocked? If it is being blocked, it would make sense the calls are being made more often. Some routers run a full NTP daemon; some routers run a cron job and call ntpdate or similar. The full daemon will make more constant connections. Either way, it is legitimate traffic to pool.ntp.org, and there is no reason to block it.

Cheers.

The log output shows it was not being blocked.

2018-11-12 17:43:28|A|pool.ntp.org|192.168.1.1|OK (forwarded)

I meant the actual NTP traffic: does the Synology "sync"?

@tacos10 Please run this command from the Pi terminal and post a representative sample of the results so we can see both the queries and replies from the DNS server for the ntp domains. Pihole.log is today's log, pihole.log.1 is yesterday's log, thus the two commands.

sudo grep 'pool.ntp.org' /var/log/pihole.log

sudo grep 'pool.ntp.org' /var/log/pihole.log.1
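An added example (not part of any post in this thread): an awk pass over the same log the grep commands above read, counting only `query[...]` lines per client and per minute and tallying line types separately, so the rate is not inflated by the several `reply` lines a single pool.ntp.org lookup produces. The function names and sample lines are constructed, and the dnsmasq-style line layout of pihole.log is assumed.

```shell
#!/usr/bin/env bash
# Constructed sample in the dnsmasq-style layout assumed for /var/log/pihole.log.
# Reply and upstream addresses are documentation-range placeholders.
sample_log() {
cat <<'EOF'
Nov 12 17:43:22 dnsmasq[512]: query[AAAA] pool.ntp.org from 192.168.1.1
Nov 12 17:43:22 dnsmasq[512]: forwarded pool.ntp.org to 192.0.2.53
Nov 12 17:43:22 dnsmasq[512]: query[AAAA] pool.ntp.org from 192.168.1.1
Nov 12 17:43:22 dnsmasq[512]: query[A] pool.ntp.org from 192.168.1.1
Nov 12 17:43:22 dnsmasq[512]: reply pool.ntp.org is 203.0.113.10
Nov 12 17:43:22 dnsmasq[512]: reply pool.ntp.org is 203.0.113.11
Nov 12 17:43:22 dnsmasq[512]: reply pool.ntp.org is 203.0.113.12
Nov 12 17:43:22 dnsmasq[512]: reply pool.ntp.org is 203.0.113.13
Nov 12 17:43:28 dnsmasq[512]: query[A] pool.ntp.org from 192.168.1.1
Nov 12 17:44:03 dnsmasq[512]: query[A] pool.ntp.org from 192.168.1.1
Nov 12 17:44:03 dnsmasq[512]: query[A] epdg.epc.mnc260.mcc310.pub.3gppnetwork.org from 192.168.1.1
EOF
}

# query_rate LOGFILE DOMAIN   (LOGFILE "-" or omitted reads stdin)
# Prints one line per client and record type:
#   <client> <qtype> <total_queries> <peak_queries_in_one_minute> <that_minute>
query_rate() {
    awk -v dom="$2" '
    $5 ~ /^query\[/ && $6 == dom && $7 == "from" {
        qtype  = substr($5, 7, length($5) - 7)      # query[AAAA] -> AAAA
        key    = $8 " " qtype                       # client + record type
        minute = $1 "-" $2 "_" substr($3, 1, 5)     # Nov-12_17:43
        total[key]++
        n = ++permin[key SUBSEP minute]
        if (n > peak[key]) { peak[key] = n; peakmin[key] = minute }
    }
    END { for (k in total) print k, total[k], peak[k], peakmin[k] }
    ' "${1:--}" | LC_ALL=C sort
}

# line_breakdown LOGFILE DOMAIN: how many log lines of each kind mention DOMAIN.
line_breakdown() {
    awk -v dom="$2" '
    $6 == dom { t = $5; sub(/\[.*/, "", t); c[t]++ }   # query[A] -> query
    END { for (t in c) print t, c[t] }
    ' "${1:--}" | LC_ALL=C sort
}

# Demo on the constructed sample.
sample_log | query_rate - pool.ntp.org
sample_log | line_breakdown - pool.ntp.org
```

Against the real log, pass the file path instead of `-` (with `sudo` if the log is not readable by your user); a sustained high per-minute peak for one client separates repeated lookups from a log that merely lists every answer.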

Syncing time to hard coded, unchangeable dedicated company owned servers in China or controlled from China is calling home as far as I am concerned. It provides device tracking information to the company from analyses of their NTP server logs that I do not care to give them. I have several devices that do this which is why I mentioned it.

Syncing to hard coded servers is less than good; if they are public pool servers it is not supposed to be done but probably won't bite the end user. Syncing to pool servers in vendor pools is apparently acceptable. pool.ntp.org: The NTP Pool for vendors

Syncing to the public pool network or to systems not under the direct control of the manufacturer isn't calling home and that is what the Synology seems to be doing. Using the pool.ntp.org as a default is frowned upon in the above link though.

Good points, but regardless of where the time sync comes from, it doesn't need to happen 200K times in 3 hours. That's just bad programming.

This is similar to TP-Link banging the a.rootservers.net incessantly to check for connectivity, or Amazon devices going to example.com, example.net and example.org for the same reason.

I suspect the Synology is not syncing, and that is the reason we are seeing the lookups that often. NTP is very chatty, especially on startup.

Cheers