Query log filled with requests from client minint-

Expected Behaviour:

I am running Pi-hole on a Raspberry Pi 4.
My system is Unifi USG 3P 4.4.57.
I have set it up so that the DHCP server points to Pi-hole 192.168.1.154 and left the WAN setting as "Auto".

I expected the query log to show requests from clients, which it does.

Actual Behaviour:

Query log requests from minint-ep8e0cd.localdomain outnumber all other clients. Rate limit reached 192.168.1.4 (which is my desktop computer).
This is my home system. Would you please help? I have very limited knowledge of networks.

Debug Token:

https://tricorder.pi-hole.net/vnhuGqc8/

Let's take a look at the query statistics. From the Pi terminal, paste (or type) these commands and post the output. Actual text is preferred, not screenshots of text output.

echo ">top-clients >quit" | nc localhost 4711

echo ">top-domains >quit" | nc localhost 4711

echo ">top-ads >quit" | nc localhost 4711

Thank you for your kind attention. The output from those commands follows:

pi@raspberrypi:~ $ echo ">top-clients >quit" | nc localhost 4711
0 539027 192.168.1.4 minint-ep8e0cd.localdomain
1 135592 192.168.1.163 DESKTOP-S1LD78P.localdomain
2 654 192.168.1.8 unifi
3 558 172.16.0.42
4 417 192.168.1.21 amazon-902232deb.localdomain
5 278 192.168.1.11 amazon-8aa68aea3.localdomain
6 275 192.168.1.9 amazon-8eb333782.localdomain
7 211 192.168.1.207 COM-MID1.localdomain
8 169 172.16.0.13
9 160 192.168.1.154 pi.hole
pi@raspberrypi:~ $ echo ">top-domains >quit" | nc localhost 4711
0 3105 www.msftncsi.com
1 1036 www.iv6cc99f.com
2 350 www.i0rp1l2j.com
3 310 www.gstatic.com
4 205 d3p8zr0ffa9t17.cloudfront.net
5 160 static.ui.com
6 116 ping.ui.com
7 114 wpad.localdomain
8 102 tabletcaptiveportal.com
9 99 firetvcaptiveportal.com
pi@raspberrypi:~ $ echo ">top-ads >quit" | nc localhost 4711
0 1815 v7event.stats.avast.com
1 1492 analytics.ff.avast.com
2 391 ncc.avast.com
3 213 device-metrics-us-2.amazon.com
4 146 device-metrics-us.amazon.com
5 146 telemetry.malwarebytes.com
6 62 trace.svc.ui.com
7 43 browser.pipe.aria.microsoft.com
8 40 sanalytics.disneyplus.com
9 35 aax-eu.amazon-adsystem.com

What is the output of this command, which will show the queries for that specific client in the past 24 hours:

pihole-FTL sqlite3 /etc/pihole/pihole-FTL.db "SELECT domain FROM queries WHERE client='192.168.1.4' AND timestamp>='$(($(date +%s) - 86400))'" | sort | uniq -c | sort -n -r
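
The command above totals one client's queries per domain over 24 hours. To see when the bursts occur and which domain drives each one, the same three columns of `queries` can be bucketed per minute. This is an added example, not part of the original posts: it runs on a constructed in-memory table, and the function names, sample rows and the `limit` value are assumptions.

```python
import sqlite3

# Constructed sample rows (timestamp, client, domain); not data from the thread.
SAMPLE = (
    [(1000 + i, "192.168.1.4", "www.msftncsi.com") for i in range(0, 120, 2)]
    + [(1000 + i, "192.168.1.4", "wpad.localdomain") for i in range(0, 120, 30)]
    + [(1010, "192.168.1.163", "www.gstatic.com")]
)

def open_sample_db():
    """In-memory stand-in exposing only the three columns the thread's query uses."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE queries (timestamp INTEGER, client TEXT, domain TEXT)")
    conn.executemany("INSERT INTO queries VALUES (?, ?, ?)", SAMPLE)
    return conn

def busiest_windows(conn, client, since, window=60, top=3):
    """Return [(window_start, total, top_domain, top_domain_count)], busiest first."""
    rows = conn.execute(
        "SELECT (timestamp / ?) * ?, domain, COUNT(*) FROM queries "
        "WHERE client = ? AND timestamp >= ? GROUP BY 1, 2",
        (window, window, client, since),
    ).fetchall()
    windows = {}
    for start, domain, n in rows:
        w = windows.setdefault(start, {"total": 0, "domains": {}})
        w["total"] += n
        w["domains"][domain] = n
    # Sort by total descending, then by window start so ties are deterministic.
    ranked = sorted(windows.items(), key=lambda kv: (-kv[1]["total"], kv[0]))
    result = []
    for start, w in ranked[:top]:
        domain, n = max(w["domains"].items(), key=lambda kv: kv[1])
        result.append((start, w["total"], domain, n))
    return result

def windows_over_limit(conn, client, since, limit, window=60):
    """Windows in which the client sent more than `limit` queries (assumed threshold)."""
    every = busiest_windows(conn, client, since, window, top=None)
    return [w for w in every if w[1] > limit]

if __name__ == "__main__":
    # On a Pi-hole, open the real database read-only instead of the sample:
    # conn = sqlite3.connect("file:/etc/pihole/pihole-FTL.db?mode=ro", uri=True)
    conn = open_sample_db()
    for row in busiest_windows(conn, "192.168.1.4", since=0):
        print(row)
    print(windows_over_limit(conn, "192.168.1.4", since=0, limit=25))
```

Set `limit` to the rate limit configured on the Pi-hole. Buckets are aligned to multiples of `window` seconds, which need not match the boundaries the rate limiter used.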

Here is the response:


Further research online suggests that the large number of queries to www.msftncsi.com is from Windows 10 checking the internet connection. Can anyone confirm? If so, can anything be done to reduce the number of queries?

Block the domain in the hosts file on the PC. The domain request will never leave the PC.
