The internal api address of my router (192.168.86.1) is issuing requests to api2.branch.io every two seconds.
I have the router (Google Wifi) set to use the PiHole for (1) DNS and (2) a DHCP server. The former set up using a custom DNS entry and the latter set up by limiting the DHCP pool to the PiHole's IP address.
This recently started happening and took the number of requests that I usually see from ~200 over 10 min to well over 1000 over the same amount of time.
I've restarted my router multiple times, but the requests seem to come back after an hour exactly (tested multiple times).
I changed my router's settings back to the default for both DNS and DHCP, then moved them back to the PiHole settings. This worked for about 3 hours, but I am now seeing these requests again.
I doubt that my router is actually issuing all the requests to this URL as I've seen all the other posts about apps like Reddit doing this. All the devices on my network are using the PiHole for DNS. I've tried taking all the devices that have Reddit or something on it off with no luck. I've looked at the logs when it starts to do this and it seems to always be something to do with reddit. I've put this below, and after the gql.reddit.com request it always starts...
| Time | Type | Domain | Client | Status | Reply | Action |
|---|---|---|---|---|---|---|
| 2022-11-12 17:53:37 | A | api2.branch.io | 192.168.86.1 | Blocked (gravity) | IP (0.2ms) | Whitelist |
| 2022-11-12 17:53:35 | A | api2.branch.io | 192.168.86.1 | Blocked (gravity) | IP (0.1ms) | Whitelist |
| 2022-11-12 17:53:34 | A | www.googleapis.com | 192.168.86.1 | OK (cache), INSECURE | IP (0.0ms) | Blacklist |
| 2022-11-12 17:53:33 | A | api2.branch.io | 192.168.86.1 | Blocked (gravity) | IP (0.1ms) | Whitelist |
| 2022-11-12 17:53:31 | A | api2.branch.io | 192.168.86.1 | Blocked (gravity) | IP (0.0ms) | Whitelist |
| 2022-11-12 17:53:28 | A | api2.branch.io | 192.168.86.1 | Blocked (gravity) | IP (0.2ms) | Whitelist |
| 2022-11-12 17:53:27 | A | oauth.reddit.com | 192.168.86.1 | OK (answered by one.one.one.one#53), INSECURE | CNAME (9.0ms) | Blacklist |
| 2022-11-12 17:53:27 | A | accounts.reddit.com | 192.168.86.1 | OK (answered by one.one.one.one#53), INSECURE | CNAME (9.0ms) | Blacklist |
| 2022-11-12 17:53:26 | A | gql.reddit.com | 192.168.86.1 | OK (answered by one.one.one.one#53), INSECURE | CNAME (25.0ms) | |
I'm all out of ideas at this point. I've tried Wireshark to sniff my network, but it doesn't see the router sending the requests. I have no idea what's going on and this is weird to me. I did get a new phone and it could be that, but I've verified multiple times that it has its DNS pointing to the PiHole.
Expected Behaviour:
Expect router to not be issuing loads of requests to api2.branch.io every two seconds
Actual Behaviour:
Router is issuing loads of requests to api2.branch.io every two seconds
I don't quite follow the DHCP part of that. Can you clarify where the DHCP server sits and how the router and Pi-hole are configured for this?
If you're comfortable with Wireshark, and you're using Pi-hole for DHCP, then you can create a custom DNS entry for api2.branch.io and point it at a test linux machine on your network. Then whitelist api2.branch.io.
Now you can let the router, or whatever device is generating the requests, resolve them to your test machine and analyse what's being attempted.
On the Google Wifi, which all my devices connect to, I have the DNS entry set to the IP address of my PiHole (192.168.86.1). This should make it so the devices that connect to that network use this address to resolve DNS queries. This works fine it seems.
As for the DHCP set up, I have both the upper and lower bound of the DHCP address pool range on the Google Wifi set to the PiHole IP address (192.168.86.1). I read about this somewhere and it seems to work as the PiHole does act as a DHCP server and hands out IP addresses to devices.
Unfortunately I'm not, which is probably why I'm not finding anything.
Could I technically do this without wireshark? I'd just need something on the linux machine to handle the requests and log them somewhere? Something like nginx maybe?
I've pointed the domain api2.branch.io to one of my Pi's using the Local DNS > DNS Records. I've set up a webapp that listens on port 80 of this device and logs out requests (tested by curling the device and using dig on the domain).
I've then whitelisted api2.branch.io. I can see these DNS queries successfully completing in the Query Log.
After doing all of this, even though I see the requests from my router (192.168.86.1) in PiHole's Query Log, I don't see my webapp that the domain is mapped to via DNS records receiving any requests.
This led me to think that my router isn't set up correctly or something funky is going on. I've not changed anything in my router's settings (or I have, but it amounts to disabling it, then re-enabling it with the previous settings). I'm at a bit of a loss for what's going on.
Note: Updated to the latest PiHole module versions today and there was no change.
I've also chatted to the Google Support people, who were able to look through the setup of the router. They confirmed the set up was correct and that their router will not issue any requests to this website.
This makes me think even more that something weird is going on and requests from somewhere are masquerading as the router itself.
Could this be due to a device potentially still using the router's DNS by accident (somehow hardcoding)?
You'd have to address that at the source.
Find the device and software that issues those requests, and only if it cannot be configured to stop spitting out excessive requests, try to mitigate them through other means.
Pi-hole just displays DNS requests as received, it's not inventing them - your clients decide which DNS requests they issue.
Pi-hole may only be involved here if it would happen to block a domain that a client would be desperate to reach (which may well be the case here).
If you think the requesting application has a legitimate reason to contact a blocked domain, you could consider exempting that specific domain from blocking, even for a certain client only, if applicable (and provided your configuration would meet the necessary requirements, which it may not currently - you seem to see only your router as client).
Your router may well hide the original source of those requests if it would only make use of Pi-hole as its upstream DNS server (as opposed to telling your clients (via DHCP) to use Pi-hole as local DNS server).
For that specific api2.branch.io domain, we've received reports from other users getting lucky with whitelisting it and returning an unused private address for it.
This is effectively what you've done:
As for trying to catch something on TCP port 80:
Software is not limited to using an IP for HTTP communication only. It may do anything with that IP address.
Do you have reason to assume that the application requesting resolution of api2.branch.io would communicate to that resolved IP via standard HTTP?
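A port-agnostic sink for the approach suggested above, added here as an example and not code from anyone in this thread: once a Local DNS record maps api2.branch.io to the test machine (an assumed unused private address such as 192.168.86.250), it accepts TCP on 80 and 443 and labels whatever the client sends first, so a TLS connection is logged with its SNI instead of being missed by a plain HTTP web app. The ports, the 3 s timeout and the labels are assumptions; it needs root or CAP_NET_BIND_SERVICE to bind the low ports.

```python
import socket
import struct
import threading
import time

def tls_sni(data: bytes):
    """Return the SNI host from a TLS ClientHello, or None if absent or not TLS."""
    try:
        if len(data) < 43 or data[0] != 0x16 or data[5] != 0x01:
            return None  # not a handshake record carrying a ClientHello
        pos = 44 + data[43]  # skip record hdr, handshake hdr, version, random, session id
        pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]  # cipher suites
        pos += 1 + data[pos]  # compression methods
        pos, end = pos + 2, pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0]  # extensions block
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", data[pos:pos + 4])
            pos += 4
            if ext_type == 0:  # server_name: list len (2), name type (1), name len (2), name
                name_len = struct.unpack("!H", data[pos + 3:pos + 5])[0]
                return data[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += ext_len
    except (struct.error, IndexError):
        pass  # truncated or malformed hello
    return None

def classify(first_bytes: bytes) -> str:
    """Label what the client sent first, so non-HTTP traffic is not missed."""
    if first_bytes[:1] == b"\x16":
        return f"TLS ClientHello, SNI={tls_sni(first_bytes)}"
    if first_bytes.split(b" ", 1)[0] in (b"GET", b"POST", b"PUT", b"HEAD", b"OPTIONS"):
        return "HTTP " + first_bytes.split(b"\r\n", 1)[0].decode("ascii", "replace")
    return f"other ({first_bytes[:16].hex()})"

def serve(port: int) -> None:
    """Accept on one port and log the source IP plus a label for the first bytes sent."""
    with socket.create_server(("0.0.0.0", port)) as srv:
        while True:
            conn, (ip, _) = srv.accept()
            with conn:
                conn.settimeout(3)
                try:
                    data = conn.recv(4096)
                except socket.timeout:
                    data = b""  # connected but sent nothing within 3 s
                print(f"{time.strftime('%H:%M:%S')} :{port} <- {ip}: {classify(data)}")

if __name__ == "__main__":
    for port in (80, 443):  # assumed ports; extend if the client tries others
        threading.Thread(target=serve, args=(port,), daemon=True).start()
    threading.Event().wait()  # run until Ctrl-C
```

Anything sent over UDP or to a port not listed still will not show up here; a packet capture on the sink host (for example `tcpdump host 192.168.86.250`) covers that case.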
Thanks for the detailed explanation. I really appreciate you taking the time.
I searched for devices that could be doing this, and I ended up finding it on my guest network (google wifi). Still no idea why it's happening or if the requests are HTTP or not, but at least it was found.
I'll be investigating more, but, in general, the IP address of the DNS for the guest network is not the PiHole. This, in turn, will make requests to the IP address it has (the router's guest network), which will then show up as the router making requests as it uses the PiHole's IP address for DNS.
So one of two things is happening. Google Wifi doesn't use the same DNS settings on the guest network as it does on the main network, or the device is set up incorrectly.
Yep, this is Spotify. I can't remember if you need it or not, try blocking it and see if the app / program still works. If it's this hard to narrow down what is causing this connection, you're either enjoying music a lot, or your desktop / laptop is auto-loading the program at startup.