Strange behavior from Netflix on Roku Devices


Expected Behaviour:

I'm running PiHole on a QNAP server that is running Ubuntu 20.04.1 in an LXC. The PiHole is running as expected (as far as I can tell). My network consists of Ubiquiti's UDM as my router, and I have the network set up with multiple VLANs (personal devices, generic IoT, and streaming IoT). I have my TCL Roku TV and Roku Premiere device on the streaming and generic IoT respectively, with IPs of x.x.20.5 and x.x.21.22 respectively.

Actual Behaviour:

For some reason netflix.com was blacklisted initially (I'm using the pihole-updatelists GitHub repository for my adlists), and I noticed that there were hundreds of calls for netflix.com. It didn't appear to prevent me from accessing the service, but I found it strange that it was happening so frequently (like every 5 mins). Any idea why this is happening and if this is something I should be concerned about?

Debug Token:

https://tricorder.pi-hole.net/gf14omks2t

As to the flood of queries, it seems netflix.com has a TTL of 60 seconds. So the records will only stay in cache for 1 minute and then they will need to be resolved by the upstream.

dig netflix.com

; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> netflix.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65532
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;netflix.com.                   IN      A

;; ANSWER SECTION:
netflix.com.            60      IN      A       52.11.104.17
netflix.com.            60      IN      A       52.24.197.182
netflix.com.            60      IN      A       52.25.212.16
netflix.com.            60      IN      A       52.36.238.206
netflix.com.            60      IN      A       52.39.26.2
netflix.com.            60      IN      A       54.149.160.164
netflix.com.            60      IN      A       34.209.106.197
netflix.com.            60      IN      A       35.160.251.36

;; Query time: 19 msec

Are you running any sort of firewall to block outgoing DNS traffic?

*** [ DIAGNOSING ]: Name resolution (IPv4) using a random blocked domain and a known ad-serving domain
[✓] gethacknow.com is 0.0.0.0 via localhost (127.0.0.1)
[✓] gethacknow.com is 0.0.0.0 via Pi-hole (192.168.1.3)
[✗] Failed to resolve doubleclick.com via a remote, public DNS server (8.8.8.8)

*** [ DIAGNOSING ]: Operating system
[i] dig return code:  9
[i] dig response:  ;; connection timed out; no servers could be reached
[✗] Distro:  Ubuntu

Does your DHCP server actually have a lease duration of 2 minutes?

     DHCP options:
      Message type: DHCPOFFER (2)
      server-identifier: 192.168.1.1
      lease-time: 120 ( 2m )
      renewal-time: 60 ( 1m )
      rebinding-time: 105 ( 1m 45s )
      netmask: 255.255.255.240
      broadcast: 192.168.1.15
      domain-name: "network-devices"
      dns-server: 192.168.1.3
      router: 192.168.1.1
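
The TTL explanation above can be checked against Pi-hole's own query log. The following is an added example, not part of any post in this thread: it assumes the dnsmasq-style line format of pihole.log, runs on constructed sample lines, and `summarize` is a hypothetical helper name. It reports, per client and domain, how often queries arrive and whether they were answered from cache or had to go upstream because the 60-second TTL had expired.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample in dnsmasq/pihole.log format; not taken from the thread.
SAMPLE_LOG = """\
Dec  1 10:00:00 dnsmasq[412]: query[A] netflix.com from 192.168.20.5
Dec  1 10:00:00 dnsmasq[412]: forwarded netflix.com to 127.0.0.1
Dec  1 10:00:00 dnsmasq[412]: reply netflix.com is 52.11.104.17
Dec  1 10:00:20 dnsmasq[412]: query[A] netflix.com from 192.168.21.22
Dec  1 10:00:20 dnsmasq[412]: cached netflix.com is 52.11.104.17
Dec  1 10:05:00 dnsmasq[412]: query[A] netflix.com from 192.168.20.5
Dec  1 10:05:00 dnsmasq[412]: forwarded netflix.com to 127.0.0.1
Dec  1 10:07:00 dnsmasq[412]: query[A] netflix.com from 192.168.21.22
Dec  1 10:07:00 dnsmasq[412]: forwarded netflix.com to 127.0.0.1
Dec  1 10:10:01 dnsmasq[412]: query[A] netflix.com from 192.168.20.5
Dec  1 10:10:01 dnsmasq[412]: forwarded netflix.com to 127.0.0.1
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: (.+)$")

def summarize(log_text, ttl=60, year=2020):
    """Per (client, domain): query count, median gap, cache hits vs upstream lookups."""
    times = defaultdict(list)                        # query timestamps
    outcome = defaultdict(lambda: defaultdict(int))  # forwarded / cached counts
    pending = {}                                     # domain -> client awaiting an outcome
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        # The log carries no year; an assumed one is supplied so parsing is unambiguous.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        parts = m.group(2).split()
        if parts[0].startswith("query[") and len(parts) == 4:
            times[(parts[3], parts[1])].append(ts)
            pending[parts[1]] = parts[3]
        elif parts[0] in ("forwarded", "cached") and parts[1] in pending:
            # Only the first outcome line per query counts (multi-record answers repeat).
            outcome[(pending.pop(parts[1]), parts[1])][parts[0]] += 1
    report = {}
    for key, stamps in times.items():
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps) if gaps else None
        report[key] = {"queries": len(stamps), "median_gap_s": med,
                       "forwarded": outcome[key]["forwarded"],
                       "cached": outcome[key]["cached"],
                       "gap_exceeds_ttl": med is not None and med > ttl}
    return report
```

A client whose median gap exceeds the TTL will show nearly every query as `forwarded`, which is the pattern described above for a device polling roughly every 5 minutes against a 60-second record.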

I do have some firewall rules to block all non-pihole DNS traffic:


And my networks are set to 86400 seconds for the DHCP lease duration.

I'll try updating the list. Thanks.

Why would this happen even when I'm not watching Netflix or when the TV isn't even on?

Smart TVs are never OFF (the display might be powered down, but the crappy computer inside continues to run). There is no way to tell what the device is programmed to do, but frequent queries to content provider domains are common even when the device is not in use. Rokus are cheap because they mine your data.

@jfb Thanks for pointing this out. I noticed that there were some things in setupVars.conf that were not set properly. I updated the DHCP info to reflect what the network has for its values.

This is what you had previously. What did you change? Note that your DHCP server in Pi-hole was inactive:

*** [ DIAGNOSING ]: Setup variables
    BLOCKING_ENABLED=true
    ADMIN_EMAIL=redacted
    WEBUIBOXEDLAYOUT=boxed
    WEBTHEME=default-light
    DHCP_START=192.168.10.1
    DHCP_END=192.168.10.14
    DHCP_ROUTER=192.168.10.1
    DHCP_LEASETIME=744
    PIHOLE_DOMAIN=personal-devices
    DHCP_IPv6=true
    DHCP_rapid_commit=true
    DHCP_ACTIVE=false
    DNSMASQ_LISTENING=single
    DNS_FQDN_REQUIRED=true
    DNS_BOGUS_PRIV=true
    DNSSEC=false
    REV_SERVER=false
    PIHOLE_INTERFACE=eth0
    IPV4_ADDRESS=192.168.1.3/28
    IPV6_ADDRESS=redacted/64
    PIHOLE_DNS_1=127.0.0.1#5353
    PIHOLE_DNS_2=
    QUERY_LOGGING=true
    INSTALL_WEB_SERVER=true
    INSTALL_WEB_INTERFACE=true
    LIGHTTPD_ENABLED=true
    CACHE_SIZE=10000
    API_EXCLUDE_DOMAINS=
    API_EXCLUDE_CLIENTS=
    API_QUERY_LOG_SHOW=all
    API_PRIVACY_MODE=false

I changed this, and yes, I wasn't planning on using the DHCP server on the PiHole. Sorry, I'm still learning about all of this. So I apologize if this was a stupid comment, but I was just looking to see if there was anything in the log that I sent you that would specify such a short lease time, because everything on my Unifi network is set to 86400 seconds for the DHCP lease time, and most of my devices are using static IPs anyway.
