Strange Queries from China

The issue I am facing:

Suddenly I see multiple permitted queries like this:

http://192.168.1.160/admin/queries.php?domain=222.222.67.208.in-addr.arpa

222.222.67.208 appears to be in China. This has me worried. Should I be?

Should this IP address be blacklisted, or is it tied to a valid DNS server?

Details about my system:

Pi-hole running on a Raspberry Pi with standard Raspbian.

What I have changed since installing Pi-hole:

Irrelevant, except this seems to have appeared after the latest update.

Thanks.

/Roger

This is a reverse IP lookup (PTR). The requesting client is asking "what is the name of the domain associated with the IP which is listed backwards". It is not a request from that IP.

In this case, it is likely Pi-hole finding out the name of the DNS server at IP 208.67.222.222.

dig -x 208.67.222.222

; <<>> DiG 9.16.33-Raspbian <<>> -x 208.67.222.222
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26399
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;222.222.67.208.in-addr.arpa.	IN	PTR

;; ANSWER SECTION:
222.222.67.208.in-addr.arpa. 3562 IN	PTR	dns.umbrella.com.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jan 03 22:46:29 CST 2023
;; MSG SIZE  rcvd: 86

I suspect this is your upstream DNS server in Pi-hole. Pi-hole looks for this name so it can populate the name in the DNS server pie chart on the main page of the web admin GUI (the dashboard).

So, normal, right? I get lost in networking. Took many hours (!) for me to get Pi-hole up and running.

I did see some arguments that this IP could be problematic - "port scans." But Cisco's site turned up nothing nefarious. Same for blacklists. Nonetheless, the apparent location being China causes some chills to go up and down my spine.

Thanks for the quick feedback.

After thought: I'm on a comcast "business" hookup so I googled comcast 222.222.67.208.

Got this:
https://support.opendns.com/hc/en-us/community/posts/220009067-Can-openDNS-be-used-with-Xfinity-Comcast-Router-

Makes me wonder if there is a DNS server "spoofing" using an IP with the number order flipped.

(Paranoia pays if "they" are after you.)

The in-addr.arpa name is not an IP, it is a request for the domain name associated with an IP.

The apparent location isn't China. The requesting client is your Pi-hole, as explained previously.

Yes.

No.

Your paranoia in this case is not warranted.
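As an added example (not part of this thread and not Pi-hole's own code), the script below does in code what the two replies above explain: it builds the reverse-lookup name for an address (octets back to front under in-addr.arpa, which is the "flipped" order that caused the confusion), decodes such a name back to the address it asks about, and parses a couple of constructed log lines in the `query[TYPE] name from client` shape that Pi-hole's dnsmasq writes to pihole.log, so the client that asked (the Pi-hole itself at 127.0.0.1) and the address being looked up (208.67.222.222) are shown side by side. It goes beyond the thread in also handling IPv6 names under ip6.arpa. The log lines, timestamps and process id are made up for the example.

```python
import ipaddress
import re
from typing import Optional

# Constructed sample lines in the format Pi-hole's dnsmasq writes to
# /var/log/pihole.log. The "from" field is the client that ASKED the
# question, never the address that appears reversed in the query name.
SAMPLE_LOG = """\
Jan  3 22:46:29 dnsmasq[612]: query[PTR] 222.222.67.208.in-addr.arpa from 127.0.0.1
Jan  3 22:46:31 dnsmasq[612]: query[A] example.com from 192.168.1.50
"""

LOG_RE = re.compile(
    r"query\[(?P<qtype>[A-Z0-9]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)"
)


def reverse_pointer_name(ip: str) -> str:
    """Build the reverse-lookup name for an IPv4 or IPv6 address.

    IPv4: the four octets written back to front under in-addr.arpa.
    IPv6: every hex nibble of the expanded address reversed under ip6.arpa.
    """
    return ipaddress.ip_address(ip).reverse_pointer


def ip_from_reverse_pointer(name: str) -> str:
    """Recover the address a PTR query name asks about; raise ValueError otherwise."""
    name = name.rstrip(".").lower()
    if name.endswith(".in-addr.arpa"):
        octets = name[: -len(".in-addr.arpa")].split(".")
        if len(octets) != 4:
            raise ValueError(f"not a full IPv4 reverse name: {name}")
        # Undo the flip; IPv4Address validates each octet (raises ValueError).
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    if name.endswith(".ip6.arpa"):
        nibbles = name[: -len(".ip6.arpa")].split(".")
        if len(nibbles) != 32:
            raise ValueError(f"not a full IPv6 reverse name: {name}")
        return str(ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16)))
    raise ValueError(f"not a reverse-lookup name: {name}")


def explain_query(line: str) -> Optional[dict]:
    """Parse one dnsmasq query log line; for PTR queries also decode the target IP."""
    m = LOG_RE.search(line)
    if not m:
        return None
    info = {"qtype": m["qtype"], "name": m["name"], "client": m["client"]}
    if m["qtype"] == "PTR":
        try:
            info["looked_up_ip"] = ip_from_reverse_pointer(m["name"])
        except ValueError:
            info["looked_up_ip"] = None  # malformed or partial reverse name
    return info


def summarize(log: str) -> list:
    """Return the parsed entries for every query line in the log text."""
    return [e for e in (explain_query(ln) for ln in log.splitlines()) if e]


if __name__ == "__main__":
    for entry in summarize(SAMPLE_LOG):
        print(entry)
```

Running it prints one dict per query line; for the PTR line the `client` is 127.0.0.1 and `looked_up_ip` is 208.67.222.222, which is the distinction the replies make: the Chinese-looking "222.222.67.208" is not a host, it is the upstream resolver's address read backwards.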

