Thousand of A.ROOT-SERVERS.NET domain in my queries

I have a lot of calls on my recent queries list and it is the top domain with more of 4000 hits after 2 days.
I am using Pi-Hole installed on a vps and I am pointing my router (tp-link) dns primary address to the vps and as secondary address

Is it normal or I am missing something, I remember when I used a raspberry pi with PI Hole I was seeing all the dns domains calls and not this

Figure out who it is ?

grep -e '^.*query\[A\].**$' /var/log/pihole.log | awk '{print $8}' | sort | uniq -c | sort -n -r | head -10

Or click on the link:


Thanks for your help, with the grep I am getting 2 ips one is the ip assigned to me from the provider in my office and the other one is from my home adsl, both router (home and office) are with the vps pihole dns.

Sounds like you've got a mobile device traveling between home and office.
I know you cant check logs because they will show both routers IP's instead of the client devices, but cant you figure out which device somehow ?
If its so many log entries/queries, switch off some mobile devices for example and see if the log entries stop ?
But this is not really a Pi-Hole issue TBH.

Use below one to tail the Pi-Hole logs:

tailf /var/log/pihole.log | grep -e '^.*query.**$'

I have an Android Phone that connect on both wifi home/office, but even when the phone is off the request are still in the log.
With the tail log, there is a pattern on the requests every 30 seconds, the ip is the external ip assigned to the router from the adsl provider.
Maybe it is the Router TpLink calling home?

Check the router's WAN DNS setting. That's the DNS server the router itself would use for lookups.

You need to put on your Sherlock Holmes cap to figure out which device behind the IP address is making those queries.
You can for example disconnect your LAN ethernet cable(s) from your modem/router first to see if queries stops.
Then you could disable WLAN on your modem/router to see if stops.
Or install Pi-Hole on your LAN so you can see local private IP addresses in the Pi-Hole logs instead of that public IP address.
Or route traffic on your LAN through a network packet sniffing box like for example WireShark or TCPdump but this is more for the advanced users (I will need to google again too as has been long time ago :wink:

I have disconnected all the lan/wifi devices, Phone, Sky Decoder, Mac Mini, etc.
Disabled NTP, DDNS and all the services on the router.
But I still have those calls every 30 seconds.
I will try to check also with Wireshark, but I need to better understand how to use it :stuck_out_tongue:

This is my dns setting on the router (wan and dhcp)
IP 45.76.xx.xx is my PI-Hole installation on Vultr vps.

If you are sure no devices are connected to the router while the queries keep coming, its no use for sniffing network packets on your LAN/WLAN.
I dont know why the router behaves in such a way.
Or maybe the router allows apps/addons to be installed and one of them is generating this network traffic.

Finally all the A.ROOT-SERVERS.NET calls are vanished :grin:
changing the router setting of the wan to automatic dns (ISP dns are assigned) and using the pi-hole IP address on my vps in the DHCP primary dns setting, fixed the problem.