Hello again,
Am I understanding correctly that the "top clients" list at the bottom of the admin page should only show my one router that acts as the dhcp server for my home network?
I am seeing requests from that server as the highest, but followed by another that has over 400 hits today while my DHCP server has 4000+. Does this mean that these requests are coming in from outside? I don't know much at all about iptables settings, but this Pi device is in the DMZ of my Comcast router.
Last login: Tue Jan 3 19:47:38 2017 from 10.0.0.18
pi@raspberrypi ~ $ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:domain
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
pi@raspberrypi ~ $
Appears to be pretty open.
I have also looked at the logfile for the external host in question and find these types of entries:
pi@raspberrypi ~ $ cd /var/log
pi@raspberrypi /var/log $ grep "198.48.92.104" pihole.log
Jan 3 00:01:11 dnsmasq[3087]: query[A] 2ch.net from 198.48.92.104
Jan 3 00:05:07 dnsmasq[3087]: query[A] weblio.jp from 198.48.92.104
Jan 3 00:06:20 dnsmasq[3087]: query[A] ensonhaber.com from 198.48.92.104
Jan 3 00:08:25 dnsmasq[3087]: query[A] wp.pl from 198.48.92.104
Jan 3 00:12:41 dnsmasq[3087]: query[A] shopify.com from 198.48.92.104
Jan 3 00:14:54 dnsmasq[3087]: query[A] google.com.bd from 198.48.92.104
Jan 3 00:16:55 dnsmasq[3087]: query[A] onlinevideoconverter.com from 198.48.92.104
Jan 3 00:20:13 dnsmasq[3087]: query[A] playstation.com from 198.48.92.104
Jan 3 00:22:14 dnsmasq[3087]: query[A] my-hit.org from 198.48.92.104
Jan 3 00:25:07 dnsmasq[3087]: query[A] google.com.kw from 198.48.92.104
Jan 3 00:28:11 dnsmasq[3087]: query[A] hurriyet.com.tr from 198.48.92.104
Jan 3 00:28:48 dnsmasq[3087]: query[A] discordapp.com from 198.48.92.104
Jan 3 00:32:19 dnsmasq[3087]: query[A] airbnb.com from 198.48.92.104
Jan 3 00:35:28 dnsmasq[3087]: query[A] ytimg.com from 198.48.92.104
Jan 3 00:38:03 dnsmasq[3087]: query[A] atlassian.net from 198.48.92.104
Jan 3 00:40:12 dnsmasq[3087]: query[A] newegg.com from 198.48.92.104
Jan 3 00:42:32 dnsmasq[3087]: query[A] nike.com from 198.48.92.104
Jan 3 00:45:43 dnsmasq[3087]: query[A] chinaz.com from 198.48.92.104
Jan 3 00:47:50 dnsmasq[3087]: query[A] kohls.com from 198.48.92.104
Jan 3 00:49:57 dnsmasq[3087]: query[A] cricbuzz.com from 198.48.92.104
Jan 3 00:52:04 dnsmasq[3087]: query[A] videodownloadconverter.com from 198.48.92.104
Jan 3 00:54:29 dnsmasq[3087]: query[A] instructables.com from 198.48.92.104
Jan 3 00:57:15 dnsmasq[3087]: query[A] blkget.com from 198.48.92.104
198.48.92.104 is the host in question from the top clients page. One odd thing is that when viewing it in the admin page it appears green, so the request was honored or answered? Just guessing, but when grepping for the IP in question in the log file, they show up in red. My thinking went along the lines that that means denied.
My guess is I need to tighten things up, but the Comcast router seems to have very few options, just low, medium and high settings for the firewall in the router. It is currently set to medium; it was low this morning, but using that did not change the # of requests from this client. There were a handful of others listed, but they were all at 1 request.
pi@raspberrypi ~ $ pihole -v
::: Pi-hole version is v2.11 (Latest version is v2.11)
::: Web-Admin version is v2.3 (Latest version is v2.3)
pi@raspberrypi ~ $ uname -a
Linux raspberrypi 4.1.19+ #858 Tue Mar 15 15:52:03 GMT 2016 armv6l GNU/Linux
pi@raspberrypi ~ $
Thanks again for a great job on pihole!
ayb
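
An added example, not part of the original post: a small Python check that reads dnsmasq query lines in the format shown in the pihole.log excerpt above and reports clients whose source address is not on the local side. The function name and the sample lines marked as constructed are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# dnsmasq query lines as they appear in the pihole.log excerpt above.
QUERY_RE = re.compile(
    r"dnsmasq\[\d+\]: query\[(?P<qtype>[^\]]+)\] (?P<name>\S+) from (?P<client>\S+)$"
)

# First three lines are from the post; the rest are constructed for illustration.
SAMPLE = """\
Jan 3 00:01:11 dnsmasq[3087]: query[A] 2ch.net from 198.48.92.104
Jan 3 00:05:07 dnsmasq[3087]: query[A] weblio.jp from 198.48.92.104
Jan 3 00:06:20 dnsmasq[3087]: query[A] ensonhaber.com from 198.48.92.104
Jan 3 00:06:21 dnsmasq[3087]: forwarded ensonhaber.com to 192.0.2.53
Jan 3 00:06:21 dnsmasq[3087]: reply ensonhaber.com is 192.0.2.10
Jan 3 00:06:30 dnsmasq[3087]: query[A] example.com from 10.0.0.1
Jan 3 00:06:31 dnsmasq[3087]: query[AAAA] example.com from 10.0.0.1
Jan 3 00:06:40 dnsmasq[3087]: query[A] example.org from 127.0.0.1
""".splitlines()


def external_clients(lines):
    """Map each non-LAN client IP to its query count and distinct-name count."""
    counts, names = Counter(), {}
    for line in lines:
        m = QUERY_RE.search(line.strip())
        if not m:
            continue  # forwarded/reply lines carry no client address
        try:
            ip = ipaddress.ip_address(m["client"])
        except ValueError:
            continue  # malformed client field
        # RFC 1918 / ULA, loopback and link-local sources are the local side.
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            continue
        counts[str(ip)] += 1
        names.setdefault(str(ip), set()).add(m["name"].lower())
    return {c: {"queries": n, "distinct_names": len(names[c])}
            for c, n in counts.most_common()}


if __name__ == "__main__":
    for client, stats in external_clients(SAMPLE).items():
        print(client, stats)
```

Any address this reports reached port 53 from outside the local network, which matches the iptables listing above accepting `dpt:domain` from anywhere on a host placed in the router's DMZ.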