In the Dashboard, under 'Top Clients (total)', I have several thousand showing as 'unknown'.
How can I trace what these clients are, please?
Jim
How many clients approximately are you expecting to see? Is this Pi-hole being used in just a home or for an organisation? Is the Pi-hole there with you or remote on a different network?
What is the output of these two commands (they will help show what the Pi-hole is doing for those clients)?
echo ">stats >quit" | nc localhost 4711
echo ">querytypes >quit" | nc localhost 4711
Thanks for the reply 'chrislph'.
I'm using Pi-hole on a home network and expect to see less than 10 clients. I have the Pi-hole with me and can ssh into it.
Here are the outputs of the 2 commands:
pi@Pi-Hole:~ $ echo ">stats >quit" | nc localhost 4711
domains_being_blocked 831361
dns_queries_today 17438
ads_blocked_today 2164
ads_percentage_today 12.409680
unique_domains 4019
queries_forwarded 7299
queries_cached 7514
clients_ever_seen 22
unique_clients 18
dns_queries_all_types 17438
reply_UNKNOWN 483
reply_NODATA 925
reply_NXDOMAIN 6595
reply_CNAME 3878
reply_IP 5312
reply_DOMAIN 187
reply_RRNAME 0
reply_SERVFAIL 0
reply_REFUSED 0
reply_NOTIMP 0
reply_OTHER 0
reply_DNSSEC 0
reply_NONE 0
reply_BLOB 58
dns_queries_all_replies 17438
privacy_level 0
status enabled
pi@Pi-Hole:~ $ echo ">querytypes >quit" | nc localhost 4711
A (IPv4): 48.45
AAAA (IPv6): 5.96
ANY: 0.00
SRV: 0.02
SOA: 0.00
PTR: 38.27
TXT: 0.00
NAPTR: 0.00
MX: 0.00
DS: 0.00
RRSIG: 0.00
DNSKEY: 0.00
NS: 0.00
OTHER: 0.02
SVCB: 0.00
HTTPS: 7.28
and here's a screenshot that shows the puzzling number of 'unknown' clients:
Jim
I think this is just a single client using the name "unknown" (for whatever reason).
If you click on the name you will be able to see the IP and all queries made by this "unknown" client.
You will see something like this on the title:
Recent Queries (showing all queries for client 192.168.0.1, show blocked only)
Look at the queries and you will be (probably) able to identify which device (or devices) is making the queries.
Thanks for the reply 'rdwebdesign'.
All the entries are from a client I don't recognise:
2023-04-24 18:56:47 A epdg.epc.mnc020.mcc234.pub.3gppnetwork.org unknown OK (answered by dns.google#53)
A brief trawl on the net suggests that it's something to do with a mobile phone network, but I didn't understand enough of it to know whether it's good or bad!
Jim
Thanks for trying those commands, the results there look normal.
Try turning your phones and tablets fully off for 30 mins and at the end of that period, with them still turned off, click the "unknown" client and it will show its queries. You can see the last query made by it at the top of the log entries shown. Does it match with when you turned them off?
If so, then you can try turning on your phones and tablets one by one and, for each one you do, click the "unknown" client and see if it has started querying again. That will reveal which one it is.
However if "unknown" was still active while all the phones and tablets were off, then it must be something else and you can broaden your search.
The domain you listed is part of the mobile network Three UK, where a phone can switch to making calls over the wifi network if the mobile signal is low.
You can also take a look in Tools > Network and look for Unknown entries, and see if the Hardware Address to the left of it indicates which device manufacturer it is.
It's looking like you're safe and it's probably a mobile device on your network doing its background stuff. You're right to have wanted to check though, it's good to be sure what is going on. Pi-hole helps a lot with that.
Many thanks for the comprehensive reply 'chrislph' - it's reassuring!
Jim
I've noticed that there's a spike of 'unknown' client activity every hour, between 20 and 10 minutes to the hour. I'm at a loss as to what causes this activity - I've checked for any cron activity at this time, but can't see any. Suggestions?
Jim
Probably the client in question performing some periodic background activity. The first step is to identify the client. Clicking it shows the domains it's querying, and the process I described gives a way to try and identify the device. The domain you posted is linked to Three, so if you have any Three devices (phone, tablet, hotspot, etc), that would be the likely cause and a good place to start.
For example say your phone was an iPhone 12, if you use your phone and access a made up website such as iphone12.example.com and then refresh the Query Log, you'll see the domain and the name of the device that requested it. You can use this on each device, with a unique made up name, to identify the Unknown device or rule out the other devices.
If I go to Tools>Network and select 'unknown' I see that the queries are from my router, with great blocks of non-existent domain entries like the following.
Recent Queries (showing all queries for client 192.168.1.1, show blocked only)
2023-04-25 12:46:20 PTR 17.1.168.192.in-addr.arpa unknown OK (cache) NXDOMAIN
These entries appear to be the culprits for the 'unknown' spikes that occur every hour.
Jim
It's common for devices like routers to make PTR queries periodically, and once every hour is quite typical. It makes a query to the DNS server (in this case Pi-hole) for each of the IPs it knows about to check if they are present and find their hostname.
So in your above example the router asked Pi-hole for the hostname of 192.168.1.17, and that IP appears to have gone away since the router first saw it, hence the NXDOMAIN.
Your earlier stats show in a 24-hour period 17,400 requests and 38% of those being PTR requests which is around 6,600, or around 275 per hour on average. Your stats also show around 20 clients which means the PTR requests do seem slightly excessive, but for example Apple devices make PTR requests to look for various Apple services on your network to support their "it just works" way of working. Some smart devices also make such queries repeatedly. Most clients will be making at least some such requests on and off all the time.
Some misconfigurations can cause excessive PTR requests (a form of loop) but that usually creates a ton more than you are seeing, and things would be not working right.
The main thing is you've identified "Unknown" as your router, the PTR requests are a normal part of the network operation, routers often send a batch of them every hour and the numbers seem okay. You were right to check what's going on.
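The arithmetic in the reply above (PTR share of the daily total, divided by 24) and the "which client is behind the hourly burst" question can both be checked mechanically. The script below is an added example, not code from the thread or from the Pi-hole project: it parses the `>stats` and `>querytypes` replies in the format quoted earlier, parses Query Log lines in the format Jim pasted (timestamp, type, domain, client, status, extra), reverses an in-addr.arpa name back to the IP being looked up, and builds a minute-of-hour histogram per client so that an hourly spike stands out. The sample stats and log lines embedded in it are constructed from the values posted in this thread; the `hours=24` assumption and the log layout are assumptions, not a Pi-hole API.

```python
"""Added example: sanity-check the PTR-per-hour estimate and locate the
client behind a periodic burst, using the text formats quoted in the thread."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample: abridged copy of the `>stats` output posted above.
STATS_OUTPUT = """domains_being_blocked 831361
dns_queries_today 17438
ads_blocked_today 2164
ads_percentage_today 12.409680
unique_clients 18
reply_NXDOMAIN 6595
status enabled
"""

# Constructed sample: abridged copy of the `>querytypes` output posted above.
QUERYTYPES_OUTPUT = """A (IPv4): 48.45
AAAA (IPv6): 5.96
PTR: 38.27
HTTPS: 7.28
"""

# Constructed sample Query Log lines in the layout Jim pasted (the client
# column may be a hostname such as "unknown" or an IP, depending on Pi-hole's
# name resolution for that client).
LOG_LINES = """\
2023-04-24 18:56:47 A epdg.epc.mnc020.mcc234.pub.3gppnetwork.org unknown OK (answered by dns.google#53)
2023-04-25 11:46:02 PTR 17.1.168.192.in-addr.arpa unknown OK (cache) NXDOMAIN
2023-04-25 11:46:03 PTR 23.1.168.192.in-addr.arpa unknown OK (cache) NXDOMAIN
2023-04-25 12:01:15 A example.com laptop OK (answered by dns.google#53)
2023-04-25 12:46:20 PTR 17.1.168.192.in-addr.arpa unknown OK (cache) NXDOMAIN
2023-04-25 12:46:21 PTR 23.1.168.192.in-addr.arpa unknown OK (cache) NXDOMAIN
2023-04-25 12:46:22 PTR 1.1.168.192.in-addr.arpa unknown OK (cache)
2023-04-25 13:02:40 AAAA example.org phone OK (answered by dns.google#53)
""".splitlines()


def parse_stats(text):
    """Turn 'key value' lines from `>stats` into a dict; numbers become int/float."""
    out = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(" ")
        try:
            out[key] = float(value) if "." in value else int(value)
        except ValueError:
            out[key] = value  # non-numeric entries such as 'status enabled'
    return out


def parse_querytypes(text):
    """Turn 'TYPE (note): percent' lines from `>querytypes` into {type: percent}."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Z]+)(?: \([^)]*\))?: ([\d.]+)$", line.strip())
        if m:
            out[m.group(1)] = float(m.group(2))
    return out


def ptr_rate(stats, qtypes, hours=24.0):
    """Estimate (total PTR queries, PTR queries per hour) from the daily total
    and the PTR percentage. 'hours' is assumed to be the stats window."""
    total = stats["dns_queries_today"] * qtypes.get("PTR", 0.0) / 100.0
    return round(total), round(total / hours)


# timestamp, query type, domain, client, status, optional trailing detail
LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\S+)(?: (.*))?$")


def parse_log_line(line):
    """Parse one Query Log line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, qtype, domain, client, status, extra = m.groups()
    return {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "type": qtype,
            "domain": domain, "client": client, "status": status,
            "extra": extra or ""}


def arpa_to_ip(name):
    """'17.1.168.192.in-addr.arpa' -> '192.168.1.17' (the IP the PTR asks about)."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    return ".".join(reversed(name[: -len(suffix)].split(".")))


def ptr_count_by_client(lines):
    """How many PTR queries each client made: the router should dominate here."""
    counts = Counter()
    for rec in map(parse_log_line, lines):
        if rec and rec["type"] == "PTR":
            counts[rec["client"]] += 1
    return counts


def minute_buckets(lines, client, bucket=10):
    """Minute-of-hour histogram for one client in `bucket`-minute bins.
    Queries piling into one bin (e.g. 40-49) indicate hourly periodic activity."""
    hist = Counter()
    for rec in map(parse_log_line, lines):
        if rec and rec["client"] == client:
            hist[(rec["time"].minute // bucket) * bucket] += 1
    return dict(hist)


if __name__ == "__main__":
    stats, qtypes = parse_stats(STATS_OUTPUT), parse_querytypes(QUERYTYPES_OUTPUT)
    print("PTR total/day, per hour:", ptr_rate(stats, qtypes))
    print("PTR by client:", ptr_count_by_client(LOG_LINES))
    print("unknown, minute-of-hour:", minute_buckets(LOG_LINES, "unknown"))
    print("reverse of first PTR:", arpa_to_ip("17.1.168.192.in-addr.arpa"))
```

On the posted figures this gives roughly 6,670 PTR queries a day, about 278 an hour, matching the estimate in the reply, and the histogram for the "unknown" client puts all of its PTR traffic in the 40-49 minute bin, which is the "20 to 10 minutes to the hour" window Jim noticed. To run it against a real log, replace `LOG_LINES` with lines exported from the Query Log page in the same layout.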
Excellent information - many thanks 'chrislph'!
Is there a way of filtering out these requests to reduce visual clutter?
Jim
You can filter this out a couple of ways. I do it on my setup by going to Settings/API and adding:
*.home.arpa
*.in-addr.arpa
to Top Domains/Top Advertisers and
*.in-addr.arpa
to Top Clients. That way Pi-hole still does its job but the stats are hidden from the Dashboard.
EDIT: The second entry should be 192.168.1.1 as @chrislph says below, this is just what I choose to filter for my needs.
Not in the Query Log. Pi-hole is just showing what's coming in. You can, however, hide the router in the Top Clients part of the dashboard (the top line of your earlier screenshot) by going to Settings > API and enter the router's IP 192.168.1.1 in the box labelled Top Clients and click Save.
Many thanks to those that have replied. I think that I've got enough information (once I've digested it!)
Jim