Weird Domains

stonerl · October 5, 2024, 7:14am

There is nothing you need to worry about here. You’re iPhone just uses mDNS service discovery to find AirPlay, AirPrint and other Bonjour services in your network.

Moto · October 5, 2024, 11:08am

deHakkelaar:

$ cat /etc/unbound/unbound.conf.d/pi-hole.conf
[..]
    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10

Should CGNAT reserved addresses 100.64.0.0/10 be added to that list.

stonerl · October 5, 2024, 11:12am

No, why? You won't use them on your local network. ~~And they are not specified as private IPs.~~

deHakkelaar · October 5, 2024, 4:11pm

I wouldnt know for sure.
Luckily I dont have CGNAT

anon36575986 · October 5, 2024, 9:22pm

I know its nothing to worry about, I just don't get why its only my iPhone and none of the others in the house, also it only started a few weeks ago, I do have airplay compatible devices, yes

wait a minute, when you open certain apps now it predicts you want to airplay and comes up on the dynamic island, maybe its that

anon36575986 · October 5, 2024, 9:26pm

deHakkelaar:

If Pi-hole or my router wont stop them (which they do OOTB if either is configured to do DHCP), my upstream Unbound will:

$ cat /etc/unbound/unbound.conf.d/pi-hole.conf
[..]
    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10

dosn't NAT just do this anyway
private address don't do anything other than communicate with the router and LAN devices
if they got upstream they would be invalid as the address is not available to the public

anyway not as many today, but I bet its what I mentioned above

jfb · October 6, 2024, 2:08am

Because your iPhone uses the Apple Bonjour protocol, and this form of DNS Discovery Service is used by Apple in their OS's. The OS uses this to discover local services.

deHakkelaar · October 6, 2024, 7:47pm

Using Pi-hole as an example, it uses below directive to prevent those local PTR queries (reverse lookups) from flooding the upstream DNS servers with undesired queries that they cant answer anyway:

$ cat /etc/dnsmasq.d/01-pihole.conf
[..]
bogus-priv

$ man dnsmasq
[..]
       -b, --bogus-priv
              Bogus private reverse lookups. All reverse lookups for
              private IP ranges (ie 192.168.x.x, etc) which are  not
              found  in  /etc/hosts  or the DHCP leases file are an‐
              swered with "no such domain" rather  than  being  for‐
              warded  upstream.  The set of prefixes affected is the
              list given in RFC6303, for IPv4 and IPv6.

Have a read on that blackhole link:

The other way around (a forward lookup), if Pi-hole is doing DHCP, it applies below directive to prevent lookups with the local domain being forwarded upstream:

$ cat /etc/dnsmasq.d/02-pihole-dhcp.conf
[..]
local=/home.dehakkelaar.nl/

$ man dnsmasq
[..]
       -S,            --local,            --server=[/[<domain>]/[do‐
       main/]][<ipaddr>[#<port>][@<source-ip>|<interface>[#<port>]]
              Specify IP address of upstream servers directly.
[..]
              Also permitted is a -S flag which gives a  domain  but
              no IP address; this tells dnsmasq that a domain is lo‐
              cal and it may answer queries from /etc/hosts or  DHCP
              but should never forward queries on that domain to any
              upstream servers.  --local is a synonym  for  --server
              to make configuration files clearer in this case.

Most routers do the same.

A while back the box. TLD became available publicly.
That caused problems for Fritzbox routers that have the fritz.box domain hardcoded into their routers.
Clients that were not using Fritzbox for DNS ended up on public servers bc some crooks registered fritz.box and created DNS records to redirect traffic.

anon36575986 · October 6, 2024, 9:24pm

long messages, but still nobody seems to agree or disagree with what I think it could be

it seems to have stopped suggesting airplay mirroring, and it think that's what stopped these requests, but further investigation is required, they were frequent

I will leave it here, and follow up if I have anymore information
or I might forget

deHakkelaar · October 6, 2024, 10:34pm

I thought you wanted to learn a bit so you yourself could figure it out
I do have two iPads here but not those queries.
They are not used for airply though.
I suspect an app thats depending on service discovery is the culprit.

Some more info about above dns-sd query:

EDIT: I changed the link a bit!

anon36575986 · October 10, 2024, 10:20am

They have come back and I have not used airplay mirroring, so this does seem the case

I gave that link a quick read
still no idea why its just my iPhone not anyone else's, we have 2 iPhone here all the time, and a lot of old ones that are used for beta testing, its just my main iPhone that does this

And as I setup both them iPhones, only one is mine, but I set them both up, there wireless setup is exactly the same

I wish I could find the destination intention as pi-hole seems to return nothing
NXDOAMIN, so why does the device not give up

so what uses DNS-SD?

anon36575986 · October 10, 2024, 10:26am

lb._dns-sd._udp.0.0.168.192.in-addr.arpa
lb._dns-sd._udp.cn-lan
lb._dns-sd._udp.6.0.0.192.in-addr.arpa
lb._dns-sd._udp.2.0.0.192.in-addr.arpa

does it think there is a device at 192.0.0.2 and 192.0.0.6 there invalid ip address anyway
the subnet is 255.255.0.0 not 255.0.0.0

192.168.0.0 is the only valid request being sent. but still gets nothing returned

anon36575986 · October 13, 2024, 9:22pm

I just made them hidden, so real domains can be on the top list, instead of these

system · November 3, 2024, 9:23pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.