Weird queries with .lan at the end being resolved by external DNS

The issue I am facing:
Hello, I've been looking at my query log and noticed a few weird entries: they are jumbled letters that end with .lan and are resolved by the external DNS while showing as secure.
Details about my system:
Raspberry Pi 4 running Pi-hole
What I have changed since installing Pi-hole:
None aside from adding blocklists.

Has anyone seen this behavior before?

Please upload a debug log and post just the token that is generated after the log is uploaded by running the following command from the Pi-hole host terminal:

pihole -d

or do it through the Web interface:

Tools > Generate Debug Log

The token is zandp0gjc3. I had to reboot my Pi because the web interface hung after I tried to generate the log from it.
Generated from the CLI and it worked fine.

Did that help?

Could you share some samples?

If those would occur in packs of mostly three, then that could be a Chromium browser connecting to three random domains at startup.

Yes, they do appear in packs of three; that's so strange though.
Here's an example:


I picked this because it's a Windows phone that does not have a Chromium browser. So are all devices checking connectivity this way?

MS has switched its browser engine for Edge to Chromium since mid 2020 (though I don't know whether that would apply to Windows phones as well).

Maybe, but I wouldn't know that for Windows phone.

Regardless of browsers, you could check if you can correlate those entries with a browser starting.

In any case, those are valid queries initiated by your client.
You should also consider other sources for finding an explanation.

No, it would not; the last update to the Windows 10 phone was in 2019, before Edge went Chromium.

EDIT: January 14, 2020; I was off by 2 weeks, but it was still before that switch. I was hoping it would reach the phone as well and it didn't.

Considering I haven't launched the browser on that phone for ages, that is not the case.
However, I am seeing this on all devices in my network, not just that phone.

The weird thing is that it's been resolved correctly by the external DNS servers even though they're under the lan domain.

The Reply column is absent from your screenshot (likely because you are using the Long-term query log), so all that can be inferred from it is that a query was forwarded, not that it was resolved into an IP.

Given that they are for .lan, I'm very confident that all of those queries have been answered with NXDOMAIN, which should be verifiable by inspecting a more recent query in the Query Log.

They are indeed NXDOMAIN. What does that tell us? That your theory is correct and the devices are checking a random string and waiting for any response from the DNS?

If so, is there a way to group these? Or hide them?

It tells us that neither your router nor your ISP would redirect DNS requests for invalid or unknown domains to a web page laden with ads for barely related terms, which is likely what the client software issuing those requests is trying to find out about as well.

From a DNS point of view, everything is working as expected.

Since they are randomly generated, I guess not.
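As an added illustration (not part of the thread, and not Pi-hole's own tooling), the script below does what the two replies above describe by hand: it reads dnsmasq-style lines as written to Pi-hole's /var/log/pihole.log, picks out queries shaped like Chromium's startup probes (a single label of 7-15 random lowercase letters with the DNS search suffix appended, here .lan), groups them per client into bursts, and classifies each burst. A burst where every probe came back NXDOMAIN is the benign "nobody is hijacking unknown names" result; a burst where the random names resolved to an address is exactly the condition the browser's check exists to detect. The sample log lines are constructed for this example; the 10-second window, the 3-query minimum and the `.lan` suffix are assumptions you would adjust for your own network.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the dnsmasq format Pi-hole writes to /var/log/pihole.log.
# Client .20 shows the benign three-probe pattern; client .31 shows random names that
# unexpectedly resolve to an address (the case a redirect detector is meant to catch).
SAMPLE_LOG = """\
Jan 14 08:00:01 dnsmasq[512]: query[A] qzmfhtwbc.lan from 192.168.1.20
Jan 14 08:00:01 dnsmasq[512]: forwarded qzmfhtwbc.lan to 1.1.1.1
Jan 14 08:00:01 dnsmasq[512]: reply qzmfhtwbc.lan is NXDOMAIN
Jan 14 08:00:01 dnsmasq[512]: query[A] wkrpdlsao.lan from 192.168.1.20
Jan 14 08:00:01 dnsmasq[512]: reply wkrpdlsao.lan is NXDOMAIN
Jan 14 08:00:02 dnsmasq[512]: query[A] bvtygjqxmnd.lan from 192.168.1.20
Jan 14 08:00:02 dnsmasq[512]: reply bvtygjqxmnd.lan is NXDOMAIN
Jan 14 08:00:05 dnsmasq[512]: query[A] www.example.com from 192.168.1.20
Jan 14 08:00:05 dnsmasq[512]: reply www.example.com is 93.184.216.34
Jan 14 09:30:00 dnsmasq[512]: query[A] hxtokqlwz.lan from 192.168.1.31
Jan 14 09:30:00 dnsmasq[512]: reply hxtokqlwz.lan is 203.0.113.9
Jan 14 09:30:00 dnsmasq[512]: query[A] mqvrezapd.lan from 192.168.1.31
Jan 14 09:30:00 dnsmasq[512]: reply mqvrezapd.lan is 203.0.113.9
Jan 14 09:30:01 dnsmasq[512]: query[A] ufcjndkrsoy.lan from 192.168.1.31
Jan 14 09:30:01 dnsmasq[512]: reply ufcjndkrsoy.lan is 203.0.113.9
"""

# Chromium's startup probe names are 7-15 random lowercase letters; the OS resolver
# appends the search suffix, which is why they show up in the log as "<gibberish>.lan".
PROBE_LABEL = re.compile(r"^[a-z]{7,15}$")
TS_FMT = "%b %d %H:%M:%S"
QUERY_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
                      r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)$")
REPLY_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
                      r"reply (?P<name>\S+) is (?P<answer>\S+)$")


def parse_log(text):
    """Return the queries in the log, each joined with the first 'reply' line that
    dnsmasq logs for the same name afterwards (answer stays None if none was logged)."""
    queries, pending = [], defaultdict(list)
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            q = {"ts": datetime.strptime(m["ts"], TS_FMT), "qtype": m["qtype"],
                 "name": m["name"].lower(), "client": m["client"], "answer": None}
            queries.append(q)
            pending[q["name"]].append(q)
            continue
        m = REPLY_RE.match(line)
        if m and pending[m["name"].lower()]:
            pending[m["name"].lower()].pop(0)["answer"] = m["answer"]
    return queries


def is_probe_name(name, suffix):
    """True only for '<7-15 lowercase letters>.<suffix>'; real hostnames do not match."""
    label, dot, rest = name.partition(".")
    return dot == "." and rest == suffix and PROBE_LABEL.match(label) is not None


def find_probe_bursts(queries, suffix="lan", window_seconds=10, min_size=3):
    """Group probe-shaped A queries per client into bursts (consecutive probes less than
    window_seconds apart) and give each burst of at least min_size a verdict:
      clean            every probe got NXDOMAIN, so nothing is redirecting unknown names
      hijack_suspected a random name resolved to an address, i.e. NXDOMAIN rewriting
      unanswered       no reply logged yet (log cut off, or the query is still in flight)
    """
    per_client = defaultdict(list)
    for q in queries:
        if q["qtype"] == "A" and is_probe_name(q["name"], suffix):
            per_client[q["client"]].append(q)

    results = []
    for client, qs in per_client.items():
        qs.sort(key=lambda q: q["ts"])
        bursts, current = [], []
        for q in qs:
            if current and q["ts"] - current[-1]["ts"] > timedelta(seconds=window_seconds):
                bursts.append(current)
                current = []
            current.append(q)
        if current:
            bursts.append(current)
        for burst in bursts:
            if len(burst) < min_size:
                continue  # a single odd name is not the three-query startup pattern
            answers = [q["answer"] for q in burst]
            if any(a not in (None, "NXDOMAIN") for a in answers):
                verdict = "hijack_suspected"
            elif any(a is None for a in answers):
                verdict = "unanswered"
            else:
                verdict = "clean"
            results.append({"client": client, "start": burst[0]["ts"].strftime(TS_FMT),
                            "names": [q["name"] for q in burst],
                            "answers": answers, "verdict": verdict})
    return results


if __name__ == "__main__":
    for b in find_probe_bursts(parse_log(SAMPLE_LOG)):
        print(f'{b["start"]}  {b["client"]:15}  {b["verdict"]:17}  {", ".join(b["names"])}')
```

Run it against a real log with `python3 probes.py < /dev/null` after swapping `SAMPLE_LOG` for `open("/var/log/pihole.log").read()`; the "clean" verdict is the normal, uninteresting result, which is what the thread's NXDOMAIN replies mean. The script only joins the first reply line per name, so for CNAME chains the recorded answer is the canonical name rather than the final IP; that is still "not NXDOMAIN" and is classified correctly for this purpose.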


Well, it is interesting; I will try to find out more elsewhere as you suggested.
This is the last remnant of an issue I had where one machine was generating 10K queries a day and I got flagged by Cloudflare for DDoS. (It turned out it was my browser, Opera; something there got screwed up and was generating all that traffic while doing nothing.)

So I was chasing this just to make sure it's not something worse.
Thanks!

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.