What Really Happens On Your Network? Find Out With Pi-hole

Originally published at: https://pi-hole.net/2017/02/22/what-really-happens-on-your-network-find-out-with-pi-hole/

What really happens on your network? Does it come to life when you leave for work? Are there devices connecting to the Internet that you don't know about? Let's take a look.

Check out our other iterations of this post:

Pi-hole was designed for blocking ads, but it can double as a network monitoring tool because it logs all DNS queries (this can be disabled). Once you setup your router to force your network clients to use Pi-hole as their DNS server, there is nothing else to do except wait and watch what happens.

Unexpected Domain Queries

Whether it's your smart TV spying on you--or just calling home often--(if you were using Pi-hole, you could have prevented your viewing history from being sent to VIZIO).

Some more examples include strange queries coming from Chrome, a spambot sending out mail, a printer sending out 34 million queries in a day, and lots of torrent activity on your network.

Once installed, you can configure your router so that every device that connects to your network will use Pi-hole as their DNS server. This will allow all the queries happening on your network flow through Pi-hole. This doesn't slow down your network (in fact it makes things faster), because it only processes DNS traffic, unlike a proxy.

Some More Real Life Examples

IoT Devices Excessively Sending Out Queries

This isn't terribly surprising because of the nature of smart devices, but some of them do this a bit excessively.

Certain Brands Of Routers Excessively Phoning Home

Porn

  • You can decide for yourself what happened with this one.

Microsoft Windows

Users have reported that Windows makes queries to Microsoft domains throughout the day. Most notably, this is previous versions of Windows contacting Microsoft about Windows 10 upgrades (crl.microsoft.com, teredo.ipv6.microsoft.com). Someone also had issues with 300,000 queries relating to the IPv6 protocol in Windows.

Other Examples

3 Likes

Hey, thnx for this blog. It is indeed a nice feature of the pi-hole that you can find malicious or invasive network traffic.

But what is a good way to deal with it?

I don't think the advice here should be to just blacklist microsoft.com... right? But what is a good way to curb excessive home-calling lightbulbs?

Also, I wanted to ask you if you already heard of Douse. You guys might find some interesting code over there...

Thnx!

It will depend on whether it is legitimate traffic or not. Every network is different, so it will have to be up to the user. Ideally, you could at least track it down the specific client and then deal with just that machine.

No, but (some people seem to think so!)

There might not be one. If the bulbs need the connectivity to function, you could try to contact the vendor about it being so excessive...

So then I could blacklist weird domain names this machine would be asking for all the time?

What do you think about this one? It kind of baffles me that a machine is asking for these URLs. A LOT!

1 Like

It's a form of trying to prevent spoofing like we use for some domains. Use of Mixed Case DNS Queries explains it a bit more, but basically the client sends out a mixed case query, and notes which letters are uppercase, and the reply that comes back should be the same case. If not, then the client knows there's something up and should signal an issue. I haven't seen it much in the wild beyond name servers verifying responses, this is definitely the first I've seen a use of it by an actual client software program.

2 Likes

It is actually maybe not that strange. This is my Ripe NCC probe. :slight_smile:

Kinda cool that Pi.hole now for the first time allowed me to see what this little thing does!
And thank you @DanSchaper for also helping me understand :slight_smile:

Also, my top domain list is kinda interesting...

Seems that my main router is feeling very worried about being late and checking NTP servers like crazy all the time....

blacklist weird domain names this machine

I have a Hinches hunch its and apple crawler agent of some sort.