Originally published at: https://pi-hole.net/2018/09/19/what-really-happens-on-your-network-part-eight/
Just last week, we had a post of things people have discovered happening on their networks. But there is no shortage of these types of posts, so here is another collection of them or you can read previous iterations of these type of posts.
- Part one: What Really Happens On Your Network?
- Part two: What Really Happens On Your Network?
- Part three: What Really Happens On Your Network?
- Part four: What Really Happens On Your Network?
- Part five: What Really Happens On Your Network?
- Part six: What Really Happens On Your Network?
- Part seven: What Really Happens On Your Network?
- Part eight: What Really Happens On Your Network?
Read on to find out more to find out what people discovered happening on their networks, thanks to Pi-hole.
Queries for strange domains or strange patterns on the graphs
This user saw regular queries to baidu.com
from a Wi-Fi amplifier. It turned out this--along with other domains--were the ones the company selected to query in order to verify Internet access.
This user saw queries to a strange domain, but nothing else is known about it.
We have seen reports of users finding devices that try to continually query domains to verify Internet connectivity. For example, this user saw a large spike in queries in the middle of the night.
This user saw a large spike in queries to a marketing, analytics, and engagement company on a Pixel2.
Queries to this .cc domain were originating from a UniFi Security Gateway, but no other information was disclosed in the thread.
This person saw one of their family member's work device making a lot of queries while the device was asleep in a laptop bag. The most likely thing that happened here is that the device was querying all sorts of local domains when it was disconnected from the VPN, as others in the thread seem to support this theory.
Analytics, Telemetry, Advertisements, And Tracking
Amazon, Roku, and Sonos were the top three offenders on this network that were blocked by Pi-hole (not to mention the other tracking domains in their list).
Here's a case of Roku sending back viewing habits and more back to Roku's mothership.
Sonos also likes to know what you're doing with their devices and how you're using them. This has been reported by more than one user.
This HP Envy printer phones home every hour.
According to one user, Malwarebytes collects telemetry from it's users as seen below.
This user's Washington Post app desperately tries to reach out to an analytical domain, as does this user's Android phone.
Excessive Queries For Domains
This user switched to a new Google Pixel phone and saw a massive jump in queries generated by Google Music.
It's also interesting to see how domains behave once they are blocked by Pi-hole. In the case of Comcast, blocking it results in devices trying to reach out excessively to the domain trying to re-establish contact.
NVIDIA is another example where the user blocked the domain and it generated tens of thousands of queries trying to re-establish contact.
This user saw a massive spike of 28,000 queries in the middle of the night for a Google connectivity check.
Other Random Things People Have Found
There is no shortage of posts about these sorts of things. Below is a large list of posts that are very similar to the ones already described in detail above or ones that didn't have a nice screenshot and weren't a great fit for this post, but they are left here for those that are curious about those things people have discovered.
- A DirectTV Genie querying level3.net every 2-6 seconds
- DLink modem queries dev
- A Netgear router excessively phoning home (and they don't want you to know about it)
- Once a second malwarebytes telemetry
- Ghostery still sends data even when off
- Xiaomi camera really wants to connect URL was apicn.hualaikeji.com
- Microsoft telemetry never gives up
- How much does Microsoft really need to track you?
- The Vizio Smart TV watches you
- Reddit's opt-out outbound analytics not being respected
- 11.5K requests for analytics domains from an Amazon device
- Sony TV reaches out to flingo.tv and netflix
- Windows telemetry tops this users top domains
- graph.facebook.com from an Android device
- The Logitech remote calling home every minute, 24 hours a day
- It's obvious when this Samsung smart TV is on
- iPhone phones home a lot
- Some Korean domains getting called every minute
- 3,000 hits to belkin.com after setting up a new Linksys router
- A Vizio opt-out or analytics is not being respected
- Roku phones home a lot
- A bunch of Amazon devices in this house, and it shows
- Rogue device pinging Google every 10 seconds
- First day with an Android device...
- Google Home Mini goes crazy with 3900+ requests at 1am
- A "trillion" hits from a smart TV
- A Sonos upgrade starts sending analytics to the mothership without consent
- Alexa calls home to Jeff Bezos
- Browsers dialing home to Amazon or Google
- Sonos data sharing is enabled, but Pi-hole says otherwise
- 7,200 hits a day to Samsung Cloud Solutions
- An Android phone phones home 500 times every 10 minutes
- Crazy amount of requests to kvinit-prod.api.kochava.com
- 28,000 queries to Google in the middle of the night
- Good ol' Microsoft (dsn.msftncsi.com)
- This user's Wi-Fi adapter queried NTP servers 500 time per hour
- Such queries. Most Netflix
- So chatty. Wow Netflix
- a 91% block rate from a single Android phone
- 50% of daily traffic is to api.segment.io
- 4,700 calls home to vizio.com (smart TV)
- 5,000 queries for scorecardresearch.com
- Google devices are very chatty
- Home Assistant has several queries every second for api.open-notify.org
- A new mesh router phones home 5,000 times an hour
- Don't buy a cheap Wi-Fi camera for this reason
- 5,000 queries home from a new router
- Abnormally high queries to .local domain
- Flooded by Google's API
- A pesky FireTV Stick hammers away at the network
- An Android phone queries pubsub.pubnub.com every minute
- Thousands of queries to "ping" domain from a Roku
- Docker pings .local domain thousands of times a minute
- helpkewl0.ksmobile.com with 20,000 queries
- 60% of queries from HolaVPN
- 60,000 NTP queries
- 3,000 queries home from a Linksys Velop router
- A CenturyLink router spams amazonvideo.com
- Thousands of queries from an AppleTV to edge.ussjc.apple.com
- A cell phone with tons of blocked requests to api.skyhookwireless.com
- 60% of blocked queries are cdn.optmizely.com
- Unusually high queries to googleadservices.com
- Thousand of queries for wpad.hsd1.ca.comcast.com
- More wpad
- Roku has insane amount of queries
- A Logitech Harmony gone wild
- Devices start freaking out during an Internet outage
- Runaway queries for merck.com
- iPhone DNS surge
- Queries to appcloud.mcafee.com
- Runaway Google Home Mini (12k requests)
- Foscam with a large amount of queries
- High amounts of queries to minexmr.com (cryptomining)
- More Amazon chatty devices
- [complex_uuid].v4.metric.gstatic.com queries
- 300,000 requests to alb.reddit.com per day
- Lots of requests to akamiedge.net
- Pi-hole dashboard calms down once Webcam is removed
- Google OnHub call gstatic.com 100,000 times
- Too much traffic from a Wyze camera
- Crazy calls to crashlytics.com
- Lots of requests to strict.bing.com
- This router pings google.com every 10 seconds
- This router was spying on this user
- Huge number of AppleTV queries
- Lots of queries to the Docker registry
- ISP equipment phones home
- Strange PayPal requests