Originally published at: https://pi-hole.net/2018/09/14/what-really-happens-on-your-network-part-seven/
We're back with the latest iteration of users discovering things on their network via Pi-hole. This post is a compilation of things users have discovered over the past year. Some were bad, some were interesting, and some were enlightening. This isn't the first time we've written a post like this, but we will try to go into more detail about what people have discovered and group together similar discoveries. Below you'll find previous renditions of this type of post.
- Part one: What Really Happens On Your Network?
- Part two: What Really Happens On Your Network?
- Part three: What Really Happens On Your Network?
- Part four: What Really Happens On Your Network?
- Part five: What Really Happens On Your Network?
- Part six: What Really Happens On Your Network?
- Part seven: What Really Happens On Your Network?
- Part eight: What Really Happens On Your Network?
Read on to find out what people discovered happening on their networks, thanks to Pi-hole.
Queries for strange domains or strange patterns on the graphs
We'll start off with people noticing strange domains being queried on their network. This could be anything from several queries to an unknown domain, or a computer sending out queries in the middle of the night when no one was using it.
This user discovered an odd domain in the query log: ss.epdg.epc.mnc260.mcc310.pub.3gppnetwork.org. Turns out it was probably related to Wi-Fi calling, according to one user. According to them, 3gppnetwork.org relates to areas of low cellular signal where calls are routed over a stronger, more reliable Wi-Fi connection rather than the cellular network.
More evidence of this domain being used for Wi-Fi calling can be found here.
Another similar case was reported, also having to do with Wi-Fi calling querying a domain.
This user saw the domains your and smtp (without a TLD) in their query log. It turned out to be from a Sannce security camera, and the issue was resolved after rebooting it.
More than one user discovered several different example.* domains that are constantly queried by an Amazon Echo. This isn't really anything that bad, but it's a bit excessive and can fill up your query log rather quickly.
This user had a very long and strange domain appear in their query log. What it actually was remains to be seen.
This user had an iPad making regular queries in the middle of the night. Most likely, it was some sort of push notification service, but the thread has more info.
This user's smart TV was reaching out to Netflix even though the app wasn't in active use.
This user just thought it was interesting to look at the graph and be able to see what time his family members were using the network.
Analytics, Telemetry, Advertisements, And Tracking
It's commonplace for many companies to inject telemetry and analytics into their software and then send it back to their servers. Companies use this information to build a profile of you, and/or they sell it to other companies who do the same thing.
This section will give some examples of things people have seen and/or blocked using their Pi-hole--preventing the analytics and telemetry from being sent back to the companies.
First up is Microsoft's telemetry. There is no shortage of users seeing and blocking these domains with their Pi-hole.
Here's an interesting situation. This user blocked some analytics domains, but that caused their phone to continually try to connect to them, keeping the phone awake and eventually draining the battery. This goes to show how important it is for companies to keep tabs on you.
This user saw 9,000 queries to Google ad servers while they were asleep, but they were blocked by Pi-hole.
This user's Samsung smart TV was querying all sorts of domains from Samsung and was the most chatty device on their network.
And they are not the only one to see this behavior.
This user saw an Android phone reaching out to data.logentries.com more often than they were comfortable with.
Excessive Queries For Domains
Separate from analytics or tracking, users have also seen excessive queries for other domains. There could be a number of explanations for why the domains need to be queried so often, but nonetheless, it is interesting to see what people have discovered.
Just as often, users notice dns.msftncsi.com being excessively queried as a connectivity check.
This user saw queries from an app that was checking icanhazip.com every 30 seconds.
This one is interesting: a user's TP-Link router was querying NTP domains 140,000 times a day. This is a lot of queries, and some may argue that time is critical for computers to work properly--and it is--but consider this situation where 750 MB a month is wasted on NTP queries; if you're on a limited bandwidth plan, this could easily become a source of concern. This user is not the only one to see a lot of NTP traffic, either.
Other times, users will see a lot of queries for specific domains. In this example, someone saw lots of queries to life360.com. Was it part of an app that they were using and considered normal, or was something else going on?
This user saw 20,000 queries to ksmobile.com; it could have been legitimate usage by whatever app caused it, but the company also works with big data, so some telemetry and user tracking could have also been involved.
This user saw a large spike in DNS traffic from a machine running Norton Anti-virus--more than any other device on their network.
This user noticed lots of regular requests when Google Cloud Print was enabled. This is more legitimate than other things in this post, but might still be worth pointing out.
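As an added example (not from the original post or the Pi-hole project), a small Python script that parses dnsmasq-style query lines like those in /var/log/pihole.log and flags two of the patterns described in this section and the first one: a client/domain pair queried far too often within a single hour (the 30-second connectivity poll, the NTP-happy router) and devices that are still querying during hours when nobody is using the network. The log line format and the sample lines are assumptions constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime

# A dnsmasq "query" line as Pi-hole writes it to /var/log/pihole.log (assumed
# format); "forwarded"/"reply"/"cached" lines do not match and are skipped.
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>\w+)\] (?P<domain>\S+) from (?P<client>\S+)$"
)

def parse_queries(lines, year=2018):
    """Yield (timestamp, client, domain) per query line; syslog stamps carry no year."""
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["client"], m["domain"].lower().rstrip(".")

def chatty_pairs(queries, max_per_hour):
    """Return {(client, domain): peak hourly count} for pairs exceeding max_per_hour in any hour."""
    per_hour = Counter()
    for ts, client, domain in queries:
        per_hour[(client, domain, ts.replace(minute=0, second=0))] += 1
    peak = {}
    for (client, domain, _hour), n in per_hour.items():
        if n > max_per_hour:
            peak[(client, domain)] = max(n, peak.get((client, domain), 0))
    return peak

def quiet_hour_clients(queries, start=1, end=5):
    """Return {client: set(domains)} for queries made between start:00 and end:00."""
    seen = {}
    for ts, client, domain in queries:
        if start <= ts.hour < end:
            seen.setdefault(client, set()).add(domain)
    return seen

# Constructed sample log: a phone polling icanhazip.com every 30 s, a router
# asking for an NTP pool once, and a tablet waking at 03:00 for a push service.
SAMPLE_LOG = [
    "Sep 14 10:00:00 dnsmasq[512]: query[A] icanhazip.com from 192.168.1.20",
    "Sep 14 10:00:30 dnsmasq[512]: query[A] icanhazip.com from 192.168.1.20",
    "Sep 14 10:01:00 dnsmasq[512]: query[A] icanhazip.com from 192.168.1.20",
    "Sep 14 10:01:30 dnsmasq[512]: query[A] icanhazip.com from 192.168.1.20",
    "Sep 14 10:01:31 dnsmasq[512]: forwarded icanhazip.com to 1.1.1.1",
    "Sep 14 10:02:00 dnsmasq[512]: query[A] pool.ntp.org from 192.168.1.1",
    "Sep 14 03:00:05 dnsmasq[512]: query[A] push.example from 192.168.1.33",
]
```

Point `parse_queries` at the real log (`open("/var/log/pihole.log")`) and tune `max_per_hour` to what your network's normal looks like; anything that stands out is a device worth a closer look, not automatically a problem.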
Other Random Things People Have Found
- This user didn't realize how bad the tracking and ads are until they used Pi-hole
- Lots of blocked ads and analytics
- A new user is shocked by how much is blocked by Pi-hole
- And another
- A user is utterly disgusted and in love with what they learned from Pi-hole
- Blocking IDN phishing domains
- Necromancing applications
- 72.8% blocked (including Microsoft telemetry)
- Learning 40% of your traffic is blocked within just 13 hours
- Saved an iPad mini from a lonesome retirement
- Long term stats revealed a spike in traffic
- This is why I have Pi-hole (example of an ad-laden site)
- Found malware thanks to Pi-hole
- Horrified by what is discovered when Pi-hole reveals what is happening
- So many trackers
- Sheer amazement at what happens on your network
- Odd requests for iqhive.com and others
- Strange domains in the Top Lists (it was Netflix)
- newsserver is the top domain
- Undetectable malware?
- Late night calls to ocsp.digicert.com
- reedpen.us being queried
- home.home in the query log
- An unusual MAC address...
- Apple TV shows so many ads
- The Magnavox TV that spies on you
- Fritz!Box on the fritz querying some strange domain
- An Android phone doing something during the middle of the night
- Weird dip in queries around midnight
- A sudden burst of queries from a phone
- A phone queries ral.lu
- A router exhibiting suspicious queries
- A desktop reaching out to ftp.asus.com.tw
- z.motoads.com in the query log
- and again
- strange Internet drops
- CentOS machines keep querying mirrors.powernet.com.ru
- A Raspberry Pi keeps contacting itself
- The "no" domain NO NEED TO CONNECT.lan?
- 3,000 queries every night and can't figure out why
- Weird queries that go bump in the night
- Unknown client in logs
- Pi-hole queries itself and a non-existent domain
- Torrent sites keep getting queried even when not in use
- mdrjr.com is being queried
- Dad stops for a visit and the queries on the network dramatically increase
- How long has authedmine.com been getting queried?
- PlayStation 4 queries the "zero" domain
- A Mac reaches out to macromedia.com at regular intervals
- A phone sending queries to msplusps.vodafone.com and mspluswf.vodafone.com
- A phone home domain? d3p8zr0ffa9t17.cloudfront.net
- Almost had a heart attack after leaving the computer on all night to see this...
- Random string domains in the query log
- Roku captures more than just your viewing habits...
- iPhone queries in the night
- A bunch of requests for a strange domain