What Really Happens On Your Network? Part Seven



Originally published at: https://pi-hole.net/2018/09/14/what-really-happens-on-your-network-part-seven/

We’re back with the latest iteration of users discovering things on their network via Pi-hole. This post is a compilation of things users have discovered over the past year. Some were bad, some were interesting, and some were enlightening. This isn’t the first time we’ve written a post like this, but we will try to go into more detail about what people have discovered and group together similar discoveries. Below you’ll find previous renditions of this type of post.

Read on to find out what people discovered happening on their networks, thanks to Pi-hole.

Queries for strange domains or strange patterns on the graphs

We’ll start off with people noticing strange domains being queried on their network. This could be anything from several queries to an unknown domain, or a computer sending out queries in the middle of the night when no one was using it.

This user discovered an odd domain in the query log: ss.epdg.epc.mnc260.mcc310.pub.3gppnetwork.org. Turns out it was probably related to Wi-Fi calling, according to one user. According to them, 3gppnetwork.com relates to areas of low cellular signal where calls are routed over a stronger/more reliable Wi-Fi connection rather than the cellular network.

More evidence of this domain being used for Wi-Fi calling can be found here.

Another similar case was reported having to do with Wi-Fi calling querying a domain, vasonanetworks.com.

This user saw the bare names your and smtp (with no TLD) in their query log. It turned out to be a Sannce security camera, and the issue was resolved after rebooting it.

More than one user discovered several different example.* domains that are constantly queried by an Amazon Echo. This isn’t really anything that bad, but it’s a bit excessive and can fill up your query log rather quickly.

This user had a very long and strange domain appear in their query log. What it actually was remains to be seen.

This user had an iPad making regular queries in the middle of the night. Most likely, it was some sort of push notification service, but the thread has more info.

This user’s smart TV was reaching out to Netflix even though the app wasn’t in active use.

This user just thought it was interesting to look at the graph and see what times his family members were using the network.

Analytics, Telemetry, Advertisements, And Tracking

It’s commonplace for many companies to inject telemetry and analytics into their software and then send it back to their servers. Companies use this information to build a profile of you, and/or they sell it to other companies who do the same thing.

This section gives some examples of things people have seen and/or blocked using their Pi-hole, preventing the analytics and telemetry from being sent back to the companies.

First up is Microsoft’s telemetry. There is no shortage of users seeing and blocking these domains with their Pi-hole.

Here’s an interesting situation. This user blocked some analytics domains, but that caused their phone to continually retry the connections, keeping the phone awake and eventually draining the battery. This goes to show how important it is for companies to keep tabs on you.

This user saw 9,000 queries to Google ad servers while they were asleep, but they were blocked by Pi-hole.

This user’s Samsung smart TV was querying all sorts of domains from Samsung and was the most chatty device on their network.

And they are not the only one to see this behavior.

This user saw an Android phone reaching out to data.logentries.com more often than they were comfortable with.

Excessive Queries For Domains

Apart from analytics and tracking, users have also seen excessive queries for various domains. There could be a number of explanations for why the domains need to be queried so often, but nonetheless, it is interesting to see what people have discovered.

Users often notice dns.msftncsi.com being queried excessively; it is used as a connectivity check.

This user saw queries from an app that was checking icanhazip.com every 30 seconds.

This one is interesting: a user’s TP-Link router was querying NTP domains 140,000 times a day. This is a lot of queries. Some may argue that accurate time is critical for computers to work properly (and it is), but consider this situation where 750 MB a month is wasted on NTP queries; if you’re on a limited bandwidth plan, this could easily become a source of concern. This user is not the only one to see a lot of NTP traffic, either.

Other times, users will see a lot of queries for specific domains. In this example, someone saw lots of queries to life360.com. Was it part of an app that they were using and considered normal, or was something else going on?

This user saw 20,000 queries to ksmobile.com; it could have been legitimate usage by whatever app caused it, but the company also works with big data, so some telemetry and user tracking could have also been involved.

This user saw a large spike in DNS traffic from a machine running Norton Anti-virus, more than from any other device on their network.

This user noticed lots of regular requests when Google Cloud Print was enabled. This is more legitimate than other things in this post, but might still be worth pointing out.
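The checks behind the discoveries in this section and in the first one (unknown domains, the chattiest device, queries in the middle of the night, an app polling a domain every 30 seconds) can be run over the query log directly. The script below is an added example, not code from the Pi-hole project or the original post; it assumes dnsmasq-format query lines as Pi-hole writes them to pihole.log, and the log lines in it are constructed samples (the addresses and timings are made up).

```python
import re
from collections import Counter
from datetime import datetime

# dnsmasq query lines in the form Pi-hole writes to pihole.log (assumed default format)
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[^\]]+)\] (?P<domain>\S+) from (?P<client>\S+)$"
)

# Constructed sample log; clients, domains and timings are made up for this example.
SAMPLE_LOG = """\
Sep 14 02:10:01 dnsmasq[512]: query[A] pool.ntp.org from 192.168.1.1
Sep 14 02:10:02 dnsmasq[512]: query[A] pool.ntp.org from 192.168.1.1
Sep 14 02:10:03 dnsmasq[512]: query[A] pool.ntp.org from 192.168.1.1
Sep 14 02:10:04 dnsmasq[512]: query[A] pool.ntp.org from 192.168.1.1
Sep 14 02:10:04 dnsmasq[512]: forwarded pool.ntp.org to 127.0.0.1#5353
Sep 14 03:15:22 dnsmasq[512]: query[A] dns.msftncsi.com from 192.168.1.40
Sep 14 03:30:05 dnsmasq[512]: query[AAAA] icanhazip.com from 192.168.1.23
Sep 14 03:30:35 dnsmasq[512]: query[AAAA] icanhazip.com from 192.168.1.23
Sep 14 09:01:00 dnsmasq[512]: query[A] ss.epdg.epc.mnc260.mcc310.pub.3gppnetwork.org from 192.168.1.23
Sep 14 12:00:00 dnsmasq[512]: query[A] example.com from 192.168.1.50
"""

def parse_queries(text):
    """Return (timestamp, qtype, domain, client) per query line; replies, forwards etc. are skipped."""
    queries = []
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:  # the syslog-style timestamp carries no year, so strptime defaults it to 1900
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            queries.append((ts, m["qtype"], m["domain"], m["client"]))
    return queries

def most_common(queries, field, n=3):
    """Most-queried domains (field 2) or chattiest clients (field 3), as (value, count) pairs."""
    return Counter(q[field] for q in queries).most_common(n)

def off_hours_queries(queries, start_hour=0, end_hour=6):
    """Queries made while nobody should be using the network (start inclusive, end exclusive)."""
    return [q for q in queries if start_hour <= q[0].hour < end_hour]

def polling_interval(queries, domain, client):
    """Shortest gap in seconds between two queries for domain from client, or None if fewer than two."""
    times = sorted(q[0] for q in queries if q[2] == domain and q[3] == client)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return min(gaps) if gaps else None
```

On a real install, feed it the contents of pihole.log and look at the top of each list; a device or domain you do not recognise, or a short polling interval, is the thread to pull on.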

Other Random Things People Have Found