Wow, I'm flabbergasted! Any good ideas on how to address this nonsense?
My pi-hole got smacked with >15GB of logs this morning (yes, the day is NOT yet over...) from one of my routers and one or more of my Wiz-branded smart LED lights.
The major offending queries seem to be "phone home" messages, which I was blocking... until my router went down and would NOT come back online until I unblocked Belkin.
Any idea why these effers are so persistent?
Any idea how to stop this nonsense?!?
39 MILLION attempts to contact WIZ (some of the calls were to the EU... not my geo) 6.6 MILLION attempts to contact BELKIN
The devices set to keep trying if they don't get a response that they like.
Several options.
Firstly, consider unblocking these domains. Given the functionality of the devices, they don't seem to be malicious.
The lights would seem to be using MQTT to communicate, and are trying to reach their server.
The router would seem to be trying to establish if it has a reliable connection to the internet. (Many domestic routers do this, using either DNS where they are expecting to see a specific IP in response to the query, or to find out what IP address to ping to determine if they are online).
Secondly, check the settings of each to see if there is a way to disable these connections if you find them offensive. Many routers for example have the option to disable checking of their connection status. I don't know how your lights would go if they are unable to reach their servers.
Failing either of those, you could try adding a local DNS record for each of these domains (in Settings->Local DNS Settings). It is possible, but not especially likely, that they may take better to receiving an IP other than 0.0.0.0 (Pi-hole's default response for a blocked address).
Put an unused IP address within your network's range as the "Associated IP".
There is nothing bad with these requests. The heartbeat is to check if the router is online and check for a new firmware version. NTP to get a the time.
There might not be anything wrong with these calls... and I want to sniff their actual calls when I get some time, put my mind at ease that it really is ONLY a heartbeat and not the opening of a call to send information about my network.
Any process that spams nearly three thousand calls "home" per second every 1-2 seconds for the entire day is abusive, and either poorly written and poorly tested, or something worse than a lazy developer not limiting their loops.
