Why do I get 60.2% blocked during the night?

Please follow the below template, it will help us to help you!

If you are experiencing issues with a Pi-hole install that has non-standard elements (e.g. you are using nginx instead of lighttpd, or there is some other aspect of your install that is customised) - please use the Community Help category.

Expected Behaviour:

[Percentage of blocked sites constant during the whole day with little fluctuations (around 20-30%). Pi-hole version: 5.8.1]

Actual Behaviour:

[High percentage of blocked sites during the night, with peaks of 60-80% after the setup of "Allow only local requests".]

Debug Token:

[https://tricorder.pi-hole.net/GdyUP8gH/]

Look at what queries get blocked overnight!

Does your internet connection go down overnight? In that case, I could imagine that some smart TV, speaker or cell phone keeps trying to talk to the mothership but fails because it never reaches it (but it can reach your local DNS and keeps asking it for an IP).

Before 23:00 I disabled the Conditional Forwarding option in my Pi-hole, and this night I did not get the high percentage of blocked sites. Could this be caused by that option?

What handles DHCP on your network? It looks like all your devices are using one device for queries, so I'm guessing you have all DNS lookups forwarded from your router to Pi-hole? Conditional forwarding just lets your Pi-hole get hostnames of devices, e.g. iPhone or HPlaptop.

If you scroll down on the dashboard you will see "Top Blocked Domains"; that should tell you what is being blocked and some insight into what device is making the requests.

Also: Dashboard is a summary of the past 24 hours, not overnight.

I can see a ton of blocked requests between 0300 and 0700 and a spike at ~2300. From what I see you are getting 100% blocked queries at night. Something is trying hard to phone home.
So, it is 60% overall. If you put your cursor over the activity, it will tell you the exact breakdown.

Enable conditional forwarding tonight, and see what is making all those requests. It is not hurting anything to block it.

Screenshot the "Top Blocked Domains" for more help.
This should not be too hard to chase down; you only have 7 clients.

The DHCP is handled by the router, which is the one with IP of 192.168.88.1.

The blocked domains are "ad.doubleclick.net" and "www.googleadservices.com" over and over again from 0300 to 0700. It is strange 'cause I do not have any speaker at all, and the smartTV is off at that time.

Oddly enough, tonight I had some blocked domains (from 0300 to 0700) but not as high as in the post, so I don't know what it could be. Maybe I configured the PiHole-Router interface wrongly and the firewall is open?

Did you have a look at the relevant data yet?

To zoom into the relevant section of Pi-hole's query log (showing queries within specified time interval), try clicking on one of the conspicuous bars in the Total queries over last 24 hours chart.
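The zoom-in described above answers "what was blocked, when, and by which client" for one bar at a time. The following script is an added example (not Pi-hole's code and not posted by anyone in this thread) that does the same aggregation offline against a small constructed copy of the `queries` table from Pi-hole's FTL database. The column subset (`timestamp`, `type`, `status`, `domain`, `client`) and the status codes for blocked queries are assumptions taken from the Pi-hole documentation; verify them against `/etc/pihole/pihole-FTL.db` on a real install before pointing the SQL at it. The sample rows are constructed to mirror this thread: a normal daytime hour and two night hours in which one client (the router's address, 192.168.88.1) repeats the same two blocked lookups.

```python
import sqlite3
from datetime import datetime, timezone

# Assumption (Pi-hole docs): these `status` values mean the query was blocked.
#   1 = gravity, 4 = regex, 5 = exact blacklist, 9/10/11 = blocked via CNAME inspection
BLOCKED_STATUSES = (1, 4, 5, 9, 10, 11)

# Subset of FTL's `queries` table; column names and types are assumptions.
SCHEMA = """
CREATE TABLE queries (
    id        INTEGER PRIMARY KEY AUTOINCREMENT,
    timestamp INTEGER NOT NULL,
    type      INTEGER NOT NULL,
    status    INTEGER NOT NULL,
    domain    TEXT    NOT NULL,
    client    TEXT    NOT NULL
);
"""


def ts(when):
    """Turn a constructed 'YYYY-MM-DD HH:MM' string (treated as UTC) into a Unix timestamp."""
    return int(datetime.strptime(when, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc).timestamp())


# Constructed sample data: (timestamp, type=1 for A records, status, domain, client).
SAMPLE_ROWS = [
    # a daytime hour with mixed traffic from two LAN clients
    (ts("2022-01-31 12:00"), 1, 2, "example.org", "192.168.88.20"),
    (ts("2022-01-31 12:05"), 1, 1, "ad.doubleclick.net", "192.168.88.20"),
    (ts("2022-01-31 12:10"), 1, 3, "example.org", "192.168.88.21"),
    (ts("2022-01-31 12:15"), 1, 2, "pi-hole.net", "192.168.88.21"),
    # overnight: the router address retrying the same two blocked names
    (ts("2022-02-01 03:00"), 1, 1, "ad.doubleclick.net", "192.168.88.1"),
    (ts("2022-02-01 03:01"), 1, 1, "www.googleadservices.com", "192.168.88.1"),
    (ts("2022-02-01 03:02"), 1, 1, "ad.doubleclick.net", "192.168.88.1"),
    (ts("2022-02-01 03:03"), 1, 1, "www.googleadservices.com", "192.168.88.1"),
    (ts("2022-02-01 03:04"), 1, 1, "ad.doubleclick.net", "192.168.88.1"),
    (ts("2022-02-01 03:30"), 1, 2, "time.example.net", "192.168.88.21"),
    (ts("2022-02-01 04:00"), 1, 1, "ad.doubleclick.net", "192.168.88.1"),
    (ts("2022-02-01 04:01"), 1, 1, "www.googleadservices.com", "192.168.88.1"),
    (ts("2022-02-01 04:02"), 1, 1, "ad.doubleclick.net", "192.168.88.1"),
    (ts("2022-02-01 04:03"), 1, 1, "www.googleadservices.com", "192.168.88.1"),
]


def load_sample_db():
    """Build an in-memory database with the constructed rows (swap for sqlite3.connect(path) on a real install)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO queries (timestamp, type, status, domain, client) VALUES (?, ?, ?, ?, ?)",
        SAMPLE_ROWS,
    )
    conn.commit()
    return conn


def hourly_blocked_ratio(conn):
    """Return [(hour, total, blocked, blocked_percent)] per UTC hour, i.e. the bars of the dashboard chart."""
    marks = ",".join("?" * len(BLOCKED_STATUSES))
    sql = f"""
        SELECT strftime('%Y-%m-%d %H', timestamp, 'unixepoch') AS hour,
               COUNT(*) AS total,
               SUM(CASE WHEN status IN ({marks}) THEN 1 ELSE 0 END) AS blocked
        FROM queries
        GROUP BY hour
        ORDER BY hour
    """
    rows = conn.execute(sql, BLOCKED_STATUSES).fetchall()
    return [(hour, total, blocked, round(100.0 * blocked / total, 1)) for hour, total, blocked in rows]


def suspicious_hours(conn, threshold_percent=60.0):
    """Hours whose blocked share reaches the threshold; these are the bars worth clicking on."""
    return [hour for hour, _, _, pct in hourly_blocked_ratio(conn) if pct >= threshold_percent]


def top_blocked(conn, start, end, limit=5):
    """Blocked (domain, client, count) pairs inside [start, end): what the query-log zoom shows."""
    marks = ",".join("?" * len(BLOCKED_STATUSES))
    sql = f"""
        SELECT domain, client, COUNT(*) AS n
        FROM queries
        WHERE timestamp >= ? AND timestamp < ? AND status IN ({marks})
        GROUP BY domain, client
        ORDER BY n DESC, domain
        LIMIT ?
    """
    return conn.execute(sql, (start, end, *BLOCKED_STATUSES, limit)).fetchall()


if __name__ == "__main__":
    db = load_sample_db()
    for hour, total, blocked, pct in hourly_blocked_ratio(db):
        print(f"{hour}:00  total={total:3d}  blocked={blocked:3d}  {pct:5.1f}%")
    print("suspicious hours:", suspicious_hours(db))
    for domain, client, n in top_blocked(db, ts("2022-02-01 02:00"), ts("2022-02-01 07:00")):
        print(f"  {n:3d}  {domain:28s}  from {client}")
```

Because the forwarded-from-router setup discussed later in this thread makes every query appear to come from the router's address, the `client` column can only narrow things down to the router; the same queries grouped by hour and domain still show whether it is one name repeated on a timer (a device retrying) or a broad mix.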

If you want to test your firewall you can go to ShieldsUP at GRC | ShieldsUP! — Internet Vulnerability Profiling
Read, hit Proceed and then use the UPnP test and the tests in the border of the rectangle just below it.

ad.doubleclick is an ad serving service, so that makes sense. They have been around forever. I remember seeing them in the late 90's show up on my SonicWall logs so often I manually blocked them.

Googleleadservices, however, is a hack. You need to find the device that it is running on and remove it.

If it only shows the router making the requests, then you are going to need to turn one thing off a night until you narrow it down.

www.googleadservices.com seems to be a proper Google URL
https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&startdate[day]=7&startdate[month]=2&startdate[year]=2002&useip=0.0.0.0&mimetype=plaintext

There seems to be a lot of debate about it. Most people call it spyware and I did not read all the hits but from what I gather it can and is easily hijacked.

https://www.2-spyware.com/remove-google-lead-services.html

Yes, googleleadservices definitely seems like malware / phishing, but googleadservices is an official Google domain meant for ads (still tracking).

OP here seems to have Google's official domain, so probably they aren't compromised by an unknown source.

When doing the UPnP test it shows "The equipment at the target IP Address actively rejected our UPnP probes!"; but if I test the Service Ports I found that ports 21, 22, 23, 53 and 80 are open. I know port 21 to 23 are for ssh/telnet, but having ports 53 and 80 open are risk factors (but I don't know how to close them).

Observing the query logs as @Bucking_Horn suggested, there are peaks only on 26-01-2022 and 31-01-2022 (always from 0200 to 0700), and the IP of the device making the requests is the one of my router!

@demonshreder thanks for the info, but I don't know how to stop the requests coming from some device.

Yes, it shows up as the router because your devices are getting their DNS lookup address from it; the router then passes the request to the Pi-hole. There is nothing wrong with that. It is normal.

You did configure your router to send DNS lookups to the Pi-hole, yes? You can configure each device and the router manually. It is just redundant, but you can see which device made the query if DNS is manually entered. You can close those ports in your router.

I use OpenWRT and it shows nothing. Not one port is open. I do have file sharing and NetBIOS over TCP but they cannot detect it.
What does it return for the rest of the tests?

Just ignore the bottom two tests.

I've already said what I think of googleleadservices. The requests are being stopped by Pi-hole, as long as you are at home.

Thanks for the fast reply, and sorry if I'm bothering you so much!

I think I configured my router to route all the traffic through the Pi-hole (here's the guide I followed; it's in Italian but I think you will understand what it does).

Regarding the port and the test, I just updated my router firewall and now it shows every port as "stealth".

It looks like you do have a couple of devices that are trying to get DNS manually, and I'm going to guess that the guide about forwarding 53 is working, or you manually configured them.

If this is really bothering you, just shut down devices you do not need for a few nights.

If it does not happen, then you know it is one of the devices you have off. If it still happens, it is in the pool you left on.
I personally cannot stand Google. My phones are iPhones and so are my tablets. My computers are either Linux or Windows or. I surf with the Brave Browser and search with DuckDuckGo.

If you have an Android phone and you need it on at night, just disable wifi overnight and as far as the network knows it is off.

I see what you are saying.

Given that:
My Pi-hole sinks that domain, and it also sinks ipinfo.io on my setup, and it looks like so does the OP's.
I'm surprised you use Pi-hole and could access those sites.
OP is blocking it. My system is blocking it.
But I do have an additional list that raises blocked domains to ~240,000, so I don't know.
When I installed the 'official' 64bit version of Bullseye, (today on my new Zero 2) I only had ~100,000 blocked domains but after I teleported my settings, rebooted, it was back up to 243,252.

We can, at least, agree that some Pi-hole lists do not like it...

edit
Well, this is pertinent at a convenient time for me:

Ok, it seems I understand the problem: the router (MikroTik) was sending tons of requests to "cloud.mikrotik.com" because of services like "internet interface detection", "cloud", "auto time sync" and "timezone". Just disabling all of them stopped all the requests.

I will keep you updated in the next days.

Thanks everyone for the patience!

I extend my WiFi with a Netgear Nighthawk (in AP mode; for some reason it does not work as it should in bridge mode) and it sends thousands of requests to Netgear every 24 hours... All day and night.
It is doing nothing but extend my WiFi coverage. Basically a wired repeater.

I have no idea why it phoned home so often, but it bothered me and I added it manually to the blocklist.

I looked up MikroTik and they have a very good reputation, but can be complicated for new users.

Give it a few days and if you are sure that is the issue, please post it so it does not dangle.

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.