The issue I am facing:
After switching to a new router from my ISP most of the reported traffic is originating from the router and has some very strange charcteristics.
The queries that are recorded as coming from the router itself are dominating all other devices.
Many of these queries:
are clearly originating from a different device on the network (some of them are domains I only access from a work device)
are happening when the other device is offline
often have .station prepended
Does anyone why so many queries with these characteristics could be coming from the router?
Some Examples
2021-02-20 08:43:48 A beacons.gcp.gvt2.com.station 192.168.0.1 Unknown (0) N/A (0.0ms)
2021-02-20 08:43:48 A connectivity-check.ubuntu.com.station 192.168.0.1 Unknown (0) N/A (0.0ms)
2021-02-20 08:43:47 A r3---sn-8vq54voxpx-q0c6.googlevideo.com.station 192.168.0.1 Unknown (0) N/A (0.0ms)
This shows the relative dominance of these kinds of queries coming from the router (192.168.0.1 in blue) compared to any other device
.station may just be the local domain name as used by your new router.
It is not uncommon to see requests for local hostnames being appended by the local domain (e.g. mylaptop -> mylaptop.station).
On a Windows client machine, you could confirm this by running
ipconfig /all | find /i "suffix"
Sounds like you've configured your new router to use Pi-hole as its upstream DNS server. It is distributing its own IP address as local DNS server, hence your clients send their DNS to your router, and your router then queries Pi-hole.
This is a valid configuration, but you won't be able to attribute traffic to individual client IPs (as you already noted), and thus cannot use Pi-hole's client-based filtering.
Depending on your router, you may be able to instead configure it to distribute Pi-hole as local DNS server via DHCP. This is commonly a LAN or DHCP setting.
You'd have to consult your router's documentation for further details, both on whether it supports setting a local DNS server and how to achieve that.
Thanks for the really helpful feedback and suggestions.
I don't see any other configuration within the router web based admin portal (even in expert mode) to change the DNS setup and move it away from sitting in the middle and using the pihole as just an upstream DNS.
I'll do a bit of digging and see if this can be changed on the particular model.
If I find anything useful on that I'll share/post back here.
This image suggests that other devices do are accessing ur pihole directly, instead of querying ur router which forwards queries to pihole.
Is ur router querying all sorts of domains, or only a few ones? Is the .station domain on the queried domains, or on clients list?
The best setup is rly to set router DHCP to report pihole's IP as DNS server, not itself as DNS server and forward queries to pihole. It's odd if that's happening, I'd expect to be easier to setup router DHCP to use another DNS server than setup its DNS to forward queries.
if ur router is querying all sorts of domains, then its DNS server is indeed forwarding. U'll need to remove this forwarding and setup DHCP. But if it's querying a few domains too frequently, then it's its own queries and it has some odd custom setup/software. U'll need to ask help to ISP, specially if these domains are .station which means they are on ISP intranet.
If the .station domain is on queried domains, same applies, ur router is trying to connect to some ISP intranet service. In example, it verifies firmware updates and when the domain resolution fails it starts flooding attempts. But if it's on clients list, it only means ur router had setup .station as ur LAN domain.
