Menu
What's new
By:
Filters Better Search

Constant localhost DNS querys for Google

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

M

Markfree

Regular Contributor
With a RT-AX86U router, I'm noticing some "google.com" DNS lookups from 127.0.0.1 every few minutes on the AdGuard dashboard.
I have blocked them and have not experienced any issues thus far.
google_blocked.png


However, I am still unsure which process is generating this constant traffic.

With TCPDump, I'm using the following query
Bash: 
tcpdump -n -i any 'host 127.0.0.1 and udp port 53'
19:21:36.042492 lo    In  IP 127.0.0.1.56844 > 127.0.0.1.53: 13269+ A? google.com. (28)
19:21:36.043174 lo    In  IP 127.0.0.1.53 > 127.0.0.1.56844: 13269 1/0/0 A 0.0.0.0 (44)
19:21:36.043241 lo    In  IP 127.0.0.1.56844 > 127.0.0.1.53: 14805+ AAAA? google.com. (28)
19:21:36.043444 lo    In  IP 127.0.0.1.53 > 127.0.0.1.56844: 14805 1/0/0 AAAA :: (56)
19:21:36.043922 lo    In  IP 127.0.0.1.49283 > 127.0.0.1.53: 22747+ PTR? 0.0.0.0.in-addr.arpa. (38)
19:21:36.044838 lo    In  IP 127.0.0.1.53 > 127.0.0.1.49283: 22747 NXDomain* 0/0/0 (38)
19:21:36.053413 lo    In  IP 127.0.0.1.55009 > 127.0.0.1.53: 55743+ A? www.google.com. (32)
19:21:36.053476 lo    In  IP 127.0.0.1.55009 > 127.0.0.1.53: 57279+ AAAA? www.google.com. (32)
19:21:36.054163 lo    In  IP 127.0.0.1.53 > 127.0.0.1.55009: 57279 1/0/0 AAAA :: (60)
19:21:36.054210 lo    In  IP 127.0.0.1.53 > 127.0.0.1.55009: 55743 1/0/0 A 0.0.0.0 (48)

Now, I need to find out which process is generating these DNS requests. Does anyone know what it might be or have any tips to share?
 
Last edited:
Nice!

Let me see if I got it and, please, correct me if I'm wrong.

The function first checks if the system date is sort of up to date. If it is, the ALIVE var is set to 0. I wonder if you ever found a situation where the year was less than 1970... 🤔

Then, it pings Cloudflare and queries the "google.com" domain. If they are both reachable, the ALIVE var remains 0.
Finally, the third check is a Google web request which also sets the ALIVE var.

So, in my scenario, I believe the function is returning something other than 0, since AdGuard is blocking the second and third "if".

What is that function for anyway?
Why are there 3 checks?
Would you mind clarifying that for me, please?
 
Markfree said:
Nice!

Let me see if I got it and, please, correct me if I'm wrong.

The function first checks if the system date is sort of up to date. If it is, the ALIVE var is set to 0. I wonder if you ever found a situation where the year was less than 1970... 🤔

Then, it pings Cloudflare and queries the "google.com" domain. If they are both reachable, the ALIVE var remains 0.
Finally, the third check is a Google web request which also sets the ALIVE var.

So, in my scenario, I believe the function is returning something other than 0, since AdGuard is blocking the second and third "if".

What is that function for anyway?
Why are there 3 checks?
Would you mind clarifying that for me, please?
Click to expand...
One checks the clocks time, 2 checks the dns, 3 checks the ability of your router to reach internet. If number 2, and 3 don't work, then you have a problem ( adguardhome watch dog restarts the actual adguardhome go binary to see if it has failed for some odd reason.) Number 3 check exist specifically for a case where your dns fails to return a response but somehow you are able to reach out to the web by other means. Either way, you trying to bypass these checks makes adguardhome script watch dog restart adguardhome at some point. Is your desire to understand how to break things a hobby? Or something you just do on your free time?
 
Last edited:
Markfree said:
With a RT-AX86U router, I'm noticing some "google.com" DNS lookups from 127.0.0.1 every few minutes on the AdGuard dashboard.
I have blocked them and have not experienced any issues thus far.
View attachment 49018

However, I am still unsure which process is generating this constant traffic.

With TCPDump, I'm using the following query
Bash: 
tcpdump -n -i any 'host 127.0.0.1 and udp port 53'
19:21:36.042492 lo    In  IP 127.0.0.1.56844 > 127.0.0.1.53: 13269+ A? google.com. (28)
19:21:36.043174 lo    In  IP 127.0.0.1.53 > 127.0.0.1.56844: 13269 1/0/0 A 0.0.0.0 (44)
19:21:36.043241 lo    In  IP 127.0.0.1.56844 > 127.0.0.1.53: 14805+ AAAA? google.com. (28)
19:21:36.043444 lo    In  IP 127.0.0.1.53 > 127.0.0.1.56844: 14805 1/0/0 AAAA :: (56)
19:21:36.043922 lo    In  IP 127.0.0.1.49283 > 127.0.0.1.53: 22747+ PTR? 0.0.0.0.in-addr.arpa. (38)
19:21:36.044838 lo    In  IP 127.0.0.1.53 > 127.0.0.1.49283: 22747 NXDomain* 0/0/0 (38)
19:21:36.053413 lo    In  IP 127.0.0.1.55009 > 127.0.0.1.53: 55743+ A? www.google.com. (32)
19:21:36.053476 lo    In  IP 127.0.0.1.55009 > 127.0.0.1.53: 57279+ AAAA? www.google.com. (32)
19:21:36.054163 lo    In  IP 127.0.0.1.53 > 127.0.0.1.55009: 57279 1/0/0 AAAA :: (60)
19:21:36.054210 lo    In  IP 127.0.0.1.53 > 127.0.0.1.55009: 55743 1/0/0 A 0.0.0.0 (48)

Now, I need to find out which process is generating these DNS requests. Does anyone know what it might be or have any tips to share?
Click to expand...
BTW if you upgrade your adguardhome, it has away to ignore logging queries to these domains. There is no need to actually block them. When you could simply ignore them inside the adguardhome dns settings options.

github.com

Log ignore policy for Chatty Clients and/or domains · Issue #4299 · AdguardTeam/AdGuardHome

Okay, So I know on the Query page we can filter by both Domain and Client. What I am proposing is to add a policy for ignoring clients in the log and statistics. I came about this suggestion becaus...
github.com github.com
 
Markfree said:
...
I wonder if you ever found a situation where the year was less than 1970... 🤔
Click to expand...
A standard system clock would never return a year that is less than 1970 because the start time of the "Unix Epoch" is defined as 1970-01-01, UTC 00:00:00.

Just FYI.
 
Fortunately, nothing has broken so far.
In my spare time, I'll continue to work on understanding how everything is running on my system.
Ignoring specific domains might help me unclutter my logs, so I'll look into that, but I'll keep the block in place anyway.
Thanks for clarifying that. I appreciate your opinion.
 
Last edited:
You must log in or register to reply here.

Similar threads

P
dnsmasq: Maximum number of concurrent DNS queries reached (max: 150)
Replies
5
Views
1K
ColinTaylor
C
P
Issues with RT-AX92U running 388.2_2_0-gnuton1
Replies
6
Views
1K
tom.moughan
T
tRiFFiD
RT-AX56U - SSL error when accessing a specific website
Replies
12
Views
892
tRiFFiD
tRiFFiD
SeeJayEmm
AC68 intermittently VLAN tagging
Replies
8
Views
992
drinkingbird
drinkingbird
B
Scribe /usr/bin/logger messages don't make it to the log file - intermittent issue
Replies
15
Views
1K
bibikalka
B
Similar threads
Thread starter Title Forum Replies Date
T Using DOT DNS breaks ECS Asuswrt-Merlin 9
pdc Router DNS returning Refused Asuswrt-Merlin 2
C Need help with GT-AXE11000 and DNS Director Asuswrt-Merlin 0
V DNS server vs DNS-over TLS server list Asuswrt-Merlin 3
R Would any of this make my browsing more secure? (WAN DNS settings) Asuswrt-Merlin 20
A DNS/TLS IPv6. Asuswrt-Merlin 4
X DNS Director - question Asuswrt-Merlin 6
X RT-AX58U sudden DNS problem - URGENT Asuswrt-Merlin 14
P Solved Router DHCP and DNS not responding to changes Asuswrt-Merlin 35
icanfly DNS fails for local devices when there is no WAN! Asuswrt-Merlin 2

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 881 (members: 25, guests: 856)
Top