Skynet Hundreds of Outbound Blocks from Pi-hole

phneeley

Occasional Visitor
Hi all, I just got my Pi-hole up and running and noticed in Skynet hundreds of blocked outbound connections originating with the Pi-hole device. Is this normal?
 
Could be normal if you have Unbound installed on the Pi-Hole and you have excessive country blocking in Skynet. Are all the blocks for port 53?
 
Hi all, I just got my Pi-hole up and running and noticed in Skynet hundreds of blocked outbound connections originating with the Pi-hole device. Is this normal?
Without more information there is no way to tell if this is normal. As the previous poster asked, are you using Unbound? How is Skynet configured? What specific addresses are the hundreds that are being blocked by Skynet? What devices are you running on your network? Is Pi-Hole indicating a large number of requests from specific devices? Certain devices, like Rokus, may send hundreds of requests if they cannot reach certain telemetry sites.
 
Could be normal if you have Unbound installed on the Pi-Hole and you have excessive country blocking in Skynet. Are all the blocks for port 53?
You don't even need country blocking to cause Skynet to block Pi-Hole (unbound); it could simply be one of the blocked ranges or single IPs causing it.

A simple firewall rule added to firewall-start can solve this.

Code:
/usr/sbin/iptables -t raw -I PREROUTING -p udp --sport 1024:65535 --dport 53 -s [replace with IPaddress of pihole] -j ACCEPT
/usr/sbin/iptables -t raw -I PREROUTING -p tcp --sport 1024:65535 --dport 53 -s [replace with IPaddress of pihole] -j ACCEPT

Obviously adjust the source port range to match whatever you allow for unbound port randomization; typically by default it is 1024:65535.
 
Thanks for the replies, and sorry for the original lack of specifics.

Yes, I am using Unbound (recursive, not as a forwarder).

For Skynet I’m currently using https://raw.githubusercontent.com/ViktorJp/Skynet/main/filter.list and am also using country codes for Russia, China, Iran, and North Korea.

Aside from computers, phones, tablets, and the two Pi-holes, I have two Apple TVs, two Chromecast Ultras, and several Chromecast Audios and Google Nest Minis.

Here are the last 100 unique connections blocked per the Skynet Stats tool, the vast majority being outbound blocks.

 
What does the Pi-Hole Query Log show for those IP addresses (if anything)? Does it indicate which device is making the request that is being blocked by Skynet? If so, check that device; these could be normal requests, or the device might be compromised or infected.
 
Or some IoT device trying to communicate with the online server it depends on.
 
Or some IoT device trying to communicate with the online server it depends on.
My Chinese-built robovac, picture frame and wireless power outlets love to try to relentlessly communicate with their homebase in CN... nope, DENIED!
 
My Chinese-built robovac, picture frame and wireless power outlets love to try to relentlessly communicate with their homebase in CN... nope, DENIED!
That's how they try to secretly gain knowledge of your usage data. After all, why did they need to know you were keeping that lil robovac busy at 3am while using the picture frame as your only light source since the wireless power outlet has been acting a bit buggy lately, missing out on all those bug checks and firmware updates...
 
I noticed a few things in SkyNet I would like clarification on too. I have SkyNet installed and using ban list:
ban country "ru cn kp ir iq sa ae pk af az ba bg hr cu cz eg ee ge va hu id in il kz kw kg lv md om qa ro rs sk si sy tr ua uz" and also using Unbound with safe search enabled.

I expect to have at least one outbound device with blocks in addition to my WAN address because that person uses Kaspersky. Here is the header outbound block count:

[Attachment: skynetSummary.PNG]

Here is the device outbound connection listing...the top is the router with 21 blocks and the bottom is my Kaspersky user with 10. So where does the "2" come from in KEY STATS?

[Attachment: outbound device blocks.PNG]
 
Do you have only one device connected to the internet or only one not traveling VIA VPN?

Here's mine:

[Attachment: 1703286894512.png]
 
So where does the "2" come from in KEY STATS?
That number comes from the current state (and counters) of the firewall rules. So if the firewall has been restarted recently, the counters also get reset to zero. Other charts come from scanning the historical logs that Skynet keeps.
 
19 IoT devices on an isolated guest SSID and 15 other 5 GHz phones, iPads, laptops, TVs and Apple TV boxes. I have systematically reset anything that showed up in device connections until I have just WAN and ms kaspersky listed. I had something in that IoT group calling home and the network was slooow because it was probing anything it could reach.

How could I find out what those devices were trying to connect to?
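
Added example, not part of the thread and not Skynet's own code: one way to answer the two questions raised above ("Are all the blocks for port 53?" and what each device was trying to reach) is to group the blocked-outbound log lines by source device, destination and port. It assumes Skynet's log holds standard iptables LOG lines tagged `[BLOCKED - OUTBOUND]`; the sample lines are constructed and use documentation addresses.

```shell
#!/bin/sh
# Assumption: blocked packets are logged as iptables LOG lines carrying the
# prefix "[BLOCKED - OUTBOUND]". Function names here are hypothetical.

# Constructed sample log (192.168.1.5 = Pi-hole/Unbound, 192.168.1.40 = IoT device).
sample_log() {
cat <<'EOF'
Dec 22 18:01:02 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.5 DST=203.0.113.10 LEN=72 PROTO=UDP SPT=41822 DPT=53 LEN=52
Dec 22 18:01:03 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.5 DST=203.0.113.10 LEN=72 PROTO=UDP SPT=50211 DPT=53 LEN=52
Dec 22 18:01:09 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.5 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=33990 DPT=53 SYN
Dec 22 18:02:11 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.40 DST=198.51.100.99 LEN=60 PROTO=TCP SPT=49152 DPT=8883 SYN
Dec 22 18:02:41 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.40 DST=198.51.100.99 LEN=60 PROTO=TCP SPT=49153 DPT=8883 SYN
Dec 22 18:03:00 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.1 LEN=40 PROTO=TCP SPT=55000 DPT=23 SYN
Dec 22 18:03:30 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.40 DST=198.51.100.99 LEN=84 PROTO=ICMP TYPE=8 CODE=0
EOF
}

# Print "count source destination proto/port", busiest first.
# Reads the files given as arguments, or stdin when none are given.
summarise_outbound() {
  awk '
    /\[BLOCKED - OUTBOUND\]/ {
      src = ""; dst = ""; proto = ""; dpt = "-"   # ICMP lines carry no DPT
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/)   src   = substr($i, 5)
        if ($i ~ /^DST=/)   dst   = substr($i, 5)
        if ($i ~ /^PROTO=/) proto = substr($i, 7)
        if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
      }
      if (src != "") count[src " " dst " " proto "/" dpt]++
    }
    END { for (k in count) print count[k], k }
  ' "$@" | sort -k1,1nr -k2
}

# Sources whose every blocked packet went to port 53: the pattern expected from
# a recursive resolver. Any other source is a device worth looking at.
dns_only_sources() {
  summarise_outbound "$@" | awk '
    { split($4, p, "/"); total[$2] += $1; if (p[2] == "53") dns[$2] += $1 }
    END { for (s in total) if (total[s] == dns[s]) print s }
  ' | sort
}

sample_log | summarise_outbound
echo "DNS-only sources:"; sample_log | dns_only_sources
```

To run it against real data, pass the path of your Skynet log file as the argument to `summarise_outbound` instead of piping in `sample_log`.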
 