Strange DNS requests.


alan6854321

Occasional Visitor
Hi there,
I posted this question in the "Asuswrt-Merlin 386.1 Beta (stage 2) is now available" thread, but I think it got lost in the noise so I'm posting a separate thread.


I updated from Stock to B5 yesterday, did a factory reset / initialize all before configuring it by hand. Everything is running fine but I've noticed something odd...

I run PiHole and I'm seeing lots of DNS requests for the hostname "162.62.57.325" (Note - not a valid IPaddr). They seem to come in batches of 25 every 10 minutes or so. PiHole is returning NXDOMAIN.

Before the update I think it used to regularly try "dns.msftncsi.com", but these have now stopped.
Nothing else has changed on my network, just the update from Stock FW to Merlin 386.1B5.

Any ideas what's going on?
 

dave14305

Part of the Furniture
What kind of devices are generating the requests according to the pihole logs? Sounds like a fat-fingered IP entry somewhere.
 

alan6854321

Occasional Visitor
What kind of devices are generating the requests according to the pihole logs? Sounds like a fat-fingered IP entry somewhere.

It's not possible to tell, all DNS requests 'Appear' to come from the router.
But I'm pretty sure it's the router itself as it only happened after the FW upgrade and the previous requests for dns.msftncsi.com (Which was from the router) have stopped
 

dave14305

Part of the Furniture
It's not possible to tell, all DNS requests 'Appear' to come from the router.
But I'm pretty sure it's the router itself as it only happened after the FW upgrade and the previous requests for dns.msftncsi.com (Which was from the router) have stopped
Merlin fixed the persistent DNS queries when Network Monitoring is disabled. Something else is going on. Why not put the Pi-Hole as LAN DHCP DNS so the clients talk directly to Pi-Hole? Or set up a dnsmasq custom config to allow the client info to be passed to pihole:
/jffs/configs/dnsmasq.conf.add
Code:
add-mac
add-subnet=32
 

john9527

Part of the Furniture
Did a grep on that address string....doesn't appear anywhere in the code.
 

alan6854321

Occasional Visitor
Why not put the Pi-Hole as LAN DHCP DNS so the clients talk directly to Pi-Hole?
I don't think that will work as I have a lot of IoT devices on the guest network, it has a different subnet now I've switched to Merlin, I don't think they can talk directly to the PiHole.

Not sure I understand about the "dnsmasq custom config"
 

alan6854321

Occasional Visitor
OK guys, thanks for the help - the culprit is revealed!

I put the PiHole address into the LAN DHCP DNS field just to see what would happen and, luckily, one of the devices not on the guest network was requesting that host.

It's an IPcam, I'll try a reboot/reconfigure to see what happens.

It's odd that it only started after the FW upgrade though!
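
An added example, not part of the original thread: once clients query the Pi-hole directly, as in the post above, the query log names the requesting device. This sketch scans dnsmasq-style query lines for names shaped like an IPv4 address with an out-of-range octet (such as "162.62.57.325") and counts them per client. The log lines and client addresses are constructed, and the line format assumed is the dnsmasq-style `query[TYPE] name from client` form.

```python
import re
from collections import Counter, defaultdict

# Assumed dnsmasq-style query line: "... dnsmasq[pid]: query[TYPE] <name> from <client>"
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z0-9]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)")
DOTTED_QUAD_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def is_malformed_ipv4_name(name):
    """True for a name shaped like an IPv4 address with an octet above 255."""
    name = name.rstrip(".")  # tolerate a fully qualified trailing dot
    if not DOTTED_QUAD_RE.match(name):
        return False
    return any(int(octet) > 255 for octet in name.split("."))


def suspicious_queries(lines):
    """Map each malformed-IP query name to a Counter of requesting clients."""
    hits = defaultdict(Counter)
    for line in lines:
        m = QUERY_RE.search(line)  # forwarded/reply lines do not match and are skipped
        if m and is_malformed_ipv4_name(m.group("name")):
            hits[m.group("name")][m.group("client")] += 1
    return hits


# Constructed sample log lines; 192.168.1.1 stands in for the router and
# 192.168.1.50 for a LAN device (both addresses are hypothetical).
SAMPLE_LOG = """\
Jan 20 10:00:01 dnsmasq[812]: query[A] dns.msftncsi.com from 192.168.1.1
Jan 20 10:00:01 dnsmasq[812]: forwarded dns.msftncsi.com to 9.9.9.9
Jan 20 10:10:02 dnsmasq[812]: query[A] 162.62.57.325 from 192.168.1.50
Jan 20 10:10:02 dnsmasq[812]: reply 162.62.57.325 is NXDOMAIN
Jan 20 10:10:03 dnsmasq[812]: query[A] 162.62.57.325 from 192.168.1.50
Jan 20 10:10:04 dnsmasq[812]: query[A] 8.8.8.8 from 192.168.1.23
Jan 20 10:20:02 dnsmasq[812]: query[A] 162.62.57.325 from 192.168.1.50
""".splitlines()

if __name__ == "__main__":
    for name, clients in suspicious_queries(SAMPLE_LOG).items():
        for client, count in clients.most_common():
            print(f"{name}: {count} queries from {client}")
```

When every query arrives via the router, the per-client count collapses to the router's address, which is the situation described earlier in the thread.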
 

bbunge

Part of the Furniture
Pi-Hole setup changes the Pi DNS settings to use the same upstream DNS servers as Pi-Hole. You can see these in /etc/dhcpcd.conf. I change these to use the router IP address. However, somewhere Pi-hole still has some setting that goes out on port 53 for queries even though I have Pi-hole configured to use Stubby via DoT. I have noticed this for a while and did not let it bother me. Maybe sometime I will find out why...
 
