Strange DNS requests.

alan6854321

Hi there,
I posted this question in the "Asuswrt-Merlin 386.1 Beta (stage 2) is now available" thread, but I think it got lost in the noise so I'm posting a separate thread.


I updated from Stock to B5 yesterday, did a factory reset / initialize all before configuring it by hand. Everything is running fine but I've noticed something odd...

I run PiHole and I'm seeing lots of DNS requests for the hostname "162.62.57.325" (Note - not a valid IPaddr). They seem to come in batches of 25 every 10 minutes or so. PiHole is returning NXDOMAIN.

Before the update I think it used to regularly try "dns.msftncsi.com", but these have now stopped.
Nothing else has changed on my network, just the update from Stock FW to Merlin 386.1B5.

Any ideas what's going on?
 
What kind of devices are generating the requests according to the pihole logs? Sounds like a fat-fingered IP entry somewhere.
 
It's not possible to tell, all DNS requests 'Appear' to come from the router.
But I'm pretty sure it's the router itself as it only happened after the FW upgrade and the previous requests for dns.msftncsi.com (which was from the router) have stopped.
 
Merlin fixed the persistent DNS queries when Network Monitoring is disabled. Something else is going on. Why not put the Pi-Hole as LAN DHCP DNS so the clients talk directly to Pi-Hole? Or set up a dnsmasq custom config to allow the client info to be passed to Pi-Hole:
/jffs/configs/dnsmasq.conf.add
Code:
add-mac
add-subnet=32
 
Did a grep on that address string....doesn't appear anywhere in the code.
 
Why not put the Pi-Hole as LAN DHCP DNS so the clients talk directly to Pi-Hole?
I don't think that will work as I have a lot of IoT devices on the guest network, it has a different subnet now I've switched to Merlin, I don't think they can talk directly to the PiHole.

Not sure I understand about the "dnsmasq custom config"
 
OK guys, thanks for the help - the culprit is revealed!

I put the PiHole address into the LAN DHCP DNS field just to see what would happen and, luckily, one of the devices not on the guest network was requesting that host.

It's an IPcam, I'll try a reboot/reconfigure to see what happens.

It's odd that it only started after the FW upgrade though!
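
The check this thread arrives at, attributing queries for a dotted-quad name that is not a valid IPv4 address (such as "162.62.57.325") to the client that sent them, is sketched below as an added example that is not from any poster. The log lines and client addresses are constructed, and the dnsmasq-style `query[A] name from client` line format is an assumption about the Pi-hole query log.

```python
import re
from collections import defaultdict

# Assumed dnsmasq-style query line: "... query[A] <name> from <client>"
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z0-9]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)")
# Four dot-separated runs of digits, optionally with a trailing root dot.
DOTTED_QUAD_RE = re.compile(r"^\d+(\.\d+){3}\.?$")

# Constructed sample: first the router forwards for everyone, then a
# client (hypothetical 192.168.1.50) talks to the Pi-hole directly.
SAMPLE_LOG = """\
Jan 12 10:00:01 dnsmasq[512]: query[A] 162.62.57.325 from 192.168.1.1
Jan 12 10:00:01 dnsmasq[512]: reply 162.62.57.325 is NXDOMAIN
Jan 12 10:00:02 dnsmasq[512]: query[A] 162.62.57.325 from 192.168.1.1
Jan 12 10:05:10 dnsmasq[512]: query[A] dns.msftncsi.com from 192.168.1.1
Jan 12 10:20:03 dnsmasq[512]: query[A] 162.62.57.325 from 192.168.1.50
"""


def is_malformed_ipv4_name(name):
    """True if name looks like a dotted quad but has an octet above 255."""
    if not DOTTED_QUAD_RE.match(name):
        return False
    octets = name.rstrip(".").split(".")
    return any(int(octet) > 255 for octet in octets)


def suspicious_queries(lines):
    """Return {client: {name: count}} for queried names that are malformed IPv4 literals."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        match = QUERY_RE.search(line)
        if match and is_malformed_ipv4_name(match.group("name")):
            hits[match.group("client")][match.group("name")] += 1
    return {client: dict(names) for client, names in hits.items()}


if __name__ == "__main__":
    for client, names in suspicious_queries(SAMPLE_LOG.splitlines()).items():
        for name, count in names.items():
            print(f"{client} asked for {name} {count} time(s)")
```

While every client resolves through the router, all hits carry the router's address; the per-device split only appears once clients query the Pi-hole directly or the router passes client information along.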
 
Pi-Hole setup changes the Pi DNS settings to use the same upstream DNS servers as Pi-Hole. You can see these in /etc/dhcpcd.conf. I change these to use the router IP address. However, somewhere Pi-hole still has some setting that goes out on port 53 for queries even though I have Pi-hole configured to use Stubby via DoT. I have noticed this for a while and did not let it bother me. Maybe sometime I will find out why...
 
