What's new

Tracking down device still using router DNS

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Gary_Dexter

Senior Member
Hi,

I've recently deployed AdGuard Home on my network via a newly acquired Raspberry Pi.

This is working correctly and I can see devices (by IP and/or hostname) in the Query Log in AGH.

However, there appears to be one rogue device that is using the routers DNS server rather than the AGH DNS IP, as it shows in the AGH query logs as coming from the Routers IP, rather than a device IP/Hostname.

Can I track this down on the router to try and find which device it is?

The device in question keeps making a call to Netflix, but I've turned off all set-top boxes and smart TV's etc. that could be doing this, but something is still making the call to Netflix via the router's IP...

Any help in tracking down the device would be greatly appreciated :)

Cheers!
Gary
 
I presume System Log>Connections looking at port 53 failed to show the device IP then?

When all else fails:
route.png

This stops my Samsung TV from using Google DNS, which it still tries no matter how it and network DNS are set (and it seems to detect DNS Director). *My lan being 192.168.127.0/24
 
Unplug all network clients, then enable each one, one at a time, to see which one is making the calls to Netflix.

Other things to check. If a device/browser contacting Netflix is using DoT or similar it may bypass the set DNS servers or the Raspberry Pi/AdGuard Home device. If inputting the Raspberry Pi/AdGuard Home device in the LAN DNS fields, make sure that Advertise router's IP in addition to user-specified DNS is set to No. Try using DNS Director to allow only the Raspberry Pi/AdGuard Home device through. Example (from this post) using Pi-Hole, you can likely do the same with Raspberry Pi/AdGuard Home device IP.

1675860539432.png
 
Unplug all network clients, then enable each one, one at a time, to see which one is making the calls to Netflix.

Other things to check. If a device/browser contacting Netflix is using DoT or similar it may bypass the set DNS servers or the Raspberry Pi/AdGuard Home device. If inputting the Raspberry Pi/AdGuard Home device in the LAN DNS fields, make sure that Advertise router's IP in addition to user-specified DNS is set to No. Try using DNS Director to allow only the Raspberry Pi/AdGuard Home device through. Example (from this post) using Pi-Hole, you can likely do the same with Raspberry Pi/AdGuard Home device IP.

View attachment 47754

This has been done (since I set it up yesterday) and it's still getting through.
 
I presume System Log>Connections looking at port 53 failed to show the device IP then?

When all else fails:
View attachment 47753
This stops my Samsung TV from using Google DNS, which it still tries no matter how it and network DNS are set (and it seems to detect DNS Director). *My lan being 192.168.127.0/24

Checking the connections log I can see the devices - they're all set-top boxes - but the DNS is hard-set on the boxes to my RPi manually - so maybe it's just the Netflix client on the box doing it's own thing DNS-wise?
 
Checking the connections log I can see the devices - they're all set-top boxes - but the DNS is hard-set on the boxes to my RPi manually - so maybe it's just the Netflix client on the box doing it's own thing DNS-wise?
So my Samsung TV is using a Raspberry Pi running PiHole and pointed at a Smart DNS Proxy. Without the "Route" I listed earlier not only will Netflix not run, but neither will BBC iPlayer or Disney+. Okay, so the argument has been had before that I should be running DNS Director not creating a sledgehammer of a route! Problem is, that using DNS director still means that Netflix, BBC iPlayer and now Disney+ are unreliable on the TV - that router is the only means I've found of making those services reliable on the TV itself.
 
Just double-checked for sanity's sake and the STB's are set with Static IP's and the DNS manually changed to the RPi IP address as part of that config.

DNS Director is enabled, Router set as the Global Redirect and the PI is added with No Redirection.

Yet somehow requests sent to nrdp.prod.ftl.netflix.com and push.prod.netflix.com are getting pushed through the router IP still.
 
Try adding a log statement to capture the original source and destination IP in syslog.
Code:
# get the chain num of the final rule in the DNSFILTER chain
iptables -t nat -nvL DNSFILTER --line-numbers

# add the rule at position 2, or whatever the final "chain num"
# is from the command above
iptables -t nat -I DNSFILTER 2 -j LOG

# delete the rule to stop the log spam later
iptables -t nat -D DNSFILTER -j LOG
 
Last edited:
Yet somehow requests sent to nrdp.prod.ftl.netflix.com and push.prod.netflix.com are getting pushed through the router IP still.
As indicated earlier if the device, app, browser is using DoT/DoH (or similar) it can and possibly will bypass the usual methods of filtering DNS requests including DNS Director, and likely services like AGHome and Pi-Hole.
Some similar discussion on Reddit that reference nrdp.prod.ftl.netflix.com:
 
As indicated earlier if the device, app, browser is using DoT/DoH (or similar) it can and possibly will bypass the usual methods of filtering DNS requests including DNS Director, and likely services like AGHome and Pi-Hole.
If the requests are being redirected to AGH by the router, then DoT/DoH would not be in use, at least not for these specific queries he’s trying to investigate.
 
I've read elsewhere to try set the RPi IP address as the WAN DNS.

And also in DNS Director to set the RPi IP Address as a User Defined DNS and then make that the Global Redirection rather than Router...

Would that actually make any difference?
 
I've read elsewhere to try set the RPi IP address as the WAN DNS.
Check with what AGHome recommends when installed on the Raspberry Pi.
When it comes to Pi-Hole on the Raspberry Pi, while Asus themselves recommend putting the Raspberry Pi's IP address in the router WAN DNS fields, Pi-hole's documentation indicate not using the WAN DNS fields, but instead using the LAN DNS fields. On a side note. For Pi-Hole, depending on the use of one specific setting in Pi-Hole, one can setup a feed back loop between the router and Pi-hole when using the Pi-Hole Raspberry Pi's IP in the WAN DNS fields. Been there, done that.
 
I presume System Log>Connections looking at port 53 failed to show the device IP then?

When all else fails:
View attachment 47753
This stops my Samsung TV from using Google DNS, which it still tries no matter how it and network DNS are set (and it seems to detect DNS Director). *My lan being 192.168.127.0/24

Question @Crimliar - did you point this to your router IP or the IP or your Pi?
 
The TV is pointed at a Pi-Hole on 192.168.127.5 but even with that in place (or if it's set via DHCP to look at the router on 192.168.127.1) the TV will still look at 8.8.8.8 using UDP, TCP, and even icmp in addition to the DNS it should be looking at! Without that route, Netflix will not work on the TV! It's a bit moot at the moment though as we've put Netflix on hold for a month or two.
 
The TV is pointed at a Pi-Hole on 192.168.127.5 but even with that in place (or if it's set via DHCP to look at the router on 192.168.127.1) the TV will still look at 8.8.8.8 using UDP, TCP, and even icmp! Without that route, Netflix will not work on the TV! It's a bit moot at the moment though as we've put Netflix on hold for a month or two.

Thanks - I’ve added that now. Turns out it’s Netflix on my Samsung TV - I’ve manually set the DNS on the TV to the RPi but the Netflix app has 8.8.8.8 as DNS2.

Having said that, even after adding the Route you provided I still have requests to Netflix coming from the Router IP rather than the TV’s IP showing in AdGuard Home.
 
Having said that, even after adding the Route you provided I still have requests to Netflix coming from the Router IP rather than the TV’s IP showing in AdGuard Home.

I get a few router entries in my piholes from time to time. It happens when the router forces something that isn't using a 'normal' DNS call to the piholes.

Best I can come up with at any rate. Odd that your Netflix TV app is giving you trouble. My Google TV (Sony TV) setup has Netflix and it is routed through my piholes with no issue.
 

Similar threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top