Unusually high DNS traffic - Is this normal?

eibgrad

Part of the Furniture
That is a LOT of DNS traffic. About 50k queries. But being DoT (I didn't even realize Chromecast used it), it means we can't see what's being queried. That's why secure DNS is a double-edged sword; no one can see YOU, but you can't see THEM either. I don't recall seeing this type of activity w/ my Chromecast-enabled TV (I do monitor traffic from time to time), then again, I've never been specifically looking for it either.

What specifically were you doing w/ the Chromecast at the time, if anything? Streaming?

FWIW, I just now monitored my Chromecast-enabled TV (circa 2015) and it's using Do53, and all I see is normal DNS traffic while streaming YouTube.

deanfourie

Occasional Visitor
> That is a LOT of DNS traffic. About 50k queries over 45 mins. But being DoT (I didn't even realize Chromecast used it), it means we can't see what's being queried. That's why secure DNS is a double-edged sword; no one can see YOU, but you can't see THEM either. I don't recall seeing this type of activity w/ my Chromecast-enabled TV (I do monitor traffic from time to time), then again, I've never been specifically looking for it either.
>
> What specifically were you doing w/ the Chromecast at the time, if anything? Streaming?
>
> FWIW, I just now monitored my Chromecast-enabled TV (circa 2015) and it's using Do53, and all I see is normal DNS traffic while streaming YouTube.

Absolutely nothing, Chromecast is just sitting, sleeping. It's weird, I can't see any of the traffic flows on my WAN so I'm confident that my firewall is blocking it, but still! WTF.

I also get a ton of arpwatch flip-flop notifications of client constantly changing MAC addresses lol and then changing back again.
 

eibgrad

Part of the Furniture
Maybe blocking it is making it behave this way (a desperate attempt to resolve DNS)? Still seems excessive.
 

deanfourie

Occasional Visitor
> Maybe blocking it is making it behave this way (a desperate attempt to resolve DNS)? Still seems excessive.

Yeah, I thought so too, but would it just spew out DNS requests before the others fail? I wouldn't imagine it would wait for the request to fail then send another. No, just SPAM them.
 

eibgrad

Part of the Furniture
As I said, since it's using DoT, that limits the ability to diagnose the situation. There's a big difference if the resolution attempts were to the same domain vs. different domains.
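
Even with DoT hiding the query names, a firewall's drop log still shows connection metadata. The following is an added example, not part of the thread: it separates TCP SYN retransmissions (same source port) from genuinely new connection attempts to port 853. The log lines are constructed, in a simplified netfilter LOG style with an assumed ISO timestamp prefix, and `summarize_dot_attempts` is a hypothetical helper name.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: simplified netfilter LOG-style lines for dropped packets.
SAMPLE_LOG = """\
2024-01-01T10:00:00 DROP IN=br0 OUT=eth0 SRC=192.168.1.50 DST=8.8.8.8 PROTO=TCP SPT=40001 DPT=853 SYN
2024-01-01T10:00:01 DROP IN=br0 OUT=eth0 SRC=192.168.1.50 DST=8.8.8.8 PROTO=TCP SPT=40001 DPT=853 SYN
2024-01-01T10:00:03 DROP IN=br0 OUT=eth0 SRC=192.168.1.50 DST=8.8.8.8 PROTO=TCP SPT=40001 DPT=853 SYN
2024-01-01T10:00:05 DROP IN=br0 OUT=eth0 SRC=192.168.1.50 DST=8.8.4.4 PROTO=TCP SPT=40002 DPT=853 SYN
2024-01-01T10:00:06 DROP IN=br0 OUT=eth0 SRC=192.168.1.50 DST=8.8.4.4 PROTO=TCP SPT=40002 DPT=853 SYN
2024-01-01T10:00:10 DROP IN=br0 OUT=eth0 SRC=192.168.1.50 DST=8.8.8.8 PROTO=TCP SPT=40003 DPT=853 SYN
2024-01-01T10:00:11 DROP IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 PROTO=TCP SPT=40004 DPT=443 SYN
2024-01-01T10:00:12 DROP IN=br0 OUT=eth0 SRC=192.168.1.60 DST=8.8.8.8 PROTO=TCP SPT=50000 DPT=853 SYN
"""

LINE_RE = re.compile(
    r"^(\S+) .*?SRC=(\S+) DST=(\S+) .*?PROTO=TCP .*?SPT=(\d+) DPT=(\d+) .*?\bSYN\b"
)

def summarize_dot_attempts(log_text, port=853):
    """Per client: dropped SYNs, distinct connection attempts, retransmits, resolvers."""
    raw = defaultdict(lambda: {"syns": 0, "flows": set(), "times": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m.group(5)) != port:
            continue  # not a TCP SYN to the DoT port
        ts, src, dst, spt = m.group(1), m.group(2), m.group(3), int(m.group(4))
        entry = raw[src]
        entry["syns"] += 1
        # A retransmitted SYN reuses the same (dst, source port) pair;
        # a new attempt picks a new ephemeral source port.
        entry["flows"].add((dst, spt))
        entry["times"].append(datetime.fromisoformat(ts))
    summary = {}
    for src, e in raw.items():
        summary[src] = {
            "syns": e["syns"],
            "connections": len(e["flows"]),
            "retransmits": e["syns"] - len(e["flows"]),
            "resolvers": sorted({dst for dst, _ in e["flows"]}),
            "span_seconds": (max(e["times"]) - min(e["times"])).total_seconds(),
        }
    return summary

if __name__ == "__main__":
    for client, stats in summarize_dot_attempts(SAMPLE_LOG).items():
        print(client, stats)
```

A high retransmit share points to ordinary TCP backoff against a blocked port, while a high count of distinct connections means the device is opening new sessions rather than waiting for earlier ones to fail.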
 

follower

Very Senior Member
Yes it's normal for Google devices.
Go to here and read.
 
