Unusually high DNS traffic - Is this normal?

That is a LOT of DNS traffic. About 50k queries. But being DoT (I didn't even realize Chromecast used it), it means we can't see what's being queried. That's why secure DNS is a double-edged sword; no one can see YOU, but you can't see THEM either. I don't recall seeing this type of activity w/ my Chromecast-enabled TV (I do monitor traffic from time to time), then again, I've never been specifically looking for it either.

What specifically were you doing w/ the Chromecast at the time, if anything? Streaming?

FWIW, I just now monitored my Chromecast-enabled TV (circa 2015) and it's using Do53, and all I see is normal DNS traffic while streaming YouTube.
 
That is a LOT of DNS traffic. About 50k queries over 45 mins. But being DoT (I didn't even realize Chromecast used it), it means we can't see what's being queried. That's why secure DNS is a double-edged sword; no one can see YOU, but you can't see THEM either. I don't recall seeing this type of activity w/ my Chromecast-enabled TV (I do monitor traffic from time to time), then again, I've never been specifically looking for it either.

What specifically were you doing w/ the Chromecast at the time, if anything? Streaming?

FWIW, I just now monitored my Chromecast-enabled TV (circa 2015) and it's using Do53, and all I see is normal DNS traffic while streaming YouTube.
Absolutely nothing, Chromecast is just sitting, sleeping. It's weird, I can't see any of the traffic flows on my WAN so I'm confident that my firewall is blocking it, but still! WTF.

I also get a ton of arpwatch flip-flop notifications of the client constantly changing MAC addresses lol and then changing back again.
 
Maybe blocking it is making it behave this way (a desperate attempt to resolve DNS)? Still seems excessive.
 
Maybe blocking it is making it behave this way (a desperate attempt to resolve DNS)? Still seems excessive.
Yeah, I thought so too, but would it just spew out DNS requests before the others fail? I wouldn't imagine it would wait for the request to fail then send another. No, just SPAM them.
 
As I said, since it's using DoT, that limits the ability to diagnose the situation. There's a big difference if the resolution attempts were to the same domain vs. different domains.
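
What connection metadata still shows when the DoT payload is opaque, as an added example that is not part of any post in this thread: it tallies attempts to TCP port 853 per client from a firewall log. The log format, the addresses, and the `min_peak` threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log (hypothetical format, not from the thread):
# timestamp  src  dst  proto  dport  action
SAMPLE_LOG = """\
2024-01-01T10:00:00 192.168.1.50 192.0.2.8 tcp 853 DROP
2024-01-01T10:00:01 192.168.1.50 192.0.2.8 tcp 853 DROP
2024-01-01T10:00:01 192.168.1.50 192.0.2.4 tcp 853 DROP
2024-01-01T10:00:02 192.168.1.50 192.0.2.8 tcp 853 DROP
2024-01-01T10:00:30 192.168.1.20 192.168.1.1 udp 53 ACCEPT
2024-01-01T10:01:00 192.168.1.50 192.0.2.4 tcp 853 DROP
2024-01-01T10:01:02 192.168.1.50 192.0.2.8 tcp 853 DROP
malformed line
2024-01-01T10:05:00 192.168.1.20 192.0.2.8 tcp 853 ACCEPT
"""

DOT_PORT = 853  # DNS over TLS (RFC 7858)

def summarize_dot(log_text):
    """Per-client DoT metadata: attempts, blocked count, resolvers, peak per minute."""
    stats = defaultdict(lambda: {"attempts": 0, "blocked": 0,
                                 "resolvers": set(), "per_minute": defaultdict(int)})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines
        ts, src, dst, proto, dport, action = parts
        if proto != "tcp" or not dport.isdigit() or int(dport) != DOT_PORT:
            continue  # only DoT connection attempts are of interest here
        try:
            minute = datetime.fromisoformat(ts).replace(second=0)
        except ValueError:
            continue  # unparseable timestamp
        s = stats[src]
        s["attempts"] += 1
        s["blocked"] += action == "DROP"
        s["resolvers"].add(dst)
        s["per_minute"][minute] += 1
    return {src: {"attempts": s["attempts"], "blocked": s["blocked"],
                  "resolvers": sorted(s["resolvers"]),
                  "peak_per_minute": max(s["per_minute"].values())}
            for src, s in stats.items()}

def retry_storm_suspects(summary, min_peak=3):
    """Clients whose DoT attempts are all blocked and reach min_peak per minute."""
    return [src for src, s in summary.items()
            if s["blocked"] == s["attempts"] and s["peak_per_minute"] >= min_peak]
```

The destination resolver addresses and the per-minute rate are visible even though the queried names are not, which is enough to tell a blocked client retrying from one that is resolving normally.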
 
Yes it's normal for Google devices.
Go to here and read.
 
