Part 5: What Really Happens On Your Network?

Pi-hole is known for ad-blocking, but it’s capable of more than you might know. This post is the fifth iteration of a collection of public posts where people have discovered weird or strange things happening on their networks thanks to Pi-hole.

Since Pi-hole is a DNS server, it can keep track of which domains are queried. While you can’t see the exact Webpage (or other asset) that was queried, you can deduce some information by knowing what domain name was queried. For example, if a device using Pi-hole watched a video on Netflix, Pi-hole doesn’t know about the specific video–just that the Netflix domain was queried.

Below, you’ll find links and screenshots to the latest compilation of things people have discovered on their networks–enjoy!

• Part one: What Really Happens On Your Network?
• Part two: What Really Happens On Your Network?
• Part three: What Really Happens On Your Network?
• Part four: What Really Happens On Your Network?
• Part five: What Really Happens On Your Network?
• Part six: What Really Happens On Your Network?
• Part seven: What Really Happens On Your Network?
• Part eight: What Really Happens On Your Network?

Queries for strange domains

• This user had a device repeatedly contacting kat.cr
• This user had a device contacting gatekeeper.tss.net
• The “dot” domain (a period) in the query log
• 168rz.cc was queried and causing confusion
• Domains were queried when this user was asleep
• An APIPA address queried Kaspersky Labs
• *.local domains queried
• Many strange and varied queries
• Netflix was queried when no one was home…
• Pi-hole under attack from strange domains?
• Queries with no devices connected?

Excessive Queries For Domains

• This user experienced 5,000 queries a day to unfi
• Another user had over 140,000 queries to push.apple.com
• An ASUS router accounted for 50% of the daily DNS queries
• A Fritzbox router is the top client
• 3,000 to 40,000 queries for TP-LINK Research America
• GOG determined as the culprit for many queries to akamiedge.net
• An AWS script went wild with 19,000+ queries
• Crazy amounts of queries to ntp.org
• Some Haikam surveillance cameras calling home to baidu.com far too often
• 1,600 queries in five minutes to Steam during their maintenance period
• Apple captive portal generated lots of queries
• 17,000 queries for AWS
• Many queries for gmail.com
• 12,000 hits for an Amazon domain
• 77% of blocked domains were from a Chrome extension
• Floods of queries to isatap and wpad

Overly-aggressive Analytics

• A Plex update caused overly-aggressive analytics being sent to Plex (opt-out link)
• Another user could easily see when Plex was installed
• A user’s Nest thermostat queried Nest’s domains often
• A company laptop was calling home too often

Identifying Malware

• This user identified a trojan/spyware sending out 3,000 queries a day
• An anomalous spike in queries to mainnet.infura.io was identified with Pi-hole’s graphs
• Conficker malware discovered thanks to Pi-hole