router making random pings to domains...
Can anyone enlighten me why my router is pinging domains randomly? I have a private DNS running on a PiHole instance, but when I look at my query logs.... I see random pings to bing.com, linkedin.com, ebay, tp-link, wikipedia, amazon and live... I would never voluntarily visit the websites myself or rarely ever visit the websites in question.... what is going on? What is my router doing?
It could be the router checking to make sure there is an internet connection.
I believe our extenders do something similar.
Interesting Issue - I also noticed the same thing from my Archer A6 in Access Point mode. During a routine check on systems, I realized I'd set up the default gateway on it incorrectly (never mattered to any of my WiFi clients; they went straight to the real router for Internet). After I fixed it, suddenly my PiHole picked up on a bunch of new DNS queries!
I isolated it by pointing the AP's gateway to my laptop and capturing all traffic from it. Over the course of 16 minutes, I captured the following DNS requests from the Archer A6 (sorted by most frequent):
93 n-devs-gw.tplinkcloud.com.
60 n-deventry-gw.tplinkcloud.com.
26 amazon.com.
25 wikipedia.org.
25 google.com.
22 tp-link.com.
21 netflix.com.
20 yahoo.com.
20 live.com.
20 bing.com.
17 a.root-servers.net.
16 linkedin.com.
16 ebay.com.
12 reddit.com.
Altogether, that's 393 DNS requests, putting my average query/minute rate at just over 24.5, or roughly one DNS query every two and a half seconds. That's nuts!
So I figured that the rate probably picked up when it wasn't getting any replies, and sure enough - when I gave the Archer A6 the correct gateway address, it was able to resolve the problems, and now it's down to about 2 or 3 queries per minute. In the grand scheme of things, that's not too bad.
Just for the sake of my own sanity, I entered a couple of custom DNS results (bing.com, wikipedia.com) and pointed them at my laptop again. That way, if the Archer A6 made a DNS request for those domains, it would receive my internal IP. If it tried to communicate in any way with those domains, I'd capture the attempt. Well, it looks like all it's really doing is reaching out to see if those domains are available, though, because it never tried to contact them directly.
I expected to capture something on the "tp-link.com" requests, but nothing there either. I'm still suspicious, so I'll leave tcpdump capturing on a filter just for that host over the next few days. If anything comes up, I'll update this post or add a new comment.
In the meantime, it looks like the DNS requests from the Archer are relatively infrequent and entirely innocuous. I'm not too worried about it.
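The per-domain tally and queries-per-minute figure described in the post above can also be produced from the Pi-hole side. This is an added example, not code from the thread; it assumes dnsmasq-style query lines as Pi-hole logs them, and the sample lines, the client address 192.168.1.2 and the function name `summarize` are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# dnsmasq "query" line: timestamp, query type, name, requesting client.
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$"
)

# Constructed sample log; 192.168.1.2 stands in for the access point.
SAMPLE_LOG = """\
Mar  3 10:00:00 dnsmasq[812]: query[A] n-devs-gw.tplinkcloud.com from 192.168.1.2
Mar  3 10:00:02 dnsmasq[812]: forwarded n-devs-gw.tplinkcloud.com to 9.9.9.9
Mar  3 10:00:03 dnsmasq[812]: query[A] bing.com from 192.168.1.2
Mar  3 10:00:05 dnsmasq[812]: query[AAAA] example.org from 192.168.1.50
Mar  3 10:00:30 dnsmasq[812]: query[A] n-devs-gw.tplinkcloud.com from 192.168.1.2
Mar  3 10:01:10 dnsmasq[812]: query[A] wikipedia.org from 192.168.1.2
Mar  3 10:02:00 dnsmasq[812]: query[A] bing.com from 192.168.1.2
"""


def summarize(log_text, client, year=2024):
    """Tally query names from one client and compute its queries per minute."""
    counts, stamps = Counter(), []
    for line in log_text.splitlines():
        m = QUERY_RE.match(line.strip())
        if not m or m["client"] != client:
            continue  # skip forwards, replies and other clients
        counts[m["name"].rstrip(".").lower()] += 1
        # syslog timestamps carry no year, so one is assumed for parsing
        stamps.append(datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"))
    if not stamps:
        return counts, 0.0
    minutes = (max(stamps) - min(stamps)).total_seconds() / 60
    rate = len(stamps) / minutes if minutes else float(len(stamps))
    return counts, rate


if __name__ == "__main__":
    counts, rate = summarize(SAMPLE_LOG, "192.168.1.2")
    for name, n in counts.most_common():  # most frequent first, as in the post
        print(f"{n:4d} {name}")
    print(f"{sum(counts.values())} queries, {rate:.1f} per minute")
```

Comparing the rate before and after a configuration change, such as the gateway fix described in the post, shows whether a device is retrying because it gets no answers.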