Pi-Hole Network Protection Analysis
Back in the start of May, I set up a network-wide ads/telemetrics/DNS blocking sinkhole using a Pi-hole.
In this post, I am going to analyse what stuff I have noticed on my network ever since I have installed the Pi-hole.
This is my pi-hole dashboard as on July 09, 2020.
As you can see, it’s displaying the last 100 DNS queries.
The status of the DNS query is also displayed. Pi-hole gravity is the name for the DNS block-list. You can add your own ad-block lists to gravity by adding them to /etc/pihole/adlists.list on your pi-hole.
This is the graph for the total requests in the month of June
The sudden increase in the mid of June was a bit sketchy
The same sharp increase can be seen in July.
This is the graph from yesterday
This is the graph from today
All of these sudden increases seemed sketchy, so I decided to dig around.
Here are the top allowed/blocked domains from the last 3 months
Here are the top connected devices from the last 3 months localhost is the pi on which I was running Pi-hole on. 192.168.1.1 is my main wireless router, hence the high frequency of requests.
I’ve noticed that in the last three months a certain bunch of domains have been logging a worryingly large number of DNS requests.
The high hits from speedtest.actcorp.in and speedtest.pioneer.co.in is due to the speedtesting script that I have running every day on my pi using crontab.
Seems like the pi has been pining ntp servers a lot to sync up time.
I have two Amazon Echos on my network.
After a bit of digging around, I noticed the Echos were sending a arbitrarily sending a huge number of requests to connect to two domains:
My gravity ad-lists were blocking out device-metrics-us.amazon.com and that is when the Echos ping d3p8zr0ffa9t17.cloudfront.net
Previously my Echo devices (I have seven, don’t ask why) were banging example.com, example.net, example.org , and device-metrics-us.amazon.com. I blacklisted all those when I first set up Pi-Holes.
They still query these four sites about every few minutes, now this cloudfront site is added to the group (they regularly query five domains now).
Just in the last 24 hours, one Echo has put out 3,224 DNS requests, and 3,037 of them were blocked by Pi-Hole (that’s a 94.2% block rate for those keeping score at home).
Of the roughly 26K DNS requests on the Pi-Hole that serves some of my network and all of the IOT devices, about 14K of these came from Echo devices.
Cloudfront is Amazon Web Services’s content distribution network (CDN) and point of presence (POP) used to cut latency. It is a standard product offering available to any AWS customer but Amazon uses Cloudfront as well.
Interesting that does make sense that they are trying to find a different method for analytics.