Rohith's Blog

I write about tech.

09 Jul 2020

Pi-Hole Network Protection Analysis

Back in the start of May, I set up a network-wide ads/telemetrics/DNS blocking sinkhole using a Pi-hole.

In this post, I am going to analyse what stuff I have noticed on my network ever since I have installed the Pi-hole.

Pi-hole Dashboard

Pi-hole Dashboard

This is my pi-hole dashboard as on July 09, 2020.

As you can see, it’s displaying the last 100 DNS queries.

Dashboard The status of the DNS query is also displayed. Pi-hole gravity is the name for the DNS block-list. You can add your own ad-block lists to gravity by adding them to /etc/pihole/adlists.list on your pi-hole.

This is the graph for the total requests in the month of June

June List

The sudden increase in the mid of June was a bit sketchy

July List

The same sharp increase can be seen in July.

Yesterday List

This is the graph from yesterday

Today List

This is the graph from today

All of these sudden increases seemed sketchy, so I decided to dig around.

Here are the top allowed/blocked domains from the last 3 months

Top List

Here are the top connected devices from the last 3 months localhost is the pi on which I was running Pi-hole on. 192.168.1.1 is my main wireless router, hence the high frequency of requests.

Client List

I’ve noticed that in the last three months a certain bunch of domains have been logging a worryingly large number of DNS requests.

Blocked List

Top allowed

The high hits from speedtest.actcorp.in and speedtest.pioneer.co.in is due to the speedtesting script that I have running every day on my pi using crontab.

Seems like the pi has been pining ntp servers a lot to sync up time.

I have two Amazon Echos on my network.

After a bit of digging around, I noticed the Echos were sending a arbitrarily sending a huge number of requests to connect to two domains:

  1. https://device-metrics-us.amazon.com
  2. https://d3p8zr0ffa9t17.cloudfront.net

My gravity ad-lists were blocking out device-metrics-us.amazon.com and that is when the Echos ping d3p8zr0ffa9t17.cloudfront.net

Previously my Echo devices (I have seven, don’t ask why) were banging example.com, example.net, example.org , and device-metrics-us.amazon.com. I blacklisted all those when I first set up Pi-Holes.
They still query these four sites about every few minutes, now this cloudfront site is added to the group (they regularly query five domains now).
Just in the last 24 hours, one Echo has put out 3,224 DNS requests, and 3,037 of them were blocked by Pi-Hole (that’s a 94.2% block rate for those keeping score at home).
Of the roughly 26K DNS requests on the Pi-Hole that serves some of my network and all of the IOT devices, about 14K of these came from Echo devices.

Cloudfront is Amazon Web Services’s content distribution network (CDN) and point of presence (POP) used to cut latency. It is a standard product offering available to any AWS customer but Amazon uses Cloudfront as well.

Interesting that does make sense that they are trying to find a different method for analytics.

comments powered by Disqus