
DNS Queries to "."

PaulBR

I recently installed the Domotz agent on my Synology NAS.

I run a pi-hole server on my network (on a separate Linux server, not on the NAS). Recently I noticed a very large number of DNS queries on the pi-hole server to the IP address "." When I say 'very large' I mean over 20k queries per day. I tried to figure out which process on the NAS was generating the queries. When I stopped the Domotz process on the NAS, the queries to "." stopped.

I am also getting a significant number of queries to a couple of other Domotz domains, but none as large as the number of queries to "." I attached a screen-shot of the query list from the pi-hole server.

I believe that "." represents the root name server on the Internet - I am not sure why the agent would be issuing queries to that.

Does anyone know if this is normal behavior for the Domotz agent? If not, any suggestions as to what might be causing this?

Thanks - Paul

Screenshot 2018-01-30 20.15.38.png

eti

Paul,

Thought I was the only one with this issue.

I'm using a Domotz box and had the same issue. It is not normal, and only happens when the box is on one network; if I move it to another site the issue stops.

Working with tech support was unable to solve the problem and just gave up and changed the DNS on the Domotz to ISP so it no longer fills my pihole logs; firewall traffic shows it still trying.

The other requests are normal and do fill up the log files in the pihole. Use a big SD card and be sure to expand the file system to use the entire card; Domotz crashed one of my piholes before I caught this.

I think it is a site-specific issue, but have no idea where to start.

My router on the site in question is a Cisco ASA-5506,

and moving the pihole and Domotz box to another network the "." issue goes away. Installed a new Domotz box and clean install of pihole on the problem network and the issue is still there.

I gave up trying to figure it out, but would be happy to step back into it.

PaulBR

Hmm ... very interesting. Ok, so I am not the only one either.

Could I ask what hardware you are running the Domotz agent on? I am running mine on a Synology NAS. I am not sure whether that plays into the equation, but if we could start identifying or eliminating common items between us maybe we could narrow things down.

I do think that we can rule the router out - I am currently running on a Netgear Orbi, but I had the same problem when I was running on an ASUS router, and you have the problem on a Cisco, so that doesn't seem to be common.

My ISP is Comcast and the upstream DNS that I am using is Google. The other settings that I have on the pi-hole settings page are 'never forward non-FQDNs' and 'never forward reverse lookups' both checked. Use DNSSEC is unchecked.

There aren't any settings that I could find on the Domotz agent to try to change, but please let me know if you were able to adjust anything on that side to try to isolate the problem.

Any other suggestions as to what I might look at, based upon your troubleshooting?

I could certainly set the agent to bypass the pi-hole, but I would really like to try to figure out what is causing this. One thing that I read online while researching this problem is that queries to "." can be used as an amplifier in DDoS attacks. I don't think that my server is infected with anything, but I would also like to rule that out definitively if I can.

Any suggestions regarding additional troubleshooting would be appreciated ...

eti

Running the Domotz agent on the Domotz box; tried both versions of the Pro box, rev1 and rev2.

Pihole is running on a Raspi.

ISP is Cox; DNS is Google, Open, Level3, Norton.

Non and never checked, DNSSEC unchecked.

No setting I know of on the Domotz, and Domotz support has no idea or any log of the requests.

As far as your NAS being infected, I don't think so, as I'm running Domotz hardware with the same issue.

As far as further troubleshooting, I was going to set up a small net with only router, pihole and Domotz, see if the issue was there, and if not add back in each net device until the problem returned. But never got around to it.

PaulBR

Thanks - that is helpful. You are probably right that this isn't due to an infection on the NAS since you have the same issue on standalone hardware.

I have started to try to narrow it down by doing the opposite thing that you were going to do - I have begun disconnecting devices on my network one by one to see if the problem stops when I disconnect one of them. I am about 1/3 of the way through the devices on my network, but haven't found anything yet. It is getting late, so I will look at the rest tomorrow.

A couple of other quick questions about your environment:

  • You wouldn't happen to have any bonded Ethernet interfaces in your network, do you? The Synology NAS is connected to the router through two Ethernet connections that are set up as a bonded pair. I wonder if the Domotz agent might have an issue monitoring a bonded connection.
  • Would you happen to have a Plex server in your environment? I do, and I have found that the Plex server can do strange things to my environment at times.

I will keep you posted as I test some more.

eti

Paul,

Yep, have trunks / bonded pairs between a few switches and servers (but I have this on other sites with no issue).

I do have a Plex server running on a QNAP NAS and this is unique to the problem network. I will try shutting down the Plex; not sure how this would be the issue, but worth a try.

PaulBR

Finally got around to doing some testing. I turned off all of the devices on my network one by one but the queries didn't stop. I also turned off my Plex server just to see if that might be affecting things, but no change.

I am stumped. If I shut down the Domotz agent the queries stop, but it doesn't appear that any element on my network is causing the agent to issue the queries.

I think that I am going to open a trouble ticket with Domotz support and reference this thread. Maybe they can help figure something out ....
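
Added example, not part of the original thread or any poster's code: one way to confirm from the Pi-hole side which client is sending the "." queries, with what query type and at what peak rate, by tallying the resolver's query log. The dnsmasq-style line layout, the `root_query_report` name and all sample addresses are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines. The dnsmasq-style "query[TYPE] NAME from CLIENT"
# layout is an assumption about the Pi-hole log; adjust QUERY_RE if yours differs.
SAMPLE_LOG = """\
Jan 30 20:15:01 dnsmasq[812]: query[NS] . from 192.168.1.20
Jan 30 20:15:01 dnsmasq[812]: forwarded . to 8.8.8.8
Jan 30 20:15:02 dnsmasq[812]: query[A] agent.example.net from 192.168.1.20
Jan 30 20:15:03 dnsmasq[812]: query[NS] . from 192.168.1.20
Jan 30 20:15:04 dnsmasq[812]: query[A] www.example.org from 192.168.1.35
Jan 30 20:16:10 dnsmasq[812]: query[NS] . from 192.168.1.20
Jan 30 20:16:11 dnsmasq[812]: query[A] . from 192.168.1.77
"""

QUERY_RE = re.compile(
    r"^(\w{3}\s+\d+\s+\d\d:\d\d):\d\d\s+dnsmasq\[\d+\]:\s+"
    r"query\[([^\]]+)\]\s+(\S+)\s+from\s+(\S+)$"
)

def root_query_report(log_text):
    """Per client that queried ".": root count, total queries, types, peak per minute."""
    totals = Counter()
    types = defaultdict(Counter)
    minutes = defaultdict(Counter)
    for line in log_text.splitlines():
        m = QUERY_RE.match(line.strip())
        if not m:
            continue  # skip forwarded/reply/cached lines
        minute, qtype, name, client = m.groups()
        totals[client] += 1
        if name == ".":
            types[client][qtype] += 1
            minutes[client][minute] += 1
    report = {}
    for client, by_type in types.items():
        report[client] = {
            "root_queries": sum(by_type.values()),
            "all_queries": totals[client],
            "types": dict(by_type),
            "peak_per_minute": max(minutes[client].values()),
        }
    return report

if __name__ == "__main__":
    for client, row in sorted(root_query_report(SAMPLE_LOG).items(),
                              key=lambda kv: -kv[1]["root_queries"]):
        print(client, row)
```

A single client issuing the same query type for "." at a steady rate points at one piece of software on that host, which matches the stop-the-agent test described in the thread.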

 
