THOUSANDS of DNS requests that "web usage" page does now show

lollapalooza
Posts: 122
Joined: Mon Jun 09, 2014 12:53 pm

Post by lollapalooza »

I've got a static IP address at home, and I'm using OpenDNS.
This gives me the chance to see a nice dashboard with statistics.

I have noticed that in the last 15 days there's a huge number of DNS requests to account.kkbox.com domain (more than 30K per day).

Now ... I'm in Italy, where kkbox (a music streaming provider) is not available.

I wanted to investigate a bit: I want to know which of my devices tries so hard to connect to a service I did not subscribe to...

For this reason I've enabled the Web Usage Monitor.

Unfortunately there's absolutely no trace of requests for this domain.

Can somebody help?

RomanHK
Posts: 794
Joined: Sat May 04, 2013 4:18 pm
Location: Czech Republik

Re: THOUSANDS of DNS requests that "web usage" page does now show

Post by RomanHK »

You can turn on DNS logging and see the results in the system log. Run these commands via ssh:
To enable DNS logging:

Code:

uci set dhcp.@dnsmasq[0].logqueries=1
uci commit dhcp
/etc/init.d/dnsmasq restart

To disable DNS logging:

Code:

uci delete dhcp.@dnsmasq[0].logqueries
uci commit dhcp
/etc/init.d/dnsmasq restart

Browse the system log:

Code:

logread | grep account.kkbox.com

Also, enabling this feature will make the system log too large, so it is a good idea to turn it off once it has detected the domain you are looking for, or if you are experiencing problems!

Turris Omnia with OpenWrt 21.02 - Tested
Linksys WRT3200ACM with Gargoyle 1.13.x
TL-WR1043ND v2 with Gargoyle 1.10.0

http://gargoyle.romanhk.cz custom builds by gargoyle users

lollapalooza
Posts: 122
Joined: Mon Jun 09, 2014 12:53 pm

Re: THOUSANDS of DNS requests that "web usage" page does now show

Post by lollapalooza »

@RomanHK
Thanks for sharing this...
Anyway, the only internal IP I see belongs to my Wireless Access Point :-(

Yes ... as I do have a mesh system at home, I do not rely on my Gargoyle Router for my Wi-Fi.

Here's an extract from the log:

Code:

Fri Oct 18 19:41:03 2019 daemon.info dnsmasq[9384]: forwarded account.kkbox.com to 208.67.220.220
Fri Oct 18 19:41:03 2019 daemon.info dnsmasq[9384]: query[A] account.kkbox.com from 192.168.0.10
Fri Oct 18 19:41:03 2019 daemon.info dnsmasq[9384]: cached account.kkbox.com is 210.61.182.104
Fri Oct 18 19:41:05 2019 daemon.info dnsmasq[9384]: query[AAAA] account.kkbox.com from 192.168.0.10
Fri Oct 18 19:41:05 2019 daemon.info dnsmasq[9384]: forwarded account.kkbox.com to 208.67.220.220
Fri Oct 18 19:41:05 2019 daemon.info dnsmasq[9384]: query[A] account.kkbox.com from 192.168.0.10
Fri Oct 18 19:41:05 2019 daemon.info dnsmasq[9384]: cached account.kkbox.com is 210.61.182.104
Fri Oct 18 19:41:06 2019 daemon.info dnsmasq[9384]: query[AAAA] account.kkbox.com from 192.168.0.10
Fri Oct 18 19:41:06 2019 daemon.info dnsmasq[9384]: forwarded account.kkbox.com to 208.67.220.220
Fri Oct 18 19:41:07 2019 daemon.info dnsmasq[9384]: query[A] account.kkbox.com from 192.168.0.10
Fri Oct 18 19:41:07 2019 daemon.info dnsmasq[9384]: cached account.kkbox.com is 210.61.182.104
Fri Oct 18 19:41:08 2019 daemon.info dnsmasq[9384]: query[AAAA] account.kkbox.com from 192.168.0.10
Fri Oct 18 19:41:08 2019 daemon.info dnsmasq[9384]: forwarded account.kkbox.com to 208.67.220.220
Fri Oct 18 19:41:08 2019 daemon.info dnsmasq[9384]: query[A] account.kkbox.com from 192.168.0.10
Fri Oct 18 19:41:08 2019 daemon.info dnsmasq[9384]: cached account.kkbox.com is 210.61.182.104
Fri Oct 18 19:41:10 2019 daemon.info dnsmasq[9384]: query[AAAA] account.kkbox.com from 192.168.0.10
Fri Oct 18 19:41:10 2019 daemon.info dnsmasq[9384]: forwarded account.kkbox.com to 208.67.220.220
Fri Oct 18 19:41:11 2019 daemon.info dnsmasq[9384]: query[A] account.kkbox.com from 192.168.0.10
Fri Oct 18 19:41:11 2019 daemon.info dnsmasq[9384]: cached account.kkbox.com is 210.61.182.104
Fri Oct 18 19:41:13 2019 daemon.info dnsmasq[9384]: query[AAAA] account.kkbox.com from 192.168.0.10
Fri Oct 18 19:41:13 2019 daemon.info dnsmasq[9384]: forwarded account.kkbox.com to 208.67.220.220
Fri Oct 18 19:41:13 2019 daemon.info dnsmasq[9384]: query[A] account.kkbox.com from 192.168.0.10
Fri Oct 18 19:41:13 2019 daemon.info dnsmasq[9384]: cached account.kkbox.com is 210.61.182.104

[EDIT]
By unplugging all my devices one by one, I've been able to find out who's guilty.

It's my Orbi RBS40V (mesh satellite + Alexa speaker).
I'll check in Netgear forum.

Thank you!!
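
A per-client summary of the dnsmasq query log discussed in this thread, as an added example that is not part of the original posts. The names `dns_query_summary` and `sample_log` are made up for illustration, and the last sample log line is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): count dnsmasq client queries per source.
# On the router: logread | dns_query_summary account.kkbox.com

# dns_query_summary [DOMAIN]
# Reads syslog lines on stdin and prints "COUNT CLIENT TYPE NAME", busiest first.
# With DOMAIN given, only that name and its subdomains are counted.
dns_query_summary() {
    awk -v want="$1" '
    BEGIN { want = tolower(want) }
    # True when name n is a subdomain of d (ends in "." d).
    function is_sub(n, d,    suffix) {
        suffix = "." d
        return length(n) > length(suffix) &&
               substr(n, length(n) - length(suffix) + 1) == suffix
    }
    # Client requests are logged as: query[TYPE] NAME from CLIENT
    # ("forwarded" and "cached" lines are not client requests and are skipped).
    {
        for (i = 1; i <= NF - 3; i++) {
            if ($i ~ /^query\[[A-Za-z0-9]+\]$/ && $(i + 2) == "from") {
                name = tolower($(i + 1))
                if (want != "" && name != want && !is_sub(name, want)) next
                type = substr($i, 7, length($i) - 7)   # text between [ and ]
                count[$(i + 3) " " type " " name]++
                next
            }
        }
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Sample input: the first five lines are copied from the log extract in the
# thread, the last line is constructed for this example.
sample_log() {
    cat <<'EOF'
Fri Oct 18 19:41:03 2019 daemon.info dnsmasq[9384]: query[A] account.kkbox.com from 192.168.0.10
Fri Oct 18 19:41:03 2019 daemon.info dnsmasq[9384]: cached account.kkbox.com is 210.61.182.104
Fri Oct 18 19:41:05 2019 daemon.info dnsmasq[9384]: query[AAAA] account.kkbox.com from 192.168.0.10
Fri Oct 18 19:41:05 2019 daemon.info dnsmasq[9384]: forwarded account.kkbox.com to 208.67.220.220
Fri Oct 18 19:41:05 2019 daemon.info dnsmasq[9384]: query[A] account.kkbox.com from 192.168.0.10
Fri Oct 18 19:41:06 2019 daemon.info dnsmasq[9384]: query[A] example.org from 192.168.0.23
EOF
}

sample_log | dns_query_summary account.kkbox.com
```

The client column is the source address dnsmasq sees, so it can be an access point or mesh node rather than the end device behind it.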
