I run a Pi-hole on my local network to block ads and log DNS queries. Essentially network traffic is routed through a Raspberry Pi that filters more than a 100,000 domains known to be associated with ads and malware. This improves the browsing experience across every device on my network.
In addition to blocking unwanted traffic the Pi-hole logs DNS queries to a SQLite database. The data consists of the request timestamp, type, status (e.g. whether it was blocked), requested domain, requesting client, and forward destination (only if permitted and forwarded).
Typically a Pi-hole user would analyze DNS requests when there is a lot of traffic to better understand whether domains should be added to the blocklist. People will also look at their DNS query history during the day or at night to see if there are applications “phoning home”. Because I was recently out of town for a little more than a week I wanted to examine what my network was doing while I was gone.
The Pi-hole logged 24,656 DNS requests over approximately 11 days and 16 hours while I was out of town. This time period was manually curated using an optical estimation procedure to identify the starting period when the number of requests dropped off significantly and ending period when the number of requests drastically increased. My home was completely unoccupied during this time, so the DNS requests were made by devices automatically (i.e. without any human input).
The first thing I looked at is the number of queries by response status. The possible response statuses are: Unknown status (was not answered by forward destination), Blocked by gravity.list, Permitted + forwarded, Permitted + replied to from cache, Blocked by wildcard, and Blocked by black.list.
|Unknown status (was not answered by forward destination)||0|
|Blocked by gravity.list||75|
|Permitted + forwarded||20,036|
|Permitted + replied to from cache||4,545|
|Blocked by wildcard||0|
|Blocked by black.list||0|
I was surprised to see just how many requests (24,656!) were made while I was gone. This comes out to 1,896.62 requests per day - quite a lot of requests when no one is home!
However of these requests only 75 (0.3%) were blocked. This could mean that most of the automatic requests that occurred were safe or that there were many automatic requests occurring that should have been blocked but the domains aren’t on the block list!
Requests over time by response status
Next I looked at the number of DNS queries during 1 hour time intervals, grouped by response status. I figured hourly intervals would be sufficiently granualar, and not too noisy, to see if there were any patterns in the frequency of queries. For example, if an application was set to phone home at a particular time it would probably be result in a spike that would be apparant in the hourly data.
I was surprised to see that the number of DNS requests was fairly consistent, roughly 73 to 103 requests per hour, but also that there were some days (12/28, 1/3, and 1/5) with much lower requests per hour.
Requests over time by client
One question I had after seeing how many queries were made was: which clients are making the DNS requests?
The table and plot below shows the time series of number of requests made by each client during the vacation. There were a total of 6 clients, including the router and Pi-hole itself. The other clients consisted of 2 MacBook Pros, 1 AppleTV, and 1 other device from work.
The most talkative client was the AppleTV, followed by my work MacBook Pro. Interestingly my personal MacBook Pro was the least talkative client.
It wasn’t very surprising to see the AppleTV was the source of a considerable amount of traffic. However it’s a bit disconcerting to see that my work laptop is so much more talkative than my personal laptop.
Most frequent domains
Perhaps the most crucial question is: what are the clients requesting? In other word, which domains were being queried?
The plot below shows the top 20 queried domains and how often they were requested.
It’s easy to see most of these requests are to Apple and after a little bit of searching that most of the rest are to Apple’s CDN (e.g. *.akadns.net). This makes sense given that the majority of from the AppleTV.
Although only 75 (0.3%) were blocked, it’s worth taking a quick look at which domains they were and which clients the requests were from.
As you should expect by now, most of the blocked queries come from the AppleTV (the source of most queries) however a few are also from my work laptop.
So, what happens on your network while you’re on vacation? Apparently a whole lot. Clients can be really chatty, even when you’re not using them. This isn’t always a bad thing, but your devices shouldn’t really need to create much traffic while you’re not using them. Fortunately this traffic was pretty innocuous – the traffic that wasn’t blocked wasn’t harmless (although unnecessary).