DNS Blocking with a Pi-Hole

Posted by JD 05/20/2020 at 01:00

Installed a pi-hole on the network here a few weeks ago. It is running inside an LXD container using next to no resources. I also set it up as the primary DNS server for the LAN here. It is not internet-facing.

Anyways, after about 3 weeks, thought I’d share some data about the DNS queries it has been blocking, broken down by the type of network device.

The Big Numbers

In the last 24 hrs, about 24,000 DNS queries have hit the pi-hole. That’s local and remote queries.
Just under 40% of the queries were blocked due to being in a block list. Most of the time, about 55% of the queries are blocked, so today my use was nicer, I suppose.

Here’s where it gets interesting. The top 10 clients for blocked DNS are:

Hostname         Number of queries
roku             311,036
PlexMS           184,075
Fire8HD          163,085   (has a 132K /etc/hosts file)
email srv        119,431
Android Phone    117,790
Win7             112,767
nextcloud         88,098
VM host           79,330
VM host           62,643
Old Desktop       28,265   (VM is shutdown)
New Desktop       26,220   (VM running about 2 weeks)
Blog              16,562
Proxy              5,221
r-pi3              3,993
email-gatewy         369
HDHR Tuners       250-ish each

Streaming media is causing, by far, the most DNS queries: a Roku that gets used perhaps 2 hours a day shows almost 2x the queries of the next client.
The 2nd offender is our Plex Media Server, which is used for storage and LAN streaming. We don’t watch content directly on that system.
The 3rd offender is an Amazon Fire 8HD tablet. That tablet has been rooted and has a huge adblocking and “bad guys” /etc/hosts file, so most of those DNS queries shouldn’t show up on the Pi-Hole at all. Without that hosts file, I can only imagine how many “phone home” requests it would send to Amazon and Amazon partners.
Next is an email server. I haven’t looked too closely, but anti-spam is often about validating that the sender’s forward and reverse DNS entries match, plus queries to DNS for SPF and DMARC records. Probably a necessary evil for that server.
Next is my Android phone. Most of the time, that device isn’t on any network (no wifi or data plan), so the fact that over 100K DNS requests were sent by it really is alarming. After all, we’re all stuck at home, so who needs a cell phone on a network? I don’t.
Then there’s a Win7 machine that is still used for video editing, but really nothing else. I’ve disabled the IPv6 stack on it and blocked the constant attempts to connect to teredo.ipv6.microsoft.com, which is an IPv6 tunnel service that bypasses firewalls. Even without IPv6 enabled, it is still trying to phone home.
Next is our nextcloud server. This pulls RSS news feeds every few hours to a central server here, so all our clients have the same view of the read/unread news.
The rest aren’t so concerning to me. I’m a little surprised by the email-gateway server not having much higher DNS query numbers. The job of that system is to block as much garbage email as possible, and to provide an in/out gateway for the real email server, which uses 10x more resources. The gateway is very light on resources.

Top Blocked Domains

For the last 24 hours, here are the top domains being blocked:

Domain                                          Blocked queries
scribe.logs.roku.com                            44499
analytics-ingestion.production-public.tubi.io     662
austin.logs.roku.com                              576
pasta.esfile.duapps.com                           455
api.parse.com                                     397
graph.facebook.com                                397
reports.crashlytics.com                           271
ssl.google-analytics.com                          230
device-api.urbanairship.com                       227
sb.scorecardresearch.com                          224

All tracking sites. Look at scribe.logs.roku.com! 44K DNS queries in 24 hours!!! That’s just crazy.
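The per-client and per-domain tables above are the kind of summary you can build yourself from the dnsmasq-style log Pi-hole writes to /var/log/pihole.log. The script below is an added example, not part of the original post or of Pi-hole; the log line format (query[...] ... from client, and "gravity blocked domain is ...") is assumed from Pi-hole v5, and the sample lines, hostnames and addresses are constructed. The one thing worth noticing is that the "gravity blocked" line carries no client, so each block has to be attributed to the most recent query line for the same domain.

```python
import re
from collections import Counter

# Constructed sample lines in the format assumed for Pi-hole v5's
# /var/log/pihole.log (adjust the regexes below if your version differs).
# Addresses and the mix of domains are made up for the example.
SAMPLE_LOG = """\
May 20 00:00:01 dnsmasq[812]: query[A] scribe.logs.roku.com from 192.168.1.20
May 20 00:00:01 dnsmasq[812]: gravity blocked scribe.logs.roku.com is 0.0.0.0
May 20 00:00:02 dnsmasq[812]: query[A] plex.tv from 192.168.1.30
May 20 00:00:02 dnsmasq[812]: forwarded plex.tv to 1.1.1.1
May 20 00:00:03 dnsmasq[812]: query[AAAA] scribe.logs.roku.com from 192.168.1.20
May 20 00:00:03 dnsmasq[812]: gravity blocked scribe.logs.roku.com is ::
May 20 00:00:04 dnsmasq[812]: query[A] graph.facebook.com from 192.168.1.40
May 20 00:00:04 dnsmasq[812]: gravity blocked graph.facebook.com is 0.0.0.0
"""

QUERY_RE = re.compile(r"query\[\w+\] (\S+) from (\S+)$")   # domain, client
BLOCK_RE = re.compile(r"gravity blocked (\S+) is \S+$")   # domain only

def summarize(log_text):
    """Return (total_queries, blocked_by_client, blocked_by_domain).
    A 'gravity blocked' line names no client, so it is attributed to the
    client of the most recent 'query' line for the same domain."""
    last_client = {}                 # domain -> client that last asked for it
    total = 0
    by_client, by_domain = Counter(), Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            domain, client = m.groups()
            last_client[domain] = client
            total += 1
            continue
        m = BLOCK_RE.search(line)
        if m:
            domain = m.group(1)
            by_domain[domain] += 1
            by_client[last_client.get(domain, "unknown")] += 1
    return total, by_client, by_domain

if __name__ == "__main__":
    total, by_client, by_domain = summarize(SAMPLE_LOG)
    print(f"{total} queries, {sum(by_client.values())} blocked")
    print("Blocked by client:", by_client.most_common(10))
    print("Blocked by domain:", by_domain.most_common(10))
```

Pointing it at the real log (read the file instead of SAMPLE_LOG) gives the same two rankings the post shows, without going through the web dashboard.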

What Do I Block?

Mostly it is advertising and tracking sites. So Google and Google partners. Facebook and Facebook partners. General web-tracking companies, which I group Amazon into.

But look at Roku trying to send data home! That’s a bug. Sometimes when I reboot the Roku, the pi-hole blocking has to be disabled for 30 seconds so the boot can finish. Adding new channels requires access to some of the blocked Roku domains, as does some searching for content at the Roku level.

I’m a little crazier than most about being tracked.

Our media players running Kodi didn’t even show up on this list. Guess we know who wants to track us – companies with a profit motive. That’s fine; I just wish they would clearly advertise how much and why, instead of taking our data and hiding behind less-than-clear privacy/tracking statements.

For more about using an /etc/hosts file to block parts of the internet you don’t want, click here.