

Solved: Why is Moode pounding my router?
#1
I'm running Pi hole on a separate Pi3B+ than Moode. The Pi hole dash shows Moode as being one of the top clients on the network, but all the requests are to my router.....The router had a samba share on it, but it was little used as it had only like 2 albums, and I've deleted it...and yet this behavior continues.....The router is not the DHCP server or DNS server.....Moode setup in networking as static, using the router as gateway and Pi hole for DNS.....What's going on? Why is Moode sending all these requests to my router?

Thanks
Rick
Reply
#2
What are the requests?
Reply
#3
(09-11-2019, 01:47 AM)Tim Curtis Wrote: What are the requests?

This is what Pi hole shows me, not sure....
Date/time                Type        Domain                  Client   Status
2019-09-11 01:31:46  A  ea7300.home.linksys.com moode OK (forwarded)
2019-09-11 01:31:46 AAAA ea7300.home.linksys.com moode OK (forwarded)
2019-09-11 01:31:46 A ea7300.home.linksys.com moode OK (forwarded)

What can I do to find out?
Reply
#4
130 is Moode A=IPV4 AAAA=IPV6
Sep 11 10:38:24 dnsmasq[26771]: query[A] EA7300.home.linksys.com from 192.168.1.130
Sep 11 10:38:24 dnsmasq[26771]: forwarded EA7300.home.linksys.com to 1.1.1.1
Sep 11 10:38:24 dnsmasq[26771]: query[AAAA] EA7300.home.linksys.com from 192.168.1.130
Sep 11 10:38:24 dnsmasq[26771]: forwarded EA7300.home.linksys.com to 1.1.1.1
Sep 11 10:38:24 dnsmasq[26771]: query[A] EA7300.home.linksys.com from 192.168.1.130
Sep 11 10:38:24 dnsmasq[26771]: forwarded EA7300.home.linksys.com to 1.1.1.1
Sep 11 10:38:24 dnsmasq[26771]: query[AAAA] EA7300.home.linksys.com from 192.168.1.130
Sep 11 10:38:24 dnsmasq[26771]: forwarded EA7300.home.linksys.com to 1.1.1.1
Sep 11 10:38:24 dnsmasq[26771]: query[A] EA7300.home.linksys.com from 192.168.1.130
Sep 11 10:38:24 dnsmasq[26771]: forwarded EA7300.home.linksys.com to 1.1.1.1
Sep 11 10:38:24 dnsmasq[26771]: query[AAAA] EA7300.home.linksys.com from 192.168.1.130
Sep 11 10:38:24 dnsmasq[26771]: forwarded EA7300.home.linksys.com to 1.1.1.1
Sep 11 10:38:24 dnsmasq[26771]: query[A] EA7300.home.linksys.com from 192.168.1.130
Sep 11 10:38:24 dnsmasq[26771]: forwarded EA7300.home.linksys.com to 1.1.1.1
Sep 11 10:38:24 dnsmasq[26771]: query[AAAA] EA7300.home.linksys.com from 192.168.1.130
Sep 11 10:38:24 dnsmasq[26771]: forwarded EA7300.home.linksys.com to 1.1.1.1
Sep 11 10:38:24 dnsmasq[26771]: reply EA7300.home.linksys.com is NXDOMAIN
Sep 11 10:38:24 dnsmasq[26771]: reply EA7300.home.linksys.com is NODATA-IPv6
Sep 11 10:38:24 dnsmasq[26771]: reply EA7300.home.linksys.com is NODATA-IPv6
Sep 11 10:38:24 dnsmasq[26771]: reply EA7300.home.linksys.com is NODATA-IPv6
Sep 11 10:38:24 dnsmasq[26771]: reply EA7300.home.linksys.com is NODATA-IPv4
Sep 11 10:38:24 dnsmasq[26771]: reply EA7300.home.linksys.com is NODATA-IPv4
Sep 11 10:38:24 dnsmasq[26771]: reply EA7300.home.linksys.com is NODATA-IPv6
Sep 11 10:38:24 dnsmasq[26771]: reply EA7300.home.linksys.com is NODATA-IPv4
Sep 11 10:38:24 dnsmasq[26771]: query[A] EA7300.home.linksys.com from 192.168.1.130
Sep 11 10:38:24 dnsmasq[26771]: cached EA7300.home.linksys.com is NODATA-IPv4
Sep 11 10:38:24 dnsmasq[26771]: query[AAAA] EA7300.home.linksys.com from 192.168.1.130
Sep 11 10:38:24 dnsmasq[26771]: cached EA7300.home.linksys.com is NODATA-IPv6
Sep 11 10:38:24 dnsmasq[26771]: query[A] EA7300.home.linksys.com from 192.168.1.130
Sep 11 10:38:24 dnsmasq[26771]: cached EA7300.home.linksys.com is NODATA-IPv4
Sep 11 10:38:24 dnsmasq[26771]: query[AAAA] EA7300.home.linksys.com from 192.168.1.130
Reply
#5
You are sort of on your own for troubleshooting your particular network configuration but generally you will want to use a combination of the commands below to try and determine if there really is an issue.

Code:
netstat
tcpdump

The commands have lots of parameters but there is plenty of info on the Internet about how to use them. The link below shows how to use netstat for monitoring outbound connections.
https://unix.stackexchange.com/questions...my-machine

Here is an example from one of my Pi's that has a Music Source configured (a Samba share on my Router) and is playing a radio station. The IP address breakdown is as follows:

192.168.1.177 = Pi (host rp3)
192.168.1.155 = My Mac Air
127.0.0.1 = host Localhost on Pi rp3
192.168.1.1 = My WiFi Router
173.239.76.149 = Radio station SomaFM Groove Salad Classic

What the command output shows is quite normal.

- Some connections between PHP and MPD on port 6600, IP address 127.0.0.1
- Connection between my Air and Samba on the Pi over port 445. I've connected to the SDCard share that moOde posts.
- Connection between MPD and the radio station over port 80
- Some connections between NGINX web server and my Air over port 80. This is the moOde WebUI running on my Air.
- A connection between the Pi and my Router over port 445. My Router runs a Samba share.
- A connection between my Air and the Pi over port 22 (SSH)

Code:
pi@rp3:~ $ sudo netstat -nputw
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        1      0 127.0.0.1:34060         127.0.0.1:6600          CLOSE_WAIT  876/sudo            
tcp        0      0 127.0.0.1:47922         127.0.0.1:6600          ESTABLISHED 26105/php-fpm: pool
tcp        0      0 192.168.1.177:43168     192.168.1.155:445       ESTABLISHED -                  
tcp        0      0 127.0.0.1:6600          127.0.0.1:47922         ESTABLISHED 839/mpd            
tcp        0      0 192.168.1.177:49400     173.239.76.149:80       ESTABLISHED 839/mpd            
tcp        0      0 192.168.1.177:80        192.168.1.155:52239     ESTABLISHED 445/nginx: worker p
tcp        0      0 192.168.1.177:80        192.168.1.155:51423     ESTABLISHED 445/nginx: worker p
tcp        0      0 192.168.1.177:80        192.168.1.155:51603     ESTABLISHED 445/nginx: worker p
tcp        0      0 192.168.1.177:33648     192.168.1.1:445         ESTABLISHED -                  
tcp        0      0 192.168.1.177:80        192.168.1.155:50430     ESTABLISHED 445/nginx: worker p
tcp        0    600 192.168.1.177:22        192.168.1.155:51092     ESTABLISHED 23241/sshd: pi [pri
pi@rp3:~ $

If you want to see a packet trace then you would need to run tcpdump. Just beware that it will be difficult to interpret unless you filter the results. This is because there is always a lot of Link Layer traffic on networks (ARP, ICMP, etc) plus web server keep-alive, etc. Also protocols like Samba, UPnP, Spotify Connect, etc can be very chatty.

I haven't read a tcpdump in ages so I won't be able to help out.

-Tim
Reply
#6
@HemiRick

Dnsmasq is using Cloudflare's DNS (1.1.1.1) to resolve ARP requests from your moOde player.

Let's take just this snippet

Code:
Sep 11 10:38:24 dnsmasq[26771]: query[A] EA7300.home.linksys.com from 192.168.1.130
...
Sep 11 10:38:24 dnsmasq[26771]: query[AAAA] EA7300.home.linksys.com from 192.168.1.130
Sep 11 10:38:24 dnsmasq[26771]: forwarded EA7300.home.linksys.com to 1.1.1.1
Sep 11 10:38:24 dnsmasq[26771]: reply EA7300.home.linksys.com is NXDOMAIN
Sep 11 10:38:24 dnsmasq[26771]: reply EA7300.home.linksys.com is NODATA-IPv6
...
Sep 11 10:38:24 dnsmasq[26771]: reply EA7300.home.linksys.com is NODATA-IPv4...


Your moOde player sends IPv4/v6 DNS requests asking the address of EA7300.home.linksys.com.
Dnsmasq on your Pi-Hole doesn't recognize the hostname and forwards it to Cloudflare's DNS (1.1.1.1). 
The reply data: 
NXDOMAIN === non-existent domain (not surprising; Cloudflare doesn't know your LAN)
NODATA-IPv4/6 === no A/AAAA record on the hostname



Regards,
Kent
Reply
#7
Nice analysis Kent :-)
Reply
#8
Just a guess, but mightn't the router's fully qualified hostname be "EA7300.home-linksys.com", e.g., a host in a local domain home-linksys.com and not in the vendor's domain linksys.com? Or perhaps even a name in the special high-level domain ".home"
Reply
#9
A typical Router with integrated DHCP/DNS automatically updates the DNS cache when a LAN client connects. It also adds the Router host itself to the cache. It would be assigned the Router's LAN address e.g. 192.168.1.1 or something similar. DHCP would be configured to assign clients the Router's LAN address for both Gateway and DNS.

This ensures that all client queries to other clients on the LAN never get forwarded to the public DNS's which are configured on the Router's WAN side.

Once you get into separating DNS and DHCP from the Router, static IP addressing, etc you have to ensure a configuration that prevents queries from LAN hosts to other LAN hosts or to the Router from being forwarded to the public DNS. It usually involves manually updating the hosts file on the DNS/DHCP server.

Something like that.

-Tim
Reply
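Added example, not part of any post in this thread: a small Python parser for the dnsmasq log format quoted in post #4, which applies the reading given in post #6 and flags the situation described in post #9, where a LAN hostname is forwarded to a public resolver and only ever gets negative answers. The `radio.example.net` lines and its address are constructed sample data, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# First eight lines follow the log quoted in the thread; the last three are constructed.
SAMPLE_LOG = """\
Sep 11 10:38:24 dnsmasq[26771]: query[A] EA7300.home.linksys.com from 192.168.1.130
Sep 11 10:38:24 dnsmasq[26771]: forwarded EA7300.home.linksys.com to 1.1.1.1
Sep 11 10:38:24 dnsmasq[26771]: query[AAAA] EA7300.home.linksys.com from 192.168.1.130
Sep 11 10:38:24 dnsmasq[26771]: forwarded EA7300.home.linksys.com to 1.1.1.1
Sep 11 10:38:24 dnsmasq[26771]: reply EA7300.home.linksys.com is NXDOMAIN
Sep 11 10:38:24 dnsmasq[26771]: reply EA7300.home.linksys.com is NODATA-IPv6
Sep 11 10:38:24 dnsmasq[26771]: query[A] EA7300.home.linksys.com from 192.168.1.130
Sep 11 10:38:24 dnsmasq[26771]: cached EA7300.home.linksys.com is NODATA-IPv4
Sep 11 10:38:25 dnsmasq[26771]: query[A] radio.example.net from 192.168.1.130
Sep 11 10:38:25 dnsmasq[26771]: forwarded radio.example.net to 1.1.1.1
Sep 11 10:38:25 dnsmasq[26771]: reply radio.example.net is 203.0.113.10
"""

LINE = re.compile(
    r"dnsmasq\[\d+\]: (query\[(\w+)\]|forwarded|reply|cached) (\S+) (?:from|to|is) (\S+)")
NEGATIVE = {"NXDOMAIN", "NODATA", "NODATA-IPv4", "NODATA-IPv6"}

def summarize(log_text):
    """Group dnsmasq log lines by queried name (case-insensitive)."""
    stats = defaultdict(lambda: {"queries": 0, "clients": set(),
                                 "upstreams": set(), "negative": 0, "answers": set()})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        action, _qtype, name, value = m.groups()
        s = stats[name.lower()]
        if action.startswith("query"):
            s["queries"] += 1
            s["clients"].add(value)      # value is the client address
        elif action == "forwarded":
            s["upstreams"].add(value)    # value is the upstream resolver
        elif value in NEGATIVE:          # reply/cached with no usable record
            s["negative"] += 1
        else:
            s["answers"].add(value)      # reply/cached with an address or CNAME
    return dict(stats)

def leaked_local_names(stats):
    """Names sent to a public resolver that never resolved: candidates for a local record."""
    return sorted(
        name for name, s in stats.items()
        if s["negative"] and not s["answers"]
        and any(ipaddress.ip_address(u).is_global for u in s["upstreams"]))

if __name__ == "__main__":
    print(leaked_local_names(summarize(SAMPLE_LOG)))
```

Names the function returns are the ones to define locally on the DNS server, as post #9 suggests, so that queries for them stop leaving the LAN.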
#10
(09-11-2019, 01:22 PM)Tim Curtis Wrote: ...
Once you get into separating DNS and DHCP from the Router, static IP addressing, etc you have to ensure a configuration that  prevents queries from LAN hosts to other LAN hosts or to the Router from being forwarded to the public DNS. It usually involves manually updating the hosts file on the DNS/DHCP server.
...

I think @HemiRick has two issues  one issue to resolve:

1. fix the static IP config in his moOde player

2. ask himself if his Pi-Hole should ever reach out to a public DNS server, in this case the Cloudflare 1.1.1.1

[Second-thought edit] Sorry, forgot the Pi-Hole is now his DNS server.
Reply

