“A nearly impenetrable thicket of geekitude…”

New Rule

Posted on December 29, 2022 at 16:09

Alongside “don’t drink coffee too late at night” I have a new rule to make sure I get a good night’s sleep: “never fire up Wireshark after 10pm”.

I’m moving some network functionality — specifically, local DNS servers, I run split-horizon DNS — from two old Raspberry Pi machines onto something more modern. The question arose of how I’d know when I was done: how would I know when there are no more requests being made to the old machines?

I had a “bright idea” and made the mistake of firing up a Wireshark network analyser to quickly answer this question. I got more than I bargained for, as there were a lot of DNS queries I couldn’t see a reason for. The most common one looked like this:

Packet capture showing www.microsoft.com query every 15 seconds.

Some host on the network is performing a query for www.microsoft.com every 15 seconds, regular as clockwork.

Well, that’s on one server. I have two: this is what the other one was seeing:

Packet capture showing query from two sources every 15 seconds.

That’s another two sources of these queries, each also ticking away every 15 seconds.

These three hosts turn out to be the nodes in my WiFi mesh network. The manufacturer, Tenda, have arranged for each node to acquire an IP address on the network and use that to query for the address of www.microsoft.com every 15 seconds. That’s 17,280 queries a day.

Why? I found this post suggesting that the idea here is to establish whether there’s internet connectivity. Why each and every node in a WiFi mesh needs to know more than which RJ45 to send the packets out of is a mystery to me. It’s also amusing to think that as I have local servers all these queries are being swallowed by them and aren’t establishing second-by-second connectivity at all; it’s all just wasted effort.
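The two questions raised above (which clients still send anything to the old resolver, and which of those are just clockwork beacons like the mesh nodes) can be answered from a capture without staring at Wireshark. The following is an added example, not code from the original post; it assumes the capture has been exported to one text line per query in the form `<epoch seconds> <source IP> <query name>` (for instance via `tshark -T fields`, with the field list being an assumption), and the sample lines it contains are constructed.

```python
"""Summarise DNS query activity per client and flag fixed-interval queries.

Added example, not from the original post. Input format assumed:
one query per line as  <epoch seconds> <source IP> <query name>.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: two mesh nodes (.51, .52) querying www.microsoft.com
# every 15 s, plus one laptop (.20) doing ordinary lookups.
SAMPLE_LOG = """\
1672351200.00 192.168.1.51 www.microsoft.com
1672351200.10 192.168.1.52 www.microsoft.com
1672351203.40 192.168.1.20 example.org
1672351215.01 192.168.1.51 www.microsoft.com
1672351215.09 192.168.1.52 www.microsoft.com
1672351230.00 192.168.1.51 www.microsoft.com
1672351230.11 192.168.1.52 www.microsoft.com
1672351241.70 192.168.1.20 www.example.net
1672351245.02 192.168.1.51 www.microsoft.com
1672351245.08 192.168.1.52 www.microsoft.com
"""


def parse_log(text):
    """Return a list of (timestamp, source, name), skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = float(parts[0])
        except ValueError:
            continue
        # Normalise names so "WWW.Microsoft.com." and "www.microsoft.com" match.
        records.append((ts, parts[1], parts[2].lower().rstrip(".")))
    return records


def queries_per_source(records):
    """Count queries per client IP: the decommissioning checklist."""
    counts = defaultdict(int)
    for _, src, _ in records:
        counts[src] += 1
    return dict(counts)


def periodic_queries(records, min_samples=4, max_jitter=0.5):
    """Return {(src, name): interval_seconds} for near-constant-interval series.

    A series is periodic when it has at least min_samples queries and the
    population standard deviation of its inter-arrival gaps is at most
    max_jitter seconds. The thresholds are assumptions; tune them to the LAN.
    """
    series = defaultdict(list)
    for ts, src, name in records:
        series[(src, name)].append(ts)
    result = {}
    for key, times in series.items():
        if len(times) < min_samples:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter:
            result[key] = round(mean(gaps), 1)
    return result


def remaining_clients(records, ignore_periodic=True):
    """Sources still using this resolver, optionally minus known beacons."""
    beacons = set()
    if ignore_periodic:
        beacons = {src for src, _ in periodic_queries(records)}
    return sorted(set(queries_per_source(records)) - beacons)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for src, n in sorted(queries_per_source(recs).items()):
        print(f"{src:16} {n:5d} queries")
    for (src, name), interval in periodic_queries(recs).items():
        print(f"beacon: {src} -> {name} every {interval} s")
    print("still to migrate:", remaining_clients(recs))
```

Once `remaining_clients` returns an empty list for a capture spanning a full day (so that daily and weekly jobs have had their turn), the old resolver is genuinely idle; the beacons can be separated out because a connectivity probe has the near-zero jitter that human-driven lookups never do.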

Never fire up Wireshark after 10pm.
