New Rule
Alongside “don’t drink coffee too late at night” I have a new rule to make sure I get a good night’s sleep: “never fire up Wireshark after 10pm”.
I’m moving some network functionality — specifically, local DNS servers; I run split-horizon DNS — from two old Raspberry Pi machines onto something more modern. The question arose of how I’d know when I was done: how would I know when there are no more requests being made to the old machines?
I had a “bright idea” and made the mistake of firing up a Wireshark network analyser to quickly answer this question. I got more than I bargained for, as there were a lot of DNS queries I couldn’t see a reason for. The most common one looked like this:
Some host on the network is performing a query for www.microsoft.com every 15 seconds, regular as clockwork.
Well, that’s on one server. I have two: this is what the other one was seeing:
That’s another two sources of these queries, each also ticking away every 15 seconds.
These three hosts turn out to be the nodes in my WiFi mesh network. The manufacturer, Tenda, have arranged for each node to acquire an IP address on the network and use that to query for the address of www.microsoft.com every 15 seconds. That’s 17,280 queries a day.
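The fixed interval is what makes these queries stand out, and it can be checked mechanically instead of by eye in a packet list. The sketch below is an added example, not part of the original post: it assumes the capture has been exported as tab-separated lines of epoch time, source address and query name, and the addresses and timestamps in the sample are constructed.

```python
from collections import defaultdict
from statistics import median

def build_sample():
    """Constructed export: 'epoch<TAB>source<TAB>query name'; addresses are made up."""
    lines = []
    for node in (21, 22, 23):                 # three mesh nodes, as in the post
        for i in range(20):                   # one probe every 15 seconds
            lines.append(f"{1700000000 + node + 15 * i}\t192.168.1.{node}\twww.microsoft.com")
    # An ordinary client: a few lookups at irregular times.
    for ts, name in [(1700000003, "example.org"), (1700000047, "example.net"),
                     (1700000210, "example.org"), (1700000215, "example.com")]:
        lines.append(f"{ts}\t192.168.1.50\t{name}")
    return lines

def parse(lines):
    """Group query timestamps by (source address, query name)."""
    seen = defaultdict(list)
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 3:
            continue                          # skip malformed rows
        try:
            ts = float(parts[0])
        except ValueError:
            continue
        seen[(parts[1], parts[2].lower().rstrip("."))].append(ts)
    return seen

def find_periodic(seen, min_queries=5, tolerance=1.0):
    """Map (source, name) -> (period in seconds, queries per day) for steady repeaters."""
    found = {}
    for key, stamps in seen.items():
        if len(stamps) < min_queries:
            continue
        stamps = sorted(stamps)
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        period = median(gaps)
        if period > 0 and all(abs(g - period) <= tolerance for g in gaps):
            found[key] = (period, round(86400 / period))
    return found

def remaining_clients(seen):
    """Every source still querying this server: empty means the old box is unused."""
    return sorted({src for src, _ in seen})

if __name__ == "__main__":
    seen = parse(build_sample())
    for (src, name), (period, per_day) in sorted(find_periodic(seen).items()):
        print(f"{src} asks for {name} every {period:g}s, about {per_day} times a day")
    print("still using this server:", ", ".join(remaining_clients(seen)))
```

Each node works out at 5,760 queries a day, which across three nodes gives the 17,280 above; the `remaining_clients` list is the answer to the original "am I done yet?" question.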
Why? I found this post suggesting that the idea here is to establish whether there’s internet connectivity. Why each and every node in a WiFi mesh needs to know more than which RJ45 to send the packets out of is a mystery to me. It’s also amusing to think that as I have local servers all these queries are being swallowed by them and aren’t establishing second-by-second connectivity at all; it’s all just wasted effort.
Never fire up Wireshark after 10pm.