9 Months with a Pi-hole

About nine months ago, I installed a piece of software called "Pi-hole" to a Raspberry Pi and routed all my Internet traffic through it. This tool blocks advertisements for all devices on my network, so this includes mobile devices and cameras.

A feature many wanted was the ability to store long-term data on what domains were blocked, what device(s) requested that domain and how often they were requested. In the past we were limited to a rolling 24 hours, which produced a view like this:

pi-hole-24h

I can infer that generally when sleeping, a majority of the requests that my devices make are blocked. What becomes more interesting is when we tabulate nine months of data and draw some conclusions.

So I ran an export which gave me a 219.5 MB sqlite database file. The first entry was dated June 23, 2017 and the last entry being March 24, 2018. This gives 274 days of data to parse for a total of 2,889,704 requests.

With 274 days of data, we get 383,600 minutes. So simple math gives us roughly 7.53 requests a minute across that time span. Taking all those requests, we can break them into the following categories.

Status Count
Allowed 1,927,304
Cached 684,185
Blocked 276,942
Unknown 1,921

So for starters, I'll grab the top ten most visited domains that are not blocked. This should give a good indication of what websites/products I normally use.

Domain Count
b.canaryis.com 333,629
clients4.google.com 94,777
play.google.com 78,242
clients6.google.com 67,188
ssl.gstatic.com 59,023
slack.com 30,399
www.googleapis.com 28,989
i.canaryis.com 28,896
google.com 27,452
clientservices.googleapis.com 24,365

First off, the clients#.google.com domains are apparently Google Maps. I do use Google Maps a ton as a by product of playing GPS based games, so this makes sense.

Second, we have a few Google domains which seem to be related to assets and needed functionality that Google provides.

Finally, the interesting point is the b.canaryis.com and i.canaryis.com domains which have combined nearly 360k requests over nine months. This is probably from my Canary Home Security System, which I very much enjoy having. The requests seem to alternate between domains roughly every minute which is probably responsible for machine learning for the temperature or detection of a person caught in the film. Looking at just the previous six minutes, this thing indeed sends a lot of requests in comparison to other devices in my home.

camera

Switching gears to the blocked requests, we see they account for 23% of all requests. What domains are constantly being blocked? Lets take a look at my top ten blocked domains.

Domain Count
ssl.google-analytics.com 62,017
settings-win.data.microsoft.com 38,691
watson.telemetry.microsoft.com 24,306
e.crashlytics.com 15,466
ssl.gstatic.com 59,023
api.mixpanel.com 9,940
www.google-analytics.com 9,385
ssw.live.com 9,183
www.googleadservices.com 6,063
graph.instagram.com 5,579

This table of domains seems mostly obvious in terms of blocking. I'm glad that Google Analytics and anything related to Windows telemetry is now blocked. I wasn't aware what mixpanel was for, but that is Twitch advertisements. I do watch Twitch quite frequently, so that makes sense.

Now that we know which domains are being blocked, lets take a look at the top six devices in my home that are making these requests.

                                               
Device Count Type
tombstone.local 679,685 Ubuntu Laptop
win10_old.local 413,741Windows Desktop
C100M1402129.local 280,963Security Camera
192.168.1.235 178,809 Unknown
iBotPeaches.local 166,167Windows Desktop
EXODUS.local 148,916Windows Desktop

Before I had host names, it would list the IP of the device that made the request. None of my devices currently have the .235 allocation and the requests it made makes me think a Windows computer, so more than likely the iBotPeaches/win10_old host name.

As time goes on, my analytics for blocked domains will continue to increase. Which is pretty funny in a sense, because I'm blocking domains that track me while I'm recording those domains for my own tracking. I'll end this post with a snapshot of my Pi-hole, with a note to myself to buy a bigger SD Card for this Raspberry Pi.

raspberry

Top