9 Months with a Pi-hole
About nine months ago, I installed a piece of software called "Pi-hole" to a Raspberry Pi and routed all my Internet traffic through it. This tool blocks advertisements for all devices on my network, so this includes mobile devices and cameras.
A feature many wanted was the ability to store long-term data on what domains were blocked, what device(s) requested that domain and how often they were requested. In the past we were limited to a rolling 24 hours, which produced a view like this:
I can infer that generally when sleeping, a majority of the requests that my devices make are blocked. What becomes more interesting is when we tabulate nine months of data and draw some conclusions.
So I ran an export which gave me a 219.5 MB sqlite database file. The first entry was dated June 23, 2017 and the last entry being March 24, 2018. This gives 274 days of data to parse for a total of 2,889,704 requests.
With 274 days of data, we get 383,600 minutes. So simple math gives us roughly 7.53 requests a minute across that time span. Taking all those requests, we can break them into the following categories.
| Status | Count |
|---|---|
| Allowed | 1,927,304 |
| Cached | 684,185 |
| Blocked | 276,942 |
| Unknown | 1,921 |
So for starters, I'll grab the top ten most visited domains that are not blocked. This should give a good indication of what websites/products I normally use.
| Domain | Count |
|---|---|
| b.canaryis.com | 333,629 |
| clients4.google.com | 94,777 |
| play.google.com | 78,242 |
| clients6.google.com | 67,188 |
| ssl.gstatic.com | 59,023 |
| slack.com | 30,399 |
| www.googleapis.com | 28,989 |
| i.canaryis.com | 28,896 |
| google.com | 27,452 |
| clientservices.googleapis.com | 24,365 |
First off, the clients#.google.com domains are apparently Google Maps. I do use Google Maps a ton as a by product of playing GPS based games, so this makes sense.
Second, we have a few Google domains which seem to be related to assets and needed functionality that Google provides.
Finally, the interesting point is the b.canaryis.com and i.canaryis.com domains which have combined nearly 360k requests over nine months. This is probably from my Canary Home Security System, which I very much enjoy having. The requests seem to alternate between domains roughly every minute which is probably responsible for machine learning for the temperature or detection of a person caught in the film. Looking at just the previous six minutes, this thing indeed sends a lot of requests in comparison to other devices in my home.
Switching gears to the blocked requests, we see they account for 23% of all requests. What domains are constantly being blocked? Lets take a look at my top ten blocked domains.
| Domain | Count |
|---|---|
| ssl.google-analytics.com | 62,017 |
| settings-win.data.microsoft.com | 38,691 |
| watson.telemetry.microsoft.com | 24,306 |
| e.crashlytics.com | 15,466 |
| ssl.gstatic.com | 59,023 |
| api.mixpanel.com | 9,940 |
| www.google-analytics.com | 9,385 |
| ssw.live.com | 9,183 |
| www.googleadservices.com | 6,063 |
| graph.instagram.com | 5,579 |
This table of domains seems mostly obvious in terms of blocking. I'm glad that Google Analytics and anything related to Windows telemetry is now blocked. I wasn't aware what mixpanel was for, but that is Twitch advertisements. I do watch Twitch quite frequently, so that makes sense.
Now that we know which domains are being blocked, lets take a look at the top six devices in my home that are making these requests.
| Device | Count | Type |
|---|---|---|
| tombstone.local | 679,685 | Ubuntu Laptop |
| win10_old.local | 413,741 | Windows Desktop |
| C100M1402129.local | 280,963 | Security Camera |
| 192.168.1.235 | 178,809 | Unknown |
| iBotPeaches.local | 166,167 | Windows Desktop |
| EXODUS.local | 148,916 | Windows Desktop |
Before I had host names, it would list the IP of the device that made the request. None of my devices currently have the .235 allocation and the requests it made makes me think a Windows computer, so more than likely the iBotPeaches/win10_old host name.
As time goes on, my analytics for blocked domains will continue to increase. Which is pretty funny in a sense, because I'm blocking domains that track me while I'm recording those domains for my own tracking. I'll end this post with a snapshot of my Pi-hole, with a note to myself to buy a bigger SD Card for this Raspberry Pi.
