dns.msftncsi.com DNS Requests Every Few Seconds

Over the weekend, I updated my wireless router to the latest revision of ASUSWRT-Merlin. I also decided to update my DietPi Pi-hole to their latest builds. Due to a full code rewrite of DietPi, it meant a complete rebuild for that system. The release of ASUSWRT-Merlin also suggested resetting to factory defaults due to some major changes. Everything was about to be new again.

Once I got everything rebuilt and running, I noticed requests coming from my firewall to my DietPi every 10 seconds or so for dns.msftncsi.com. I immediately assumed this was some Microsoft telemetry noise on my network from MS NLA. However, the queries were coming directly from my firewall, which seemed odd. Another search led me to a post on the Pi-hole discourse. After I ran nvram show | grep dns_probe, it was clear I had found the culprit.

admin@gw:/tmp/home/root# nvram show | grep dns_probe
dns_probe_host=dns.msftncsi.com
dns_probe_content=131.107.255.255 fd3e:4f5a:5b81::1

I ran the following three lines and confirmed the traffic stopped. No reboot was necessary. The first post I read recommended setting dns_probe_content to 0.0.0.0 and dns_probe_host to “” (effectively blank). I later found a post by RMerlin that explains that setting dns_probe_content to blank disables the watchdog service but effectively disables the dual WAN feature. It would make sense that dual WAN would require a watchdog service. So, if you use dual WAN, don’t do this. Otherwise, you should be fine.

admin@gw:/tmp/home/root# nvram set dns_probe_content=
admin@gw:/tmp/home/root# nvram set dns_probe_host=
admin@gw:/tmp/home/root# nvram commit
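
To check which host is sending the dns.msftncsi.com queries and at what cadence, before and after the change, the Pi-hole query log can be summarised per client. This is an added example, not part of the original post; the log lines are constructed in dnsmasq's query-log format, and the client addresses, the upstream resolver and the `probe_summary` helper name are assumptions.

```shell
#!/bin/sh
# Added example: measure how often one client asks Pi-hole for one name.

# Constructed sample in dnsmasq's query-log format. 192.168.1.1 stands in
# for the router and 192.168.1.50 for a Windows client (both assumptions).
sample_log() {
cat <<'EOF'
Jan  6 09:00:01 dnsmasq[812]: query[A] dns.msftncsi.com from 192.168.1.1
Jan  6 09:00:01 dnsmasq[812]: forwarded dns.msftncsi.com to 1.1.1.1
Jan  6 09:00:01 dnsmasq[812]: reply dns.msftncsi.com is 131.107.255.255
Jan  6 09:00:07 dnsmasq[812]: query[A] dns.msftncsi.com from 192.168.1.50
Jan  6 09:00:11 dnsmasq[812]: query[A] dns.msftncsi.com from 192.168.1.1
Jan  6 09:00:15 dnsmasq[812]: query[A] example.org from 192.168.1.50
Jan  6 09:00:21 dnsmasq[812]: query[A] dns.msftncsi.com from 192.168.1.1
Jan  6 09:00:31 dnsmasq[812]: query[A] dns.msftncsi.com from 192.168.1.1
Jan  6 09:00:41 dnsmasq[812]: query[A] dns.msftncsi.com from 192.168.1.1
EOF
}

# probe_summary DOMAIN CLIENT   (log on stdin)
# Prints "<query count> <mean seconds between queries>", or "<count> NA"
# when there are fewer than two matching queries.
probe_summary() {
    awk -v dom="$1" -v cli="$2" '
        $5 ~ /^query\[/ && $6 == dom && $8 == cli {
            split($3, t, ":")
            now = t[1] * 3600 + t[2] * 60 + t[3]
            if (n > 0) {
                gap = now - prev
                if (gap < 0) gap += 86400   # log crossed midnight
                total += gap
            }
            prev = now
            n++
        }
        END {
            if (n < 2) { print n + 0, "NA"; exit }
            printf "%d %d\n", n, total / (n - 1)
        }'
}

# Router probe: five queries, ten seconds apart.
sample_log | probe_summary dns.msftncsi.com 192.168.1.1
```

A steady interval from the router's address points at the firmware watchdog rather than a Windows client; after the nvram change, the count for that address should stop growing in new log entries.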