[dns-operations] Android - "strange" queries - connectivity check related ?
operations at dns.16bits.net
Thu Jan 21 01:01:18 UTC 2021
On 2021-01-17 at 17:48 -0500, vom513 wrote:
> I managed to catch some of the DNS traffic from his phone (I told him
> I was doing this :) ) - and have it up in Wireshark. Looking at
> this, at the beginning of this flurry of queries, I see some for
> connectivitycheck.gstatic.com. So while it might be a red herring,
> it does seem grouped if you will with the other questionable
> queries. I’m familiar with the random alpha strings that chrome will
> query for to detect DNS wildcarding etc - this wasn’t that.
> So my actual question - could anyone give me a summary of what this
> Android phone is doing - or better yet - point me to some Android
> developer docs or something that might/hopefully spell these
> mechanics out ?
The connectivitycheck.gstatic.com is "normal". From the top of my head,
it starts by requesting a known content from
connectivitycheck.gstatic.com, both using https and also trying http if
needed. This way, it can detect if it has access to the internet or is
in some kind of captive portal. If you block these queries it will
determine that it has connected to a network with no access to the
Now, *after* it succeeds and claims "I have internet!", then everything
else will start connecting, from registering with the generic push
notification API, to individual apps calling home for their own reasons.
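
For an operator looking at a capture like the one described in this thread, one way to separate the flurry that follows a connectivity check from a client's other queries. This is an added example, not part of the original message; the log format, the 10-second window and the sample names and addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

PROBE = "connectivitycheck.gstatic.com"  # name mentioned in the thread
WINDOW = 10.0  # assumed: seconds after a probe that count as the same burst

# Constructed sample log: "<epoch seconds> <client> <qname> <qtype>"
SAMPLE_LOG = """\
100.0 192.0.2.10 connectivitycheck.gstatic.com. A
100.4 192.0.2.10 push.example.net. A
101.2 192.0.2.10 api.example.org. AAAA
103.9 192.0.2.10 cdn.example.com. A
250.0 192.0.2.10 mail.example.org. A
300.0 192.0.2.11 www.example.com. A
malformed line
"""

def parse(line):
    """Return (ts, client, qname), or None for a line that does not parse."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = float(parts[0])
    except ValueError:
        return None
    return ts, parts[1], parts[2].rstrip(".").lower()

def bursts_after_probe(log_text, window=WINDOW):
    """Per client, group the queries seen within `window` s of each probe."""
    last_probe = {}                # client -> time of most recent probe
    bursts = defaultdict(list)     # client -> [[probe_ts, [qnames]], ...]
    unrelated = defaultdict(list)  # client -> qnames outside any burst
    for ts, client, qname in sorted(filter(None, map(parse, log_text.splitlines()))):
        if qname == PROBE:
            last_probe[client] = ts
            bursts[client].append([ts, []])
        elif client in last_probe and ts - last_probe[client] <= window:
            bursts[client][-1][1].append(qname)
        else:
            unrelated[client].append(qname)
    return dict(bursts), dict(unrelated)

if __name__ == "__main__":
    grouped, other = bursts_after_probe(SAMPLE_LOG)
    for client, items in grouped.items():
        for ts, names in items:
            print(f"{client} probe at {ts}: {len(names)} follow-ups: {names}")
    print("outside any burst:", other)
```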