Why is my computer pinging example.org 10 times a second every three minutes?

The ping.manjaro.org thing was easy to figure out. So were a couple others. Maybe it’s because of the required terms to search for the problem, but this one’s not so easy.

We’re not in quite Windows or Android territory, but it’s still pretty annoying how much different behind-the-scenes phoning home (or elsewhere) that I’ve discovered Manjaro is doing.

Pihole screenshot attached. Every three minutes, ten times a second, 24/7/365, my PC is hitting example.org for something. (Couldn’t get a whole set in any one screenshot, sorry. It’s close.)

Why is my PC doing this? What is the rationale? A connectivity test? A speed test of sorts?

What is it caused by? Some piece of software? A gnome extension? The network stack? Or the OS itself?

example.org is a real site that you can visit. It looks like it’s run by IANA, so I doubt it’s anything shady.

Still, I didn’t ask for it, and I don’t want it doing that. I can block this from my pihole and it doesn’t appear to affect anything so, as far as I’m concerned, it’s unneeded.

How do I make this stop?

It’s not “phoning home”. It’s a ping test to see whether your network connection is up. ping does not convey any information onto the target.

It simply tests whether the computer can send and receive network traffic, and pinging example.org is a stable and innocent way to do that, because — like you say — it’s owned by IANA, and used specifically for this purpose.

There is a difference between being careful and being paranoid. You’re being paranoid. :wink:

1 Like

Only if you consider your IP, location, and the time your device was turned on not to be information.

What program is sending these pings?

2 Likes

Maybe. Still, as far as I’m concerned, it’s a useless operation that isn’t getting me anywhere, and it’s using up network bandwidth and CPU cycles to do it. A couple times a second once or even twice an hour is barely noticeable. 10 times a second every 3 minutes, to me, is excessive.

That, I don’t know. I’m just seeing this in Pihole. It happens too fast to see in iftop, and while wireshark will show it, too, it doesn’t tell me which program is doing it.

I’ve been stuck at home for a few weeks, and lately I’m finding myself doing things like shutting down all the telemetry on my Windows laptop, tracking down all the things nobody ever tells you about (unless you ask) that Firefox does, and now, wondering why my PC is hitting some website 200 times an hour for reasons I’ve never been given.

If it’s just a connectivity check, what does this do that the one to ping.manjaro.org wasn’t accomplishing?

I’ll just add that, as far as connectivity checks go, here’s all the ones I see that keep happening over and over, every few minutes:

And that’s just the last 10 minutes.

Look, I get that there’s always background comms happening, but this thing’s making 1,000s of connections per hour that the 2nd Manjaro PC on the other side of the room doesn’t. And that’s my torrent/server box running all the *arr software, reaching out, grabbing stuff, scraping sites for metadata, subtitles, whatever. I use this PC for email and youtube.

I’d just like to know how to whittle that number down some is all.
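To put numbers on the pattern described in the question (bursts of lookups on a fixed period), the resolver log can be summarised per client, and the measured period compared against known timers. This is an added example, not part of the original posts; it assumes the Pi-hole log uses dnsmasq's plain `query[TYPE] name from client` line format, and the sample lines, PID and client address are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): summarise lookup bursts per client
# from a dnsmasq-style query log.
# Assumptions: all lines fall on one day; a burst ends after GAP idle seconds.

# dns_bursts DOMAIN [GAP]  -- log on stdin, one summary line per client.
dns_bursts() {
    awk -v dom="$1" -v gap="${2:-5}" '
        $5 ~ /^query\[/ && $6 == dom && $7 == "from" {
            split($3, t, ":"); now = t[1] * 3600 + t[2] * 60 + t[3]
            c = $8
            if (!(c in last) || now - last[c] > gap) {   # a new burst begins
                if (!(c in first)) first[c] = now
                bursts[c]++; start[c] = now
            }
            last[c] = now; total[c]++
        }
        END {
            for (c in bursts) {
                n = bursts[c]
                # Average spacing between burst starts (0 if only one burst).
                period = (n > 1) ? int((start[c] - first[c]) / (n - 1)) : 0
                printf "%s bursts=%d queries=%d period=%ds\n", c, n, total[c], period
            }
        }' | sort
}

# Constructed sample: 10 lookups in one second, repeated every 180 s, plus
# one unrelated query that must not be counted.
sample_log() {
    for start in 0 180 360; do
        m=$((start / 60)); i=0
        while [ "$i" -lt 10 ]; do
            printf 'Jun  1 09:%02d:00 dnsmasq[812]: query[A] example.org from 192.168.1.20\n' "$m"
            i=$((i + 1))
        done
    done
    echo 'Jun  1 09:01:30 dnsmasq[812]: query[A] ping.manjaro.org from 192.168.1.20'
}

sample_log | dns_bursts example.org
```

A log like this records DNS queries only, so the summary counts lookups per client, not connections made to the resolved address.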

The in-addr.arpa addresses are reverse DNS lookups, completely normal.

To find out what is doing the example.org pings or anything else install opensnitch.

1 Like

Are you by any chance using ENIAC?

1 Like

You can check your system for occurrences of the phrase example.org

It will make sense to check the common location of binaries and configurations.

e.g. the /etc (you may want to add sudo to eliminate permission errors)

grep -rl 'example.org' /etc

Another common place is /usr/share

grep -rl 'example.org' /usr/share

Another tool to see network traffic is ss which monitors sockets ss(8) — Arch manual pages

A third method is to use opensnitch to monitor your traffic - a very effective tool …

2 Likes

Nothing in /etc. That one gave some output, but it’s a good sized list. Other than nmap’s .nse files, it’s all just manual pages and guides for this, that, and the other.

I’ll take it for a ride and see what I come up with.

I couldn’t start opensnitch. The toggle switch could not be moved with either sudo or pkexec.

Anyway, note that this exact functionality changes with today’s update

Changing NetworkManager Connectivity-Ping to manjaro.org

So i guess it will be

grep -rl 'manjaro.org' /usr/share

Why do you believe a connection is established to example.org? Just asking a DNS server for an IP for example.org doesn’t mean a connection to this IP will be created after the DNS request.

1 Like

The url is indeed here (as of today)

/usr/lib/NetworkManager/conf.d/20-connectivity.conf
[connectivity]
uri=http://ping.manjaro.org/check_network_status.txt

but I have no idea where to stop the service if that is so important to you

That url hasn’t changed.

# /usr/lib/NetworkManager/conf.d/20-connectivity.conf
[connectivity]
uri=http://ping.manjaro.org/check_network_status.txt

-rw-r--r-- 1 root root 68 Jun  1 09:48 /usr/lib/NetworkManager/conf.d/20-connectivity.conf

This will do it:

sudo touch /etc/NetworkManager/conf.d/20-connectivity.conf

However example.org is from something else.

After installing opensnitch - enable and start the daemon

sudo systemctl enable --now opensnitchd.service

As for the network manager see NetworkManager - ArchWiki

EDIT:

On my system the systemd-resolved binary queries my DNS for the example.org domain.

Probably some kind of nameserver accessible check - the userid associated with the process is 977

 $ cat /etc/group | grep 977
systemd-resolve:x:977:

network resolution and lookup is a fairly crucial part of the system so I recommend not messing too much with it :grin:

querying the nameserver for the example.org domain is a very anonymous action and the result serves to provide feedback to system daemons about the state of the dns resolution capabilities of the system it is running on.

1 Like

FWIW:

I have just checked my PiHole and there is no mention of “example” never mind “example.org”.

So I’m thinking it’s something you’ve either got installed or perhaps you’ve set it up and forgot about it…

1 Like

I remember disabling the network activity ping before, and in my case I did it by setting
/etc/NetworkManager/conf.d/20-connectivity.conf

[connectivity]
enabled=false

now with the rest of my findings;

I did run;

# grep -rl 'example.org' /etc
/etc/named.conf
/etc/lynis/default.prf
/etc/clamav-unofficial-sigs/user.conf
/etc/clamav-unofficial-sigs/master.conf

/etc/named.conf is apparently the configuration file for BIND - DNS, which has *arpa, example.com references. BIND - ArchWiki

It is part of the bind package and has a service named.service; see whether this is running. You might be inadvertently running a local DNS server.

The connectivity check in /usr/lib/NetworkManager/conf.d/20-connectivity.conf usually checks internet connection every 300 seconds
Time interval can be changed to 0 to disable connectivity check

[connectivity]
uri=http://ping.manjaro.org/check_network_status.txt
interval=0

NetworkManager.conf – CONNECTIVITY SECTION — Arch manual pages

2 Likes

So now we know there are at least 4 ways to disable Network Manager’s connectivity check.

  1. Empty override
  2. Override with empty uri=
  3. Override with enabled=false
  4. Override with interval=0

You could presumably do any of those to the original, but that’s silly.
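The four overrides listed above can be checked against a real or test directory tree with a small resolver for the [connectivity] section. This is an added example, not code from the thread or from NetworkManager; it is simplified to read only the two conf.d directories (it ignores NetworkManager.conf and /run/NetworkManager/conf.d), and the function name is hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Reports whether NetworkManager's
# connectivity check ends up enabled after conf.d layering.
# Simplification (assumption): only the two conf.d directories are read;
# /run/NetworkManager/conf.d and NetworkManager.conf are ignored.
nm_connectivity_state() {
    lib=$1; etc=$2
    set --                                  # reuse "$@" as the ordered file list
    for f in "$lib"/*.conf; do
        # A same-named file in /etc (even empty or -> /dev/null) shadows this one.
        if [ -f "$f" ] && [ ! -e "$etc/${f##*/}" ]; then set -- "$@" "$f"; fi
    done
    for f in "$etc"/*.conf; do
        if [ -f "$f" ]; then set -- "$@" "$f"; fi
    done
    if [ $# -eq 0 ]; then set -- /dev/null; fi
    awk '
        FNR == 1           { sec = "" }
        /^[ \t]*#/         { next }
        /^[ \t]*\[/        { sec = $0; gsub(/[ \t]/, "", sec); next }
        sec == "[connectivity]" && /=/ {
            k = $0; sub(/=.*/, "", k);      gsub(/[ \t]/, "", k)
            v = $0; sub(/^[^=]*=/, "", v);  gsub(/^[ \t]+|[ \t]+$/, "", v)
            cfg[k] = v                      # later files override earlier ones
        }
        END {
            iv = ("interval" in cfg) ? cfg["interval"] : 300   # default interval
            en = tolower(cfg["enabled"])
            if (en == "false" || en == "no" || en == "off" || en == "0")
                print "disabled: enabled=" cfg["enabled"]
            else if (cfg["uri"] == "")
                print "disabled: no uri set"
            else if (iv + 0 == 0)
                print "disabled: interval=0"
            else
                print "enabled: uri=" cfg["uri"] " interval=" iv "s"
        }' "$@"
}

nm_connectivity_state /usr/lib/NetworkManager/conf.d /etc/NetworkManager/conf.d
```

On a live system, `NetworkManager --print-config` shows the merged configuration the daemon itself would use, which is the authoritative answer.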

Just to update everyone:
I did run opensnitch and, with some searching and following along here, it did lead me to the same place as koshikas:

It did ring some bells, but I was very confused, since neither

nor

existed on my system. But I did have /etc/NetworkManager/conf.d/21-disable-connectivity-check.conf
…so I’ve been mucking around in here at some point.

So this, ended up, oddly, being the solution to everything. I didn’t have those .conf files at all. Why or how or if I ever had them or not, I don’t know. Maybe I deleted them thinking it was a good idea. I can’t imagine doing something like that, but stranger things have happened.
Anyway, I (re?)created them and set the one in /usr/lib/NetworkManager/conf.d to a 3600s interval - once per hour - which to me, seems reasonable. I also deleted the 21.disable… file, since it apparently doesn’t work. I created the one in /etc/NetworkManager/conf.d as well.

Somewhere along the line, I rebooted for whatever reason, and everything stopped - or, rather, reduced to the once per hour interval. Which, again, seems reasonable to me.

Yeah, I’ve got none of that:

# grep -rl 'example.org' /etc
#
# systemctl status named.service
Unit named.service could not be found.
# cat /etc/named.conf
cat: /etc/named.conf: No such file or directory

Which, I guess, is a good sign in this case.
But this struck me, too:

Which I thought was somehow a possibility, but I checked all my PCs/devices, and all of them are configured to use the Pihole for DNS, unless I’m using my VPN, in which case, I’m tied to my VPN’s DNS servers. I don’t see any errors in the configuration*, and I do see all my household devices (three PCs, a phone, a tablet, the pihole, a router, and a few more Pis running TVs) in the Pihole’s logs when not on the VPN.

* I am running the pihole on the same subnet as all the rest of my home LAN (in a standard Class C scheme). My understanding is that is not the right way to do things, is a possible security risk, and is a remnant of when I first set it up like 3 years ago. While I’ve always had intent to change it, I’ve just never done it.

I will say this:
I didn’t realize DNS was as complex as it apparently is, and probably should have looked into a lot of these things back in like 2020 before I decided to take it upon myself to run a pihole. (In my defense, most of the setup tutorials are extremely entry-level.) It seems pretty simple on its face, but the actual machinery behind it all is kind of surprising. But, at least with being stuck at home for the time being, I’m looking into it now.

Also, this one slipped by me, but I’ll address it now:

That’s good and worth a chuckle, even if at my expense.
But! Computations are computations, no matter the device, and I’m in a single-ISP town on a metered connection. (You guess the company.) Thousands and thousands of connections every single hour 24/7 are still going to add up to something.

Now, back to fighting all my Windows 10 telemetry.

Thank you, everyone, for your help.

1 Like

That will be overwritten next time the networkmanager package is updated, that’s why we override it in /etc/NetworkManager/conf.d.