Grafana creates strange DNS traffic for releases >= 10.2.3

Edit: This is resolved and nothing malicious is happening. See here for the GitHub issue update. The issue here appears to be the result of Safari pre-fetching DNS for Grafana’s forums, which are linked on the Grafana landing page and do use advertising scripts.
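The explanation above (a browser resolving every hostname linked from a page before the user clicks anything) is easy to check for yourself rather than guess at. The following is an added example, not code from this post or from Grafana: it extracts the external hostnames a page links to, honours the `x-dns-prefetch-control` meta tag that several browsers consult before prefetching, and then correlates a list of blocked query names (as you would copy them out of the AdGuard Home query log) against those hostnames so you can see which "strange" lookups are explained by the page's own links. The HTML and the query names are constructed placeholders, not the real Grafana landing page or the real blocked domains.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkHostCollector(HTMLParser):
    """Collect every hostname referenced by href/src attributes on a page.

    Also notices <meta http-equiv="x-dns-prefetch-control" content="off">,
    which tells prefetching browsers not to resolve linked hosts early.
    """

    def __init__(self):
        super().__init__()
        self.hosts = set()
        self.prefetch_disabled = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lowercases names
        if tag == "meta" and a.get("http-equiv", "").lower() == "x-dns-prefetch-control":
            if a.get("content", "").lower() == "off":
                self.prefetch_disabled = True
            return
        for attr in ("href", "src"):
            url = a.get(attr)
            if not url:
                continue
            # urlparse handles absolute URLs and "//host/path" references;
            # relative paths yield no hostname and are ignored.
            host = urlparse(url).hostname
            if host:
                self.hosts.add(host.lower())


def prefetch_candidates(html, page_host):
    """Hostnames a prefetching browser may resolve when rendering `html`.

    Returns an empty set when the page opts out via x-dns-prefetch-control,
    and never includes the page's own host.
    """
    parser = LinkHostCollector()
    parser.feed(html)
    if parser.prefetch_disabled:
        return set()
    return {h for h in parser.hosts if h != page_host.lower()}


def explained_by_page(blocked_queries, candidates):
    """Blocked query names that are a linked host or a subdomain of one."""
    explained = set()
    for name in blocked_queries:
        name = name.lower().rstrip(".")
        for host in candidates:
            if name == host or name.endswith("." + host):
                explained.add(name)
                break
    return explained


# Constructed landing page: an internal dashboard link, a link to a community
# forum on another host, and a third-party script. Hostnames are placeholders.
SAMPLE_HTML = """
<html><body>
  <a href="/dashboards">Dashboards</a>
  <a href="https://community.example.org/t/help">Community forums</a>
  <script src="//ads.example.net/tag.js"></script>
</body></html>
"""

# Same page with DNS prefetching disabled (constructed).
SAMPLE_HTML_OFF = '<meta http-equiv="x-dns-prefetch-control" content="off">' + SAMPLE_HTML

# Constructed query names, standing in for what the resolver log showed blocked.
SAMPLE_BLOCKED = ["ads.example.net", "static.ads.example.net", "unrelated.example.com"]


if __name__ == "__main__":
    candidates = prefetch_candidates(SAMPLE_HTML, "grafana.local")
    print("linked hosts:", sorted(candidates))
    print("blocked queries explained by page links:",
          sorted(explained_by_page(SAMPLE_BLOCKED, candidates)))
    print("with prefetch disabled:", prefetch_candidates(SAMPLE_HTML_OFF, "grafana.local"))
```

Any blocked name that is not in the explained set is the one worth chasing further; the ones that are explained come from a page link and will disappear from the resolver log if you disable prefetching in the browser or opt the page out with the meta tag.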

I use AdGuard Home for DNS-based ad-blocking and recently noticed some suspicious looking traffic getting consistently blocked in my DNS query logs. Lots of outbound queries to fishy Russian and Greek ad servers (see the full list below):

(Screenshot: DNS requests in AdGuard Home)

After some investigating, I found that these requests were generated by Grafana, which is visualization software I use to monitor server health. Specifically, the requests are generated only by desktop Safari clients that load any local Grafana page from Docker image 10.2.3 or above (including latest at the time of this posting). Some details:

I confirmed these results using an entirely separate MacBook client, and they’ve also been confirmed independently on reddit. I reached out to the Grafana security team on April 3rd and again on April 8th, but received no response. I also created a GitHub issue.

I’m not qualified to speculate about the implications here, security or otherwise, but I do hope someone looks into this more. Even if the behavior isn’t malicious, it’s still incredibly strange. Crossing my fingers that this is a misconfiguration and not something worse, like a supply chain attack or the start of ads in Grafana.

🤞


Queried domains

This is the full list of domains queried when refreshing a page. The list seems to be static as it hasn’t changed between 10.2.3 and latest, as far as I can tell.