
I have blocked this "root" [app/service/user] from accessing the network. However, I can find no specific answers as to what it is and why it attempts to contact only random servers. I use NetGuard to better control the network on my phone, which is where the screenshot came from.

I have searched for days for an answer to my question, but there are literally millions of instances across the network and boolean searches only narrow it to tens of thousands.

Should I be worried about malicious intent or just keep it locked down?

Andrew T.
  • By the user-id 0 (Linux root user) you can see that these requests don't belong to apps, but to system components (e.g. services) that run as root user (or, if your system is rooted, to programs that are executed via su). – Robert Jan 29 '24 at 14:06
  • If you are really worried, just run a decent virus scanner – Rohit Gupta Jan 30 '24 at 03:18
  • As @Robert already pointed out, those are requests made by the system itself. Most of them will probably originate from Google Mobile Services (including analytics) – all those google.com and 1e100.net ones. Though I'd indeed wonder what accesses .gov servers or .ring.com, facebook etc. at system level (port 443 indicates web servers being accessed and not just name servers to resolve IP addresses). So I guess you should be worried about your Facebook & Co apps if you're afraid about tracking ;) – Izzy Jan 30 '24 at 09:12
  • @Izzy GMS and other system/framework apps don't run with root (0) UID. So it must be some init service. Most probably netd, which is Android's DNS caching daemon, i.e. it forwards DNS queries to the internet as requested by apps. – Irfan Latif Feb 01 '24 at 13:01
  • When there are multiple processes running with the same UID, it's possible to filter out the one doing network activity using cls_cgroup and xt_cgroup Linux features. But it requires a rooted device, some familiarity with Linux networking, and most probably a custom kernel. – Irfan Latif Feb 01 '24 at 13:01

0 Answers
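
The comments above turn on the fact that Linux attributes a socket to a UID, not to a named process. As an added example (not part of the original thread, and not NetGuard's code), this parses constructed sample lines in the `/proc/net/tcp` format, assuming IPv4 and a little-endian CPU, and groups established remote endpoints by owning UID; `SAMPLE`, `decode_endpoint`, `owner_kind` and `remote_by_uid` are illustrative names.

```python
import socket
from collections import defaultdict

# Constructed sample in /proc/net/tcp format (not captured from a real device).
# Remote addresses are documentation-range IPs; column 8 (index 7) is the UID.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0200000A:A1B2 0A0200C0:01BB 01 00000000:00000000 00:00000000 00000000     0        0 11111
   1: 0200000A:A1B3 076433C6:01BB 01 00000000:00000000 00:00000000 00000000     0        0 11112
   2: 0200000A:C350 057100CB:01BB 01 00000000:00000000 00:00000000 00000000 10123        0 11113
   3: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 11114
"""

ESTABLISHED = "01"  # TCP state code used in the 'st' column


def decode_endpoint(field):
    """'0A0200C0:01BB' -> ('192.0.2.10', 443).

    The IPv4 address is hex in host byte order (little-endian assumed here),
    the port is plain hex.
    """
    addr_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(bytes.fromhex(addr_hex)[::-1])
    return ip, int(port_hex, 16)


def owner_kind(uid):
    """Classify a UID the way the comments do: 0 is root, apps start at 10000."""
    if uid == 0:
        return "root (init service, daemon, or su process)"
    if uid < 10000:
        return "reserved system UID"
    return "installed app"


def remote_by_uid(table):
    """Map owning UID -> list of (ip, port) for established connections."""
    result = defaultdict(list)
    for line in table.splitlines()[1:]:        # skip the header row
        fields = line.split()
        if len(fields) < 10 or fields[3] != ESTABLISHED:
            continue                           # ignore listeners and short rows
        result[int(fields[7])].append(decode_endpoint(fields[2]))
    return dict(result)


if __name__ == "__main__":
    for uid, peers in remote_by_uid(SAMPLE).items():
        print(uid, owner_kind(uid), peers)
```

Both UID 0 rows carry no process name, which is why every root-owned connection collapses into a single "root" entry and why separating them needs per-process mechanisms such as the cgroup matching mentioned in the last comment.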