Messages - nojwe

#1
Found the issue. My NAT rules to redirect DNS queries to the PiHoles were creating a loop somehow with OPNsense. I changed the rules to:
Interface: LAN, IoT
TCP/IP: IPv4
Protocol: UDP
Invert source: checked
Source: Alias for the PiHole and OPNsense IPs (For OPNsense I added 192.168.12.1 and 127.0.0.1, as I wasn't sure which one I'd need)
Source Port Range: Any
Invert Destination: Checked
Destination: PiHole alias (PiHoles only)
Destination Port Range: DNS

So any DNS requests from devices other than the PiHoles or OPNsense box get routed to the PiHoles. I think what was happening earlier was that OPNsense's reverse lookups were getting sent to the PiHoles, which would then send them back to OPNsense or deny them, in which case OPNsense would send more since it didn't receive data. Repeat forever.

I've been running the above rule for 24 hours now and the number of queries looks sane. I'm still seeing in-addr.arpa, but only one at a time, so that seems ok to me.
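Added example (not from the post above and not OPNsense code): a small Python model of the port-forward rule as the fields in post #1 describe it, so the effect of "Invert source" and "Invert destination" can be checked packet by packet. The Pi-hole addresses 192.168.12.2/.3 and the client 192.168.12.50 are invented; the thread only gives 192.168.12.1 and 127.0.0.1 for OPNsense. The "any source" rule is a hypothetical contrast, not the author's earlier rule (which the post does not show), and the model always redirects to the first alias member, whereas the real firewall may spread across the pool.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Addresses are assumptions for this example: the thread gives only 192.168.12.1
# (OPNsense on the LAN) and 127.0.0.1; the Pi-hole and client addresses are invented.
OPNSENSE_IPS = frozenset({"192.168.12.1", "127.0.0.1"})
PIHOLE_IPS = frozenset({"192.168.12.2", "192.168.12.3"})
DNS_PORT = 53


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrives on ("lan", "iot", ...)
    proto: str   # "udp" or "tcp"
    src: str
    dst: str
    dport: int


def _selector_matches(value: str, members: Optional[FrozenSet[str]], invert: bool) -> bool:
    """'any' (members=None) matches everything; otherwise membership XOR invert."""
    if members is None:
        return True
    return (value in members) != invert


@dataclass(frozen=True)
class PortForward:
    """Simplified model of one OPNsense port-forward rule (the fields named in the post)."""
    interfaces: FrozenSet[str]
    proto: str
    source: Optional[FrozenSet[str]]
    invert_source: bool
    destination: Optional[FrozenSet[str]]
    invert_destination: bool
    dport: int
    target: Tuple[str, ...]   # redirect pool (the Pi-hole alias)

    def redirect_for(self, pkt: Packet) -> Optional[str]:
        """New destination address if the rule rewrites this packet, else None.
        Assumption: always picks the first pool member; the real firewall may
        spread across the alias."""
        if pkt.iface not in self.interfaces or pkt.proto != self.proto or pkt.dport != self.dport:
            return None
        if not _selector_matches(pkt.src, self.source, self.invert_source):
            return None
        if not _selector_matches(pkt.dst, self.destination, self.invert_destination):
            return None
        return self.target[0]


# The rule from the post: redirect UDP/53 unless it comes from a Pi-hole or from
# OPNsense itself, and unless it is already addressed to a Pi-hole.
FIXED_RULE = PortForward(
    interfaces=frozenset({"lan", "iot"}), proto="udp",
    source=OPNSENSE_IPS | PIHOLE_IPS, invert_source=True,
    destination=PIHOLE_IPS, invert_destination=True,
    dport=DNS_PORT, target=tuple(sorted(PIHOLE_IPS)),
)

# Hypothetical contrast (not the author's earlier rule): the same redirect with
# Source left at "any".
ANY_SOURCE_RULE = PortForward(
    interfaces=frozenset({"lan", "iot"}), proto="udp",
    source=None, invert_source=False,
    destination=PIHOLE_IPS, invert_destination=True,
    dport=DNS_PORT, target=tuple(sorted(PIHOLE_IPS)),
)

# Who forwards to whom: both Pi-holes use OPNsense's Unbound as upstream, and
# Unbound recurses on its own (no LAN upstream), as the thread describes.
UPSTREAM_OF: Dict[str, str] = {ip: "192.168.12.1" for ip in PIHOLE_IPS}


def follow(rule: PortForward, pkt: Packet, upstream_of: Dict[str, str],
           max_hops: int = 8) -> Tuple[List[str], bool]:
    """Resolvers a query visits when each one forwards to its upstream through the
    rule. Returns (path, looped); looped is True if the hop limit tripped."""
    path: List[str] = []
    for _ in range(max_hops):
        resolver = rule.redirect_for(pkt) or pkt.dst
        path.append(resolver)
        nxt = upstream_of.get(resolver)
        if nxt is None:          # reached a resolver that recurses on its own
            return path, False
        # the resolver's own upstream query enters the firewall on the same segment
        pkt = Packet(pkt.iface, pkt.proto, resolver, nxt, DNS_PORT)
    return path, True


if __name__ == "__main__":
    client_query = Packet("lan", "udp", "192.168.12.50", "8.8.8.8", DNS_PORT)
    print("fixed rule:", follow(FIXED_RULE, client_query, UPSTREAM_OF))
    print("any-source rule:", follow(ANY_SOURCE_RULE, client_query, UPSTREAM_OF))
```

Two things the model makes visible. With Source set to "any", a Pi-hole's own upstream query to 192.168.12.1:53 is itself caught by the redirect and sent back to a Pi-hole, which is one way such a rule can loop; excluding the resolvers' addresses as in post #1 breaks that. And because the rule is UDP only, TCP/53 (used for large answers and zone transfers) is not redirected at all, so a matching TCP rule, or Protocol TCP/UDP, is needed if the intent is to force all port-53 traffic through the Pi-holes.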
#2
Quote from: cookiemonster on April 19, 2023, 04:17:19 PM
What services do you have running on OPN? It might not be netflow but another.

The only ones I installed beyond the base setup were ddclient, git backup, iperf, mdns repeater, smart, and wireguard.
#3
Quote from: pmhausen on April 19, 2023, 12:09:32 AM
IIRC netflow has got an option to report hostnames instead of IP addresses.

Thanks, I tried clearing out everything in Netflow, setting it to a different interface, etc. but it hasn't seemed to make a difference.
#4
Quote from: pmhausen on April 18, 2023, 11:33:35 PM
You probably told some service on your firewall to log the clients' FQDNs instead of IP addresses. This gives you one lookup for each connection that is subjected to that logging.

Any ideas of services that may do this? I looked through everything (I think) and couldn't find a setting like this. I don't have much extra installed - Wireguard, mDNS, iPerf.
#5
Quote from: gpb on April 18, 2023, 11:13:57 PM
I believe OPNsense should be answering the local ptr requests...not making them.  In pihole settings, DNS, Advanced at the bottom, I have both "Never forward" options checked and use conditional forwarding...make sure to fill in the boxes below that option at the bottom.  You stated you are using opnsense for dhcp, not pihole...make sure you don't use both...it's one or the other of course, just in case I misunderstood your setup.

Thanks, good points to check. I already had both 'Never forward' options enabled. Conditional forwarding is off since OPNsense is the upstream. PiHole does not have DHCP enabled.

Quote from: gpb on April 18, 2023, 11:13:57 PM
In unbound, I have register static mappings and dhcp leases checked (you may have other options as well).  Also, I would probably include a DNS in System General for the router itself as that's not going to be passed to hosts via DHCP unless you make that selection to do so.

Thanks, I'll give this a try.
#6
Setup:
- OPNsense 23.1.5
- DNS using 2 Pi-holes on same subnet as OPNsense. Pi-holes are set as DNS via DHCP for my LAN and IoT VLAN and they use OPNsense Unbound as their upstream.
- DHCP reservations are added to OPNsense
- OPNsense does not have any upstream servers set under System - General.
- Firewall/NAT rules in place to redirect traffic on port 53 to the Pi-holes.

Problem: I'm getting hundreds of PTR queries a second to each Pi-hole from OPNsense for *.in-addr.arpa. I understand that these are reverse DNS requests, but I don't understand why OPNsense is spamming so many. There are tons of duplicate requests that all register at the same time too (e.g. 80 requests in 1 second for 16.16.168.192.in-addr.arpa)

Is there a way to resolve this behavior, or is this expected and intended?

Is there a way to redirect only queries from OPNsense to its local instance of Unbound?
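Added example (not from the thread and not Pi-hole code): a short Python script that reads Pi-hole's dnsmasq log and surfaces the symptom described in the setup post above, identical PTR queries from one client dozens of times within the same second, which is also a quick way to confirm the "only one at a time" state reported after the rule change. The sample lines are constructed in dnsmasq's log-file format; the timestamps, PID and addresses are invented, with 192.168.12.1 standing for OPNsense as in the thread.

```python
import re
from collections import Counter
from typing import Dict, Iterator, List, Tuple

# Constructed sample in dnsmasq's log-file format (what Pi-hole writes to pihole.log).
# Timestamps, PID and addresses are invented for the example.
SAMPLE_LOG = """\
Apr 18 23:10:01 dnsmasq[512]: query[A] example.com from 192.168.12.50
Apr 18 23:10:01 dnsmasq[512]: forwarded example.com to 192.168.12.1
Apr 18 23:10:01 dnsmasq[512]: query[PTR] 16.16.168.192.in-addr.arpa from 192.168.12.1
Apr 18 23:10:01 dnsmasq[512]: query[PTR] 16.16.168.192.in-addr.arpa from 192.168.12.1
Apr 18 23:10:01 dnsmasq[512]: query[PTR] 16.16.168.192.in-addr.arpa from 192.168.12.1
Apr 18 23:10:01 dnsmasq[512]: query[PTR] 16.16.168.192.in-addr.arpa from 192.168.12.1
Apr 18 23:10:01 dnsmasq[512]: query[PTR] 16.16.168.192.in-addr.arpa from 192.168.12.1
Apr 18 23:10:01 dnsmasq[512]: reply 16.16.168.192.in-addr.arpa is NXDOMAIN
Apr 18 23:10:02 dnsmasq[512]: query[PTR] 50.12.168.192.in-addr.arpa from 192.168.12.1
Apr 18 23:10:02 dnsmasq[512]: query[AAAA] example.com from 192.168.12.50
"""

# Only "query[...]" lines carry the client address; forwarded/reply lines are skipped.
QUERY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$"
)

Query = Tuple[str, str, str, str]   # (logged second, client, qtype, name)


def parse_queries(log_text: str) -> Iterator[Query]:
    """Yield one tuple per query line; other dnsmasq lines are ignored."""
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            yield (m["ts"], m["client"], m["qtype"], m["name"])


def find_bursts(log_text: str, threshold: int = 3) -> List[Tuple[Query, int]]:
    """Identical (client, type, name) queries repeated at least `threshold` times
    within one logged second, most frequent first. A retry storm shows up here;
    ordinary cache misses for different names do not."""
    counts = Counter(parse_queries(log_text))
    bursts = [(q, n) for q, n in counts.items() if n >= threshold]
    return sorted(bursts, key=lambda item: -item[1])


def peak_rate_per_client(log_text: str) -> Dict[str, int]:
    """Highest number of queries each client sent in any single logged second."""
    per_second = Counter((ts, client) for ts, client, _, _ in parse_queries(log_text))
    peak: Dict[str, int] = {}
    for (_, client), n in per_second.items():
        peak[client] = max(peak.get(client, 0), n)
    return peak


def ptr_share(log_text: str, client: str) -> float:
    """Fraction of one client's queries that are reverse (PTR) lookups."""
    qs = [q for q in parse_queries(log_text) if q[1] == client]
    if not qs:
        return 0.0
    return sum(1 for q in qs if q[2] == "PTR") / len(qs)


if __name__ == "__main__":
    for (ts, client, qtype, name), n in find_bursts(SAMPLE_LOG):
        print(f"{ts}  {client}  {n}x {qtype} {name}")
    print(peak_rate_per_client(SAMPLE_LOG))
```

On a real box, feed the script the log file instead of SAMPLE_LOG (for example `find_bursts(open("/var/log/pihole.log").read())`; the path depends on the Pi-hole version). A healthy result looks like the post-fix state in the thread: PTR names appearing once per second per client, and no single (client, name) pair dominating the burst list.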