"
I disabled the conditional forwarding from pihole to opnsense as a "solution".
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages1
#1
General Discussion / Re: Opnsense DOSing upstream DNS with bursts of requests
March 28, 2026, 08:42:37 PM #2
General Discussion / Re: Opnsense DOSing upstream DNS with bursts of requests
March 10, 2026, 09:22:48 AM
Thank you all, I'll check your recommendations later today. As a workaround, I went back to ISC + Unbound.
I have found one culprit: one of the clients was requesting a non-existing .opnsense domain (think google.com.opnsense). Pihole conditionally forwards it to opnsense, which doesn't know it and forwards to upstream (Pihole). This would explain a loop. I have to find out, why the request was made in the first place and figure out a way to stop opnsense/dnsmasq from forwarding those.
Earlier, I've seen loops with valid addresses though (e.g. proxmox1.opnsense), so this wouldn't be the only reason.
I also think pihole's SD card (I know...) got damaged after logging all these excessive loops, making analysis difficult. I'll make sure to be on working hardware again before knocking opnsense further.
I have found one culprit: one of the clients was requesting a non-existing .opnsense domain (think google.com.opnsense). Pihole conditionally forwards it to opnsense, which doesn't know it and forwards to upstream (Pihole). This would explain a loop. I have to find out, why the request was made in the first place and figure out a way to stop opnsense/dnsmasq from forwarding those.
Earlier, I've seen loops with valid addresses though (e.g. proxmox1.opnsense), so this wouldn't be the only reason.
I also think pihole's SD card (I know...) got damaged after logging all these excessive loops, making analysis difficult. I'll make sure to be on working hardware again before knocking opnsense further.
#3
General Discussion / Re: Opnsense DOSing upstream DNS with bursts of requests
March 09, 2026, 08:54:40 PMQuote from: newsense on March 08, 2026, 10:22:53 PMThat number of requests is a bit high, I'm assuming they're coming from a lot of lists or aliases.
As I said, it's the same request for one of the .opnsense hosts over and over again. What do you mean they come from lists/aliases?
Quote from: newsense on March 08, 2026, 10:22:53 PMMore importantly though, you're lacking a DNS caching capability.
What do you mean by this? I think pihole caches. But dnsmasq is supposed to only resolve it's DHCP hosts and the 2 extra entries I posted, nothing else, so I'm not sure what it's supposed to cache.
#4
General Discussion / [Solved] Opnsense DOSing upstream DNS with bursts of requests
March 08, 2026, 09:05:44 PM
OpnSense is sending way too many requests (e.g. 800.000 in 10 minutes) for periods of time to the upstream DNS (my pihole). This happens now and then and causes problems on the pihole.
The requests come from OpnSense directly, not from downstream clients (Outbound NAT is disabled completely). They are all the same requests, usually for one host in it's own network, e.g. proxmox1.opnsense, and are forwarded to Opnsense (see below).
My servers are in an OpnSense subnet. The subnet uses .opnsense and pihole is configured to conditionally forward .opnsense to OpnSense (true,10.0.0.0/24,10.0.0.1,opnsense). I suspect some kind of loop but can't get behind it. DHCP sets the pihole ip as dns-server [6].
I only use dnsmasq to have DHCP and to resolve.opnsense from the pihole - including the proxmox hosts which aren't doing dhcp but static IP - those are added to dnsmasq.d like this:
These are often (but not exclusively) the hosts that opnsense is requesting in those surge periods.
I recently upgraded from 25.7 to 26.1 and switched from ISC to dnsmasq for DHCP - I think that's when the issue started.
/var/log/dnsmasq/$latest.log is only 128 lines and is nothing but some DHCPREQUEST/DHCPACK in the time period.
The setup generally works fine, but after these spikes, pihole has some hiccups. Any help on how to nail this further down would be appreciated.
Ubound, KEA and ISC are disabled.
Versions
OPNsense 26.1.3-amd64
FreeBSD 14.3-RELEASE-p9
OpenSSL 3.0.19
Bare Metal (PC Engine APU)
Edit: The diagram was missing
The requests come from OpnSense directly, not from downstream clients (Outbound NAT is disabled completely). They are all the same requests, usually for one host in it's own network, e.g. proxmox1.opnsense, and are forwarded to Opnsense (see below).
My servers are in an OpnSense subnet. The subnet uses .opnsense and pihole is configured to conditionally forward .opnsense to OpnSense (true,10.0.0.0/24,10.0.0.1,opnsense). I suspect some kind of loop but can't get behind it. DHCP sets the pihole ip as dns-server [6].
I only use dnsmasq to have DHCP and to resolve.opnsense from the pihole - including the proxmox hosts which aren't doing dhcp but static IP - those are added to dnsmasq.d like this:
Code Select
root@OPNsense:/usr/local/etc/dnsmasq.conf.d # cat proxmox-hosts-dns-records.conf
address=/proxmox1.opnsense/10.0.0.10
address=/proxmox2.opnsense/10.0.0.11These are often (but not exclusively) the hosts that opnsense is requesting in those surge periods.
I recently upgraded from 25.7 to 26.1 and switched from ISC to dnsmasq for DHCP - I think that's when the issue started.
/var/log/dnsmasq/$latest.log is only 128 lines and is nothing but some DHCPREQUEST/DHCPACK in the time period.
The setup generally works fine, but after these spikes, pihole has some hiccups. Any help on how to nail this further down would be appreciated.
Ubound, KEA and ISC are disabled.
Versions
OPNsense 26.1.3-amd64
FreeBSD 14.3-RELEASE-p9
OpenSSL 3.0.19
Bare Metal (PC Engine APU)
Edit: The diagram was missing
Pages1
