Menu

Show posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Show posts Menu

Messages - gardener

Pages1
#1
General Discussion / Re: Opnsense DOSing upstream DNS with bursts of requests
March 09, 2026, 08:54:40 PM
Quote from: newsense on March 08, 2026, 10:22:53 PMThat number of requests is a bit high, I'm assuming they're coming from a lot of lists or aliases.

As I said, it's the same request for one of the .opnsense hosts over and over again. What do you mean they come from lists/aliases?

Quote from: newsense on March 08, 2026, 10:22:53 PMMore importantly though, you're lacking a DNS caching capability.

What do you mean by this? I think pihole caches. But dnsmasq is supposed to only resolve it's DHCP hosts and the 2 extra entries I posted, nothing else, so I'm not sure what it's supposed to cache.
#2
General Discussion / Opnsense DOSing upstream DNS with bursts of requests
March 08, 2026, 09:05:44 PM
OpnSense is sending way too many requests (e.g. 800.000 in 10 minutes) for periods of time to the upstream DNS (my pihole). This happens now and then and causes problems on the pihole.

The requests come from OpnSense directly, not from downstream clients (Outbound NAT is disabled completely). They are all the same requests, usually for one host in it's own network, e.g. proxmox1.opnsense, and are forwarded to Opnsense (see below).

My servers are in an OpnSense subnet. The subnet uses .opnsense and pihole is configured to conditionally forward .opnsense to OpnSense (true,10.0.0.0/24,10.0.0.1,opnsense). I suspect some kind of loop but can't get behind it. DHCP sets the pihole ip as dns-server [6].

I only use dnsmasq to have DHCP and to resolve.opnsense from the pihole - including the proxmox hosts which aren't doing dhcp but static IP - those are added to dnsmasq.d like this:

Code Select
root@OPNsense:/usr/local/etc/dnsmasq.conf.d # cat proxmox-hosts-dns-records.conf
address=/proxmox1.opnsense/10.0.0.10
address=/proxmox2.opnsense/10.0.0.11
These are often (but not exclusively) the hosts that opnsense is requesting in those surge periods.

I recently upgraded from 25.7 to 26.1 and switched from ISC to dnsmasq for DHCP - I think that's when the issue started.

/var/log/dnsmasq/$latest.log is only 128 lines and is nothing but some DHCPREQUEST/DHCPACK in the time period.

The setup generally works fine, but after these spikes, pihole has some hiccups. Any help on how to nail this further down would be appreciated.


Ubound, KEA and ISC are disabled.

Versions
OPNsense 26.1.3-amd64
FreeBSD 14.3-RELEASE-p9
OpenSSL 3.0.19

Bare Metal (PC Engine APU)

Edit: The diagram was missing
Pages1