OpnSense is sending way too many requests (e.g. 800.000 in 10 minutes) for periods of time to the upstream DNS (my pihole). This happens now and then and causes problems on the pihole.
The requests come from OpnSense directly, not from downstream clients (Outbound NAT is disabled completely). They are all the same requests, usually for one host in its own network, e.g. proxmox1.opnsense, and are forwarded to Opnsense (see below).
My servers are in an OpnSense subnet. The subnet uses .opnsense and pihole is configured to conditionally forward .opnsense to OpnSense (true,10.0.0.0/24,10.0.0.1,opnsense). I suspect some kind of loop but can't get behind it. DHCP sets the pihole ip as dns-server [6].
I only use dnsmasq to have DHCP and to resolve .opnsense from the pihole - including the proxmox hosts which aren't doing dhcp but static IP - those are added to dnsmasq.d like this:
root@OPNsense:/usr/local/etc/dnsmasq.conf.d # cat proxmox-hosts-dns-records.conf
address=/proxmox1.opnsense/10.0.0.10
address=/proxmox2.opnsense/10.0.0.11

These are often (but not exclusively) the hosts that opnsense is requesting in those surge periods.
I recently upgraded from 25.7 to 26.1 and switched from ISC to dnsmasq for DHCP - I think that's when the issue started.
/var/log/dnsmasq/$latest.log is only 128 lines and is nothing but some DHCPREQUEST/DHCPACK in the time period.
The setup generally works fine, but after these spikes, pihole has some hiccups. Any help on how to nail this further down would be appreciated.
Unbound, KEA and ISC are disabled.
Versions
OPNsense 26.1.3-amd64
FreeBSD 14.3-RELEASE-p9
OpenSSL 3.0.19
Bare Metal (PC Engine APU)
Edit: The diagram was missing
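An added example, not from the post above: a small model of the forwarding chain it describes, walked per query name to show for which names a request could circulate between the Pi-hole and dnsmasq on OPNsense. The resolver names, the "internet" upstream and the assumption that dnsmasq on OPNsense forwards what it cannot answer locally back to the Pi-hole (the DNS server handed out by DHCP) are constructed for illustration.

```python
# Added example (not from the forum post): model the forwarding chain and check
# which query names loop. The topology below and the "opnsense forwards back to
# pihole" assumption are constructed; the post does not state dnsmasq's upstream.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Resolver:
    name: str
    local: dict = field(default_factory=dict)        # qname -> address answered locally
    conditional: dict = field(default_factory=dict)  # domain suffix -> resolver name
    upstream: Optional[str] = None                   # default forwarder; None = end of chain


def next_hop(r: Resolver, qname: str) -> Optional[str]:
    """Pick where this resolver sends a query it cannot answer itself."""
    for domain, target in r.conditional.items():
        if qname == domain or qname.endswith("." + domain):
            return target
    return r.upstream


def resolve(resolvers: dict, start: str, qname: str):
    """Walk the query through the chain; returns (answer, path of resolver names)."""
    path = []
    current = start
    while current is not None:
        r = resolvers[current]
        path.append(r.name)
        if qname in r.local:
            return r.local[qname], path
        hop = next_hop(r, qname)
        if hop in path:                  # same resolver again: the query would circulate
            return "LOOP", path + [hop]
        current = hop
    return "NXDOMAIN", path


# Constructed topology mirroring the post: Pi-hole conditionally forwards .opnsense
# to OPNsense; dnsmasq on OPNsense holds the two static proxmox address= records.
CHAIN = {
    "pihole": Resolver("pihole", conditional={"opnsense": "opnsense"}, upstream="internet"),
    "opnsense": Resolver("opnsense",
                         local={"proxmox1.opnsense": "10.0.0.10", "proxmox2.opnsense": "10.0.0.11"},
                         upstream="pihole"),          # assumption: forwards back to Pi-hole
    "internet": Resolver("internet", local={"example.com": "203.0.113.5"}),  # constructed
}

if __name__ == "__main__":
    for name in ("proxmox1.opnsense", "proxmox3.opnsense", "example.com"):
        print(name, resolve(CHAIN, "pihole", name))
```

A name with a local address= record is answered on the second hop, while any .opnsense name dnsmasq cannot answer is handed back to the Pi-hole, which forwards it to OPNsense again; that is the pattern to look for when enabling dnsmasq query logging.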
"