Hundreds to thousands of DNS queries for *.in-addr.arpa every second

Started by nojwe, April 18, 2023, 09:21:28 PM

Setup:
- OPNsense 23.1.5
- DNS using 2 Pi-holes on same subnet as OPNsense. Pi-holes are set as DNS via DHCP for my LAN and IoT VLAN and they use OPNsense Unbound as their upstream.
- DHCP reservations are added to OPNsense
- OPNsense does not have any upstream servers set under System - General.
- Firewall/NAT rules in place to redirect traffic on port 53 to the Pi-holes.

Problem: I'm getting hundreds of PTR queries a second to each Pi-hole from OPNsense for *.in-addr.arpa. I understand that these are reverse DNS requests, but I don't understand why OPNsense is spamming so many. There are tons of duplicate requests that all register at the same time too (e.g. 80 requests in 1 second for 16.16.168.192.in-addr.arpa)

Is there a way to resolve this behavior, or is this expected and intended?

Is there a way to redirect only queries from OPNsense to its local instance of Unbound?

I believe OPNsense should be answering the local PTR requests...not making them.  In pihole settings, DNS, Advanced at the bottom, I have both "Never forward" options checked and use conditional forwarding...make sure to fill in the boxes below that option at the bottom.  You stated you are using opnsense for dhcp, not pihole...make sure you don't use both...it's one or the other of course, just in case I misunderstood your setup.

In unbound, I have register static mappings and dhcp leases checked (you may have other options as well).  Also, I would probably include a DNS in System General for the router itself as that's not going to be passed to hosts via DHCP unless you make that selection to do so.  I found the boot process seemed to be quicker when the router has that information.  Don't use your pihole in case it's offline (just my opinion).  This setup works for me.  I use pihole -> DNSCrypt-proxy for resolution...not unbound (though I use unbound for local host resolution)...otherwise it's a similar setup.  Hope this makes sense and solves your issue.
HP T730/AMD  RX-427BB/8GB/500GB SSD
HP NC365T 4-PORT

You probably told some service on your firewall to log the clients' FQDNs instead of IP addresses. This gives you one lookup for each connection that is subjected to that logging.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: gpb on April 18, 2023, 11:13:57 PM
I believe OPNsense should be answering the local PTR requests...not making them.  In pihole settings, DNS, Advanced at the bottom, I have both "Never forward" options checked and use conditional forwarding...make sure to fill in the boxes below that option at the bottom.  You stated you are using opnsense for dhcp, not pihole...make sure you don't use both...it's one or the other of course, just in case I misunderstood your setup.

Thanks, good points to check. I already had both 'Never forward' options enabled. Conditional forwarding is off since OPNsense is the upstream. PiHole does not have DHCP enabled.

Quote from: gpb on April 18, 2023, 11:13:57 PM
In unbound, I have register static mappings and dhcp leases checked (you may have other options as well).  Also, I would probably include a DNS in System General for the router itself as that's not going to be passed to hosts via DHCP unless you make that selection to do so.

Thanks, I'll give this a try.

Based on your setup, I think you want conditional forwarding turned on.  But that shouldn't be the cause of your issue...so whatever you want.

Quote: "If not configured as your DHCP server, Pi-hole typically won't be able to determine the names of devices on your local network. As a result, tables such as Top Clients will only show IP addresses."

EDIT: Also, look here to stop the hourly queries pihole does.
https://docs.pi-hole.net/ftldns/configfile/#refresh_hostnames
HP T730/AMD  RX-427BB/8GB/500GB SSD
HP NC365T 4-PORT

Quote from: pmhausen on April 18, 2023, 11:33:35 PM
You probably told some service on your firewall to log the clients' FQDNs instead of IP addresses. This gives you one lookup for each connection that is subjected to that logging.

Any ideas of services that may do this? I looked through everything (I think) and couldn't find a setting like this. I don't have much extra installed - Wireguard, mDNS, iPerf.

IIRC netflow has got an option to report hostnames instead of IP addresses.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: pmhausen on April 19, 2023, 12:09:32 AM
IIRC netflow has got an option to report hostnames instead of IP addresses.

Thanks, I tried clearing out everything in Netflow, setting it to a different interface, etc. but it hasn't seemed to make a difference.

What services do you have running on OPN? It might not be netflow but another.

Quote from: cookiemonster on April 19, 2023, 04:17:19 PM
What services do you have running on OPN? It might not be netflow but another.

The only ones I installed beyond the base setup were ddclient, git backup, iperf, mdns repeater, smart, and wireguard.

One thought here. I used to get a good handful of those recorded in AdGuardHome. I probably still do, I just chose to disregard them but they were not as many nor as frequent.
What it was is a networked music client, the Squeezebox Touch (remember those?). Well, it turns out that the network stack of them is a little brittle and if a switch or router in the lan gets restarted, that client starts flooding with those reverse lookups. A restart of it cures it.
In short then, a misbehaving network client. Could you have a look for anything like that?

Found the issue. My NAT rules to redirect DNS queries to the PiHoles were creating a loop somehow with OPNsense. I changed the rules to:
Interface: LAN, IoT
TCP/IP: IPv4
Protocol: UDP
Invert source: checked
Source: Alias for the PiHole and OPNsense IPs (For OPNsense I added 192.168.12.1 and 127.0.0.1, as I wasn't sure which one I'd need)
Source Port Range: Any
Invert Destination: Checked
Destination: PiHole alias (PiHoles only)
Destination Port Range: DNS

So any DNS requests from devices other than the PiHoles or OPNsense box get routed to the PiHoles. I think what was happening earlier was that OPNsense's reverse lookups were getting sent to the PiHoles, which would then send them back to OPNsense or deny them, in which case OPNsense would send more since it didn't receive data. Repeat forever.

I've been running the above rule for 24 hours now and the amount of queries looks sane. I'm still seeing in-addr.arpa, but only one at a time, so that seems ok to me.
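As an added example (not from the thread or from OPNsense itself), a small Python model of the port-forward rule described above: it evaluates the inverted source/destination alias match and follows a DNS query hop by hop to show why the unrestricted redirect produces a loop and the inverted-alias rule does not. The OPNsense addresses are the ones named in the post; the Pi-hole and client addresses are constructed, and the model ignores pf interface semantics.

```python
from dataclasses import dataclass, replace
from typing import FrozenSet, List, Optional

OPNSENSE = frozenset({"192.168.12.1", "127.0.0.1"})     # router addresses named in the post
PIHOLES = frozenset({"192.168.12.10", "192.168.12.11"})  # constructed Pi-hole addresses

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

def addr_match(addr: str, alias: Optional[FrozenSet[str]], invert: bool) -> bool:
    return True if alias is None else (addr in alias) != invert  # None = "any"

@dataclass(frozen=True)
class RdrRule:
    source: Optional[FrozenSet[str]]
    invert_source: bool
    destination: Optional[FrozenSet[str]]
    invert_destination: bool
    dport: int
    redirect_to: str

    def matches(self, pkt: Packet) -> bool:
        return (pkt.dport == self.dport
                and addr_match(pkt.src, self.source, self.invert_source)
                and addr_match(pkt.dst, self.destination, self.invert_destination))

    def apply(self, pkt: Packet) -> Packet:
        return replace(pkt, dst=self.redirect_to) if self.matches(pkt) else pkt

# Original rule: every port-53 packet is sent to a Pi-hole, whoever sent it.
OLD_RULE = RdrRule(None, False, None, False, 53, "192.168.12.10")
# Corrected rule from the post: exempt Pi-hole/OPNsense sources and Pi-hole destinations.
NEW_RULE = RdrRule(PIHOLES | OPNSENSE, True, PIHOLES, True, 53, "192.168.12.10")

def trace(pkt: Packet, rule: RdrRule, max_hops: int = 6) -> List[str]:
    """Follow one query: a Pi-hole forwards to its upstream (OPNsense Unbound), anything
    else answers. Returns receivers in order, ending in 'LOOP' if a host gets its own query."""
    path: List[str] = []
    for _ in range(max_hops):
        pkt = rule.apply(pkt)
        if pkt.dst == pkt.src:
            return path + ["LOOP"]
        path.append(pkt.dst)
        if pkt.dst not in PIHOLES:
            return path
        pkt = Packet(src=pkt.dst, dst="192.168.12.1", dport=53)  # Pi-hole -> upstream
    return path + ["LOOP"]
```

Under OLD_RULE the Pi-hole's own upstream query is redirected straight back to it, which is the "repeat forever" behaviour the post describes; under NEW_RULE it reaches Unbound.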