Hundreds to thousands of DNS queries for *.in-addr.arpa every second

[nojwe]

Setup:
- OPNsense 23.1.5
- DNS using 2 Pi-holes on same subnet as OPNsense. Pi-holes are set as DNS via DHCP for my LAN and Iot VLAN and they use OPNsense Unbound as their upstream.
- DHCP reservations are added to OPNsense
- OPNsense does not have any upstream servers set under System - General.
- Firewall/NAT rules in place to redirect traffic on port 53 to the Pi-holes.

Problem: I'm getting hundreds of PTR queries a second to each Pi-hole from OPNsense for *.in-addr.arpa. I understand that these are reverse DNS requests, but I don't understand why OPNsense is spamming so many. There are tons of duplicate requests that all register at the same time too (e.g. 80 requests in 1 second for 16.16.168.192.in-addr.arpa)

Is there a way to resolve this behavior, or it this expected and intended?

Is there a way to redirect only queries from OPNsense to its local instance of Unbound?

[gpb]

I believe OPNsense should be answering the local ptr requests...not making them.  In pihole settings, DNS, Advanced at the bottom, I have both "Never forward" options checked and use conditional forwarding...make sure to fill in the boxes below that option at the bottom.  You stated you are using opnsense for dhcp, not pihole...make sure you don't use both...it's one or the other of course, just in case I misunderstood your setup.

In unbound, I have register static mappings and dhcp leases checked (you may have other options as well).  Also, I would probably include a DNS in System General for the router itself as that's not going to be passed to hosts via DHCP unless you make that selection to do so.  I found the boot process seemed to be quicker when the router has that information.  Don't use your pihole in case it's offline (just my opinion).  This setup works for me.  I use pihole -> DNSCrypt-proxy for resolution...not unbound (though I use unbound for local host resolution)...otherwise it's a similar setup.  Hope this makes sense and solves your issue.

[Patrick M. Hausen]

You probably told some service on your firewall to log the clients' FQDNs instead of IP addresses. This gives you one lookup for each connection that is subjected to that logging.

[nojwe]

I believe OPNsense should be answering the local ptr requests...not making them.  In pihole settings, DNS, Advanced at the bottom, I have both "Never forward" options checked and use conditional forwarding...make sure to fill in the boxes below that option at the bottom.  You stated you are using opnsense for dhcp, not pihole...make sure you don't use both...it's one or the other of course, just in case I misunderstood your setup.

Thanks, good points to check. I already had both 'Never forward' options enabled. Conditional forwarding is off since OPNsense is the upstream. PiHole does not have DHCP enabled.

In unbound, I have register static mappings and dhcp leases checked (you may have other options as well).  Also, I would probably include a DNS in System General for the router itself as that's not going to be passed to hosts via DHCP unless you make that selection to do so.

Thanks, I'll give this a try.

[gpb]

Based on your setup, I think you want conditional forwarding turned on.  But that shouldn't be the cause of your issue...so whatever you want.

"If not configured as your DHCP server, Pi-hole typically won't be able to determine the names of devices on your local network. As a result, tables such as Top Clients will only show IP addresses."

EDIT: Also, look here to stop the hourly queries pihole does.
https://docs.pi-hole.net/ftldns/configfile/#refresh_hostnames

[nojwe]

You probably told some service on your firewall to log the clients' FQDNs instead of IP addresses. This gives you one lookup for each connection that is subjected to that logging.

Any ideas of services that may do this? I looked through everything (I think) and couldn't find a setting like this. I don't have much extra installed - Wireguard, mDNS, iPerf.

[Patrick M. Hausen]

IIRC netflow has got an option to report hostnames instead of IP addresses.

[nojwe]

IIRC netflow has got an option to report hostnames instead of IP addresses.

Thanks, I tried clearing out everything in Netflow, setting it to a different interface, etc. but it hasn't seemed to make a difference.

[cookiemonster]

What services do you have running on OPN? It might not be netflow but another.

[nojwe]

What services do you have running on OPN? It might not be netflow but another.

The only ones I installed beyond the base setup were ddclient, git backup, iperf, mdns repeater, smart, and wireguard.

[cookiemonster]

One thought here. I used to get a good handful of those recorded in AdGuardHome. I probably still do, I just chose to disregard them but they were not as many nor as frequent.
What it was is a networked music client, the Squeezebox Touch (remember those?). Well, it turns out that the network stack of them is a little brittle and if a switch or router in the lan gets restarted, that client starts flooding with those reverse lookups. A restart of it cures it.
In short then, a misbehaving network client. Could you have a look for anything like that?

[nojwe]

Found the issue. My NAT rules to redirect DNS queries to the PiHoles were creating a loop somehow with OPNsense. I changed the rules to:
Interface: LAN, IoT
TCP/IP: IPv4
Protocol: UDP
Invert source: checked
Source: Alias for the PiHole and OPNsense IPs (For OPNsense I added 192.168.12.1 and 127.0.0.1, as I wasn't sure which one I'd need)
Source Port Range: Any
Invert Destination: Checked
Destination: PiHole alias (PiHoles only)
Destination Port Range: DNS

So any DNS requests from devices other than the PiHoles or OPNsense box get routed to the PiHoles. I think what was happening earlier was that OPNsense's reverse lookups were getting sent to the PiHoles, which would then send them back to OPNsense or denied, in which case OPNsense would send more since it didn't receive data. Repeat forever.

I've been running the above rule for 24 hours now and the amount of queries looks sane. I'm still seeing in-addr.arpa, but only one at a time, so that seems ok to me.