LOTS of dns traffic. Normal?

Started by HCB, June 15, 2025, 05:22:36 PM

June 15, 2025, 05:22:36 PM Last Edit: June 15, 2025, 05:27:58 PM by HCB
Hi,


I just did some regular maintenance and took the time to disable isc-dhcpd and move to Dnsmasq.
I now have both unbound and Dnsmasq running in a config closely resembling the docs at https://docs.opnsense.org/manual/dnsmasq.html

As I was debugging a connection issue with one of the devices on my network, I noticed there is a lot (on the order of 20 requests per second) of traffic outgoing from my network on UDP port 53. All this traffic is being passed under "let out anything from firewall host itself" and the "(force gw)" rules

I assume this is either Dnsmasq or unbound doing their thing, but I am surprised at the sheer volume of requests, considering my phone and laptop are the only active devices on the network right now.


It doesn't look particularly malicious, as it appears to be contacting registries, dns providers, aws, Akamai et al.
On the other hand I don't particularly see a reason for my dns to be querying LACNIC or AFRINIC as I am fairly unlikely to connect to services in Latin America or Africa.

Am I being overly cautious and does running DNS locally just cause lots of requests, or is there something I might have to look into, if only to be a better netizen and not spam the DNS providers unnecessarily?

There are lots of possible ways of misconfiguration for DNS, especially for the combination of Unbound and DNSmasq, even more so if your configuration "closely resembles" the official guide.

One problem could be DNSmasq still asking the upstream servers for local names for lack of having configured the "local" flag for your internal domains.

Another one could be an Unbound misconfiguration, for example when reverse lookups go to upstream servers.

Whatever the problem seems to be, you should look at the requests that go outside, either by looking at the logs after increasing log levels to log requests or using tcpdump for port 53. If there really are requests that should not leave your network, you can chase the cause down further.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

And lastly there could be some application. For example I am a bit of an SNMP nut, so I run Observium, a network management system. It polls all hosts every couple of minutes causing a DNS lookup for every host every couple of minutes. It's by far the most busy client in my AGH statistics panel.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: meyergru on June 15, 2025, 05:36:52 PM
[...]

One problem could be DNSmasq still asking the upstream servers for local names for lack of having configured the "local" flag for your internal domains.

[...]


If you checked "DHCP fqdn" under Dnsmasq DNS & DHCP-General, checking "Local" on each and every host in "Hosts" should not be necessary according to the 3rd note here: https://docs.opnsense.org/manual/dnsmasq.html#dhcpv4-with-dns-registration

Quote: DHCP fqdn will do two things:

    Make sure all devices are registered in DNS with the configured domain name appended, e.g. smartphone.lan.internal. This ensures that smartphone can exist in both lan.internal and guest.internal.

    Register the DHCP domain name as local, which will make Dnsmasq authoritative for this domain, ensuring NXDOMAIN is returned for devices querying unknown hostnames within this local domain.

This is how I understood this. Correct me if I'm wrong.

June 15, 2025, 09:31:57 PM #4 Last Edit: June 15, 2025, 09:34:50 PM by meyergru
With that option, you can but set one domain to be handled as local. Note the plural s in:

Quote: One problem could be DNSmasq still asking the upstream servers for local names for lack of having configured the "local" flag for your internal domains.

And you do not have to use DHCP for all of those zones - I use local domains for sites I reach via VPN and only have the DNS part configured for those.

The problem is that any domain that is not declared to be local one way or another and that is within your local DNS search list will be appended even to internet names by Windows and thus lead to DNS leaks and parallel queries. This became evident with the new combined setup of DNSmasq and Unbound. I fell for that, too.


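Added example, not code from this thread or from OPNsense: a small Python script that post-processes the kind of text `tcpdump -n -i <WAN interface> udp port 53` prints (the check suggested above) and flags outbound queries that should never have reached an upstream resolver, either because the name falls under one of your own local domains (the search-suffix leak described above) or because it is a reverse lookup for a private address range. The capture lines, the local domain names and all addresses below are constructed for the example.

```python
"""Audit outbound DNS queries for names the firewall should have answered itself.

Added example. Reads tcpdump's DNS summary lines (either the constructed sample
below or a file given on the command line) and classifies each query.
"""
import ipaddress
import re
import sys
from collections import Counter

# Constructed sample lines in the shape `tcpdump -n udp port 53` prints.
# Not a real capture; addresses are documentation/test ranges.
SAMPLE_CAPTURE = """\
17:22:01.123456 IP 203.0.113.10.51234 > 1.1.1.1.53: 12345+ A? www.example.com. (32)
17:22:01.223456 IP 203.0.113.10.51235 > 1.1.1.1.53: 12346+ A? www.example.com.lan.internal. (45)
17:22:02.323456 IP 203.0.113.10.51236 > 9.9.9.9.53: 12347+ [1au] AAAA? smartphone.lan.internal. (51)
17:22:02.423456 IP 203.0.113.10.51237 > 1.1.1.1.53: 12348+ PTR? 5.1.168.192.in-addr.arpa. (42)
17:22:03.523456 IP 1.1.1.1.53 > 203.0.113.10.51234: 12345 1/0/0 A 93.184.216.34 (48)
17:22:03.623456 IP 203.0.113.10.51238 > 1.1.1.1.53: 12349+ A? nas.office.vpn. (31)
"""

# Domains Dnsmasq/Unbound should answer locally (hypothetical names for the example).
LOCAL_DOMAINS = ("lan.internal", "guest.internal", "office.vpn")

# Matches only the query direction: "<id>+ [flags] <TYPE>? <name>."; response
# lines carry "<id> <answers>/<auth>/<add>" instead and therefore do not match.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): \d+[+%]*\s*(?:\[[^\]]*\]\s*)?"
    r"(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)\."
)


def parse_queries(capture_text):
    """Return one dict (ts, src, dst, qtype, qname) per outbound query line."""
    queries = []
    for line in capture_text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            q = m.groupdict()
            q["qname"] = q["qname"].lower()
            q["dst"] = q["dst"].rsplit(".", 1)[0]  # strip the ".53" port suffix
            queries.append(q)
    return queries


def _private_reverse(qname):
    """True if qname is a PTR name inside a private/non-global range."""
    labels = qname.split(".")
    if labels[-2:] == ["in-addr", "arpa"]:
        octets = labels[:-2][::-1]  # in-addr.arpa stores the octets reversed
        if len(octets) == 4 and all(o.isdigit() for o in octets):
            try:
                # is_private covers RFC 1918 and the other IANA special ranges
                return ipaddress.IPv4Address(".".join(octets)).is_private
            except ValueError:
                return False
        return False
    if labels[-2:] == ["ip6", "arpa"]:
        nibbles = labels[:-2][::-1]  # reversed nibbles; fc../fd.. is ULA space
        return len(nibbles) >= 2 and nibbles[0] == "f" and nibbles[1] in ("c", "d")
    return False


def classify(qname, local_domains=LOCAL_DOMAINS):
    """Return 'local-suffix', 'private-ptr' or 'ok' for one query name."""
    name = qname.rstrip(".").lower()
    for dom in local_domains:
        if name == dom or name.endswith("." + dom):
            return "local-suffix"
    if _private_reverse(name):
        return "private-ptr"
    return "ok"


def audit(capture_text, local_domains=LOCAL_DOMAINS):
    """Count verdicts and list every query that should not have left the network."""
    counts = Counter()
    leaks = []
    for q in parse_queries(capture_text):
        verdict = classify(q["qname"], local_domains)
        counts[verdict] += 1
        if verdict != "ok":
            leaks.append((verdict, q["qname"], q["dst"]))
    return {"counts": counts, "leaks": leaks}


if __name__ == "__main__":
    # Usage: python dns_audit.py [capture.txt]; without a file the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CAPTURE
    result = audit(text)
    for verdict, qname, dst in result["leaks"]:
        print(f"{verdict:13} {qname:40} -> {dst}")
    print(dict(result["counts"]))
```

On the sample, three queries are flagged as local-suffix (two of them the Windows-style "internet name plus search suffix" pattern) and one as a reverse lookup for 192.168.1.5; only www.example.com is a legitimate upstream query. Extend LOCAL_DOMAINS with every domain you expect Dnsmasq or Unbound to be authoritative for, then feed it a capture taken on the WAN side.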

Quote from: meyergru on June 15, 2025, 09:31:57 PM
With that option, you can but set one domain to be handled as local. Note the plural s in:

Quote: One problem could be DNSmasq still asking the upstream servers for local names for lack of having configured the "local" flag for your internal domains.

And you do not have to use DHCP for all of those zones - I use local domains for sites I reach via VPN and only have the DNS part configured for those.

The problem is that any domain that is not declared to be local one way or another and that is within your local DNS search list will be appended even to internet names by Windows and thus lead to DNS leaks and parallel queries.



Ah yes, I understand. Thanks. I was only talking about the one domain Unbound forwards to Dnsmasq, but of course there can be more situations.