Apple device starts loop for lb._dns-sd._udp.0.86.168.192.in-addr.arpa

murloc · April 10, 2021, 2:47am

Using Raspbian on Raspberry Pi 2.

Apple iPhone queries "lb._dns-sd._udp.0.86.168.192.in-addr.arpa" which is causing Pi-hole to start a loop querying itself for "lb._dns-sd._udp.0.86.168.192.in-addr.arpa".

Conditional forwarding is disabled.

pihole_debug.log.txt (27.8 KB)

Bucking_Horn · April 10, 2021, 8:20am

Pi-hole wouldn't forward any queries to itself unless you'd have configured it to do so.
What makes you think your Pi-hole is forwarding DNS requests to itself?

What's the output for:

grep -m 12 -n "lb._dns-sd._udp." /var/log/pihole.log*

murloc · April 10, 2021, 7:24pm

The query log in the web interface shows the query is forwarded to itself (dionysus.att.com) and occasionally to my upstream server (8.8.8.8). It shows "OK (forwarded to dionysus.att.com)" for the status but shows an N/A for reply.

Here's that grep output:

/var/log/pihole.log:10362:Apr 10 09:17:40 dnsmasq[3577]: query[PTR] lb._dns-sd._udp.254.254.254.10.in-addr.arpa from 192.168.0.108
/var/log/pihole.log:10363:Apr 10 09:17:40 dnsmasq[3577]: forwarded lb._dns-sd._udp.254.254.254.10.in-addr.arpa to 8.8.4.4
/var/log/pihole.log:10364:Apr 10 09:17:40 dnsmasq[3577]: query[PTR] lb._dns-sd._udp.178.142.107.100.in-addr.arpa from 192.168.0.108
/var/log/pihole.log:10365:Apr 10 09:17:40 dnsmasq[3577]: forwarded lb._dns-sd._udp.178.142.107.100.in-addr.arpa to 8.8.4.4
/var/log/pihole.log:10366:Apr 10 09:17:40 dnsmasq[3577]: query[PTR] lb._dns-sd._udp.0.0.168.192.in-addr.arpa from 192.168.0.108
/var/log/pihole.log:10367:Apr 10 09:17:40 dnsmasq[3577]: forwarded lb._dns-sd._udp.0.0.168.192.in-addr.arpa to 8.8.4.4
/var/log/pihole.log:10370:Apr 10 09:17:40 dnsmasq[3577]: query[PTR] lb._dns-sd._udp.att.com from 192.168.0.108
/var/log/pihole.log:10371:Apr 10 09:17:40 dnsmasq[3577]: config lb._dns-sd._udp.att.com is NXDOMAIN
/var/log/pihole.log.1:17770:Apr  9 08:54:46 dnsmasq[748]: query[PTR] lb._dns-sd._udp.178.142.107.100.in-addr.arpa from 192.168.0.108
/var/log/pihole.log.1:17771:Apr  9 08:54:46 dnsmasq[748]: forwarded lb._dns-sd._udp.178.142.107.100.in-addr.arpa to 8.8.8.8
/var/log/pihole.log.1:17772:Apr  9 08:54:46 dnsmasq[748]: query[PTR] lb._dns-sd._udp.0.0.168.192.in-addr.arpa from 192.168.0.108
/var/log/pihole.log.1:17773:Apr  9 08:54:46 dnsmasq[748]: forwarded lb._dns-sd._udp.0.0.168.192.in-addr.arpa to 192.168.0.200
/var/log/pihole.log.1:17774:Apr  9 08:54:46 dnsmasq[748]: query[PTR] lb._dns-sd._udp.254.254.254.10.in-addr.arpa from 192.168.0.108
/var/log/pihole.log.1:17775:Apr  9 08:54:46 dnsmasq[748]: forwarded lb._dns-sd._udp.254.254.254.10.in-addr.arpa to 8.8.8.8
/var/log/pihole.log.1:17776:Apr  9 08:54:46 dnsmasq[748]: query[PTR] lb._dns-sd._udp.att.com from 192.168.0.108
/var/log/pihole.log.1:17777:Apr  9 08:54:46 dnsmasq[748]: config lb._dns-sd._udp.att.com is NXDOMAIN
/var/log/pihole.log.1:17778:Apr  9 08:54:46 dnsmasq[748]: query[PTR] lb._dns-sd._udp.0.0.168.192.in-addr.arpa from 192.168.0.200
/var/log/pihole.log.1:17808:Apr  9 08:54:47 dnsmasq[748]: query[PTR] lb._dns-sd._udp.0.0.168.192.in-addr.arpa from 192.168.0.108
/var/log/pihole.log.1:17809:Apr  9 08:54:47 dnsmasq[748]: forwarded lb._dns-sd._udp.0.0.168.192.in-addr.arpa to 192.168.0.200
/var/log/pihole.log.1:17810:Apr  9 08:54:47 dnsmasq[748]: query[PTR] lb._dns-sd._udp.0.0.168.192.in-addr.arpa from 192.168.0.200

Bucking_Horn · April 10, 2021, 8:19pm

Indeed, your logs exhibit that requests are forwarded to your Pi-hole's IP:

/var/log/pihole.log.1:17808:Apr  9 08:54:47 dnsmasq[748]: query[PTR] lb._dns-sd._udp.0.0.168.192.in-addr.arpa from 192.168.0.108
/var/log/pihole.log.1:17809:Apr  9 08:54:47 dnsmasq[748]: forwarded lb._dns-sd._udp.0.0.168.192.in-addr.arpa to 192.168.0.200

However, your debug log shows you are using public upstream servers only:

*** [ DIAGNOSING ]: Setup variables
    PIHOLE_DNS_1=8.8.8.8
    PIHOLE_DNS_2=8.8.4.4

Yet your logs indicate you may have used your Pi-hole as its own upstream in the past:

*** [ DIAGNOSING ]: contents of /var/log

-rw-r--r-- 1 pihole pihole 8361 Apr  9 22:20 /var/log/pihole-FTL.log
   -----tail of pihole-FTL.log------
   [2021-04-09 22:08:37.610 757M] New upstream server: 192.168.0.200:53 (2/1024)

When looking at the timestamps, it looks like that this was an issue, if in the past.

On your Pi-hole machine, please run:

pihole restartdns

Once finished, could you check
a) that Pi-hole is not listing its own IP as upstream in its UI
The following command may also help:

grep -n "New upstream" /var/log/pihole-FTL.log

b) whether the logs still would register forwards to Pi-hole's IP after the time of restart?
The following command may help with b)

 grep -n "to 192.168.0.200" /var/log/pihole.log

murloc · April 10, 2021, 9:10pm

Only Google's IPs are listed in the web UI, but the FTL log is showing its own IP as upstream.

59:[2021-04-10 16:52:01.419 13563M] New upstream server: 8.8.4.4:53 (0/1024)
60:[2021-04-10 16:52:01.421 13563M] New upstream server: 8.8.8.8:53 (1/1024)
63:[2021-04-10 16:52:01.492 13563M] New upstream server: 192.168.0.200:53 (2/1024)

Bucking_Horn:

b) whether the logs still would register forwards to Pi-hole's IP after the time of restart?
The following command may help with b)
 grep -n "to 192.168.0.200" /var/log/pihole.log

Nothing is showing at the moment. Will post in next day or so if it anything is generated in the log

Bucking_Horn · April 10, 2021, 9:20pm

That's unexpected.

Let's check your dnsmasq configuration for any stray server entries:

grep -n "server=" /etc/dnsmasq.d/*

murloc · April 10, 2021, 10:18pm

Here's the output:

/etc/dnsmasq.d/01-pihole.conf:43:server=8.8.8.8
/etc/dnsmasq.d/01-pihole.conf:44:server=8.8.4.4
/etc/dnsmasq.d/01-pihole.conf:49:#server=/use-application-dns.net/
/etc/dnsmasq.d/10-lan-domain.conf:1:server=/att.com/192.168.0.200
/etc/dnsmasq.d/10-lan-domain.conf:2:server=/0.168.192.in-addr.arpa/192.168.0.200

I never added "use-application-dns.net". Must be part of default config.

DanSchaper · April 11, 2021, 12:33am

That tells Pi-hole to use 192.168.0.200 for all queries ending in 0.168.192.in-addr.arpa,which includes lb._dns-sd._udp.0.0.168.192.in-addr.arpa.

Edit: Taken from

/var/log/pihole.log.1:17773:Apr  9 08:54:46 dnsmasq[748]: forwarded lb._dns-sd._udp.0.0.168.192.in-addr.arpa to 192.168.0.200

murloc · April 11, 2021, 3:12pm

Yes, indeed it does.

I was trying to resolve the loop of Pi-hole querying itself for that reverse lookup.

jfb · April 12, 2021, 3:25am

Which device on your network is able to resolve this DNS Discovery Service request?

Tntdruid · April 12, 2021, 7:07am

murloc · April 12, 2021, 9:19pm

I'm not sure if I understand what you're asking. I have a Pi-hole on my network, and it is the only device that could potentially resolve the DNS Discovery Service request.

system · May 3, 2021, 9:20pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.