I see two domains leading my toplist with 10k+ hits, but when I click on them there are 0 database entries.
The "Hits" numbers of the top two entries have been unchanged for some 10+ days. Not sure if this is a known bug, or if I just have to wait longer for the toplists to update.
In that regard, how to clear toplists and also the long-term logs (but not the networks table and the rest of the database) via SSH/Terminal?
When I search here in the help forum, I find the commands to backup, or delete and recreate the whole FTL database. But that's not what I wanna do.
Now, a feature request: There's a button to flush logs of the last 24 hrs in the settings, and also a button to flush the network table. But I (personally) miss extra buttons in the settings UI that would do the following database operations:
A button to clear toplists would be nice (maybe I'm just overlooking that one).
A button to clear long-term logs with a selectable date range.
Or some way to configure Pi-Hole to only keep up to max 3-6 months in the long-term database.
Now I read here: Redirecting...
But then I understand nothing of the SQL commands and have no idea how to form a command that will kill the toplist and long-term data only.
And finally, here are some screens in regard to the initial question with broken toplist entries:
Please upload a debug log and post just the token URL that is generated after the log is uploaded by running the following command from the Pi-hole host terminal:
Are you running any software that repetitively makes API queries for cache statistics? This series of entries is all that shows in your pihole.log included in your debug log.
Apr 1 00:00:15 dnsmasq[29527]: config cachesize.bind is <TXT>
Apr 1 00:00:15 dnsmasq[29527]: config insertions.bind is <TXT>
Apr 1 00:00:15 dnsmasq[29527]: config evictions.bind is <TXT>
Apr 1 00:00:15 dnsmasq[29527]: config hits.bind is <TXT>
Apr 1 00:00:15 dnsmasq[29527]: config misses.bind is <TXT>
Apr 1 00:00:15 dnsmasq[29527]: config auth.bind is <TXT>
Apr 1 00:00:15 dnsmasq[29527]: config servers.bind is <TXT>
Along with a lot of these:
-rw-r--r-- 1 pihole pihole 1.6K Apr 1 19:41 /var/log/pihole-FTL.log
-----head of pihole-FTL.log------
...
[2022-04-01 13:18:50.311 29527M] Resizing "FTL-dns-cache" from 622592 to (39168 * 16) == 626688 (/dev/shm: 5.7MB used, 484.0MB total, FTL uses 5.3MB)
[2022-04-01 19:23:14.611 29527M] WARNING in dnsmasq core: Maximum number of concurrent DNS queries reached (max: 150)
[2022-04-01 19:23:52.519 29527M] WARNING in dnsmasq core: Maximum number of concurrent DNS queries reached (max: 150)
...
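An added example, not part of any post in this thread: a small parser that measures how often the cache-statistics records are being polled in pihole.log and counts the "maximum concurrent queries" warnings per minute in pihole-FTL.log. The sample lines are constructed in the format quoted above, and the function names and the `year` parameter are hypothetical.

```python
import re
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed sample lines, modelled on the excerpts quoted in the thread.
PIHOLE_LOG = """\
Apr 1 00:00:15 dnsmasq[29527]: config cachesize.bind is <TXT>
Apr 1 00:00:15 dnsmasq[29527]: config hits.bind is <TXT>
Apr 1 00:00:16 dnsmasq[29527]: config cachesize.bind is <TXT>
Apr 1 00:00:16 dnsmasq[29527]: config hits.bind is <TXT>
Apr 1 00:00:17 dnsmasq[29527]: config cachesize.bind is <TXT>
Apr 1 00:00:19 dnsmasq[29527]: config cachesize.bind is <TXT>
"""
FTL_LOG = """\
[2022-04-01 19:23:14.611 29527M] WARNING in dnsmasq core: Maximum number of concurrent DNS queries reached (max: 150)
[2022-04-01 19:23:52.519 29527M] WARNING in dnsmasq core: Maximum number of concurrent DNS queries reached (max: 150)
[2022-04-01 19:31:02.004 29527M] WARNING in dnsmasq core: Maximum number of concurrent DNS queries reached (max: 150)
"""

BIND_RE = re.compile(r"^(\w{3}\s+\d+\s+[\d:]{8}) dnsmasq\[\d+\]: config (\w+\.bind) is <TXT>")
LIMIT_RE = re.compile(r"^\[(\d{4}-\d\d-\d\d \d\d:\d\d):\d\d\.\d+ \w+\] WARNING in dnsmasq core: "
                      r"Maximum number of concurrent DNS queries reached")

def bind_poll_times(log_text, name="cachesize.bind", year=2022):
    """Timestamps at which one statistics record was answered (one per poll)."""
    times = []
    for line in log_text.splitlines():
        m = BIND_RE.match(line)
        if m and m.group(2) == name:
            # syslog timestamps carry no year, so the caller supplies it
            stamp = " ".join(m.group(1).split())
            times.append(datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"))
    return sorted(times)

def median_poll_interval(log_text):
    """Median seconds between polls, or None with fewer than two polls."""
    t = bind_poll_times(log_text)
    gaps = [(b - a).total_seconds() for a, b in zip(t, t[1:])]
    return median(gaps) if gaps else None

def limit_hits_per_minute(ftl_text):
    """Count 'maximum concurrent queries' warnings per minute."""
    return Counter(m.group(1) for m in map(LIMIT_RE.match, ftl_text.splitlines()) if m)
```

A steady, short median interval points to an automated poller, while the per-minute counts show when a query spike hit the concurrency limit.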
I am not aware of any software that would make such calls. I run Pi-Hole on a dedicated Raspi 3B, together with my own unbound resolver. I remember some help ticket ages ago where those entries were described as "normal behavior".
I once had a VPN server running on the same Raspi (openVPN) but that one was uninstalled a while ago.
Maybe you could give me an example of software types that would usually cause these API calls? I can search my network once I know what I'm looking for.
Basically Pi-Hole WebUI is always open in a Chrome tab (PC and Chrome run like 12-18 hours a day), so maybe it's from constantly updating statistics shown in the web interface?
That one is easily explained. My router crashed and until it was rebooted the Pi-Hole was flooded by 30+ devices wondering where the internet went. That results in a query flood/spike as can be seen between 19:00-20:00h.
So, now that the debug log was analyzed and the API calls etc were explained, I still wonder about my initial post.
Those two toplist leading entries still show up, but when you click on them it still shows no data in the corresponding tables.
From my understanding, the toplist just sums up the total count of a given domain's blocked entries table, so there should actually be 16017 and 15368 entries in the details table, not 0.
Are there possible Causes/Solutions? The sqlite command to kick those two domains from the table manually would help a lot.
Just need a quick confirmation if I read correctly and this config file will limit my long-term database to 90 days (and thereby deleting everything in long-term database older than 90 days):
Is it required to restart FTL or the device to apply the new config settings?
About netdata and growing daemon logs as described in the linked topic
Disabling netdata service is no option for me, so another question arose:
I assume, the log files referenced there are pihole.log and/or pihole-FTL.log
Are those two files size and/or age limited by Debian's system default logrotate settings, so they won't grow endlessly? I found the following settings on the system, just need confirmation that it handles also the two pihole log files:
As the documentation mentions, options in pihole-FTL.conf are read by FTLDNS on startup, so yes, you have to restart Pi-hole, e.g. by pihole restartdns.
Depending on which of Netdata's collectors you've deployed, you could also try to disable Netdata's collector for Pi-hole or dnsmasq, or to configure the respective collector to poll at a lower frequency than its once-per-second default.
No, they are not.
They are controlled and limited by Pi-hole's own logrotate configuration (see your debug log's [DIAGNOSING]: contents of /etc/pihole section).
Do those domains still appear at the top of those lists?
Do they also show up for the following command, run from your Pi-hole host machine?
echo ">top-ads >quit" | nc localhost 4711
What does a grep for those domains in pihole.log* return?
I added MAXDBDAYS=90 and used pihole restartdns. The mentioned domains finally disappeared from the toplists. I let PiHole compute the toplists for the last 3 months, even there they don't appear anymore.
When I did echo ">top-ads >quit" | nc localhost 4711 before restarting the DNS, it still showed the domains leading the list in the commands output.
However, domains are gone from toplist, the original issue is fixed for me. Thanks for the great support
This looks like proper rotation to me. One log daily, keep 5, the other 1 weekly, keep 3.
While looking at the allowed toplist, I found a newly added Win 11 Home machine sends a ton of SRV requests like these:
Any idea where I can get educated what that is? It's new and only Windows 11 seems to do it.