Client names doubled in GraphBar

Hi Guys,

[Don't know if I still need to post here or in the Help section, forgive me if I'm posting in the wrong place]

I upgraded to v5.0 the day it came out and everything's working fine so far.

The only thing I've noticed is some weird behavior when displaying some clients' names:

On the "Client activity over last 24 hours" chart I'm seeing this:

As you can see I'm getting a name doubled, this happens during the whole day.

NOTE: This laptop is not even online.

No double entry in my /etc/hosts:

pi@retropie:~ $ cat /etc/hosts | grep -i laptop
192.168.1.21 LAPTOP_69AHT9BH

PiHole is not my DHCP, just my DNS, all the names are retrieved from the /etc/hosts and those IPs are reserved on my router - no conditional forwarding.

Looking in the Query Log > Show All, it shows 117 pages of "laptop_69aht9bh". Most of them seem like they're coming from my Amazon Firestick (see: ftv-smp.ntp-fireos.com), but others from an Apple device (*.courier-push-apple.com.akadns.net - most likely one of our Apple Watches), while others are from a work laptop (company domain in one of the calls). Looking at my Firestick network settings, it shows 192.168.1.6 (way far from the .21 defined in my hosts).

That 192.168.1.21 is one of the IPs reserved on the router through its NIC MAC address, so obviously I'm expecting nothing to take that IP - as far as I know it's not happening, otherwise I'd have other problems (say, IP conflicts).

The only common thing between the Firestick, Apple Watches and that work laptop is they don't have a reserved IP address on my router, nor an entry in my PiHole /etc/hosts - so I should see their IPs in the graph bar, instead of the name of another client.

I had no problem prior to the upgrade, everything was shown in the correct way.

Already tried restarting DNS Resolver (just in case...) nothing to do.

Anything else I can try to do in order to solve it by myself, maybe some new v5 features I've missed?

It's not a blocking problem, so nothing urgent, just curious about this weird behavior 🙂

Thanks in advance!

Could you please provide a debug log so we can take a look at a few things?

pihole -d

Of course! 🙂

Debug token:

https://tricorder.pi-hole.net/vilbbeh92n

Do you have IPv6 comms on your network? If you have a device that is making DNS lookups via IPv4 and IPv6 it will show up as two separate clients in Pi-hole, as it does not merge them together.

What do you see if you look for the hostname of your work laptop in the network page?

http://pi.hole/admin/network.php

There's no IPv6 on my network, and it seems that the doubled entry is from those clients without a name in the /etc/hosts (it's supposed to show the IP of my Firestick and AW - like it did on v4.4).

I just refreshed the page and now it's showing my MBP three times (where there was that "laptop_xxx"):

For the record, in that page the most recent entry for that laptop is:

This for my MBP

Is there another record for that laptop on that page?

Yes from before I fixed its IP on the router, but for my MBP there's only one, yet I'm still getting it three times in the graph bar, and "laptop_xxx" disappeared.

The screenshot is redacted, but I can assure you there's no more "laptop_xxx" showing, only "mbpdialessandro" (3 times) - one entry is expected (I'm using it rn), the other two are not...

What is the output of this command - this will show the clients for the past 24 hours.

echo ">top-clients withzero (25) >quit" | nc localhost 4711

This is the result for "mbpdialessandro"; as you can see there are 3 entries:

11 671 192.168.1.16 mbpdialessandro
14 494 192.168.1.6 mbpdialessandro
15 391 192.168.1.3 mbpdialessandro

This collides with what I'm seeing on the Firestick, where 192.168.1.6 is its IP address, hence I'm expecting to see it without a name, like so:

xx yyy 192.168.1.6

And that .3 I'm pretty sure is another device on the net (most probably an Apple Watch), that's not my MBP.

The problem is with those clients without an entry in the /etc/hosts - note that everything used to work properly before upgrading to v5, and of course I didn't touch anything in the settings...

Something is telling your Pi-hole that these IP addresses belong to this host name.

What is the output of

grep -n2 "3.1.168.192.in-addr.arpa" /var/log/pihole.log
grep -n2 "6.1.168.192.in-addr.arpa" /var/log/pihole.log
grep -n2 "16.1.168.192.in-addr.arpa" /var/log/pihole.log

?

The data is for the past 24 hours, so somewhere along the way Pi-hole associated those three IPs to those clients.

What is your DHCP server (router, it appears), and what is the specified lease duration in that server?

pi@retropie:~ $ grep -n2 "3.1.168.192.in-addr.arpa" /var/log/pihole.log

4426-May 15 01:00:00 dnsmasq[23760]: query[PTR] 26.1.168.192.in-addr.arpa from 127.0.0.1
4427-May 15 01:00:00 dnsmasq[23760]: forwarded 26.1.168.192.in-addr.arpa to 1.0.0.1
4428:May 15 01:00:00 dnsmasq[23760]: query[PTR] 3.1.168.192.in-addr.arpa from 127.0.0.1
4429:May 15 01:00:00 dnsmasq[23760]: forwarded 3.1.168.192.in-addr.arpa to 1.0.0.1
4430:May 15 01:00:00 dnsmasq[23760]: query[PTR] 3.1.168.192.in-addr.arpa from 127.0.0.1
4431:May 15 01:00:00 dnsmasq[23760]: forwarded 3.1.168.192.in-addr.arpa to 1.0.0.1
4432-May 15 01:00:00 dnsmasq[23760]: query[A] pi.hole from 192.168.1.16
4433-May 15 01:00:00 dnsmasq[23760]: /etc/pihole/local.list pi.hole is 192.168.1.18
pi@retropie:~ $ grep -n2 "6.1.168.192.in-addr.arpa" /var/log/pihole.log


1674-May 15 00:19:23 dnsmasq[23760]: cached gateway.fe.apple-dns.net is 17.248.146.116
1675-May 15 00:19:23 dnsmasq[23760]: cached gateway.fe.apple-dns.net is 17.248.145.10
1676:May 15 00:19:30 dnsmasq[23760]: query[PTR] 16.1.168.192.in-addr.arpa from 192.168.1.16
1677-May 15 00:19:30 dnsmasq[23760]: /etc/hosts 192.168.1.16 is MBPdiAlessandro
1678-May 15 00:19:31 dnsmasq[23760]: query[A] ocsp-lb.apple.com.akadns.net from 192.168.1.16
--
1813-May 15 00:19:42 dnsmasq[23760]: reply keyvalueservice-g.fe.apple-dns.net is 17.248.146.171
1814-May 15 00:19:42 dnsmasq[23760]: reply keyvalueservice-g.fe.apple-dns.net is 17.248.146.109
1815:May 15 00:19:49 dnsmasq[23760]: query[PTR] 16.1.168.192.in-addr.arpa from 192.168.1.16
1816-May 15 00:19:49 dnsmasq[23760]: /etc/hosts 192.168.1.16 is MBPdiAlessandro
1817-May 15 00:19:50 dnsmasq[23760]: query[A] MRS-efz.ms-acdc.office.com from 192.168.1.16
--
4418-May 15 00:59:59 dnsmasq[23760]: reply www.googleapis.com is 216.58.198.42
4419-May 15 00:59:59 dnsmasq[23760]: reply www.googleapis.com is 172.217.21.74
4420:May 15 01:00:00 dnsmasq[23760]: query[PTR] 6.1.168.192.in-addr.arpa from 127.0.0.1
4421:May 15 01:00:00 dnsmasq[23760]: forwarded 6.1.168.192.in-addr.arpa to 1.0.0.1
4422:May 15 01:00:00 dnsmasq[23760]: query[PTR] 6.1.168.192.in-addr.arpa from 127.0.0.1
4423:May 15 01:00:00 dnsmasq[23760]: forwarded 6.1.168.192.in-addr.arpa to 1.0.0.1
4428-May 15 01:00:00 dnsmasq[23760]: query[PTR] 3.1.168.192.in-addr.arpa from 127.0.0.1
4429-May 15 01:00:00 dnsmasq[23760]: forwarded 3.1.168.192.in-addr.arpa to 1.0.0.1
pi@retropie:~ $ grep -n2 "16.1.168.192.in-addr.arpa" /var/log/pihole.log

1674-May 15 00:19:23 dnsmasq[23760]: cached gateway.fe.apple-dns.net is 17.248.146.116
1675-May 15 00:19:23 dnsmasq[23760]: cached gateway.fe.apple-dns.net is 17.248.145.10
1676:May 15 00:19:30 dnsmasq[23760]: query[PTR] 16.1.168.192.in-addr.arpa from 192.168.1.16
1677-May 15 00:19:30 dnsmasq[23760]: /etc/hosts 192.168.1.16 is MBPdiAlessandro
1678-May 15 00:19:31 dnsmasq[23760]: query[A] ocsp-lb.apple.com.akadns.net from 192.168.1.16
--
1813-May 15 00:19:42 dnsmasq[23760]: reply keyvalueservice-g.fe.apple-dns.net is 17.248.146.171
1814-May 15 00:19:42 dnsmasq[23760]: reply keyvalueservice-g.fe.apple-dns.net is 17.248.146.109
1815:May 15 00:19:49 dnsmasq[23760]: query[PTR] 16.1.168.192.in-addr.arpa from 192.168.1.16
1816-May 15 00:19:49 dnsmasq[23760]: /etc/hosts 192.168.1.16 is MBPdiAlessandro
1817-May 15 00:19:50 dnsmasq[23760]: query[A] MRS-efz.ms-acdc.office.com from 192.168.1.16

As far as I can see the only time an IP is identified by "mbpdialessandro" is when PiHole looks for an entry for 192.168.1.16 on the /etc/hosts (see line 1677 and line 1816 on the second grep)

The real question here is ... why?

I mean;

Everything was working as expected prior to the upgrade, nothing changed on my router (no firmware updates or such), no changes in my PiHole settings, the only thing that changed is the PiHole version.
(I'm just going by exclusion here...)

Plus, my MBP has a reserved IP (router) from day one so no one can take its IP, otherwise I couldn't be online, I'd surely have some kind of IP conflicts (mind that the Firestick is always online, since it's plugged into a PDU day and night)

So my answer arises on its own, why

along the way Pi-hole associated those three IPs to those clients.

?

Another thing is, on v4.4 I was seeing IPs on my dashboard for those clients without an entry in my /etc/hosts - mainly clients I don't really care to "tag" (see Apple Watches, Work Laptops...) now I'm not anymore, but I see them once as "laptop_69aht9bh", then as "mbpdialessandro" ... maybe tomorrow I'll spot them with the name of another client (causing to see that particular name twice or three times)

UPDATE: I tried clearing my Safari cache and guess what...?

As predicted above;

maybe tomorrow I'll spot them with the name of another client (causing to see that particular name twice or three times)

Now those IPs are showing, on the Graph Bar, as one of our iPhones.

I tried executing your command again, and these are the results: .6 and .3, which were mbpdialessandro earlier, are now iphonexxx.

(for clearance, 192.168.1.10 is the real IP of that device, which has its own entry in the /etc/hosts , along with its reservation on my router)

pi@retropie:~ $ echo ">top-clients withzero (25) >quit" | nc localhost 4711

5 2336 192.168.1.10 iphonexxx
14 488 192.168.1.6 iphonexxx
15 390 192.168.1.3 iphonexxx

Meanwhile, now mbpdialessandro has only one entry

pi@retropie:~ $ echo ">top-clients withzero (25) >quit" | nc localhost 4711 | grep mbpdialessandro

9 981 192.168.1.16 mbpdialessandro

So I tried another thing;

I moved my /etc/hosts and restarted the DNS Resolver, and I noticed that while PiHole is trying to gather client names (from its Network Table?) it assigns random names, before getting the right one:

As you can see, right after PiHole fully loaded its information (/etc/hosts still moved with another name), the 3rd, 4th and 5th entries from the screenshot above are displayed with their real names in the screenshot below (you can identify them by looking at the number of requests).

The output from that command, still the same - "mbpdialessandro" displayed 3 times:

pi@retropie:~ $ echo ">top-clients withzero (25) >quit" | nc localhost 4711

5 2503 192.168.1.16 mbpdialessandro
10 515 192.168.1.3 mbpdialessandro
12 242 192.168.1.6 mbpdialessandro

Those .3 and .6 are still (wrongly) "tagged" with another client name, where they should just display their IPs, and not a name.

What if I try to Flush the network table? Would this fix the problem?

This will cause no harm. Flush it and see if the problem resolves.

Nope, unfortunately didn't help...

5 2528 192.168.1.16 mbpdialessandro
10 583 192.168.1.3 mbpdialessandro
16 57 192.168.1.6 mbpdialessandro

This is what I see from the Network page

I tried to restart the DNS Resolver after that, now the "duplicated" device is another one, so I leave below the whole analysis (this should also help sum up the problem in a few lines):

1. Right after restarting DNS Resolver - All IPs

2. DNS Resolver successfully restarted - Hostnames

3. Network page

4. Number of Queries per client, via CLI

0 6225 192.168.1.17 galaxy_a7
11 621 192.168.1.3 galaxy_a7
15 68 192.168.1.6 galaxy_a7

A weird thing I'm noticing, looking at the Network page, is that all those clients have "TP-Link" as their network card...

They're all connecting via a TP-Link Range Extender, yet, they should appear as separate devices, and not as one... I mean, The Galaxy-A7 and the MBP are shown correctly as separate devices so should the Amazon Firestick and the Apple Watch (that are not "tagged" on the router and /etc/hosts)

From my Range Extender Page;
As you can see all the devices mentioned above, are here:

P.S.: Sorry if I'm flooding you with screenshots, but I'm trying to give you as much info as possible.

No need to be sorry, the more information you can provide, the more we are likely to be able to help troubleshoot.

If the TP-Link Range Extender is modifying/rewriting their MAC addresses, there is nothing in Pi-hole that could interpret them as separate devices. Pinging @Bucking_Horn if this is the L3 switch kind of issue you were talking about?

Yes, that could be the case: We see several IP addresses associated with the same MAC address, and that MAC belongs to some network equipment that seems to act as an L3 switch.

@GeekyAle, would you be able to supply us with the exact make and model of your range extender, so we could confirm this from its specs (if publicly available)?

EDIT:
Independent of the specs' availability: After reading the post, I think GeekyAle's Range Extender is working as an L3 switch, effectively hiding the MAC addresses of devices connecting through it behind its own MAC.
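
The diagnosis above (several IP addresses sitting behind the range extender's single MAC) can be checked from the Pi-hole host's neighbour table. The script below is an added example, not part of the original thread or of Pi-hole's code; the function names `shared_macs` and `sample_neigh` and the sample table (constructed, with made-up MAC addresses) are assumptions.

```shell
#!/bin/sh
# Reads `ip neigh show` style lines on stdin and prints every MAC address
# that answers for more than one IPv4 address, as: <mac> <count> <ip,ip,...>
shared_macs() {
    awk '
    {
        mac = ""
        # the hardware address follows the "lladdr" keyword
        for (i = 1; i < NF; i++)
            if ($i == "lladdr") mac = tolower($(i + 1))
        # skip unresolved entries (FAILED/INCOMPLETE) and IPv6 neighbours
        if (mac == "" || $1 ~ /:/) next
        if (!((mac, $1) in seen)) {
            seen[mac, $1] = 1
            count[mac]++
            if (mac in ips) ips[mac] = ips[mac] "," $1
            else ips[mac] = $1
        }
    }
    END {
        for (m in count)
            if (count[m] > 1) print m, count[m], ips[m]
    }' | sort
}

# Constructed sample: three clients seen through one extender MAC,
# the router on its own MAC, one unresolved entry, one IPv6 neighbour.
sample_neigh() {
    cat <<'EOF'
192.168.1.1 dev eth0 lladdr 02:00:00:00:00:01 REACHABLE
192.168.1.17 dev eth0 lladdr 02:00:00:00:00:AA STALE
192.168.1.3 dev eth0 lladdr 02:00:00:00:00:aa REACHABLE
192.168.1.6 dev eth0 lladdr 02:00:00:00:00:aa STALE
192.168.1.21 dev eth0  FAILED
fe80::1 dev eth0 lladdr 02:00:00:00:00:aa router STALE
EOF
}

# Demo run on the constructed sample
sample_neigh | shared_macs
```

On the Pi-hole host, `ip neigh show | shared_macs` runs the same check against the live table; any MAC listed with more than one address is a device (here, the extender) whose clients cannot be told apart by MAC.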