Confusion from the main display/screen

I go to the main screen and scroll down to the breakdown of what sites are being addressed.

I see this:

Screenshot from 2022-06-19 11-50-13

Ok, so I click on it to try and understand what is going on.

And after a while I get this.

192.168.0.83 is the PiHole machine.
RasPi 3B+ Buster

One of your network clients is repeatedly requesting this domain, along with the response. You can quickly search the dnsmasq log and see which client is doing this. From the Pi terminal

grep heartbeat /var/log/pihole.log | tail -n10

The error is an out -of-memory error. Your device was not able to load all the data into it's memory because the number of queries was too high.

This Improve loop for getAllQueries from FTL's memory by yubiuser · Pull Request #2163 · pi-hole/AdminLTE · GitHub should have prevented the memory error. But maybe the query volume is just to high even after mitigation.

Thanks all.... Good news and bad news. (Though not for you. More for me.)

Yes, the log file was HUGE.

Digging and filtering I found it started at 19:32 17 July.

Jun 17 19:32:27 dnsmasq[9674]: query[A] heartbeat from 192.168.0.99
Jun 17 19:32:27 dnsmasq[9674]: config heartbeat is NXDOMAIN

And it has been going strong since then.

I tried wireshark but it is out of my depth.
I did host 192.168.0.99 and got what was coming out, but I didn't see anything like that with a DNS request for heartbeat.

Yes, I stuffed up.
And worse than that, the backup/s I thought I made didn't work.

So I am left with what I have now and no older version to check. (Of my program)

Yes, wireshark is off topic here, but I'm just wanting to ask if anyone can tell/help me better track down how this is happening.

I have a heartbeat message in my program. (That bit is a no-brainer)
I disabled that part and it seems the messages are still being created.
(I'll go back and triple check that after posting.)
(Only because if I do it BEFORE posting, it won't be the same result.)
(You've heard of that "Mr Murphy" guy?)

You should address this at the source:
What client is sending those DNS requests for heartbeat?
What software on that client is issuing those requests?

Chances are that some kind of monitoring software would be involved.

Once you've found out, you'd have a couple of options to limit the seemingly excessive amout of DNS queries hammering your Pi-hole.
a) adjust the heartbeat sending software's time interval to something bigger, i.e. once per minute (or 1,440 requests per 24 hours).
b) make sure the client is caching DNS requests, either again by adjusting the software, or by enabling a caching stub resolver on that client
c) if the client is already caching, try to adjust the heartbeat domain's TTL to a higher value, see e.g. Overriding `local-ttl` in user config files - #2 by Bucking_Horn
d) stop using the software that issues those requests (depending on your personal assessment of its usefulness)

I admit I screwed up.

With no older versions (other than 3 to 4 months ago) I can't look for what changed.

The idea of the heartbeat is to detect if anything dies. I could maybe make it every 60 seconds.
But .... that isn't really fixing the problem. Note: I am not blaming PiHole. I am blaming myself for a lot of reasons.

But to try and learn from it, I need to work out where in my program it is coming.
Yeah, probably asking a lot of Wireshark.
I've 99.99999999% proven if I fully stop my program the entries stop. So it isn't anything else doing it.

Sorry, I'll stop complaining here and try to invest the effort into finding out from where in my program it is coming.

Good news - for me.

I found the cause.

Not really sure how it works/happened/(what ever). But I guess that is a thing about bugs.
They aren't easy to find.

All good now.

What was it?

It was a node I was using in Node-red.

I'm not sure it is a bug - but I reported it anyway - or how it is supposed to work.
(I doubt that though)

So for now I can't do what I want to do and the node is disabled.

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.