Continuing to log tens of thousands of requests to 10.4.0.1

My original post was closed due to inactivity. A summary of the issue I am seeing: Pi-hole in an LXC on my router/firewall is logging tons of requests, seemingly from the router/firewall or other clients connected to it.

A new discovery is that these requests seem to be coming exclusively from Apple devices which are connected wirelessly to a dumb AP, and they contain addresses such as:

10-courier.push.apple.com
14-courier.push.apple.com
e673.dsce9.akamaiedge.net
gateway.fe2.apple-dns.net
gdmf.apple.com
get-bx.g.aaplimg.com
gsp-ssl.ls-apple.com.akadns.net
gsp-ssl.ls.apple.com
gspe35-ssl.ls-apple.com.akadns.net
init-cdn-lb.ess-apple.com.akadns.net
init-p01md.apple.com
init.ess.apple.com
init.ess.g.aaplimg.com
init.itunes.apple.com
kt-prod.v.aaplimg.com

I am trying to isolate the cause: is it Pi-hole in the container, or is it something misconfigured on the router/firewall?

I have other client devices (Linux boxes) which do not have this problem.

The router/firewall runs OpenWrt. Specs below. Thanks for any thoughts.

ubus call system board
{
	"kernel": "6.6.91",
	"hostname": "r2max",
	"system": "Intel(R) N150",
	"model": "iKOOLCORE R2Max",
	"board_name": "ikoolcore-r2max",
	"rootfs_type": "ext4",
	"release": {
		"distribution": "OpenWrt",
		"version": "SNAPSHOT",
		"firmware_url": "https://downloads.openwrt.org/",
		"revision": "r29664+16-3cd2ff31504d",
		"target": "x86/64",
		"description": "OpenWrt SNAPSHOT r29664+16-3cd2ff31504d",
		"builddate": "1747569132"
	}
}
/etc/config/network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd99:97d2:a14e::/48'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

config interface 'lan'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option delegate '0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'
	option ipv6 '0'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:u*'
	list ports 'lan5:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'

config bridge-vlan
	option device 'br-lan'
	option vlan '4'

config device
	option name 'br-lan.10'
	option type '8021q'
	option ifname 'br-lan'
	option vid '10'
	option ipv6 '0'

config device
	option name 'br-lan.3'
	option type '8021q'
	option ifname 'br-lan'
	option vid '3'
	option ipv6 '0'

config device
	option name 'br-lan.4'
	option type '8021q'
	option ifname 'br-lan'
	option vid '4'
	option ipv6 '0'

config device
	option name 'eth0'
	option ipv6 '0'

config device
	option name 'eth1'
	option ipv6 '0'

config device
	option name 'lan1'
	option ipv6 '0'

config device
	option name 'lan2'
	option ipv6 '0'

config device
	option name 'lan3'
	option ipv6 '0'

config device
	option name 'lan4'
	option ipv6 '0'

config device
	option name 'lan5'
	option ipv6 '0'

config device
	option name 'wg0'

config device
	option type 'bridge'
	option name 'lxcbr0'
	option bridge_empty '1'
	option ipv6 '0'

config interface 'guest'
	option proto 'static'
	option device 'br-lan.3'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

config interface 'iot'
	option proto 'static'
	option device 'br-lan.4'
	option ipaddr '192.168.4.1'
	option netmask '255.255.255.0'

config interface 'lxc'
	option device 'lxcbr0'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '10.0.4.1'

config interface 'wg0'
	option proto 'wireguard'
         .... omitting the rest as it is just wireguard peers
/etc/config/firewall
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wg0'

config zone
	option name 'wan'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option enabled '0'

config forwarding
	option src 'lan'
	option dest 'lxc'

config forwarding
	option src 'lxc'
	option dest 'wan'

config zone
        option name 'lxc'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'lxc'

config rule 'wg'
        option name 'Allow-WireGuard'
        option proto 'udp'
        option target 'ACCEPT'
        option src 'wan'
        option dest_port '51820'

config zone
        option name 'iot'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'REJECT'
        list network 'IOT'
        list network 'iot'

config zone
        option name 'guest'
        option output 'ACCEPT'
        option input 'REJECT'
        option forward 'REJECT'
        list network 'guest'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'rpi4b-standard'
        option src 'wan'
        option src_dport '30122'
        option dest_ip '192.168.1.101'
        option family 'ipv4'
        list proto 'tcp'
        option dest_port '22'

config forwarding
        option src 'guest'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'guest'

config forwarding
        option src 'lan'
        option dest 'iot'

config rule
        option name 'guest dhcp and dns'
        option src 'guest'
        option target 'ACCEPT'
        option dest_port '53 67 68'

config rule
        option name 'pi-hole-dns guest to lxc'
        list proto 'udp'
        option src 'guest'
        option dest 'lxc'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option src 'IoT'
        option target 'ACCEPT'
        option name 'iot dhcp'
        option dest_port '67 68'

config rule
        option name 'iot dns'
        list proto 'udp'
        option src 'IoT'
        option dest 'lxc'
        option dest_port '53'
        option target 'ACCEPT'
/mnt/data/lxc/pihole

# Distribution configuration

lxc.include = /usr/share/lxc/config/common.conf
lxc.include = /usr/share/lxc/config/userns.conf
lxc.arch = aarch64

# Container specific configuration

lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
lxc.rootfs.path = dir:/mnt/lxc/pihole/rootfs
lxc.uts.name = pihole

# Network configuration

lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.net.0.flags = up
lxc.net.0.ipv4.address = 10.0.4.250/24
lxc.net.0.ipv4.gateway = 10.0.4.1

/etc/config/dhcp
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	list dhcp_option '6,10.0.4.250'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '6,10.0.4.250'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'wg0'
	option interface 'wg0'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

In an attempt to simplify this, I took the container out of the mix. Pi-hole is running on a bare metal x86 box now and I am seeing the same behavior. A minor difference is that there are tons of requests coming from the OpenWrt router/firewall's IP address (10.9.8.1) and all of them are from a single iOS device (iPhone 16).

Here is pihole.toml if there is something diagnostic in there.

What could possibly cause a DNS request from this device to appear in pihole's log as originating from the router/firewall rather than the device itself?

Note that some DNS requests do get logged as originating from the iPhone's IP address.

I am currently running on the 5.x line, and experience no such behavior. All devices on my network are set to use only my pi-hole system for DNS. Obviously, not your setup.

With that in mind, I have a few IoT devices on my network that love to phone home. One tries to hit a Chinese web site that bills itself as being the most popular, or something like that. No surprise if tons of devices try accessing the site.

Those devices alone were responsible for a decent amount of traffic. Naturally, I block such traffic, and also have pi-hole set to not include them in its statistics. They are in the log, though.

Depending on your configuration, like if all or many devices on your network refer to your router for DNS, and that in turn sends the requests to pi-hole, that could explain what you see.

You perhaps should generate a debug log, and post just the token, so the developers can check.
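The reply above describes the usual way a query ends up attributed to the router: the client asks the router's dnsmasq, which forwards the query upstream, so Pi-hole only ever sees the router's address. In the posted /etc/config/dhcp this is at least possible for the 'iot' pool, which has no `dhcp_option '6,...'` entry and therefore hands clients the router's own address as resolver (whether that dnsmasq then forwards to Pi-hole depends on its upstream; the posted `resolvfile` points at the WAN-provided Cloudflare entries, so the forwarding step is not confirmed by the config shown). The way to settle it without guessing is to correlate the two logs: with `option logqueries '1'` set in the dnsmasq section of /etc/config/dhcp, OpenWrt's `logread` shows `query[A] name from <client>` followed by `forwarded name to <upstream>`, and Pi-hole's own pihole.log is in the same dnsmasq format. The script below is an added example for this thread, not code from any post in it; the log lines, addresses, timestamps and the `ROUTER_IPS` set are constructed for illustration. It pairs each Pi-hole query logged as coming from a router address with the router-side `query ... from` line of the same name and type closest in time, and reports which LAN client (or the router itself, as 127.0.0.1) really asked.

```python
"""Attribute Pi-hole queries logged as 'from the router' to the LAN client
that really asked, by correlating them with the router's own dnsmasq log.

Added example for this thread, not code from any post in it. Input below is
constructed dnsmasq-format log text; the addresses, timestamps and the
ROUTER_IPS set are assumptions for illustration.
"""
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

LOG_YEAR = 2025  # assumption: pihole.log lines carry no year, so supply one

# Addresses under which Pi-hole may see the router itself (assumed values).
ROUTER_IPS = {"192.168.1.1", "10.0.4.1"}

# Constructed: OpenWrt `logread` output with `option logqueries '1'` on dnsmasq.
ROUTER_LOG = """\
Tue Jun  3 10:15:01 2025 daemon.info dnsmasq[2201]: query[A] gdmf.apple.com from 192.168.4.120
Tue Jun  3 10:15:01 2025 daemon.info dnsmasq[2201]: forwarded gdmf.apple.com to 10.0.4.250
Tue Jun  3 10:15:02 2025 daemon.info dnsmasq[2201]: query[HTTPS] init.ess.apple.com from 192.168.4.120
Tue Jun  3 10:15:02 2025 daemon.info dnsmasq[2201]: forwarded init.ess.apple.com to 10.0.4.250
Tue Jun  3 10:15:04 2025 daemon.info dnsmasq[2201]: query[A] example.org from 192.168.1.105
Tue Jun  3 10:15:04 2025 daemon.info dnsmasq[2201]: forwarded example.org to 10.0.4.250
Tue Jun  3 10:15:06 2025 daemon.info dnsmasq[2201]: query[A] time.cloudflare.com from 127.0.0.1
Tue Jun  3 10:15:06 2025 daemon.info dnsmasq[2201]: forwarded time.cloudflare.com to 10.0.4.250
"""

# Constructed: the same window as recorded in Pi-hole's dnsmasq-format pihole.log.
PIHOLE_LOG = """\
Jun  3 10:15:01 dnsmasq[412]: query[A] gdmf.apple.com from 10.0.4.1
Jun  3 10:15:01 dnsmasq[412]: forwarded gdmf.apple.com to 1.1.1.1
Jun  3 10:15:02 dnsmasq[412]: query[HTTPS] init.ess.apple.com from 10.0.4.1
Jun  3 10:15:04 dnsmasq[412]: query[A] example.org from 10.0.4.1
Jun  3 10:15:06 dnsmasq[412]: query[A] time.cloudflare.com from 10.0.4.1
Jun  3 10:15:09 dnsmasq[412]: query[A] 10-courier.push.apple.com from 192.168.1.130
Jun  3 10:15:20 dnsmasq[412]: query[A] gdmf.apple.com from 10.0.4.1
"""

Query = namedtuple("Query", "ts qtype name client")

# Matches both syslog styles: "Jun  3 10:15:01 dnsmasq[..]: query[A] name from ip"
# and "Tue Jun  3 10:15:01 2025 daemon.info dnsmasq[..]: query[A] name from ip".
QUERY_RE = re.compile(
    r"(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d)"
    r".*?query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)"
)


def parse_queries(text):
    """Return the 'query[...]' lines of a dnsmasq log as Query records."""
    out = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # 'forwarded', 'reply', 'cached' lines carry no client
        ts = datetime.strptime(
            f"{m['mon']} {m['day']} {m['time']} {LOG_YEAR}", "%b %d %H:%M:%S %Y")
        out.append(Query(ts, m["qtype"], m["name"], m["client"]))
    return out


def attribute(pihole, router, router_ips, window=timedelta(seconds=2)):
    """Pair each Pi-hole query whose client is a router address with the
    router's own 'query ... from <client>' line for the same name and type
    closest in time. Returns (pihole_query, real_client) pairs; real_client is
    None when nothing matched inside the window (no router-side record of the
    lookup, or the two clocks are not in sync)."""
    pairs = []
    for q in pihole:
        if q.client not in router_ips:
            pairs.append((q, q.client))  # Pi-hole already sees the true client
            continue
        candidates = [r for r in router
                      if r.name == q.name and r.qtype == q.qtype
                      and abs(r.ts - q.ts) <= window]
        best = min(candidates, key=lambda r: abs(r.ts - q.ts), default=None)
        pairs.append((q, best.client if best else None))
    return pairs


def summarize(pairs):
    """Count queries per attributed client; 127.0.0.1 means the router's own
    resolver asked, 'unattributed' means no router log line explained it."""
    counts = defaultdict(int)
    for _, client in pairs:
        counts[client or "unattributed"] += 1
    return dict(counts)


if __name__ == "__main__":
    pairs = attribute(parse_queries(PIHOLE_LOG), parse_queries(ROUTER_LOG), ROUTER_IPS)
    for q, client in pairs:
        print(f"{q.ts:%H:%M:%S} {q.qtype:5} {q.name:28} pi-hole client {q.client:14} "
              f"real client {client}")
    print(summarize(pairs))
```

On real logs, feed it `logread | grep dnsmasq` from the router and the matching stretch of pihole.log; the two-second window assumes both boxes keep NTP time, so widen it or fix the clocks first if everything comes back unattributed. Queries that attribute to 127.0.0.1 are the router's own lookups (ntp, package lists); queries that attribute to a LAN address are the forwarded ones, and that address is the device to look at. Queries from a router address with no router-side match at all are the interesting residue: Pi-hole saw them but dnsmasq on the router never logged receiving them, which points at something other than plain forwarding.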

I don't think pi-hole is to blame... something is odd with that iPhone. I can stop the behavior by applying the following traffic rule, but that is really a band-aid fix.

Or a redirect:

config redirect
	option name 'Intercept-DNS'
	option src 'lxc'
	option src_dport '53'
	option dest 'lxc'
	option dest_ip '10.0.4.250'
	option dest_port '53'
	option src_ip '10.0.4.1'

Is that iPhone yours? One that is supposed to be in the house?

You could have a rogue app on the iPhone. (unlikely)

Do you have an option to temporary swap out the OpenWrt router? See if the behaviour continues with a different router?

Having things natter like mad is not unusual. I have annoying Chinese "Smart" plugs that spend all day nattering. It gets worse if I attempt to block those with Pi-hole, as they then go into panic mode and chatter ten times worse.

I have devices that seem to be paranoid and keep checking if they are online every minute... just lousy coding.
