Disk shortage (/var/log/pihole/FTL.log) ahead: 99% used

darco · May 3, 2024, 10:52pm

Token: 3WuSUfPe/

Sorry guys, another Disk shortage issue. Getting slammed by this query:
newtab.0.1.168.192.in-addr.arpa from 192.1.1

Running Pi-hole on a RPI 3 w/Dietpi as OS..installed pi using dietpi software

Had issues w/my RPI and bought some new sd cards, 32g..sandisk.
Use teleport to restore...ever since, nothing but issues. On top of the disk shortage, cpu at 100% which im sure is a by product of the


root@DietPi:~# tail /var/log/pihole.log
May  3 15:29:36 dnsmasq[22694]: forwarded newtab to 192.168.1.1
May  3 15:29:36 dnsmasq[22694]: query[HTTPS] newtab from 192.168.1.1
May  3 15:29:36 dnsmasq[22694]: forwarded newtab to 192.168.1.1
May  3 15:29:36 dnsmasq[22694]: query[HTTPS] newtab from 192.168.1.1
May  3 15:29:36 dnsmasq[22694]: forwarded newtab to 192.168.1.1
May  3 15:29:36 dnsmasq[22694]: query[HTTPS] newtab from 192.168.1.1
May  3 15:29:36 dnsmasq[22694]: forwarded newtab to 192.168.1.1
May  3 15:29:36 dnsmasq[22694]: query[A] newtab.0.1.168.192.in-addr.arpa from 192.168.1.1
May  3 15:29:36 dnsmasq[22694]: forwarded newtab.0.1.168.192.in-addr.arpa to 192.168.1.1

root@DietPi:~stat /var/log/pihole.logog
File: /var/log/pihole.log -> /var/log/pihole/pihole.log
Size: 26 Blocks: 0 IO Block: 4096 symbolic link
Device: 1eh/30d Inode: 16 Links: 1
Access: (0777/lrwxrwxrwx) Uid: ( 998/ pihole) Gid: ( 995/ pihole)
Access: 2024-04-21 12:09:18.273637770 -0700
Modify: 2022-07-07 16:40:24.221921330 -0700
Change: 2024-05-03 13:20:29.575999998 -

root@DietPi:~# sudo -u pihole stat /var/log/pihole.log
  File: /var/log/pihole.log -> /var/log/pihole/pihole.log
  Size: 26              Blocks: 0          IO Block: 4096   symbolic link
Device: 1eh/30d Inode: 16          Links: 1
Access: (0777/lrwxrwxrwx)  Uid: (  998/  pihole)   Gid: (  995/  pihole)
Access: 2024-04-21 12:09:18.273637770 -0700
Modify: 2022-07-07 16:40:24.221921330 -0700
Change: 2024-05-03 13:20:29.575999998 -0700
 Birth: 2024-05-03 13:20:29.575999998 -0700

root@DietPi:~# ls -lha /var/log/pihole
total 60M
drwxr-xr-x 2 pihole pihole 140 Apr 21 11:35 .
drwxr-xr-t 6 root   root   340 May  3 16:13 ..
-rw-r--r-- 1 pihole pihole 12K May  3 15:54 FTL.log
-rw-r----- 1 pihole pihole 60M May  3 15:29 pihole.log
-rw-r----- 1 pihole pihole   0 Apr 27 00:17 pihole.log.1
-rw-r----- 1 root   pihole   0 May  3 15:46 pih

`

CallMeCurious · May 3, 2024, 11:17pm

What does df -h shows?

darco · May 3, 2024, 11:29pm


root@DietPi:~# df -h
Filesystem      Size  Used Avail Use% Mounted on
/dev/root       3.5G  2.3G  1.1G  69% /
devtmpfs        446M     0  446M   0% /dev
tmpfs           480M     0  480M   0% /dev/shm
tmpfs           192M   20M  173M  11% /run
tmpfs           5.0M     0  5.0M   0% /run/lock
tmpfs           1.9G  4.0K  1.9G   1% /tmp
log2ram          60M   36K   60M   1% /var/log
/dev/mmcblk0p1  127M   33M   94M  26% /boot
tmpfs            50M     0   50M   0% /var/hdd.log

CallMeCurious · May 4, 2024, 12:02am

May  3 15:29:36 dnsmasq[22694]: query[HTTPS] newtab from 192.168.1.1
May  3 15:29:36 dnsmasq[22694]: forwarded newtab to 192.168.1.1

So this seems like it might be somekind of loop. Is the wan side of the router using pihole as its upstream resolver? Maybe something with conditional forwarding?

darco · May 4, 2024, 12:08am

No, the wan interface does not show the .217 as the dns. The lan interface does....I also disabled conditional forwarding and restarted FTL....working good but eventually it will fail like above
Should the WAN side have the pihole dns server listed?

CallMeCurious · May 4, 2024, 12:21am

No, Its best not. The wan side is only querying things the router might need like ntp etc.

if you do a sudo grep newtab /var/log/pihole/pihole.log does it show anything? I'm guessing you cleared the logs to make space so it may not.

darco · May 4, 2024, 12:38am

ya it may have cleared when I restarted FTL....nothing shows

CallMeCurious · May 4, 2024, 1:00am

Do you have any apple devices. This query type [HTTPS] seems to be used primarily by apple devices. I'm not really familiar with so the "newtab" portion is throwing me.

darco · May 4, 2024, 1:03am

Yes, two devices, phone and tablet..2million newtabs queries,,,,ya its throwing me too

CallMeCurious · May 4, 2024, 1:12am

If the query is the same every time you have the issue it might be worth powering each device down one at a time to see if you can atleast isolate the client. I would also suggest a debug log / token for the devs to check the configuration.

darco · May 4, 2024, 1:16am

heres some more info:

root@DietPi:~# grep arpa /var/log/pihole.log | tail -n25
May  3 17:26:50 dnsmasq[40902]: query[PTR] 1.36.14.76.in-addr.arpa from 192.168.1.1
May  3 17:26:50 dnsmasq[40902]: query[PTR] 220.36.14.76.in-addr.arpa from 192.168.1.1
May  3 17:44:26 dnsmasq[40902]: query[SVCB] _dns.resolver.arpa from 192.168.1.170
May  3 17:44:26 dnsmasq[40902]: cached _dns.resolver.arpa is NXDOMAIN
May  3 17:51:06 dnsmasq[40902]: query[PTR] 1.36.14.76.in-addr.arpa from 192.168.1.1
May  3 17:51:06 dnsmasq[40902]: query[PTR] 220.36.14.76.in-addr.arpa from 192.168.1.1
May  3 18:03:07 dnsmasq[45990]: query[PTR] 100.1.168.192.in-addr.arpa from 127.0.0.1
May  3 18:03:07 dnsmasq[45990]: forwarded 100.1.168.192.in-addr.arpa to 127.0.0.1#5335
May  3 18:03:07 dnsmasq[45990]: query[PTR] 108.1.168.192.in-addr.arpa from 127.0.0.1
May  3 18:03:07 dnsmasq[45990]: forwarded 108.1.168.192.in-addr.arpa to 127.0.0.1#5335
May  3 18:03:07 dnsmasq[45990]: query[PTR] 168.1.168.192.in-addr.arpa from 127.0.0.1
May  3 18:03:07 dnsmasq[45990]: forwarded 168.1.168.192.in-addr.arpa to 127.0.0.1#5335
May  3 18:03:07 dnsmasq[45990]: query[PTR] 159.1.168.192.in-addr.arpa from 127.0.0.1
May  3 18:03:07 dnsmasq[45990]: forwarded 159.1.168.192.in-addr.arpa to 127.0.0.1#5335
May  3 18:03:07 dnsmasq[45990]: query[PTR] 217.1.168.192.in-addr.arpa from 127.0.0.1
May  3 18:03:07 dnsmasq[45990]: config 217.1.168.192.in-addr.arpa is <PTR>
May  3 18:03:07 dnsmasq[45990]: query[PTR] 170.1.168.192.in-addr.arpa from 127.0.0.1
May  3 18:03:07 dnsmasq[45990]: forwarded 170.1.168.192.in-addr.arpa to 127.0.0.1#5335
May  3 18:03:07 dnsmasq[45990]: query[PTR] 1.1.168.192.in-addr.arpa from 127.0.0.1
May  3 18:03:07 dnsmasq[45990]: forwarded 1.1.168.192.in-addr.arpa to 127.0.0.1#5335
May  3 18:14:16 dnsmasq[45990]: query[SVCB] _dns.resolver.arpa from 192.168.1.170
May  3 18:14:16 dnsmasq[45990]: forwarded _dns.resolver.arpa to 127.0.0.1#5335
May  3 18:14:16 dnsmasq[4
``5990]: reply _dns.resolver.arpa is NXDOMAIN

root@DietPi:~# echo ">top-clients >quit" | nc localhost 4711
0 2230939 192.168.1.1 darco.lan
1 2025 192.168.1.100 DarcoPC.lan
2 1011 127.0.0.1 localhost
3 438 192.168.1.170 iFone.lan
4 335 192.168.1.168 Bose.lan
5 42 192.168.1.159 fluidd.lan
6 13 192.168.1.108 iPad.lan
7 3 192.168.1.217 pi.hole

root@DietPi:~# echo ">top-domains >quit" | nc localhost 4711
0 2230953 newtab.0.1.168.192.in-addr.arpa
1 976 raw.githubusercontent.com
2 142 iot.api.bose.io
3 120 data.api.bose.io
4 79 connectivity-check.ubuntu.com
5 55 hp.lingscars.com
6 53 p-aw2-dynaman.movetv.com
7 49 streams.adobeprimetime.com
8 35 safebrowsing.googleapis.com
9 32 arksine.github.io

Bucking_Horn · May 4, 2024, 11:49am

You have configured a DNS loop:
Your router (presumably) at 192.168.1.1 is using Pi-hole for DNS, and at the same time, your Pi-hole is using 192.168.1.1 as upstream DNS server.

Your debug log is empty, so I can't tell whether you've enabled Pi-hole's Conditional Forwarding or you've configured one of Pi-hole's upstream DNS servers to forward to your router.

To break the loop, you'd need to point either your router or Pi-hole to a different upstream.

darco · May 4, 2024, 3:42pm

Thxs for the reply...I am using unbound. Pihole upstream DNS is pointing to 127.0.0.1. I did have CF set and is currently disabled. My router is 192.168.1.1 and the LAN interface DNS is pointing to 192.168.1.217 (in 2 different places) which is the Pihole.Using router for DHCP. Resolv.conf points to 127
I am not sure what to change unless theres a misconfiguration somewhere but I rarely make any router changes and Ive been running pihole on this router for a few years now... thxs again

darco · May 4, 2024, 5:51pm

I noticed in the debug log that the IPv4 address from my previous setup still shows even after reboots?https://imgur.com/a/qVDPHwB

CallMeCurious · May 4, 2024, 6:47pm

You could try a pihole -r and repair the build. That would likely fix that issue.

darco · May 4, 2024, 7:47pm

Ive done a few -R in the past week and its still there

CallMeCurious · May 4, 2024, 7:58pm

Check this thread. Another dietpi user have a similar issue with the ip. While not the same perhaps the solution is?

Alsoo curious what your df -h looks like today. Is the log still filling up?

rdwebdesign · May 4, 2024, 8:08pm

Your previous log is completely empty (apparently there was an upload issue).

Please, generate a new debug log and post the token URL.

darco · May 4, 2024, 8:39pm

Well the IP to the server/web are fine...so ill just leave as is.Thanks for the link,
Pihole is running like a champ....and I havent done anything yet.

root@DietPi:~# df -h
Filesystem      Size  Used Avail Use% Mounted on
/dev/root       3.5G  2.3G  1.1G  69% /
devtmpfs        446M     0  446M   0% /dev
tmpfs           480M  976K  479M   1% /dev/shm
tmpfs           192M   18M  175M  10% /run
tmpfs           5.0M     0  5.0M   0% /run/lock
tmpfs           1.9G  4.0K  1.9G   1% /tmp
log2ram          60M  204K   60M   1% /var/log
/dev/mmcblk0p1  127M   33M   94M  26% /boot
tmpfs            50M     0   50M   0% /var/hdd.log

darco · May 4, 2024, 10:29pm

https://tricorder.pi-hole.net/teAwzdBa/