Dnsmasq host-record setting not working?

I have this problem where my Mikrotik router keeps hitting the pi-hole with thousands of requests every day for www.mikrotik.com.

This is apparently due to the local TTL of 2 seconds, Change the TTL?

I noticed this setting in the man page for dnsmasq:

--host-record=<name>[,<name>....],[<IPv4-address>],[<IPv6-address>][,<TTL>]

Add A, AAAA and PTR records to the DNS. This adds one or more names to the DNS with associated IPv4 (A) and IPv6 (AAAA) records. A name may appear in more than one --host-record and therefore be assigned more than one address. Only the first address creates a PTR record linking the address to the name. This is the same rule as is used reading hosts-files. --host-record options are considered to be read before host-files, so a name appearing there inhibits PTR-record creation if it appears in hosts-file also. Unlike hosts-files, names are not expanded, even when --expand-hosts is in effect. Short and long names may appear in the same --host-record, eg. --host-record=laptop,laptop.thekelleys.org,192.168.0.1,1234::100

If the time-to-live is given, it overrides the default, which is zero or the value of --local-ttl . The value is a positive integer and gives the time-to-live in seconds.

The last sentence seemed to offer hope.

So I tried making the file /etc/dnsmasq.d/50-hosts.conf:
host-record=www.mikrotik.com,159.148.147.196,3600
...hoping and half-expecting it to work, but it didn't. I am still getting the constant requests coming from the router.

Is there any way of getting this to work? Is this option supported by pihole-FTL?
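To make the option's field order concrete, here is an added example (not dnsmasq's or Pi-hole's own code) that parses `host-record=` lines the way the quoted man page describes them (names first, then IPv4/IPv6 addresses, then an optional positive TTL) and folds several lines into the A, AAAA and PTR tables they imply. The "only the first address creates a PTR record" rule is implemented as our reading of that sentence: the first address a name receives is the only one that gets a reverse record. The second `www.mikrotik.com` line in the usage block is constructed to show a name carrying two addresses.

```python
"""Parse dnsmasq host-record options and fold them into the A/AAAA/PTR
records they imply. Added example, not dnsmasq's own code; it assumes the
field order from the quoted man page (names, then addresses, then an
optional TTL) and reads the PTR rule as 'first address per name'."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class HostRecord:
    names: List[str]        # one or more names, short or fully qualified
    ipv4: List[str]         # IPv4 addresses -> A records
    ipv6: List[str]         # IPv6 addresses -> AAAA records
    ttl: Optional[int]      # explicit TTL in seconds, or None (use --local-ttl)


def parse_host_record(option: str) -> HostRecord:
    """Parse one 'host-record=...' line as written in /etc/dnsmasq.d/*.conf
    (a leading '--' as used on the command line is also accepted)."""
    option = option.strip()
    if option.startswith("--"):
        option = option[2:]
    key, sep, value = option.partition("=")
    if key != "host-record" or not sep:
        raise ValueError(f"not a host-record option: {option!r}")
    names, ipv4, ipv6, ttl = [], [], [], None
    for raw in value.split(","):
        field = raw.strip()
        if not field:
            continue                    # an omitted optional field, e.g. 'name,,1234::100'
        try:
            addr = ipaddress.ip_address(field)
        except ValueError:
            addr = None
        if addr is not None:
            (ipv4 if addr.version == 4 else ipv6).append(str(addr))
        elif field.isdigit():
            if int(field) <= 0:         # man page: the TTL is a positive integer
                raise ValueError(f"TTL must be positive: {field}")
            ttl = int(field)
        else:
            names.append(field.lower().rstrip("."))
    if not names:                       # validation added here, not dnsmasq's message
        raise ValueError(f"host-record needs at least one name: {option!r}")
    return HostRecord(names, ipv4, ipv6, ttl)


def build_tables(options: List[str], local_ttl: int = 0) -> dict:
    """Fold several host-record lines into lookup tables. A name listed in more
    than one record accumulates more than one address; only the first address
    a name receives creates a PTR record (our reading of the quoted rule)."""
    a, aaaa, ptr, ttls = {}, {}, {}, {}
    for opt in options:
        rec = parse_host_record(opt)
        for name in rec.names:
            a.setdefault(name, []).extend(rec.ipv4)
            aaaa.setdefault(name, []).extend(rec.ipv6)
            # an explicit TTL wins; otherwise fall back to local-ttl once
            if rec.ttl is not None or name not in ttls:
                ttls[name] = rec.ttl if rec.ttl is not None else local_ttl
        addrs = rec.ipv4 + rec.ipv6
        first = rec.names[0]
        if addrs and first not in ptr.values():
            ptr.setdefault(addrs[0], first)
    return {"A": a, "AAAA": aaaa, "PTR": ptr, "TTL": ttls}


if __name__ == "__main__":
    # the line from the question plus a constructed second address for the same name
    tables = build_tables([
        "host-record=www.mikrotik.com,159.148.147.196,3600",
        "host-record=www.mikrotik.com,159.148.147.205",
    ], local_ttl=2)
    for rtype, table in tables.items():
        print(rtype, table)
```

Running it shows the name answering with both addresses, a single PTR for the first one, and the TTL of 3600 carried over from the first line; whether pihole-FTL honours that TTL is exactly the open question above, and this script only models what the man page text says.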

Have you blocked this domain? The TTL of 2 seconds applies only to blocked or locally served domains. For that specific domain, the TTL provided by the nameserver is 7200 seconds.

dig www.microtik.com @1.1.1.1

; <<>> DiG 9.11.5-P4-5.1+deb10u1-Raspbian <<>> www.microtik.com @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27247
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.microtik.com.              IN      A

;; ANSWER SECTION:
www.microtik.com.       7200    IN      A       159.148.147.205

;; Query time: 425 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sat Aug 01 12:40:43 CDT 2020
;; MSG SIZE  rcvd: 77

Typo. The domain is www.mikrotik.com.

How come you got the full 7200 value? I always get how many seconds are left to live when I use dig.

Anyway, no the domain is not blocked (I double checked), but if only blocked domains have the local TTL of 2 seconds, how come this is a problem for the people in the previous discussion? Change the TTL?

Because he requested it for the first time.

hrko@ThinkPad-X230:~$ dig www.mikrotik.com

; <<>> DiG 9.11.3-1ubuntu1.12-Ubuntu <<>> www.mikrotik.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47819
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;www.mikrotik.com.		IN	A

;; ANSWER SECTION:
www.mikrotik.com.	7200	IN	A	159.148.147.196

;; Query time: 212 msec
;; SERVER: 10.0.1.5#53(10.0.1.5)
;; WHEN: Sat Aug 01 20:36:48 CEST 2020
;; MSG SIZE  rcvd: 61

chrko@ThinkPad-X230:~$ dig www.mikrotik.com

; <<>> DiG 9.11.3-1ubuntu1.12-Ubuntu <<>> www.mikrotik.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21391
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.mikrotik.com.		IN	A

;; ANSWER SECTION:
www.mikrotik.com.	7199	IN	A	159.148.147.196

;; Query time: 2 msec
;; SERVER: 10.0.1.5#53(10.0.1.5)
;; WHEN: Sat Aug 01 20:36:49 CEST 2020
;; MSG SIZE  rcvd: 61

It seems to me that their problem is not related to local-ttl at all, but rather to their (Mikrotik?) router querying a certain domain in a certain interval.

If that's the case, no amount of TTL manipulation would change that.
You'd have to educate the client device that's issuing the queries in the first place.

A solution or rather workaround would be to have the router distribute Pi-hole as local DNS via DHCP while it keeps using its own upstream DNS servers. That way, you wouldn't see your router's excessive queries in Pi-hole's Query Log.

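The point made above, that a client polling on its own schedule produces the same query count no matter what TTL Pi-hole hands back, can be checked directly in Pi-hole's log. The following is an added example, not Pi-hole or dnsmasq code; it reads the `log-queries` line format that Pi-hole writes to /var/log/pihole.log and reports, per client and name, how many queries arrived, the median gap between them and the daily rate that gap implies. The log lines embedded in it are constructed, with 10.0.1.1 standing in for the router.

```python
"""Spot a client that re-asks Pi-hole for the same name at a fixed interval.
Added example, not Pi-hole code. It reads the dnsmasq 'log-queries' format
Pi-hole writes to /var/log/pihole.log; the lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: 10.0.1.1 (the router) asks every 2 s, 10.0.1.20 asks once.
SAMPLE_LOG = """\
Aug  1 12:40:00 dnsmasq[812]: query[A] www.mikrotik.com from 10.0.1.1
Aug  1 12:40:00 dnsmasq[812]: forwarded www.mikrotik.com to 1.1.1.1
Aug  1 12:40:00 dnsmasq[812]: reply www.mikrotik.com is 159.148.147.196
Aug  1 12:40:02 dnsmasq[812]: query[A] www.mikrotik.com from 10.0.1.1
Aug  1 12:40:02 dnsmasq[812]: cached www.mikrotik.com is 159.148.147.196
Aug  1 12:40:03 dnsmasq[812]: query[A] exeter.ac.uk from 10.0.1.20
Aug  1 12:40:03 dnsmasq[812]: forwarded exeter.ac.uk to 1.1.1.1
Aug  1 12:40:03 dnsmasq[812]: reply exeter.ac.uk is 144.173.6.226
Aug  1 12:40:04 dnsmasq[812]: query[A] www.mikrotik.com from 10.0.1.1
Aug  1 12:40:04 dnsmasq[812]: cached www.mikrotik.com is 159.148.147.196
Aug  1 12:40:06 dnsmasq[812]: query[A] www.mikrotik.com from 10.0.1.1
Aug  1 12:40:06 dnsmasq[812]: cached www.mikrotik.com is 159.148.147.196
"""

# one pattern for the two line kinds we care about: queries and their source
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
    r"(?:query\[(?P<qtype>\w+)\] (?P<qname>\S+) from (?P<client>\S+)"
    r"|(?P<source>cached|forwarded) (?P<aname>\S+) )"
)


def parse_log(text, year=2020):
    """Return (queries, sources): queries is a list of (time, qtype, name, client);
    sources counts per name how often the answer came from cache vs upstream.
    syslog lines carry no year, so one is supplied (assumed 2020 here)."""
    queries = []
    sources = defaultdict(lambda: {"cached": 0, "forwarded": 0})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                        # reply lines and anything else are skipped
        if m.group("qname"):
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
            queries.append((ts, m.group("qtype"), m.group("qname"), m.group("client")))
        else:
            sources[m.group("aname")][m.group("source")] += 1
    return queries, dict(sources)


def top_talkers(text, min_queries=3):
    """Per (client, name) pair with at least min_queries: count, median gap between
    queries and the daily rate that gap projects to. A steady gap that does not
    follow the answer TTL means the client, not the TTL, sets the rate."""
    by_pair = defaultdict(list)
    for ts, _qtype, qname, client in parse_log(text)[0]:
        by_pair[(client, qname)].append(ts)
    report = []
    for (client, qname), times in by_pair.items():
        if len(times) < min_queries:
            continue
        times.sort()
        gap = median((b - a).total_seconds() for a, b in zip(times, times[1:]))
        report.append({
            "client": client,
            "domain": qname,
            "count": len(times),
            "median_gap_s": gap,
            "projected_per_day": round(86400 / gap) if gap > 0 else None,
        })
    return sorted(report, key=lambda r: -r["count"])


if __name__ == "__main__":
    for row in top_talkers(SAMPLE_LOG):
        print(row)
    print(parse_log(SAMPLE_LOG)[1])
```

On the constructed sample, the router pair shows a 2 s median gap and a projected 43,200 queries per day, and three of its four answers already come from Pi-hole's cache: the cache is doing its job, and the number of queries is set by the client alone. Replacing `SAMPLE_LOG` with the contents of the real log file runs the same report on a live Pi-hole.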

That's strange. I can request a random domain I have never requested before and I do not get the full TTL value.

e.g.

$ dig A exeter.ac.uk +all @1.1.1.1
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18663
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;exeter.ac.uk.                  IN      A

;; ANSWER SECTION:
exeter.ac.uk.           7093    IN      A       144.173.6.226

;; Query time: 6 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sat Aug 01 19:51:52 BST 2020
;; MSG SIZE  rcvd: 69

Maybe it depends if it was cached at the Cloudflare server?

I'm not sure, maybe.

For the domain I checked (a different one) the name server reported the 7200 seconds. For the corrected domain (the one you listed), the TTL is slightly less.

dig www.mikrotik.com @1.1.1.1

; <<>> DiG 9.11.5-P4-5.1+deb10u1-Raspbian <<>> www.mikrotik.com @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52360
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.mikrotik.com. IN A

;; ANSWER SECTION:
www.mikrotik.com. 6992 IN A 159.148.147.196

;; Query time: 20 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sat Aug 01 14:37:44 CDT 2020
;; MSG SIZE rcvd: 77
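The side discussion in this thread (why one dig shows the full 7200 and another shows 7199 or 6992) comes down to whether the answering resolver served the record from its cache. Here is an added example, not written by any of the posters, that parses dig's text output and classifies a second response against a first: a cache hit shows the TTL dropping by about the wall-clock seconds between the two queries, while a fresh upstream fetch resets it. The sample inputs are the two back-to-back outputs posted above (7200 then 7199 one second apart); the one-second tolerance in the comparison is an assumption.

```python
"""Tell a resolver cache hit from a fresh upstream fetch by how the answer TTL
moves between two dig runs. Added example, not from the thread's authors; the
two outputs below are copied from the thread as sample input."""
import re
from datetime import datetime

FIRST = """\
; <<>> DiG 9.11.3-1ubuntu1.12-Ubuntu <<>> www.mikrotik.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47819
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;www.mikrotik.com.        IN      A

;; ANSWER SECTION:
www.mikrotik.com.       7200    IN      A       159.148.147.196

;; Query time: 212 msec
;; SERVER: 10.0.1.5#53(10.0.1.5)
;; WHEN: Sat Aug 01 20:36:48 CEST 2020
;; MSG SIZE  rcvd: 61
"""

SECOND = """\
; <<>> DiG 9.11.3-1ubuntu1.12-Ubuntu <<>> www.mikrotik.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21391
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.mikrotik.com.        IN      A

;; ANSWER SECTION:
www.mikrotik.com.       7199    IN      A       159.148.147.196

;; Query time: 2 msec
;; SERVER: 10.0.1.5#53(10.0.1.5)
;; WHEN: Sat Aug 01 20:36:49 CEST 2020
;; MSG SIZE  rcvd: 61
"""

ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\w+)\s+(\S+)$")


def parse_dig(output):
    """Pull the answer records, server, query time and timestamp out of dig output."""
    info = {"answers": [], "server": None, "query_time_ms": None, "when": None}
    in_answer = False
    for line in output.splitlines():
        line = line.strip()
        if not line:
            in_answer = False                    # a blank line closes a section
        elif line.startswith(";"):
            if line.endswith("SECTION:"):
                in_answer = line.startswith(";; ANSWER")
            elif line.startswith(";; Query time:"):
                info["query_time_ms"] = int(re.search(r"(\d+) msec", line).group(1))
            elif line.startswith(";; SERVER:"):
                info["server"] = line.split(":", 1)[1].strip()
            elif line.startswith(";; WHEN:"):
                parts = line.split(":", 1)[1].split()
                del parts[4]                     # drop the zone name (CEST, CDT, BST)
                info["when"] = datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y")
        elif in_answer:
            m = ANSWER_RE.match(line)
            if m:
                info["answers"].append({"name": m.group(1), "ttl": int(m.group(2)),
                                        "type": m.group(3), "rdata": m.group(4)})
    return info


def compare(first, second, tolerance_s=1):
    """Classify the second response relative to the first. A cache hit decrements
    the TTL by roughly the elapsed wall time; a fresh upstream fetch resets it."""
    a, b = first["answers"][0], second["answers"][0]
    elapsed = (second["when"] - first["when"]).total_seconds()
    drop = a["ttl"] - b["ttl"]
    if drop >= 0 and abs(drop - elapsed) <= tolerance_s:
        verdict = "cached"                       # same answer, TTL counting down
    elif drop < 0 or drop < elapsed - tolerance_s:
        verdict = "refetched"                    # TTL reset: upstream answered again
    else:
        verdict = "unclear"                      # e.g. clock skew between the runs
    return {"elapsed_s": elapsed, "ttl_drop": drop, "verdict": verdict,
            "query_time_ms": [first["query_time_ms"], second["query_time_ms"]]}


if __name__ == "__main__":
    print(compare(parse_dig(FIRST), parse_dig(SECOND)))
```

On the posted pair the verdict is `cached`: one second elapsed, the TTL fell by one, and the query time dropped from 212 ms to 2 ms. A single dig output cannot say whether 7093 or 6992 is a full TTL or a partly aged one; only a second query, or the authoritative server's own value, settles that.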