Excessive amount of DNS queries from client localhost for domain enp2s0

hgrant · November 10, 2023, 10:07am

Expected Behaviour:

No queries from client 'localhost' for domain 'enp2s0' in the given scenario.

Actual Behaviour:

Been running a pi-hole / dnscrypt-proxy combo in Linux (Pop OS) on a Linux / Windows 11 dual boot box for about a week now, and noticed the following behavior once the connection to the Internet is lost (router down for example).
In that scenario, DNS queries like the following are constantly taking place at an excessive rate (~ 9.500/hr), being logged as follows:

Time					Type	Domain	Client		Status					Reply
2023-11-10 01:40:00 	AAAA	enp2s0	localhost	OK (cache)	INSECURE	NXDOMAIN (0.1ms)
2023-11-10 01:40:00 	A		enp2s0	localhost	OK (cache)	INSECURE	NXDOMAIN (0.1ms)
2023-11-10 01:40:00 	AAAA	enp2s0	localhost	OK (cache)	INSECURE	NXDOMAIN (0.0ms)
2023-11-10 01:40:00 	A		enp2s0	localhost	OK (cache)	INSECURE	NXDOMAIN (0.1ms)
2023-11-10 01:40:00 	AAAA	enp2s0	localhost	OK (cache)	INSECURE	NXDOMAIN (0.1ms)
2023-11-10 01:40:00 	A		enp2s0	localhost	OK (cache)	INSECURE	NXDOMAIN (0.1ms)

'enp2s0' being the primary (and only enabled) network interface.

In pihole.log it looks like this:

Nov 10 01:40:00 dnsmasq[12158]: query[AAAA] enp2s0 from 127.0.0.1
Nov 10 01:40:00 dnsmasq[12158]: config enp2s0 is NXDOMAIN
Nov 10 01:40:00 dnsmasq[12158]: query[A] enp2s0 from 127.0.0.1
Nov 10 01:40:00 dnsmasq[12158]: config enp2s0 is NXDOMAIN
Nov 10 01:40:00 dnsmasq[12158]: query[AAAA] enp2s0 from 127.0.0.1
Nov 10 01:40:00 dnsmasq[12158]: config enp2s0 is NXDOMAIN
Nov 10 01:40:00 dnsmasq[12158]: query[A] enp2s0 from 127.0.0.1
Nov 10 01:40:00 dnsmasq[12158]: config enp2s0 is NXDOMAIN
Nov 10 01:40:00 dnsmasq[12158]: query[AAAA] enp2s0 from 127.0.0.1
Nov 10 01:40:00 dnsmasq[12158]: config enp2s0 is NXDOMAIN
Nov 10 01:40:00 dnsmasq[12158]: query[A] enp2s0 from 127.0.0.1
Nov 10 01:40:00 dnsmasq[12158]: config enp2s0 is NXDOMAIN

So my questions are:
Why does it do that (trying to resolve the NIC's name as a domain?!), and how to prevent it?
The pi-hole is almost flooded by those queries, sporadically a diagnostic message is being recorded stating just that.

Remarks:

Apart from this issue, the pi-hole is just running fine as far as I can tell - no problems at all.
Once the Internet connection is back up again, the problem immediately goes away.
I'm alternatively running another pi-hole / dnscrypt-proxy on the same machine in a Docker container under Windows 11 (utilizing the Windows Subsystem for Linux) with a very similar configuration, which doesn't exhibit this behavior at all.

Debug Token:

https://tricorder.pi-hole.net/TwfS4Jl5/

jfb · November 10, 2023, 4:01pm

*** [ DIAGNOSING ]: Operating system
[✗] Distro:  Pop
[✓] dig return code: 0
[i] dig response: "Raspbian=10,11,12 Ubuntu=20,22,23 Debian=10,11,12 Fedora=36,37,38 CentOS=8,9"
[✗] Error: Pop is not a supported distro (https://docs.pi-hole.net/main/prerequisites/)

What is the output of the following from the OS terminal:

cat /etc/os-release

As you noted, the queries are looking for the IP of your ethernet interface name. Your interface is:

enp2s0 (192.168.0.2)

*** [ DIAGNOSING ]: Setup variables
    PIHOLE_INTERFACE=enp2s0

Any queries from the loopback could be from Pi-hole itself, or from any other apps or software running on the Pi-hole host OS.

Have you looked at all the software running on the host OS?

Another option you have - map this interface name to an IP in a hosts file on the Pi-hole OS. Then, Pi-hole will be able to provide and answer and this may silence the repeated queries.

You can do this with the Pi-hole Local DNS option (on the web admin GUI) or in /etc/hosts on the host OS.

buntspexxt · November 10, 2023, 4:07pm

Just found this for pop:

hgrant · November 10, 2023, 4:42pm

Thanks for your reply.

cat /etc/os-release returns:

NAME="Pop!_OS"
VERSION="22.04 LTS"
ID=pop
ID_LIKE="ubuntu debian"
PRETTY_NAME="Pop!_OS 22.04 LTS"
VERSION_ID="22.04"
HOME_URL="https://pop.system76.com"
SUPPORT_URL="https://support.system76.com"
BUG_REPORT_URL="GitHub · Where software is built"
PRIVACY_POLICY_URL="Privacy"
VERSION_CODENAME=jammy
UBUNTU_CODENAME=jammy
LOGO=distributor-logo-pop-os

which to my knowledge is the most recent version.

I'll give the hosts file modification a try, let's see what it does.

The interesting thing about this issue is that it only happens when there's no Internet access from that host.

hgrant · November 13, 2023, 8:23am

Alright, the hosts entry did the trick.
Question of what is causing these queries remains of course, but for now I don't care ...

Case closed.

system · December 4, 2023, 6:27pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.