High numbers of Queries

Hi There,

I have two domains coming back over and over again, every second or more: SmartThings (probably because of my Homebridge server) and Netgear (one AP).

I'm wondering, should I do something about it, like adding a permanent redirection to the current IP? (Hoping that they are not going to change their IP anytime soon.)

Also, I'm wondering, can you increase the DNS cache? I think I read somewhere on the forum that it was at the max setting already, but just asking.

2017-01-28T23:25:35 A graph.api.smartthings.com localhost(127.0.0.1) OK Blacklist
2017-01-28T23:25:35 AAAA graph.api.smartthings.com localhost(127.0.0.1) OK Blacklist
2017-01-28T23:25:33 A graph.api.smartthings.com localhost(127.0.0.1) OK Blacklist
2017-01-28T23:25:33 AAAA graph.api.smartthings.com localhost(127.0.0.1) OK Blacklist
2017-01-28T23:25:32 A graph.api.smartthings.com localhost(127.0.0.1) OK Blacklist
2017-01-28T23:25:32 AAAA graph.api.smartthings.com localhost(127.0.0.1) OK Blacklist
2017-01-28T23:25:31 A www.netgear.com 10.0.0.1 OK Blacklist
2017-01-28T23:25:31 A graph.api.smartthings.com localhost(127.0.0.1) OK Blacklist
2017-01-28T23:25:31 AAAA graph.api.smartthings.com localhost(127.0.0.1) OK Blacklist
2017-01-28T23:25:30 A graph.api.smartthings.com localhost(127.0.0.1) OK Blacklist
2017-01-28T23:25:30 AAAA graph.api.smartthings.com localhost(127.0.0.1) OK Blacklist
2017-01-28T23:25:29 A graph.api.smartthings.com localhost(127.0.0.1) OK Blacklist
2017-01-28T23:25:29 AAAA graph.api.smartthings.com localhost(127.0.0.1) OK Blacklist
2017-01-28T23:25:28 A graph.api.smartthings.com localhost(127.0.0.1) OK Blacklist
2017-01-28T23:25:28 AAAA graph.api.smartthings.com localhost(127.0.0.1) OK Blacklist
2017-01-28T23:25:27 A graph.api.smartthings.com localhost(127.0.0.1) OK Blacklist
2017-01-28T23:25:27 AAAA graph.api.smartthings.com localhost(127.0.0.1) OK Blacklist
2017-01-28T23:25:26 A graph.api.smartthings.com localhost(127.0.0.1) OK Blacklist
2017-01-28T23:25:26 AAAA graph.api.smartthings.com localhost(127.0.0.1) OK Blacklist
2017-01-28T23:25:25 A graph.api.smartthings.com localhost(127.0.0.1) OK Blacklist
2017-01-28T23:25:25 AAAA graph.api.smartthings.com localhost(127.0.0.1) OK Blacklist
2017-01-28T23:25:24 A www.netgear.com 10.0.0.1 OK Blacklist
2017-01-28T23:25:24 A graph.api.smartthings.com localhost(127.0.0.1) OK Blacklist
2017-01-28T23:25:24 AAAA graph.api.smartthings.com localhost(127.0.0.1) OK Blacklist
2017-01-28T23:25:23 A graph.api.smartthings.com localhost(127.0.0.1) OK Blacklist
2017-01-28T23:25:23 AAAA graph.api.smartthings.com localhost(127.0.0.1) OK Blacklist
2017-01-28T23:25:22 A graph.api.smartthings.com localhost(127.0.0.1) OK Blacklist
2017-01-28T23:25:22 AAAA graph.api.smartthings.com localhost(127.0.0.1) OK Blacklist
2017-01-28T23:25:21 A graph.api.smartthings.com localhost(127.0.0.1) OK Blacklist
2017-01-28T23:25:21 AAAA graph.api.smartthings.com localhost(127.0.0.1) OK Blacklist
2017-01-28T23:25:20 A graph.api.smartthings.com localhost(127.0.0.1) OK Blacklist
2017-01-28T23:25:20 AAAA graph.api.smartthings.com localhost(127.0.0.1) OK Blacklist
2017-01-28T23:25:20 AAAA cl3.apple.com 10.0.0.1 OK Blacklist
2017-01-28T23:25:19 A graph.api.smartthings.com localhost(127.0.0.1) OK Blacklist
2017-01-28T23:25:19 AAAA graph.api.smartthings.com localhost(127.0.0.1) OK Blacklist
2017-01-28T23:25:18 A www.netgear.com 10.0.0.1 OK

What is that log from? (something you made?)

If you can change their DNS settings, you can make them use something like 8.8.8.8 instead of Pi-hole. If you can't, then if it's not bothering you, you can leave them be. You can also whitelist that domain if you don't want it inflating your blocked stats (though then it might deflate the blocked stats).

Why do you want to increase the DNS cache? Realistically it would not make a difference by raising it, unless you have a very special situation and know what you're doing.

It's not uncommon for IoT devices to call home, but that does seem like an excessive amount. Do the queries happen when interacting with the homebridge server (I'm not too familiar with it) or are they happening all the time?

We already set the cache to the maximum that dnsmasq allows, which is 10,000. Your browser and OS may also cache entries, but Pi-hole is currently set to the max that is capable with this resolver.

@Mcat12 I think this is Ctrl+A, Ctrl+C on the Query Log page (the Blacklist text is the button).

What bothers me here is that the source of these queries seems to be localhost(127.0.0.1), i.e. the device on which you are running the Pi-hole is requesting this domain, not some other device.

Have you installed any other software on this device?
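A way to quantify what the query log above shows, as an added example that is not part of the original thread: it parses the copied Query Log text, groups queries by client and domain, and reports the pairs that exceed a rate threshold, separating out those that originate from the Pi-hole host itself. The function names and the thresholds (`min_queries`, `min_rate`) are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Excerpt of the query log posted above. The trailing "Blacklist" is the
# Query Log page's button label picked up by copy/paste, not log data.
SAMPLE = """\
2017-01-28T23:25:21 A graph.api.smartthings.com localhost(127.0.0.1) OK Blacklist
2017-01-28T23:25:21 AAAA graph.api.smartthings.com localhost(127.0.0.1) OK Blacklist
2017-01-28T23:25:20 A graph.api.smartthings.com localhost(127.0.0.1) OK Blacklist
2017-01-28T23:25:20 AAAA graph.api.smartthings.com localhost(127.0.0.1) OK Blacklist
2017-01-28T23:25:20 AAAA cl3.apple.com 10.0.0.1 OK Blacklist
2017-01-28T23:25:19 A graph.api.smartthings.com localhost(127.0.0.1) OK Blacklist
2017-01-28T23:25:19 AAAA graph.api.smartthings.com localhost(127.0.0.1) OK Blacklist
2017-01-28T23:25:18 A www.netgear.com 10.0.0.1 OK
"""
LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
CLIENT_IP = re.compile(r"\(([^)]+)\)$")   # "localhost(127.0.0.1)" -> 127.0.0.1

def parse(text):
    """Yield (timestamp, qtype, domain, client_ip) per well-formed log line."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, qtype, domain, client = m.groups()
        try:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            continue                      # page text that is not a log row
        ip = CLIENT_IP.search(client)
        yield when, qtype, domain.lower(), ip.group(1) if ip else client

def chatty(text, min_queries=4, min_rate=1.0):
    """Return (client, domain, count, queries_per_sec) for noisy pairs."""
    seen = defaultdict(list)
    for when, _qtype, domain, client in parse(text):
        seen[(client, domain)].append(when)
    rows = []
    for (client, domain), times in seen.items():
        span = (max(times) - min(times)).total_seconds() + 1  # inclusive
        rate = len(times) / span
        if len(times) >= min_queries and rate >= min_rate:
            rows.append((client, domain, len(times), round(rate, 2)))
    return sorted(rows, key=lambda r: -r[2])

def from_pihole_host(rows):
    """Keep pairs whose client is loopback, i.e. software on the Pi-hole box."""
    return [r for r in rows if r[0] in ("127.0.0.1", "::1")]
```

Calling `from_pihole_host(chatty(text))` on a pasted log narrows the output to domains being requested by software running on the Pi-hole machine.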

Thank you for the reply. Basically, Homebridge is on the same device as the Pi-hole, and it probes all the house sensors locally and sends the data to the SmartThings cloud. I guess this is not a big deal anyway.

So I set up a fresh Debian droplet on DigitalOcean and I have a China IP domain with a ton of localhost(127.0.0.1) queries. Nothing was installed on this machine other than DO's initial Debian package, Pi-hole & fail2ban. I have UFW blocking all except SSH because I use public key, disallow root, etc. and no login, so really not concerned there.

XXSOME.IP.XX.broad.xy.jx.dynamic.163data.com.cn

Searching online shows this to be an SSH brute force. Turning on UFW to only allow my IPs, then this goes away. Also, blocking it in Pi-hole with a wildcard does seem to pi-hole it too. Does something on the SSH UseDNS side of things route this to localhost? I'm not that knowledgeable on it but thought I'd let others know that something external is calling localhost and not something internal.

Yes, SSH often will do reverse lookups unless disabled; sometimes that shows up in the auth.log (or journal if you are using systemd).

Give that linked solution a try, you'll still log the attempts by IP for F2B, but it will cut down on the log spam.