Hourly spike in .addr.arpa queries resulting in rate limiting

Help
1

Please follow the below template, it will help us to help you!

If you are Experiencing issues with a Pi-hole install that has non-standard elements (e.g you are using nginx, apache2 or another reverse proxy, or there is some other aspect of your install that is customised) - please use the Community Help category.

Expected Behaviour:

No hourly spikes in queries from router, no rate limited warnings.

Actual Behaviour:

Every hour i get hundreds of queries from the router (192.168.4.1) in the form:

Jun 9 00:33:46 dnsmasq[201]: config 192.168.7.15 is NXDOMAIN
Jun 9 00:33:46 dnsmasq[201]: query xx.x.xxx.xxx.in-addr.arpa from 192.168.4.1
Jun 9 00:33:46 dnsmasq[201]: config 192.168.7.16 is NXDOMAIN
Jun 9 00:33:46 dnsmasq[201]: query xx.x.xxx.xxx.in-addr.arpa from 192.168.4.1
Jun 9 00:33:46 dnsmasq[201]: config 192.168.7.17 is NXDOMAIN
Jun 9 00:33:46 dnsmasq[201]: query xx.x.xxx.xxx.in-addr.arpa from 192.168.4.1
Jun 9 00:33:46 dnsmasq[201]: config 192.168.7.18 is NXDOMAIN
Jun 9 00:33:46 dnsmasq[201]: query xx.x.xxx.xxx.in-addr.arpa from 192.168.4.1
Jun 9 00:33:46 dnsmasq[201]: config 192.168.7.19 is NXDOMAIN
Jun 9 00:33:46 dnsmasq[201]: query xx.x.xxx.xxx.in-addr.arpa from 192.168.4.1

This then generates a rate limited warning. I am unsure if this is normal behavior but assume not due to the hourly warning in pihole.

Based on what I have read from the forums this may be behavior related to identifying client names but I thought that would only happen if conditional forwarding was enabled?

Debug Token:

https://tricorder.pi-hole.net/8jR0wxV7/

Notes: Very sorry if I have posted in the wrong spot or have duplicated. I have searched and found some relevant posts but was unable to solve my issue. In most I found the fix was to disable conditional forwarding but in my case it is not enabled (i think) - that section is default from install.

I am using nginx as a reverse proxy but tested with it disabled so I don't think it is relevant to my issue.

I have limited options in my eero router settings but have configured the DNS server in the eero to point at the pihole address and it does appear to work. Adds are blocked on all devices. Is it possible I have generated a partial DNS loop?

2

Those reverse lookups seem to be in a systematic ascending order, which may hint at a process probing for all IPs in your network.
Would you run any monitoring software in your network?

Your debug log shows your router's DHCP server to operate on an (unusual) 192.168.4.0/22 network, and it is distributing two DNS servers from that range:

*** [ DIAGNOSING ]: Discovering active DHCP servers (takes 6 seconds)
   Scanning all your interfaces for DHCP servers and IPv6 routers
   
   * Received 303 bytes from 192.168.4.1 @ eth0
     Offered IP address: 192.168.6.22
     DHCP options:
      Message type: DHCPOFFER (2)
      netmask: 255.255.252.0
      router: 192.168.4.1
      dns-server: 192.168.6.22
      dns-server: 192.168.5.164
      broadcast: 192.168.7.255
      ntp-server: 192.168.4.1
         --- end of options ---

192.168.6.22 is your Pi-hole machine.
What DNS server is running on 192.168.5.164?
Could that be issuing those reverse lookups?

3

Hi and thankyou very much for the response. A great pickup and something I really should have put in my original post sorry. That is a second pihole running as a backup on a raspberry pi. I did experience the same symptoms with that one disconnected so I had ruled it out but sorry, should have included that info.

Regarding the odd range, that was the default on my eero routers but agree it is unusual.

I don't have any network monitoring software running but maybe this is something these routers do hourly?

4

Worked out the culprit! Home assistant is the source of these frequent queries. Bucking_Horn was correct and looks like it's some kind of scanning/device discover thing HA is doing.