How to exclude zabbix from query logs?

The issue I am facing:
The virtual machine stops working and when it works properly I have no way to view historical queries. Look at the 24h screen below, see how many log pages are created on Sunday only.

Details about my system:
I am having major problems with my pihole server. I use it as a DHCP and DNS distributor on a network of about 200 hosts. We also have Zabbix configured to monitor the servers and hosts. Unfortunately, for some time now my pihole has been dying, no matter the hardware resources (Xeon Gold too). I have the latest pihole on Debian 12.

What I have changed since installing Pi-hole:
The problem looks like the graph below, suddenly everything stops working. I noticed that my network generates a very high number of queries between zabbix. The screen below is only from Sunday when our company is not working. Does anyone have any idea how to eliminate zabbix from the logs so that it doesn't overload the query logs etc.?

You cannot completely remove zabbix from the logs, but you do have the option of removing the domain from the "top" lists. That may clean up your main dashboard a bit, but it won't solve your problem.

What is the output of the following commands from the Pi terminal?

echo ">stats >quit" | nc localhost 4711

echo ">top-clients >quit" | nc localhost 4711

echo ">top-domains >quit" | nc localhost 4711

echo ">top-ads >quit" | nc localhost 4711

There is no problem with top domains etc. I have of course added this domain in the API settings.
The problem is poor query log support to find etc. for more than yesterday.

We understand that.

For additional advice, please provide the output for the above commands as requested.

**root@hole:~# echo ">stats >quit" | nc localhost 4711**
domains_being_blocked 157605
dns_queries_today 1506084
ads_blocked_today 2179
ads_percentage_today 0.144680
unique_domains 20104
queries_forwarded 206566
queries_cached 1291206
clients_ever_seen 102
unique_clients 99
dns_queries_all_types 1506084
reply_UNKNOWN 11517
reply_NODATA 129024
reply_NXDOMAIN 47791
reply_CNAME 141937
reply_IP 1156247
reply_DOMAIN 6982
reply_RRNAME 180
reply_SERVFAIL 8
reply_REFUSED 0
reply_NOTIMP 0
reply_OTHER 0
reply_DNSSEC 2404
reply_NONE 0
reply_BLOB 9994
dns_queries_all_replies 1506084
privacy_level 0
status enabled

**root@hole:~# echo ">top-clients >quit" | nc localhost 4711**
0 92007 192.168.1.145 D85.local.contos.pl
1 86960 192.168.1.161 D111.local.contos.pl
2 78478 192.168.1.192 D84.local.contos.pl
3 70729 192.168.1.143 D93.local.contos.pl
4 67689 192.168.1.116 D53.local.contos.pl
5 67277 192.168.1.195 A58.local.contos.pl
6 45559 192.168.1.187 cs92-prod.local.contos.pl
7 43814 192.168.1.184 D108.local.contos.pl
8 41721 192.168.1.103 polar-cd102-prod.local.contos.pl
9 40286 192.168.1.146 D90.local.contos.pl

**root@hole:~# echo ">top-domains >quit" | nc localhost 4711**
0 116766 dns-master.local.contos.pl
1 52204 d87.local.contos.pl
2 16076 rebackup.local.contos.pl
3 9033 npi640709.local.contos.pl
4 8468 32.1.168.192.in-addr.arpa
5 8153 outlook.office.com
6 7988 npidcf762.local.contos.pl
7 5988 27.1.168.192.in-addr.arpa
8 5926 d111.local.contos.pl
9 5645 www.google.com

**root@hole:~# echo ">top-ads >quit" | nc localhost 4711**
0 344 csr.onet.pl
1 239 ls.hit.gemius.pl
2 213 delivery.clickonometrics.pl
3 209 gapl.hit.gemius.pl
4 179 wp.hit.gemius.pl
5 128 mask.icloud.com
6 116 onet.hit.gemius.pl
7 115 hub.com.pl
8 110 interia.hit.gemius.pl
9 98 gde-default.hit.gemius.pl

Sometimes, Pi-hole may prompt a client to excessively repeat DNS requests for a domain that's on one of its configured blocklists.
Your top-ads count is pretty low in comparison to your day's total, so we can rule this out.

I had presumed Zabbix to be some kind of monitoring component installed on a single central machine.

However, your API output suggests that there are quite a few clients responsible for the vast majority of DNS requests - those top ten amount to ~630k of your roughly 1.5 million requests for the last 24 hours.

Why are there so many clients requesting those names?
Would that be normal for Zabbix?

Also, what's your local/search domain?

And what's the output of

dig dns-master.local.contos.pl

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.
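
The share-of-traffic reasoning in the thread (top ten clients versus the day's total) can be reproduced from the pasted `>stats` and `>top-clients` output. This is an added example, not code from the thread or from the Pi-hole project; the input lines are copied from the output posted above, and the function names are hypothetical.

```python
# Added example: summarise Pi-hole FTL telnet API output (port 4711).
# Sample input is copied from the output posted in the thread above.
STATS = """\
dns_queries_today 1506084
queries_forwarded 206566
queries_cached 1291206
"""

TOP_CLIENTS = """\
0 92007 192.168.1.145 D85.local.contos.pl
1 86960 192.168.1.161 D111.local.contos.pl
2 78478 192.168.1.192 D84.local.contos.pl
3 70729 192.168.1.143 D93.local.contos.pl
4 67689 192.168.1.116 D53.local.contos.pl
5 67277 192.168.1.195 A58.local.contos.pl
6 45559 192.168.1.187 cs92-prod.local.contos.pl
7 43814 192.168.1.184 D108.local.contos.pl
8 41721 192.168.1.103 polar-cd102-prod.local.contos.pl
9 40286 192.168.1.146 D90.local.contos.pl
"""

def parse_stats(text):
    """Return {key: value} from '>stats' lines of the form 'key value'."""
    pairs = (line.split() for line in text.splitlines())
    return {p[0]: p[1] for p in pairs if len(p) == 2}

def parse_top_clients(text):
    """Return [(count, ip, name)] from lines of the form 'rank count ip [name]'."""
    rows = []
    for line in text.splitlines():
        p = line.split()
        if len(p) >= 3 and p[0].isdigit() and p[1].isdigit():
            rows.append((int(p[1]), p[2], p[3] if len(p) > 3 else ""))
    return rows

def summarize(stats_text, clients_text):
    """Compute how much of the day's queries the listed clients account for."""
    stats = parse_stats(stats_text)
    total = int(stats["dns_queries_today"])
    clients = parse_top_clients(clients_text)
    top_sum = sum(count for count, _, _ in clients)
    return {
        "total": total,
        "top_sum": top_sum,
        "top_share_pct": round(100 * top_sum / total, 1),
        "cached_pct": round(100 * int(stats["queries_cached"]) / total, 1),
        "per_client_pct": [(ip, round(100 * c / total, 1)) for c, ip, _ in clients],
    }

if __name__ == "__main__":
    for key, value in summarize(STATS, TOP_CLIENTS).items():
        print(key, value)
```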