How to stop all of the PTR queries

Expected Behaviour:

A small number of PTR requests

Actual Behaviour:

A large amount of PTR requests coming from two Windows 10 machines

Debug Token:

https://tricorder.pi-hole.net/zm12y2gfpx

I have two machines on my home network running Windows 10. Neither one has Bonjour installed, but they are both sending out hundreds of PTR queries per hour. Nothing else on my network is doing this, only the Windows 10 PCs. Do you know how I can stop this from happening? I flushed my logs a few hours ago, so the debug file won't show all of the requests over the past 24 hours.

What else should I be looking for to keep this from happening? It's annoying and really increasing the load.

Not all PTR requests are for DNS Service Discovery (DNS-SD) which is the protocol used by Bonjour.

What are some examples of the PTR requests from the WIN 10 machines from the Pi-Hole log located at /var/log/pihole.log?

From your debug log, if you are excluding these in response to what you are seeing, these are not DNS-SD requests:

API_EXCLUDE_DOMAINS=1.1.168.192.in-addr.arpa,98.1.168.192.in-addr.arpa,99.1.168.192.in-addr.arpa,197.1.168.192.in-addr.arpa,190.1.168.192.in-addr.arpa,15.1.168.192.in-addr.arpa,138.1.168.192.in-addr.arpa

You have the option of configuring your Pi-Hole to not analyze PTR requests (they won't show in the logs, but will still be occurring on the network).

ANALYZE_ONLY_A_AND_AAAA=true

Thanks.

Here is a small snippet of the requests from one of the Windows 10 machines. You can see the frequency at which it is happening.

Here is a small snippet from the log file. Something doesn't appear to be playing nice, but I can't nail down what it is. 40% of my queries are PTR queries all coming from 2 clients on a 32 client network.

The IPs that are being looked up most frequently are:
192.168.1.1 - this is my main router. Netgear R6400
192.168.1.99 - old Linksys router being used as an access point
192.168.1.98 - old Linksys router being used as an access point

Perhaps I should reserve the IPs for these routers and give them a client name...?

Add

ANALYZE_ONLY_A_AND_AAAA=true

to your pihole-FTL.conf

These are not DNS-SD requests. They are routine PTR - a client asking for the name of the client at the referenced IP.

Since the traffic is uniquely from your two WIN10 clients, I would look on some WIN10 forums for some insight on the elevated traffic volume. Even if you don't display this traffic in your Pi-Hole, it will still exist on your network and it appears that your goal is to reduce the traffic.
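
As an added example (not part of any post in this thread, and not Pi-hole's own code): a short Python script that tallies PTR queries in a pihole.log by requesting client and by looked-up address, and separates plain reverse lookups from other PTR names such as DNS-SD. The log lines and the client addresses .20, .50 and .51 are constructed sample data, and the line format is assumed to be the dnsmasq `query[TYPE] name from client` form.

```python
import re
from collections import Counter

# Constructed sample in the dnsmasq format Pi-hole writes to /var/log/pihole.log.
# The client addresses .20, .50 and .51 are made up for this example.
SAMPLE_LOG = """\
Mar  3 10:15:01 dnsmasq[812]: query[PTR] 1.1.168.192.in-addr.arpa from 192.168.1.50
Mar  3 10:15:01 dnsmasq[812]: query[PTR] 99.1.168.192.in-addr.arpa from 192.168.1.50
Mar  3 10:15:02 dnsmasq[812]: query[PTR] 98.1.168.192.in-addr.arpa from 192.168.1.51
Mar  3 10:15:02 dnsmasq[812]: query[PTR] 1.1.168.192.in-addr.arpa from 192.168.1.51
Mar  3 10:15:03 dnsmasq[812]: query[A] example.com from 192.168.1.20
Mar  3 10:15:03 dnsmasq[812]: forwarded example.com to 8.8.8.8
Mar  3 10:15:04 dnsmasq[812]: query[PTR] lb._dns-sd._udp.0.1.168.192.in-addr.arpa from 192.168.1.20
Mar  3 10:15:05 dnsmasq[812]: query[AAAA] example.com from 192.168.1.50
Mar  3 10:15:06 dnsmasq[812]: query[PTR] 1.1.168.192.in-addr.arpa from 192.168.1.50
"""

QUERY_RE = re.compile(r"query\[([^\]]+)\] (\S+) from (\S+)\s*$")
REVERSE_V4_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$", re.I)

def ptr_target(name):
    """Return the IPv4 address a reverse name asks about, or None (e.g. DNS-SD names)."""
    m = REVERSE_V4_RE.match(name)
    return ".".join(reversed(m.groups())) if m else None

def summarize(lines):
    """Count PTR queries per client and per looked-up address."""
    total = 0
    by_client, by_target, non_reverse = Counter(), Counter(), Counter()
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # skip forwarded/reply/cached lines
        total += 1
        qtype, name, client = m.groups()
        if qtype != "PTR":
            continue
        by_client[client] += 1
        target = ptr_target(name)
        (by_target if target else non_reverse)[target or name] += 1
    ptr = sum(by_client.values())
    return {"total": total, "ptr": ptr, "ptr_share": ptr / total if total else 0.0,
            "by_client": by_client, "by_target": by_target, "non_reverse": non_reverse}

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    print(report["ptr"], "of", report["total"], "queries are PTR:", dict(report["by_client"]))
```

To run it on a real log, pass `open("/var/log/pihole.log")` to `summarize` instead of the sample lines.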

I will look around and see what I can find. If I find anything, I will report back here. 40% of the total queries shouldn't be coming from 2 machines. I know it's not a pi-hole issue, but I figured someone here would have some insight.

Thanks!
