Huge /var/log/daemon.log

I would disable this, and see if the PTR traffic volume is reduced.

Sorry for not replying sooner but I experienced an Internet outage last night until early this morning.

@McKenna_Jones, I don't see anything wrong with netstat.
Pi-hole (with PID=680) is for DNS listening on default ports 53 UDP/TCP for IPv4 & IPv6 as it should.
And 4711 TCP for the API.
I don't see other DNS daemons that could write to said logs.

@MVRLogins, something weird is going on with your setup.
The pihole-FTL binary, with PID=683, is, in addition to the default ports, also listening on IPv4 ports 47383, 9016 and 28481 UDP.
And the last one, 28481, twice.
Any idea why?
And the numbers in the Recv-Q column for the netstat output not being zero also is not a good sign:

pi@noads:~ $ man netstat
[..]
   Recv-Q
       Established:  The count of bytes not copied by the user program
       connected to this socket.  Listening: Since Kernel 2.6.18  this
       column contains the current syn backlog.

@ both, at first I thought it might be that you had pihole-FTL and dnsmasq running alongside each other somehow and writing to different logs, but it appears not.
I would check for rogue config files that might hold directives to write to the daemon log:

sudo grep -v '#\|^$' -R /etc/dnsmasq.* | sort

And always take note which PID in the logs is writing what:

pi@noads:~ $ pidof pihole-FTL
12770

pi@noads:~ $ ps 12770
  PID TTY      STAT   TIME COMMAND
12770 ?        Sl    52:05 /usr/bin/pihole-FTL

pi@noads:~ $ ps -eo pid,command
  PID COMMAND
[..]
12764 (sd-pam)
12770 /usr/bin/pihole-FTL
27990 [kworker/u2:0-ev]
[..]

Oh, P.S., below is an example from my setup:

pi@noads:~ $ sudo grep -v '#\|^$' -R /etc/dnsmasq.* | sort
/etc/dnsmasq.conf:conf-dir=/etc/dnsmasq.d
/etc/dnsmasq.conf.dpkg-old:conf-dir=/etc/dnsmasq.d
/etc/dnsmasq.conf.old:conf-dir=/etc/dnsmasq.d
/etc/dnsmasq.d/01-pihole.conf:addn-hosts=/etc/pihole/black.list
/etc/dnsmasq.d/01-pihole.conf:addn-hosts=/etc/pihole/gravity.list
/etc/dnsmasq.d/01-pihole.conf:addn-hosts=/etc/pihole/local.list
/etc/dnsmasq.d/01-pihole.conf:bogus-priv
/etc/dnsmasq.d/01-pihole.conf:cache-size=10000
/etc/dnsmasq.d/01-pihole.conf:dhcp-ignore-names=tag:wpad-ignore
/etc/dnsmasq.d/01-pihole.conf:dhcp-name-match=set:wpad-ignore,wpad
/etc/dnsmasq.d/01-pihole.conf:domain-needed
/etc/dnsmasq.d/01-pihole.conf:interface=eth0
/etc/dnsmasq.d/01-pihole.conf:localise-queries
/etc/dnsmasq.d/01-pihole.conf:local-ttl=2
/etc/dnsmasq.d/01-pihole.conf:log-async
/etc/dnsmasq.d/01-pihole.conf:log-facility=/var/log/pihole.log
/etc/dnsmasq.d/01-pihole.conf:log-queries
/etc/dnsmasq.d/01-pihole.conf:no-resolv
/etc/dnsmasq.d/01-pihole.conf:server=149.112.112.10
/etc/dnsmasq.d/01-pihole.conf:server=9.9.9.10
/etc/dnsmasq.d/02-pihole-dhcp.conf:dhcp-authoritative
/etc/dnsmasq.d/02-pihole-dhcp.conf:dhcp-leasefile=/etc/pihole/dhcp.leases
/etc/dnsmasq.d/02-pihole-dhcp.conf:dhcp-option=option:router,10.0.0.1
/etc/dnsmasq.d/02-pihole-dhcp.conf:dhcp-range=10.0.0.11,10.0.0.254,24h
/etc/dnsmasq.d/02-pihole-dhcp.conf:domain=dehakkelaar.nl
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:dhcp-host=xxx,nas
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:dhcp-host=xxx,avr
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:dhcp-host=xxx,monmc

Thanks for the help with this @deHakkelaar

Are the server entries below correct? 10.0.1.1 is my router.
I'm running cloudflared on the same pi as pihole so shouldn't the server be 127.0.0.1? That's what I have in the settings for pihole.

And the log facility line shows the correct log file, but dnsmasq is logging to daemon.log AND syslog!

pi@PiHole:/var/log $ sudo grep -v '#\|^$' -R /etc/dnsmasq.* | sort
/etc/dnsmasq.conf:conf-dir=/etc/dnsmasq.d
/etc/dnsmasq.conf.old:conf-dir=/etc/dnsmasq.d
/etc/dnsmasq.d/01-pihole.conf:addn-hosts=/etc/pihole/black.list
/etc/dnsmasq.d/01-pihole.conf:addn-hosts=/etc/pihole/gravity.list
/etc/dnsmasq.d/01-pihole.conf:addn-hosts=/etc/pihole/local.list
/etc/dnsmasq.d/01-pihole.conf:bogus-priv
/etc/dnsmasq.d/01-pihole.conf:cache-size=10000
/etc/dnsmasq.d/01-pihole.conf:dhcp-ignore-names=tag:wpad-ignore
/etc/dnsmasq.d/01-pihole.conf:dhcp-name-match=set:wpad-ignore,wpad
/etc/dnsmasq.d/01-pihole.conf:domain-needed
/etc/dnsmasq.d/01-pihole.conf:interface=eth0
/etc/dnsmasq.d/01-pihole.conf:localise-queries
/etc/dnsmasq.d/01-pihole.conf:local-ttl=2
/etc/dnsmasq.d/01-pihole.conf:log-async
/etc/dnsmasq.d/01-pihole.conf:log-facility=/var/log/pihole.log
/etc/dnsmasq.d/01-pihole.conf:log-queries
/etc/dnsmasq.d/01-pihole.conf:no-resolv
/etc/dnsmasq.d/01-pihole.conf:server=/1.0.10.in-addr.arpa/10.0.1.1
/etc/dnsmasq.d/01-pihole.conf:server=/localdomain/10.0.1.1

I disabled conditional forwarding and the PTR traffic in the logs is gone.

Now how do I see the hostnames of the devices in the logs without conditional forwarding?

Need to see why conditional forwarding is making dnsmasq fill the logs (daemon.log, syslog and pihole.log) so quickly.

You seem to use "Conditional Forwarding" to your router.
Is below "localdomain" the same domain as configured in your router settings?

EDIT: our postings crossed :smiley:

Last desperate one for the logs, any other results besides below ones?

pi@noads:~ $ sudo grep daemon.log -R /etc
/etc/logrotate.d/rsyslog:/var/log/daemon.log
/etc/rsyslog.conf:daemon.*                      -/var/log/daemon.log

If no results, I suspect something logged via systemd, like some failure/bug/misconfiguration.
This is a long shot though!
I have no Buster to investigate and am out of ideas.

Maybe a dev can step in or someone else knows.

Try configuring a custom upstream DNS server to point to your router:

But don't use any other upstream DNS servers for Pihole!
And your router WAN DNS settings need to be defaulted to use ISP provided DNS servers.

EDIT: oh, and this one:

image

pi@PiHole:/var/log $ sudo grep daemon.log -R /etc
/etc/logrotate.d/rsyslog:/var/log/daemon.log
/etc/rsyslog.conf:daemon.* -/var/log/daemon.log
pi@PiHole:/var/log $

So the DNS traffic would now go as follows:

client -> pihole -> router -> DNS provider ?

Yup .......
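
An added example, not part of any post in this thread: one way to follow the advice above to note which PID is writing what and to measure the PTR volume in /var/log/daemon.log or /var/log/pihole.log. The function names and the sample lines are constructed for illustration; the only assumption about the log is dnsmasq's `query[TYPE] name from client` line layout.

```shell
#!/bin/sh
# Added example: who is writing to a syslog-format file, and how much is PTR?

# Constructed sample lines (rsyslog layout: date, time, host, program[PID]:).
sample_log() {
cat <<'EOF'
Mar  1 12:00:01 PiHole dnsmasq[683]: query[PTR] 5.1.0.10.in-addr.arpa from 10.0.1.1
Mar  1 12:00:01 PiHole dnsmasq[683]: forwarded 5.1.0.10.in-addr.arpa to 10.0.1.1
Mar  1 12:00:01 PiHole dnsmasq[683]: query[PTR] 5.1.0.10.in-addr.arpa from 10.0.1.1
Mar  1 12:00:02 PiHole dnsmasq[683]: query[A] example.com from 10.0.1.23
Mar  1 12:00:02 PiHole dnsmasq[683]: query[PTR] 23.1.0.10.in-addr.arpa from 127.0.0.1
Mar  1 12:00:03 PiHole cloudflared[512]: constructed non-DNS line
EOF
}

# awk helper: index of the "program[PID]:" field. It is field 5 in rsyslog
# files and field 4 in dnsmasq's own log-facility file (no hostname column).
FIND_TAG='function tagpos(  i) {
    for (i = 4; i <= 5; i++) if ($i ~ /\[[0-9]+\]:$/) return i
    return 0
}'

# Lines per program[PID], busiest first.
writers() {
    awk "$FIND_TAG"'
        { t = tagpos(); if (t) { tag = $t; sub(/:$/, "", tag); n[tag]++ } }
        END { for (k in n) print n[k], k }' | sort -k1,1nr -k2
}

# PTR queries per client and name, busiest first.
ptr_sources() {
    awk "$FIND_TAG"'
        { t = tagpos() }
        t && $(t+1) == "query[PTR]" { n[$(t+4) " " $(t+2)]++ }
        END { for (k in n) print n[k], k }' | sort -k1,1nr -k2
}

# "PTR_QUERIES ALL_QUERIES" so the PTR share of query traffic is visible.
ptr_share() {
    awk "$FIND_TAG"'
        { t = tagpos() }
        t && $(t+1) ~ /^query\[/ { all++; if ($(t+1) == "query[PTR]") ptr++ }
        END { print ptr + 0, all + 0 }'
}

# Demo on the sample; on a live system feed it e.g. < /var/log/daemon.log
sample_log | writers
sample_log | ptr_sources
sample_log | ptr_share
```

Running the three functions before and after a configuration change, such as toggling conditional forwarding, shows whether the PTR count and the writing PID actually changed.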
