In-addr.arpa Connected to Random Pi-hole--Bug, or did I miss something?

New to Pi-hole, so my apologies if I’m misunderstanding some behavior here.
Been having some internet issues the past day or so, and started digging through Query Logs out of curiosity. Sorry this request doesn’t exactly fit in your Expected/Actual Behaviour model.

Expected Behaviour:

I guess I expected to not land on a random Pi-hole Admin Console while searching in Google for reverse DNS Lookup IPs found in my Pi-hole logs.

Actual Behaviour:

I was looking through my Pi-hole Query logs when I came across a bunch of reverse DNS lookups from localhost. All the IPs ended in .in-addr.arpa, and stood out as either sequential or similar in structure to my own home network, with the octets mixed around. Since I recognized some as DNS IPs (9.9.9.9.in-addr.arpa), I tried to Google one of the other sequential IPs to figure out if it was another DNS server. Searched for “112.112.112.149.in-addr.arpa pi-hole” and one of the search results took me to the pi-hole admin console here: http://213.93.48.56/admin/
I landed on a random Pi-hole web Admin Console that is not my own, but I seem to be able to click around and mess with anything I want without logging in (there’s no “logout” option).
The IP resolves to a RIPE.net, but searching their site, it looks to be an IP in a range owned by an ISP in the Netherlands called Chello.
It appears that if I wanted to, I could click any of the “Danger Zone” buttons.

Debug Token:

I ran the Debug tool on both my Pi-hole, and the one I connected to, but both failed to upload and neither gave me a token, unless I’m missing it.

Whoever put that instance on the internet is breaking just about every single piece of advice and guidance of the Pi-hole team.

As for why you are seeing them, either you have your Pi-hole instance open to the world and people off your network are using it or you have a client on your network requesting it.

Note that 149.112.112.112 is a Quad9 DNS Server so seeing ARPA for 112.112.112.149.in-addr.arpa may happen if you use Quad9 as your upstream.
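The two cases named in the reply above (reverse lookups requested by clients off your network versus by a local client or the Pi-hole itself) can be told apart from the query log. The following is an added example, not part of the thread and not Pi-hole's own code; it assumes dnsmasq-style log lines, and the function names and sample lines are constructed for illustration.

```python
import ipaddress
import re

# Assumed dnsmasq-style log line: "... query[PTR] <name> from <client>"
PTR_QUERY = re.compile(r"query\[PTR\] (\S+) from (\S+)\s*$")
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "fe80::/10")]

# Constructed sample lines; 203.0.113.50 is a documentation address
SAMPLE_LOG = """\
Mar 10 12:00:01 dnsmasq[811]: query[PTR] 112.112.112.149.in-addr.arpa from 127.0.0.1
Mar 10 12:00:01 dnsmasq[811]: query[PTR] 9.9.9.9.in-addr.arpa from 127.0.0.1
Mar 10 12:00:07 dnsmasq[811]: query[A] example.com from 192.168.1.23
Mar 10 12:00:09 dnsmasq[811]: query[PTR] 1.1.168.192.in-addr.arpa from 192.168.1.23
Mar 10 12:00:15 dnsmasq[811]: query[PTR] 8.8.8.8.in-addr.arpa from 203.0.113.50
Mar 10 12:00:16 dnsmasq[811]: query[PTR] not-an-ip.in-addr.arpa from 192.168.1.23
"""

def ptr_to_ip(name):
    """Decode an in-addr.arpa name to the IPv4 address it asks about, else None."""
    labels = name.rstrip(".").lower().split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    try:
        # The octets appear in reverse order in the query name
        return ipaddress.IPv4Address(".".join(reversed(labels[:4])))
    except ipaddress.AddressValueError:
        return None

def client_scope(client):
    """Classify the requesting client as loopback, lan, external or unknown."""
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return "unknown"
    if addr.is_loopback:
        return "loopback"
    return "lan" if any(addr in net for net in LAN_NETS) else "external"

def summarize(log_text):
    """Map client scope -> decoded IPs that were reverse-resolved, in log order."""
    seen = {}
    for line in log_text.splitlines():
        m = PTR_QUERY.search(line)
        target = ptr_to_ip(m.group(2 - 1)) if m else None
        if target is not None:
            seen.setdefault(client_scope(m.group(2)), []).append(str(target))
    return seen
```

Any entry under `external` means the resolver is answering clients outside the local network; entries under `loopback` are lookups made by the Pi-hole host itself.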

Thanks for the quick response.
I was expecting that the 112.112.112.149.in-addr.arpa was Quad9 because I also saw the 9.9.9.9.in-addr.arpa, and I am using Quad9. I wasn’t expecting that the second result in my Google search would land me on somebody’s Pi-hole Admin Console.
I was worried that being logged into my Pi-hole had somehow logged me into someone else’s Pi-hole, and wanted to make sure this wasn’t some bug that needed reporting.

With that cleared up, I have one additional question as I’m looking through these logs. I’m seeing one query from localhost blocked, and exactly one query from the hostname of my Pi-hole blocked to the same domain (mobjmp.com). Is that common for the Pi-hole itself to try to reach out to a site that gets blocked? (my setup is pretty much default, as I’ve only had this up and running for a few days).

Thanks again.

This domain is blocked by gravity and (Tools/Query lists) is on Steven Black’s lists. Pi-hole will not try to connect to blocked sites. So this query should have another real source.

The debug process will send a single query for a random domain from the list of blocked domains to check if blocking is working. That is the only time Pi-hole will query for something not explicitly requested by a client.

Edit: That process should have left a local log at /var/log/pihole_debug.log
