My query log shows thousands of PTR requests a day to the same IP address ending in ".in-addr.arpa"
xx.xx.xx.in.addr.arpa (I x'd out numbers)
Is this normal? What does it mean? Should I be concerned?
It looks like it's normal, although over a thousand seems excessive. https://support.opendns.com/entries/21737244-What-is-in-addr-arpa-
I have the same issue. Reverse DNS requests are indeed normal but these are my top domains on the main page:
214.0.47.59.broad.bx.ln.dynamic.163data.com.cn Hits: 2176
214.0.47.59.in-addr.arpa Hits: 1088
31.116.31.116.in-addr.arpa Hits: 1014
The next one on the list is google with only 61 hits.
I did a search on these IP addresses and they are from "known brute force attackers".
Anything we can do about this? I know this is not a pi-hole related issue but pi-hole is making it obvious that this is happening.
I have these addresses too but mine are:
SOME IP.broad.xy.jx.dynamic.163data.com.cn
SOME IP.broad.xy.jx.dynamic.163data.com.cn
So I set up a fresh Debian droplet on DigitalOcean and I have a China IP domain with a ton of localhost (127.0.0.1) queries. Nothing was installed on this machine other than DO's initial Debian package, pi-hole & fail2ban. I have UFW blocking all except ssh because I use public key, disallow root, etc. and no login, so really not concerned there.
XXSOME.IP.XX.broad.xy.jx.dynamic.163data.com.cn
Searching online shows this to be an ssh brute force. Turning on UFW to only allow my IPs makes this go away. Also, blocking it in pi-hole with a wildcard does seem to pi-hole it too. Does something on the ssh UseDNS side of things route this to localhost? I'm not that knowledgeable on it but thought I'd let others know that something external is calling localhost and not something internal.
Take a look at fail2ban.
Reviving this as I saw a sharp spike in requests on my network about an hour ago:
Here is a sample:
2018-12-12 10:59:02 PTR 183.37.13.10.in-addr.arpa mac.local
2018-12-12 10:59:02 PTR 184.37.13.10.in-addr.arpa mac.local
2018-12-12 10:59:02 PTR 185.37.13.10.in-addr.arpa mac.local
2018-12-12 10:59:02 PTR 186.37.13.10.in-addr.arpa mac.local
2018-12-12 10:59:01 PTR 174.37.13.10.in-addr.arpa mac.local
2018-12-12 10:59:01 PTR 175.37.13.10.in-addr.arpa mac.local
2018-12-12 10:59:01 PTR 176.37.13.10.in-addr.arpa mac.local
2018-12-12 10:59:01 PTR 177.37.13.10.in-addr.arpa mac.local
2018-12-12 10:59:01 PTR 178.37.13.10.in-addr.arpa mac.local
2018-12-12 10:59:01 PTR 179.37.13.10.in-addr.arpa mac.local
2018-12-12 10:59:00 PTR 167.37.13.10.in-addr.arpa mac.local
2018-12-12 10:59:00 PTR 168.37.13.10.in-addr.arpa mac.local
They all originate from my desktop mac.
Any tips on how to proceed?
I currently do not understand how and where fail2ban could help me...
Those are reverse lookups for the address 10.13.37.xxx. When a program or a daemon on the client tries to access another node on the network by IP address it will often try to do a reverse lookup so that it can display the FQDN of the node instead of just displaying the bare IP address.
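Added example (not from this thread or the Pi-hole project): a small Python script that reverses the in-addr.arpa octets back into the address being looked up (so 183.37.13.10.in-addr.arpa becomes 10.13.37.183), then groups the PTR queries in a Pi-hole-style log excerpt by client and /24 and marks whether that range is private. The sample lines are constructed in the same "date time type name client" shape as the excerpt posted above.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the same shape as the posted Pi-hole log excerpt
# (date time type name client). Values are made up for the demonstration.
SAMPLE_LOG = """\
2018-12-12 10:59:02 PTR 183.37.13.10.in-addr.arpa mac.local
2018-12-12 10:59:02 PTR 184.37.13.10.in-addr.arpa mac.local
2018-12-12 10:59:01 PTR 174.37.13.10.in-addr.arpa mac.local
2018-12-12 10:59:01 PTR 175.37.13.10.in-addr.arpa mac.local
2018-12-12 10:59:00 PTR 214.0.47.59.in-addr.arpa localhost
2018-12-12 10:59:00 A google.com mac.local
"""

PTR_RE = re.compile(r"^((?:\d{1,3}\.){4})in-addr\.arpa$")


def ptr_to_ip(name):
    """Turn a reverse-lookup name back into the address it asks about.

    The octets in an in-addr.arpa name are in reverse order, so
    183.37.13.10.in-addr.arpa is the PTR record for 10.13.37.183.
    Returns None for anything that is not a well-formed IPv4 PTR name.
    """
    m = PTR_RE.match(name.rstrip("."))
    if not m:
        return None
    octets = m.group(1).rstrip(".").split(".")
    try:
        return ipaddress.IPv4Address(".".join(reversed(octets)))
    except ValueError:  # an octet outside 0-255
        return None


def summarize_ptr(log_text):
    """Count distinct addresses looked up per (client, /24, is_private).

    A private range (RFC 1918 and similar) with many distinct hosts points
    at a client walking its own LAN; a public range points outward.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "PTR":
            continue
        ip = ptr_to_ip(parts[3])
        if ip is None:
            continue
        net = ipaddress.IPv4Network(f"{ip}/24", strict=False)
        seen[(parts[4], str(net), ip.is_private)].add(ip)
    return {key: len(addrs) for key, addrs in seen.items()}
```

Run against a real `/var/log/pihole.log` excerpt, a key like `("mac.local", "10.13.37.0/24", True)` with a large count is the "client sweeping its own subnet" case described in the reply above.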
Ah, thanks! I did not recognize my local network address-space (10.13.37.xxx)
Still kinda funky that my Mac suddenly wanted to scan the whole range (which should be limited to 255 IPs), what seems to be at least ten times.
Thank you for your quick help, as always, @DanSchaper
Hi
I get around 1500 requests from localhost to some ip-address.in-addr.arpa, the IP-addresses are all different but each shows up every hour. What could this be?
This is likely normal network traffic. Please post a section of your pihole log at /var/log/pihole.log showing these transactions.
I started getting these when I turned on Conditional Forwarding.
Do you have that on? Does it stop when you turn that off? (It does for me)
I wanted to just back up what snakedog116 mentioned. Doing this did stop those requests, at least for now.
If you enable Conditional Forwarding and the DNS server you point to can not answer the ARPA reverse lookups then bad things will happen.
Hi- fairly new to pihole.
Have two piholes running in series- the first providing DHCP and general ad blocking to almost everything on my network;
and a secondary pihole which refers to the first pihole for DNS (thus inherits the blocking rules in the first). This one has a "block everything" rule implemented, along with explicit whitelisting of specific sites and OS patching/repository sites, for a machine used by the kids (which has DHCP locked to the second pihole).
Seen a stack of these in-addr.arpa lookups showing on the secondary pihole. Reading the comments above, I should probably whitelist these?
(And yes- this is my first post here.. hello :-) )
(And apologies for the thread revival!)