Include log entry in pihole-FTL.log when client hits rate limit

Greetings!

I've spent 15+ hours since February trying to figure out why my home server was losing DNS resolution randomly, when I finally came upon the blog entry from February 16th that introduced rate limiting by default. I must have completely missed when this was introduced, and was beside myself once I figured out that was the issue. I think this is a good feature! However, the absence of a log entry in pihole-FTL.log caused me a not-insignificant amount of troubleshooting. Is there any way an error message could be produced in pihole-FTL.log to warn admins that specific clients are hitting the rate limit? Something like

Client <name/ip> has exceeded <number> queries over <number> <timeframe>

would work well.

Thanks for all the great work so far!

Not being able to change the rate limiting is a huge, huge problem for a project I'm doing. I'm building a cloud-based pi server that is supporting several hundred kids behind a NAT firewall at an underserved city middle and high school.

I estimate requests will be around 5000 requests a minute from what will appear like one client.

Please make this a customizable number or completely disabled as an option. School has no budget for tech and can't just build out servers they can't afford on-prem in a server room that doesn't exist. A scalable cloud-based solution is the only way we can do it, and that makes all the clients appear to be a single one.

Rate limits are fully customizable.

https://docs.pi-hole.net/ftldns/configfile/#rate_limit

Sorry, you are totally right, and I totally panicked. Options are clearly spelled out in the documentation, I read this while on the road and panicked. Would still be great to have a log notice if we hit the limit, but glad you are 10 steps ahead of me in making this easily configured. Thanks for the swift reply!

I didn't initially put the solution in my Reddit PSA, so sorry about that!

In the currently released version of Pi-hole, if one enables additional debug logging, then there is a message printed to the log that the query is rate limited:

Have been talking about this with @DL6ER and agree that it could be a little more transparent, so we're actually now looking at making it so that this message is logged for the first refused query of each client that has hit the rate limit.

This commit is currently in the release/v5.9 branch of ftl, which is in the beta testing stage currently.

We're also toying with the possibility of changing that log message to read something along the lines of:

Client [IP] has reached the configured limit of [n] queries per [x] mins. Queries will be refused until [hh:mm]

Is the last part really meaningful? What if the end time is on the next day? What if it is several days away? As far as I read the source code, FTL reads intervals in second precision and that can easily be several days. I'd vote for

Client [IP] has reached the configured limit of [n] queries per [x] mins.

Not even sure if it should say "N per X mins" or rather "N within X seconds". Note the difference "per" (rate) and "within" (total).

No, possibly not - and certainly not set in stone. Just chucking it against the wall to see what sticks. The general point I'm trying to get across with the wording is "If you're wondering why your client is unable to perform DNS lookups - this is why - normal operation should resume again soon™"

but only if the client is able to continue working normally. I see this as a precaution against clients going completely crazy (like with millions of queries in less than an hour). It is also important to avoid DoS attacks against your Pi-hole. The database will grow when being filled with several dozen million queries in a short time, until they fill the entire card, and this will start causing issues in all kinds of places.

I updated the code to add something like

[2021-08-03 20:36:53.815 328989M] Rate-limiting 192.168.2.106 for 24 seconds

to pihole-FTL.log. Such a line will be added once per interval and client.
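An added example (not Pi-hole's own code) of how an admin could turn these log lines into a per-client summary, which also settles the "when will queries resume" question from the discussion above by computing the end of each block from the timestamp and duration. The log lines are constructed here in the format shown in the post; the `328989M` field is assumed to be a process id tag and is matched loosely.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of pihole-FTL.log content (IPs, times and durations are made up).
SAMPLE_LOG = """\
[2021-08-03 20:36:53.815 328989M] Rate-limiting 192.168.2.106 for 24 seconds
[2021-08-03 20:37:01.002 328989M] Resolver started
[2021-08-03 20:37:17.815 328989M] Rate-limiting 192.168.2.106 for 60 seconds
[2021-08-03 20:40:00.100 328989M] Rate-limiting 10.0.0.5 for 12 seconds
"""

# Timestamp, then anything up to the closing bracket, then the rate-limit message.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+[^\]]*\] "
    r"Rate-limiting (?P<client>\S+) for (?P<secs>\d+) seconds$"
)


def parse_rate_limit_events(text):
    """Return (timestamp, client, seconds) for every rate-limit line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group("client"), int(m.group("secs"))))
    return events


def summarize(events):
    """Per client: how many intervals it was rate-limited and when the latest block expires."""
    summary = {}
    for ts, client, secs in events:
        count, _ = summary.get(client, (0, None))
        summary[client] = (count + 1, ts + timedelta(seconds=secs))
    return summary


if __name__ == "__main__":
    for client, (count, until) in summarize(parse_rate_limit_events(SAMPLE_LOG)).items():
        print(f"{client}: rate-limited {count} time(s), last block ends {until:%Y-%m-%d %H:%M:%S}")
```

Run it against the real file with `python3 script.py < /var/log/pihole-FTL.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`; a client that shows up repeatedly is the one to look at.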

This has been implemented in the latest version of Pi-hole
