Laptop crashing the whole network due to extensive DNS requests

Hey all,

My whole home network went down for the second time and I cannot figure out why.

That is my own laptop, but I have no way of knowing what is behind that or like why is my laptop doing this weird stuff.
I was hoping to find some data on Pi-Hole to explain why, the logs is helping much.
I am running a Linux desktop and this was never an issue so I am lost haha

When I first set up this Pi-Hole + Unbound Recursive DNS, I did cover the security topics, not leaking DNS, etc. I have had this setup running for years flawlessly.

Thank you for any help.


So what did Pi-hole's logs reveal that has helped you, apart from the rate limit warning?
Please share your insights.

Also, please upload a debug log and post just the token URL that is generated after the log is uploaded by running the following command from the Pi-hole host terminal:

pihole -d

or do it through the Web interface:

Tools > Generate Debug Log

To be sincere idk, I mean, I did check the log but I couldn't find anything other than the usual requests, some requests with empty response, some fail, but I just couldn't figure things out.
I should have paid more attention to Pi-Hole telling me who could be behind all of that tho instead of waiting for the second time to happen.

Those graphics are from my OPNSense router which is also running Ntopng and Zenarmor (IDS/IDP).

I have a firewall rule to force everybody requesting DNS to be redirected to Pi-Hole and only Pi-Hole can go out, also, block any device with hard-coded DNS, DNS-over-TLS and DNS-over-HTTPS to bypass Pi-Hole, drop everything.
That is why the client is shown as Pi-Hole on Ntopng.
You will understand this bit in a second.

I have this Pi-Hole + Unbound Recursive + Firewall setup running for years, it is beautiful how everything just works with crazy fast internet even via WireGuard VPN sending all traffic via it (0.0.0.0/0)
I have primary and secondary so one can go down and the other will assume, not in this case of course. So I was not ready to deal with this problem twice haha

Since I knew my laptop was the one causing this thanks to Pi-Hole ( 192.168.1.20 )
I started looking around, checking my laptop network activities and I have been trying Brave browser over Firefox for a month now, well, it turns out that Brave like Chrome has a built-in mDNS which under the right circumstances could be the one flooding Pi-Hole with DNS requests.

Because of that firewall rule sending everything to Pi-Hole, it just "f that" haha like I would have done.
To have the internet back online, I had to actually reboot the OPNSense router and the ONT

I have since created a firewall rule to block my laptop from accessing mDNS altogether ( 224.0.0.251:5353 ). Firewall is doing its thing blocking everything so I hope that will solve the problem.

But again, this is a guess atm, I am still monitoring my laptop which is running Linux so this isn't Windows doing Windows things.


Network isn't my strongest so I wonder if there is anything really Pi-Hole could have pointed out like an isolated history of the device causing the problem so I could investigate other than the usual clients requests, idk.

To be clear, I am not pointing fingers at Pi-Hole + Unbound Recursive DNS, cannot live without it anymore, it is just a humble question while I am trying to find ways to better monitor my home network.

Token: https://tricorder.pi-hole.net/8zFseCjI/

Thank you for the help Bucking.

Did you perhaps redirect port 5353 to your Pi-hole as well?
Then you should revisit that rule.
mDNS requests are meant to work on a link, coexisting with DNS.
They use port 5353, which is distinctively different from port 53, so no proper mDNS request would make it to your DNS server.
(Some service discovery lookups used in wide area mDNS/SD can be directed to a unicast DNS server when an mDNS client checks for the existence of services, but those should not appear more than once in a while).

You can just click on a bar in the graph to list the respective DNS queries associated with that time frame.

You can also click on a client (or client IP) listed in one of the Top Clients sections to see only the DNS queries associated with that IP.

Note that both of those options work on DNS queries processed during the most recent 24 hours.

For older queries, use Pi-hole's Long-term Data | Query Log, where you select your desired time frame first, and then take advantage of the Search field on the top right-hand side of the Recent Queries result list.
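
The per-client drill-down described above can also be done offline against a saved query log; this is an added example, not part of the original thread and not Pi-hole's own code. It assumes dnsmasq-style `query[TYPE] name from client` lines; the log lines, domain names and threshold are constructed, and only the address 192.168.1.20 is taken from the thread.

```python
import re
from collections import Counter, defaultdict

# Assumed dnsmasq-style query line, e.g.
# "Jan  5 10:15:03 dnsmasq[512]: query[A] name from 192.168.1.20"
QUERY_RE = re.compile(
    r"^(?P<minute>\w{3}\s+\d+\s\d{2}:\d{2}):\d{2}\s+dnsmasq\[\d+\]:\s+"
    r"query\[(?P<qtype>[^\]]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)$"
)


def find_floods(lines, threshold):
    """Return {(minute, client): (total, top_queries)} for each client that
    sent more than `threshold` queries within a single clock minute."""
    buckets = defaultdict(Counter)
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if m is None:
            continue  # forwarded/reply/cached lines are not client queries
        buckets[(m["minute"], m["client"])][(m["qtype"], m["name"])] += 1
    floods = {}
    for key, queries in buckets.items():
        total = sum(queries.values())
        if total > threshold:
            floods[key] = (total, queries.most_common(3))
    return floods


def sample_log():
    """Constructed log: one client repeats a lookup 1200 times in a minute."""
    lines = [
        f"Jan  5 10:15:{i % 60:02d} dnsmasq[512]: "
        "query[A] retry.example.net from 192.168.1.20"
        for i in range(1200)
    ]
    lines += [
        "Jan  5 10:15:07 dnsmasq[512]: forwarded retry.example.net to 127.0.0.1#5335",
        "Jan  5 10:15:09 dnsmasq[512]: query[AAAA] pi-hole.net from 192.168.1.30",
        "Jan  5 10:16:01 dnsmasq[512]: query[A] pi-hole.net from 192.168.1.20",
    ]
    return lines


if __name__ == "__main__":
    # 1000 per minute is a sample threshold; tune it to your rate limit.
    for (minute, client), (total, top) in find_floods(sample_log(), 1000).items():
        print(f"{minute}  {client}  {total} queries")
        for (qtype, name), count in top:
            print(f"    {count:6d}  {qtype:5s} {name}")
```

The output names the minute, the client and the query names that dominate the burst, which is the starting point for finding the process on that client.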

Nope, only the port 53 and everybody is forced to go via it.
Networking isn't my strongest, the only thing I read is that under the right circumstances, mDNS requests can flood a DNS server, especially in this case with thousands of requests.

Actually, I do remember my home network being nothing but slow and I remember my Samsung QLED TV being behind it, rebooting the Pi-Hole VMs was enough to solve the problem. Since I have two instances, I can reboot them without stopping the network.
Anyway, I got both a local and a network firewall rule blocking mDNS on this laptop.

These are my rules to keep everything in order


I did that but idk, I couldn't find it much help but again it could be user error, 100%

I have since moved the problematic devices to OPNSense Firewall instead. Top Blocked Domains, Top Clients (blocked only).
I have an nginx running via kubernetes in my homelab with IP lists of the most blocked domains like Samsung crappy, Linux network check, Microsoft crappy (Xbox), etc, so Pi-Holes will just pass-through and let the Firewall block everything.

I confess that I never truly deeply explored Pi-Hole, it and Unbound Recursive DNS have been running for years with zero maintenance. I do check it once in a while for updates, overall queries but that is all about it.

The only change I had to make recently since I started running VLAN now to have an IoT isolated network and etc, was to change the DNS from listening to local only to an interface because it was rejecting DNS requests from the VLANs.

Anyway, I think we are good now.
Thank you for the support.
