The issue I am facing:
Every hour I get PRT in.addr.arpa domain lookups, I noticed that the addresses it's trying to lookup are my own local address or quad9 dns address, but they are being queried backwards, the address starts with the last octect first, third octect second and so on. Below is an example
2020-08-10 23:00:00 PTR 38.0.20.172.in-addr.arpa localhost OK (forwarded) NXDOMAIN this address is really 172.20.0.38 |2020-08-10 22:00:01|PTR|112.112.112.149.inaddr.arpa|localhost|OK (cached)|DOMAIN (0.2ms)|Blacklist| this address is really 149.112.112.122 and its qaud9 dns address
|2020-08-10 22:00:01|PTR|1.0.20.172.in-addr.arpa|localhost|OK (forwarded)|NXDOMAIN (46.4ms)| this address is really 172.20.0.1
2020-08-10 22:00:01 PTR 100.7.20.10.in-addr.arpa localhost OK (forwarded) NXDOMAIN (40.4ms) this address is really 10.20.7.100
Does anyone know why this is happening and how I can fix it?
Details about my system:
Dedicated RPI with Pi OS lite, running latest Pi-hole version
There is nothing to fix. PTR (reverse IP lookups) follow this format - listing the IP in reverse.
A client is asking "what is the name of the client located at this IP shown in reverse"
Pi-hole does a round of these hourly to determine the names of the network clients and DNS resolvers. The DNS resolver names are used to display the names on the "queries answered by" pie graph on the dashboard.
These queries are normal network traffic and nothing you should be blacklisting. You want these queries to be answered.
Damn! I should have read Wikipedia before I asked. I'm still curious about something. In the queries I also have
PTR 1.1.168.192.in-addr.arpa localhost OK (forwarded) NXDOMAIN
I know it says "NXDOMAIN" but when I do an nslookup of that same address I get the following into nslookup 1.1.168.192 192.168.1.1.in-addr.arpa name = node-81s.pool-1-1.dynamic.totinternet.net
Should I be concerned that the reverse IP does resolve to something on the internet?
Also the secondary qaud9 dns backwards resolves to China Telecom
@Bucking_Horn no it isn't, but what I'm still not to clear is, when the Pi-Hole does its hourly PTR request for 1.1.168.192, does it just try to resolve the host name IP locally or does it also try to resolve it externally? Wondering about externally because the entry below says forwarded, forwarded where?
PTR 1.1.168.192.in-addr.arpa localhost OK (forwarded) NXDOMAIN
@jfb I get why they need to get answered, but should my local PTR answer always with NXDOMAIN. I don't know if the NXDOMAIN comes from me not using the Pi-Hole as my DHCP server or they way I have set the DNS on my router
Yes, Pi-hole forwards reverse lookups for its known clients to its upstream DNS servers, routinely once every sharp hour.
Public upstream servers do not know names for devices on your local network, with the notable exception of public IPv6 addresses, in which case your ISP may have assigned a generic name that at least your ISP's DNS servers are aware of.
If you did enable Conditional Forwarding or configure Pi-hole to use your router as its only upstream DNS server, your router may run a local DNS server that very well knows hostnames for your devices - if your router is acting as DHCP and local DNS server. Some routers lack the latter, so won't be able to supply local hostnames, even if they are doing DHCP.
You can prevent local hostname or local IP address information to leave your Pi-hole by checking Never forward non-FQDNs for hostnames or Never forward reverse lookups for private IP ranges for IP addresses on Pi-hole's Settings | DNS pane respectively.
Note that at least the latter has to be unchecked if you want local hostname resolution when using your DHCP server/router as Pi-hole's only upstream.
If you'd run Pi-hole as your network's only DHCP server, Pi-hole would know all its clients' hostnames, so there would be no need for forwarding requests.
@Bucking_Horn no to conditional, and no to pihole to use my router as upstream. In my case I set my router to use the pihole as its only DNS resolver and manually added the pihole IP to each DHCP for DNS resolver.
I have an edgerouter and I believe it can do dnsmasq, i'll look into it. Maybe someone here even has a guide on how to implement the Pi-hole with an edge router