Lot of PTR queries

I've just noticed that when I'm logged in the WebUI and stay on the Dashboard, a lot of PTR queries are sent by PiHole.
To reproduce, make sure no web session is opened and tail -f /var/log/pihole.log, then open a browser from a remote computer or mobile, go to http://pi.hole/admin, make sure to log in and then stay on Dashboard. I then see a lot of PTR queries, actually one for each client on my network, every 10 seconds :

Mar 29 13:33:56 dnsmasq[633]: 163 127.0.0.1/38778 query[PTR] 85.0.168.192.in-addr.arpa from 127.0.0.1
Mar 29 13:33:56 dnsmasq[633]: 163 127.0.0.1/38778 config 192.168.0.85 is NXDOMAIN
Mar 29 13:33:56 dnsmasq[633]: 164 127.0.0.1/38416 query[PTR] 20.0.168.192.in-addr.arpa from 127.0.0.1
Mar 29 13:33:56 dnsmasq[633]: 164 127.0.0.1/38416 config 192.168.0.20 is NXDOMAIN
Mar 29 13:33:56 dnsmasq[633]: 165 127.0.0.1/42040 query[PTR] 86.0.168.192.in-addr.arpa from 127.0.0.1
Mar 29 13:33:56 dnsmasq[633]: 165 127.0.0.1/42040 config 192.168.0.86 is NXDOMAIN
(... I've skipped a lot of other PTR queries...)
Mar 29 13:34:06 dnsmasq[633]: 177 127.0.0.1/47809 query[PTR] 85.0.168.192.in-addr.arpa from 127.0.0.1
Mar 29 13:34:06 dnsmasq[633]: 177 127.0.0.1/47809 config 192.168.0.85 is NXDOMAIN
Mar 29 13:34:06 dnsmasq[633]: 178 127.0.0.1/44107 query[PTR] 20.0.168.192.in-addr.arpa from 127.0.0.1
Mar 29 13:34:06 dnsmasq[633]: 178 127.0.0.1/44107 config 192.168.0.20 is NXDOMAIN
(...)
Mar 29 13:34:16 dnsmasq[633]: 184 127.0.0.1/60312 query[PTR] 85.0.168.192.in-addr.arpa from 127.0.0.1
Mar 29 13:34:16 dnsmasq[633]: 184 127.0.0.1/60312 config 192.168.0.85 is NXDOMAIN
Mar 29 13:34:16 dnsmasq[633]: 185 127.0.0.1/58148 query[PTR] 20.0.168.192.in-addr.arpa from 127.0.0.1
Mar 29 13:34:16 dnsmasq[633]: 185 127.0.0.1/58148 config 192.168.0.20 is NXDOMAIN*
(...)

Please note that I'm not using PiHole as my DHCP server, so I guess it needs to send PTR queries to try to get hostnames instead of IP addresses and use it in graphs / stats on the dashboard, but every 10 seconds is quite a lot (does it match stats refresh frequency ?).
I've checked my PiHole old logs from the "master" branch and this behavior seems to be new : in the master branch PTR queries seemed to happen only once per hour instead of every 10 seconds.

This is no big deal as these local queries are not forwarded to upstream DNS servers, plus it's now possible to disable query logging, and this might only happen if you don't use PiHole as DHCP server (not tested though), but it was just to share my observations.

I don't know if it's normal or not, but I can confirm your observation. With one difference, my Pi-hole is also running as DHCP server.

Dashboard reports 47% PTR querys!
Pihole is my DHCP server.

Screenshot_20180410-2315531440×2560 266 KB

PTR queries are attempts to find the name associated with the IP address.

85.0.168.192.in-addr.arpa from 127.0.0.1

That means the localhost is trying to find out the name for 192.168.0.85. Are you running anything like Avahi/mDNS/Bonjour on any of the clients or on the Pi-hole?

Yes, the Top Clients table is updated every 10 minutes.

We are aware of this and are working on it. Previously, we cached the host names in FTL but this is not possible at the moment. We are working on this within a new API so stay tuned!

You meant every 10 seconds ?

Thanks for the answer, and as I said, it's no big deal. Plus I solved this "not-really-an-issue" by associating a hostname to every IP address used in my network through /etc/hosts on PiHole, thus I have hostnames in stats instead of IP addresses, and no more PTR queries appear.

Oh yeah, sure, this is what I meant (edited above to avoid confusion for future readers).

Anyways, thanks for reminding me of this issue. I re-implemented host name resolving functionality in FTLDNS now so PHP won't be doing it any more, soon. It will be subject to further testing before it will enter the regular FTLDNS testing branch.

More details can be found here:
https://github.com/pi-hole/FTL/pull/253

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.