Lot of PTR queries

Samioul · March 29, 2018, 12:02pm

I've just noticed that when I'm logged in the WebUI and stay on the Dashboard, a lot of PTR queries are sent by PiHole.
To reproduce, make sure no web session is opened and tail -f /var/log/pihole.log, then open a browser from a remote computer or mobile, go to http://pi.hole/admin, make sure to log in and then stay on Dashboard. I then see a lot of PTR queries, actually one for each client on my network, every 10 seconds :

Mar 29 13:33:56 dnsmasq[633]: 163 127.0.0.1/38778 query[PTR] 85.0.168.192.in-addr.arpa from 127.0.0.1
Mar 29 13:33:56 dnsmasq[633]: 163 127.0.0.1/38778 config 192.168.0.85 is NXDOMAIN
Mar 29 13:33:56 dnsmasq[633]: 164 127.0.0.1/38416 query[PTR] 20.0.168.192.in-addr.arpa from 127.0.0.1
Mar 29 13:33:56 dnsmasq[633]: 164 127.0.0.1/38416 config 192.168.0.20 is NXDOMAIN
Mar 29 13:33:56 dnsmasq[633]: 165 127.0.0.1/42040 query[PTR] 86.0.168.192.in-addr.arpa from 127.0.0.1
Mar 29 13:33:56 dnsmasq[633]: 165 127.0.0.1/42040 config 192.168.0.86 is NXDOMAIN
(... I've skipped a lot of other PTR queries...)
Mar 29 13:34:06 dnsmasq[633]: 177 127.0.0.1/47809 query[PTR] 85.0.168.192.in-addr.arpa from 127.0.0.1
Mar 29 13:34:06 dnsmasq[633]: 177 127.0.0.1/47809 config 192.168.0.85 is NXDOMAIN
Mar 29 13:34:06 dnsmasq[633]: 178 127.0.0.1/44107 query[PTR] 20.0.168.192.in-addr.arpa from 127.0.0.1
Mar 29 13:34:06 dnsmasq[633]: 178 127.0.0.1/44107 config 192.168.0.20 is NXDOMAIN
(...)
Mar 29 13:34:16 dnsmasq[633]: 184 127.0.0.1/60312 query[PTR] 85.0.168.192.in-addr.arpa from 127.0.0.1
Mar 29 13:34:16 dnsmasq[633]: 184 127.0.0.1/60312 config 192.168.0.85 is NXDOMAIN
Mar 29 13:34:16 dnsmasq[633]: 185 127.0.0.1/58148 query[PTR] 20.0.168.192.in-addr.arpa from 127.0.0.1
Mar 29 13:34:16 dnsmasq[633]: 185 127.0.0.1/58148 config 192.168.0.20 is NXDOMAIN*
(...)

Please note that I'm not using PiHole as my DHCP server, so I guess it needs to send PTR queries to try to get hostnames instead of IP addresses and use it in graphs / stats on the dashboard, but every 10 seconds is quite a lot (does it match stats refresh frequency ?).
I've checked my PiHole old logs from the "master" branch and this behavior seems to be new : in the master branch PTR queries seemed to happen only once per hour instead of every 10 seconds.

This is no big deal as these local queries are not forwarded to upstream DNS servers, plus it's now possible to disable query logging, and this might only happen if you don't use PiHole as DHCP server (not tested though), but it was just to share my observations.

mibere · March 29, 2018, 12:28pm

I don't know if it's normal or not, but I can confirm your observation. With one difference, my Pi-hole is also running as DHCP server.

BenoitSvB · April 10, 2018, 9:18pm

Dashboard reports 47% PTR querys!
Pihole is my DHCP server.

DanSchaper · April 11, 2018, 5:04am

PTR queries are attempts to find the name associated with the IP address.

85.0.168.192.in-addr.arpa from 127.0.0.1

That means the localhost is trying to find out the name for 192.168.0.85. Are you running anything like Avahi/mDNS/Bonjour on any of the clients or on the Pi-hole?

DL6ER · April 11, 2018, 7:12am

Yes, the Top Clients table is updated every 10 minutes.

We are aware of this and are working on it. Previously, we cached the host names in FTL but this is not possible at the moment. We are working on this within a new API so stay tuned!

Samioul · April 11, 2018, 10:39am

You meant every 10 seconds ?

Thanks for the answer, and as I said, it's no big deal. Plus I solved this "not-really-an-issue" by associating a hostname to every IP address used in my network through /etc/hosts on PiHole, thus I have hostnames in stats instead of IP addresses, and no more PTR queries appear.

DL6ER · April 11, 2018, 4:28pm

Oh yeah, sure, this is what I meant (edited above to avoid confusion for future readers).

Anyways, thanks for reminding me of this issue. I re-implemented host name resolving functionality in FTLDNS now so PHP won't be doing it any more, soon. It will be subject to further testing before it will enter the regular FTLDNS testing branch.

More details can be found here:

github.com/pi-hole/FTL

Internal name resolving functionality

pi-hole:FTLDNS ← pi-hole:FTLDNS-resolve

opened 04:25PM - 11 Apr 18 UTC

DL6ER

+207 -12

**By submitting this pull request, I confirm the following (please check boxes, …eg [X]) _Failure to fill the template will close your PR_:** ***Please submit all pull requests against the `development` branch. Failure to do so will delay or deny your request*** - [X] I have read and understood the [contributors guide](https://github.com/pi-hole/pi-hole/blob/master/CONTRIBUTING.md). - [X] I have checked that [another pull request](https://github.com/pi-hole/FTL/pulls) for this purpose does not exist. - [X] I have considered, and confirmed that this submission will be valuable to others. - [X] I accept that this submission may not be used, and the pull request closed at the will of the maintainer. - [X] I give this submission freely, and claim no ownership to its content. **How familiar are you with the codebase?:** ## 10 --- This re-implements lots of already extensively tested code that was present in pre-FTLDNS for over a year. This implementation is only slightly different by ensuring that name resolution is done in a specific non-blocking way. Before saving to the database (every minute by default), FTLDNS tries to obtain host names for clients and forward destinations that first appeared within this minute. After garbage collection (once per hour by default), FTLDNS tries to re-obtain the host names for all clients that had at least one query in the selected time interval (24 hours by default). Host names of forward destinations are expected to not change. This removes the necessity for doing the name lookups on the client side (or on an intermediate level like PHP as is currently implemented).

system · May 2, 2018, 4:28pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.