Massive number of root NS queries

The issue I am facing:
I'm getting hundreds to thousands of queries for '.' from my router every minute.

Details about my system:
Two PiHoles on Raspberry Pi 0s (Pi-hole v5.16.2 FTL v5.22 Web Interface v5.19) with Unbound also on the Pis. Nothing in Docker.

Router is Opnsense, with the DNS servers set to the Pi-holes. Turned off DNSSEC and rebind protection, as I saw that mentioned in other threads.

What I have changed since installing Pi-hole:
Recent change was moving from pfSense (did not have this issue) to Opnsense.

How did you configure OPNsense to make use of Pi-hole:
As an upstream DNS server, or as a local DNS server as distributed by DHCP?

And what DNS resolver is running on OPNsense?

Also, please upload a debug log and post just the token URL that is generated after the log is uploaded by running the following command from the Pi-hole host terminal:

pihole -d

or do it through the Web interface:

Tools > Generate Debug Log

Debug: Ep8Gyhqh

OPNsense: set PiHole as DNS via DHCP. Unbound is also configured so static IPs can be looked up.

In the past 24 hours both PiHoles have over 8 million queries reported between the two of them.

I thought the DNS queries were originating from your router?
Does that mean that your Pi-holes are bouncing those DNS requests among each other?

Often, excessive amounts of DNS requests are caused by some sort of a DNS loop.

Your debug log shows that you've enabled Pi-hole's Conditional Forwarding to your router's IP.
That could close a partial DNS loop if your router would also be using Pi-hole as an upstream DNS resolver (in addition to distributing it as a local DNS resolver via DHCP).

Is your router configured to use at least one of your Pi-holes as one of its upstreams?

'.' root DNS queries would be common for a recursive resolver, or for a DNSSEC validating resolver.
Pi-hole could also be sending DNS requests for '.' if DNSSEC is enabled.
However, your debug log shows DNSSEC to be disabled.

unbound is a recursive resolver, but it would usually send those requests to the root DNS servers, not to Pi-hole.

You wouldn't perhaps redirect DNS at your router's firewall?

In any case, you should try if disabling Pi-hole's Conditional Forwarding would mitigate your issue.

Sorry, I worded that poorly. Opnsense has sent about 8 million queries to the PiHoles in the past 24 hours, the vast majority of which are for '.'

I tried disabling conditional forwarding, but that didn't do anything. I'm going to try some more things with unbound this evening.

Just to make sure: As you have two Pi-holes, did you disable CF on both?

Please answer my questions to investigate a potential DNS loop:

Also, let's see some numbers about your top requested domains by client.
Please run the following statement on your Pi-hole machines:

pihole-FTL sqlite3 /etc/pihole/pihole-FTL.db -header -column "SELECT domain, client, count(domain) \
FROM queries WHERE timestamp>=strftime('%s', DATETIME('now','-1 day')) \
GROUP BY domain, client ORDER BY 3 DESC LIMIT 10;"

It would also be interesting how Pi-hole actually answers such a request for '.'.
Run from your Pi-hole at 192.168.12.3, what is the output of

dig . @192.168.12.3

And how did that dig register in the log:

sudo tail -n100 /var/log/pihole/pihole.log | grep '192.168.12.3.*\. '

Yes, I disabled CF on both Pi-holes.

The router is not configured to use either Pi-hole as an upstream, they are assigned through DHCP. The Pi-holes use their own local instance of Unbound for their upstreams (127.0.0.1#5335).

Query results:

domain                         client          count(domain)
-----------------------------  --------------  -------------
.                              192.168.12.1    5382107      
connectivitycheck.gstatic.com  192.168.16.175  68329        
connectivitycheck.gstatic.com  192.168.12.1    42545        
timesa.myrheem.com             192.168.12.1    35504        
resource.myrheem.com           192.168.12.1    23163        
timesa.myrheem.com             192.168.16.170  19217        
resource.myrheem.com           192.168.16.170  18863        
ntp.exnet.com                  192.168.12.156  17184        
ntp2a.mcc.ac.uk                192.168.12.156  17165        
1.uk.pool.ntp.org              192.168.12.1    17164 

Dig output:

; <<>> DiG 9.16.37-Raspbian <<>> . @192.168.12.3
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1938
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;.				IN	A

;; AUTHORITY SECTION:
.			3600	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2023041600 1800 900 604800 86400

;; Query time: 100 msec
;; SERVER: 192.168.12.3#53(192.168.12.3)
;; WHEN: Sun Apr 16 09:29:10 EDT 2023
;; MSG SIZE  rcvd: 103

Running:

sudo tail -n100 /var/log/pihole/pihole.log | grep '192.168.12.3.*\. '

Returned nothing. However,

sudo tail -n100 /var/log/pihole/pihole.log | grep '192.168.12.3'

Returned Apr 16 09:29:10 dnsmasq[1128]: query[A] . from 192.168.12.3

Ah, I forgot that I'm using additional logging options for my installation, and the grep I've asked you to run would require those. Sorry for that.

Anyway, the dig output looks as expected.

It would seem that only your router at 192.168.12.1 is sending requests for '.'.
But even if the sheer amount of those requests dwarfs the combined number of all others - there's something dodgy in general about the requests your router sends.

The 1.uk.pool.ntp.org would be about the only domain I'd expect a router to request, in order to sync time, though a few requests per day should be enough for that purpose.

Furthermore, it almost seems as if your router would mimic requests as sent by other clients in your network.
connectivitycheck.gstatic.com is usually requested by Android devices, and I have no idea what those *.myrheem.com would be about.

Do you know why your router would request resolution for those domains?

Is your router configured to offer a guest network, perhaps, or some other sort of VLAN?
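The same view the SQL statement and the grep above give can be taken straight from the dnsmasq lines in pihole.log. The following is an added example (not from this thread or from Pi-hole) that aggregates query lines per domain and client and flags a client whose traffic is almost entirely '.' queries, the pattern seen for 192.168.12.1 above; the log lines it runs over are constructed for the example.

```python
import re
from collections import Counter

# Matches a dnsmasq query line as it appears in /var/log/pihole/pihole.log, e.g.
# "Apr 16 09:29:10 dnsmasq[1128]: query[A] . from 192.168.12.3"
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<domain>\S+) from (?P<client>\S+)$"
)

# Constructed sample log: a router hammering '.', some normal traffic, and a
# non-query line that the parser must ignore.
SAMPLE_LOG = (
    ["Apr 16 09:29:10 dnsmasq[1128]: query[A] . from 192.168.12.1"] * 250
    + ["Apr 16 09:29:11 dnsmasq[1128]: query[A] 1.uk.pool.ntp.org from 192.168.12.1"] * 5
    + ["Apr 16 09:29:12 dnsmasq[1128]: query[A] connectivitycheck.gstatic.com from 192.168.16.175"] * 30
    + ["Apr 16 09:29:13 dnsmasq[1128]: query[AAAA] . from 192.168.12.3"]
    + ["Apr 16 09:29:14 dnsmasq[1128]: forwarded . to 127.0.0.1#5335"]
)

def count_queries(lines):
    """Counter of (domain, client) -> queries, like GROUP BY domain, client."""
    counts = Counter()
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if m:
            counts[(m["domain"], m["client"])] += 1
    return counts

def top_requests(lines, limit=10):
    """Top (domain, client) pairs, equivalent to ORDER BY count DESC LIMIT n."""
    return count_queries(lines).most_common(limit)

def suspect_loop_clients(lines, domain=".", min_queries=100, min_share=0.9):
    """Clients that sent at least min_queries for `domain` and for which that
    domain makes up min_share or more of everything they asked. A router that
    bounces root queries back at Pi-hole shows up here; a lone dig does not."""
    counts = count_queries(lines)
    per_client, root_per_client = Counter(), Counter()
    for (dom, client), n in counts.items():
        per_client[client] += n
        if dom == domain:
            root_per_client[client] += n
    return sorted(
        client for client, n in root_per_client.items()
        if n >= min_queries and n / per_client[client] >= min_share
    )
```

Feed it the real file with `suspect_loop_clients(open("/var/log/pihole/pihole.log"))`; the thresholds are assumptions to tune for your network.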

Good point about what you'd expect a router to actually send, I hadn't thought about the bigger picture here before. It seems like this is probably the issue people commonly run into where the router appears to be the only client. E.g. my phone sends a request, it goes to the router, which sends it to Pi-hole, but it appears in Pi-hole as the router making the request.

I have a few Google/Android devices, so that makes sense. Rheem is my water heater.

So then I guess that raises the question of if all the '.' queries are actually from my router or not.

I had Unbound enabled to load in DHCP reservations, but the only DNS clients are the two Pi-holes. My devices list the Pi-Holes as their DNS servers too. However, when I disable Unbound in OPNsense, I lose DNS resolution on all devices. I've confirmed that everyone can talk to the Pi-holes and get responses, even across VLANs (LAN and IoT). So maybe this is an issue with OPNsense? I didn't have any of these issues in pfSense, but I like the FOSS aspect of OPNsense more.

Fixed it. User error - I had Unbound configured incorrectly on OPNsense.
Solution:

  • Do not set any DNS servers under System - Settings - General.
  • Leave 'Allow DNS server list to be overridden by DHCP/PPP on WAN' unchecked
  • I have 'Do not use the local DNS service as a nameserver for this system' checked, but not sure if it's needed.
  • Set the Pi-holes as the DNS servers for each VLAN in Services - DHCPv4.
  • The Pi-holes can either use local instances of Unbound or point back to the OPNsense instance.
  • I think pointing back at OPNsense may work better for local hostname resolution but I'm not sure.

Glad you solved it. :slight_smile:

Exactly.
That would happen when your router is using Pi-hole as its upstream.
It is the reason why I asked whether your router would be configured to use at least one of your Pi-holes as one of its upstreams. :wink:

I guess those DNS settings under System - Settings - General are configuring your OPNsense router's upstreams.

That would suggest that all your network's DNS requests would ultimately end up being handled by your router's unbound instance.
That would happen if your router intercepts and redirects DNS requests to its own DNS resolver.
It is the reason why I asked whether your router's firewall would redirect DNS.

If such a redirection rule is in place, you want to make sure that all of your Pi-holes IP addresses are exempted from it. You'd close a DNS loop if they were not.

From what I could glance from the information you shared and supplied, clients from your main home network seem to have been using your intended setup by and large.

But some routers may allow configuring VLANs, which often would default to distributing the router as local DNS server via DHCP. This seems to be the case for routers offering only a single, pre-configured guest VLAN. It would then depend on the router whether it'd support VLAN-specific DNS server configuration.
This is why I asked about VLANs and guest networks.

It seems you've worked around this by configuring your router's VLANs to use your Pi-holes as DNS resolver.

I can't really advise on your router's configuration options, as I am not familiar with OPNSense. You'd likely get better answers consulting their documentation and support channels.

Configuring both of your Pi-holes to use your OPNsense unbound as their sole upstream would allow for more effective caching, but at a higher latency, and with that unbound becoming a single point of failure.
Two DNS requests for the same domain going to each of your Pi-holes would be resolved only once by your OPNsense unbound, but the response would take a tiny bit longer to reach your Pi-holes.

Your OPNsense unbound would only be aware of local DNS names if your router would inject respective DNS records into unbound upon DHCP lease negotiation, and/or if it would support creating DNS records for local devices explicitly.

If that would be the case, either using unbound as Pi-hole's sole upstream or enabling Pi-hole's Conditional Forwarding should allow you to resolve local names as known by OPNsense.

I guess those DNS settings under System - Settings - General are configuring your OPNsense router's upstreams.

That would happen if your router intercepts and redirects DNS requests to its own DNS resolver.
It is the reason why I asked whether your router's firewall would redirect DNS.

Yeah, I think this was unfortunately me not quite understanding what I was doing and not realizing it.

Your OPNsense unbound would only be aware of local DNS names if your router would inject respective DNS records into unbound upon DHCP lease negotiation, and/or if it would support creating DNS records for local devices explicitly.

If that would be the case, either using unbound as Pi-hole's sole upstream or enabling Pi-hole's Conditional Forwarding should allow you to resolve local names as known by OPNsense.

OPNsense can inject DHCP leases and reservations into Unbound. Good call about potential points of failure and latency though. At some point I'll play around with using Unbound on the Pi-holes + their Unbound instances + conditional forwarding vs. using the OPNsense Unbound instance as the Pi-hole's upstream but for now I'm just happy that I have things working the way I expect them to.

Thank you for all your help with what ended up not being a Pi-hole issue, I appreciate it!
