Maximum number of concurrent DNS queries - where to configure in pihole v6

Hello,

I get the DNSMASQ_WARN: Maximum number of concurrent DNS queries
default = 150

Because pihole-FTL.conf doesn't exist in Pi-hole v6 anymore, where do I configure this value now?

In pihole.toml, I do not find this value. In the GUI, I also didn't find anything regarding this.

pihole-FTL --config
also doesn't show any value for this.

The documentation seems not to be up to date.

I am NOT using docker.

Thanks.

Go to settings and toggle the expert mode on. Then go to all settings, misc settings and look for misc.dnsmasq_lines.

EDIT: Or you can do it via command line.


pihole-FTL --config misc.dnsmasq_lines dns-forward-max=xxxx

Where xxxx is the number you want to use.

'Maximum number of concurrent DNS queries reached' is often caused by a DNS loop, or by unresponsive or inaccessible upstream DNS servers, less frequently by individual misbehaving clients.

In all these cases, dns-forward-max does nothing to address the underlying issues.
It would be similar to throwing more wood in the broad direction of smoke instead of trying to find the fire. It does not eliminate the cause and at best would only delay the warning from appearing for a few milliseconds.

You should consider investigating why you see that message before you resort to increasing that value.

That's what I did.
I integrated nmap into HomeAssistant, which regularly scans my private IP ranges to detect new devices. It also performs a DNS lookup.

A single DNS request won't trigger a max concurrent warning.

When I have a look in Recent Queries, the nmap scanner of HomeAssistant makes a lookup for each IP:

How many of those reverse lookups are sent on each invocation, and how often do those reverse lookups run?

All of those PTR lookups from your screenshot were served by Pi-hole's cache optimiser, which implies they have been forwarded upstream.
Where do you have them forwarded to?

At the moment, the scanner checks 3 private class C ranges = 3x253 IPs.
Because Pi-hole is running on an rPi4 which is behind my router, I use conditional forwarding. My FritzBox is the only device which can answer these DNS requests.

When I have a look into the query log, I suppose that each IP is requested every 10 minutes, approx.

Does your script run the PTRs for all IPs, or just for existing ones?
The PTR lookups don't seem to be enumerating IPs.
What's the purpose of running those reverse lookups anyway?

Even assuming that reverse lookups are issued for all 759 potential IPs: By themselves, those wouldn't be enough to trigger a max concurrent warning.

Does your router use Pi-hole as its upstream DNS?

Then you should consider switching your router's upstreams back to your ISP's default, as using Pi-hole as upstream would close a partial DNS loop for unknown domains, which could explain Maximum number of concurrent DNS queries messages.

Your Fritzbox only knows names for those IP addresses that it actually assigned.
Any reverse lookup for an IP address that isn't assigned by your Fritzbox would prompt your Fritzbox to forward it upstream to Pi-hole, which in turn forwards it to your Fritzbox, and so on forever or until timeout - or until Pi-hole's connection pool is exhausted or its rate limit kicks in.
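The partial loop described in this reply and in the earlier warning about dns-forward-max, as an added toy model (not Pi-hole, dnsmasq or FritzBox code): three forwarders with a per-server table of outstanding forwarded queries capped like dnsmasq's dns-forward-max. Pi-hole conditionally forwards 192.168.0.0/16 reverse lookups to the router, the router answers only PTRs for leases it assigned, and the router's own upstream is either Pi-hole (loop) or a public resolver (no loop). The host names, lease table and the queried address 192.168.1.200 are constructed for the example.

```python
"""Toy model of the 'router uses Pi-hole as upstream' loop (added example, not project code)."""
from __future__ import annotations

from dataclasses import dataclass, field

NXDOMAIN = "NXDOMAIN"
DROPPED = "DROPPED"            # forward table full: the query is not forwarded at all
DEFAULT_FORWARD_MAX = 150      # dnsmasq default for dns-forward-max


@dataclass
class Forwarder:
    name: str
    records: dict[str, str] = field(default_factory=dict)            # authoritative answers
    forward_max: int = DEFAULT_FORWARD_MAX
    upstreams: dict[str, "Forwarder"] = field(default_factory=dict)  # zone suffix -> upstream
    default_upstream: "Forwarder | None" = None
    in_flight: int = 0                                               # outstanding forwards
    warnings: list[str] = field(default_factory=list)

    def pick_upstream(self, qname: str) -> "Forwarder | None":
        for suffix, server in self.upstreams.items():       # conditional forwarding
            if qname == suffix or qname.endswith("." + suffix):
                return server
        return self.default_upstream


def resolve(first_hop: Forwarder, qname: str) -> str:
    """Walk the forwarding chain iteratively; a real loop can be thousands of hops deep."""
    chain: list[Forwarder] = []      # servers that hold an in-flight entry for this query
    current = first_hop
    while True:
        if qname in current.records:
            answer = current.records[qname]
            break
        upstream = current.pick_upstream(qname)
        if upstream is None:
            answer = NXDOMAIN        # nobody is authoritative for this name
            break
        if current.in_flight >= current.forward_max:
            current.warnings.append(
                f"{current.name}: Maximum number of concurrent DNS queries reached "
                f"(max: {current.forward_max})")
            answer = DROPPED         # entries already in flight stay until they time out
            break
        current.in_flight += 1
        chain.append(current)
        current = upstream
    if answer != DROPPED:
        for server in chain:         # a real answer (or NXDOMAIN) frees every entry
            server.in_flight -= 1
    return answer


def reverse_name(ip: str) -> str:
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def build_lan(router_upstream_is_pihole: bool, forward_max: int = DEFAULT_FORWARD_MAX):
    public = Forwarder("public-resolver")                   # holds no private PTR data
    router = Forwarder("fritzbox", forward_max=forward_max, records={
        reverse_name("192.168.1.1"): "fritz.box",           # constructed lease table
        reverse_name("192.168.1.53"): "pihole.fritz.box",
    })
    pihole = Forwarder("pihole", forward_max=forward_max,
                       upstreams={"168.192.in-addr.arpa": router},
                       default_upstream=public)
    router.default_upstream = pihole if router_upstream_is_pihole else public
    return pihole, router


def ptr_lookup(ip: str, router_upstream_is_pihole: bool,
               forward_max: int = DEFAULT_FORWARD_MAX) -> tuple[str, int, int]:
    """One client PTR query against Pi-hole: (answer, Pi-hole entries left in flight, warnings)."""
    pihole, _router = build_lan(router_upstream_is_pihole, forward_max)
    answer = resolve(pihole, reverse_name(ip))
    return answer, pihole.in_flight, len(pihole.warnings)


if __name__ == "__main__":
    for loop, limit in ((False, 150), (True, 150), (True, 1500)):
        print(f"loop={loop} dns-forward-max={limit}:",
              ptr_lookup("192.168.1.200", loop, limit))
```

With the router pointed at a public resolver, the PTR for the unassigned 192.168.1.200 comes back NXDOMAIN and Pi-hole's table drains to zero. With the router pointed at Pi-hole, that single query fills the table and triggers the warning; raising dns-forward-max from 150 to 1500 only lets the same query bounce ten times longer before the identical warning appears.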

for all IPs in ranges --> = detecting devices in the network

As you know, a FritzBox can only detect devices if they communicate with the FritzBox (DHCP, FritzBox = DNS server, etc.), or if traffic from the device is routed through the FritzBox. A FritzBox does not scan the home network.
I have some measuring devices which only work with static IPs, which have no DNS capabilities, and do not start any communication on their own.

I think so. The 150 is the default for a certain period of time. nmap can easily get over that when it queries 253 IPs, possibly still in parallel.

of course, no!!! That would cause a loop!

That is exactly what is the case.
Because the FritzBox does not forward private IPs to the internet, the FritzBox throws away the request.

Reverse lookups do not detect any devices.
They just return DNS records as held by a DNS server.
A device can exist or be active without a DNS record, and a DNS record can exist regardless whether a device of that name or IP does exist or is active.

If you'd base judgement of device existence or presence on DNS results, you'd be guaranteed to deal with false positives as well as false negatives.

In the context of tracking device existence or presence, reverse lookups would only seem useful to stick a name to an active/existing IP.

Does that nmap tracker allow to configure reverse lookups for existing/active IPs only?

I just ran a quick nmap -oG - 192.168.1.0/22 -F -R --host-timeout 3s involving 1024 reverse lookups, without triggering any warnings in Pi-hole diagnosis.

I agree with you. With reverse lookups, you don't find the devices themselves, but rather DNS entries on the DNS server.

The idea of doing it this way isn't wrong, though. Essentially, you're connecting HomeAssistant to the DNS server's memory.

The idea is that there's an entity for each DNS entry in HomeAssistant.

Not sure what that screenshot is supposed to tell me?

There won't be.
Your Fritzbox will answer reverse lookups for non-existent/inactive devices it has seen at some time in the past that nmap won't detect and thus can't create an entity for.

When I compare results for `nmap` with and without reverse lookups, the results are identical for my network, apart from execution time:

$ sudo nmap -oG - 192.168.1.0/22 -F -T4 -R --host-timeout 5s
# Nmap 7.70 scan initiated Tue Mar 25 13:47:51 2025 as: nmap -oG - -F -T4 -R --host-timeout 5s 192.168.1.0/22
Host: 192.168.1.1 (fritz.box)	Status: Up
Host: 192.168.1.1 (fritz.box)	Ports: Ignored State: closed (100)
Host: 192.168.1.21 (ncsi.fritz.box)	Status: Up
Host: 192.168.1.21 (ncsi.fritz.box)	Status: Timeout
Host: 192.168.1.53 (pihole.fritz.box)	Status: Up
Host: 192.168.1.53 (pihole.fritz.box)	Ports: 22/open/tcp//ssh///, 53/open/tcp//domain///, 80/open/tcp//http///	Ignored State: closed (97)
# Nmap done at Tue Mar 25 13:48:10 2025 -- 1024 IP addresses (4 hosts up) scanned in 19.53 seconds
$ sudo nmap -oG - 192.168.1.0/22 -F -T4 --host-timeout 5s
# Nmap 7.70 scan initiated Tue Mar 25 13:48:37 2025 as: nmap -oG - -F -T4 --host-timeout 5s 192.168.1.0/22
Host: 192.168.1.1 (fritz.box)	Status: Up
Host: 192.168.1.1 (fritz.box)	Ports: Ignored State: closed (100)
Host: 192.168.1.21 (ncsi.fritz.box)	Status: Up
Host: 192.168.1.21 (ncsi.fritz.box)	Status: Timeout
Host: 192.168.1.53 (pihole.fritz.box)	Status: Up
Host: 192.168.1.53 (pihole.fritz.box)	Ports: 22/open/tcp//ssh///, 53/open/tcp//domain///, 80/open/tcp//http///	Ignored State: closed (97)
# Nmap done at Tue Mar 25 13:48:52 2025 -- 1024 IP addresses (3 hosts up) scanned in 10.03 seconds

As you can track neither existence nor presence by checking DNS entries, what is the purpose of doing those reverse lookups for all IPs every other minute, regardless of whether they are active or not?

Are reverse lookup results matched against certain conditions? Which conditions?
What events would get triggered if a condition is met?
Would those events require action on your part? Which actions?

But this may all be beside your Max concurrent issue.
I wasn't able to trigger that message on my RPi 3A, so I am still reasonably confident that your observation wasn't caused by your nmap tracking, especially since you've confirmed you are not using Pi-hole as your router's upstream.
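The comparison made in this reply and the point raised earlier that reverse lookups only return records a DNS server holds, as an added example (not code from the post or from nmap): a small parser for nmap's grepable (-oG) output that extracts live hosts, names and open ports from both scans quoted above, checks that the set of live hosts is the same with and without -R, and derives the only reverse lookups that would be worth issuing at all, namely those for addresses that actually answered. The two scan texts are the ones from the post; nothing else is assumed.

```python
"""Parse nmap -oG output and compare a -R scan with a plain one (added example, not nmap code)."""
import re

# Both scans below are copied from the post above, tabs restored between fields.
SCAN_WITH_PTR = """\
# Nmap 7.70 scan initiated Tue Mar 25 13:47:51 2025 as: nmap -oG - -F -T4 -R --host-timeout 5s 192.168.1.0/22
Host: 192.168.1.1 (fritz.box)\tStatus: Up
Host: 192.168.1.1 (fritz.box)\tPorts: Ignored State: closed (100)
Host: 192.168.1.21 (ncsi.fritz.box)\tStatus: Up
Host: 192.168.1.21 (ncsi.fritz.box)\tStatus: Timeout
Host: 192.168.1.53 (pihole.fritz.box)\tStatus: Up
Host: 192.168.1.53 (pihole.fritz.box)\tPorts: 22/open/tcp//ssh///, 53/open/tcp//domain///, 80/open/tcp//http///\tIgnored State: closed (97)
# Nmap done at Tue Mar 25 13:48:10 2025 -- 1024 IP addresses (4 hosts up) scanned in 19.53 seconds
"""

SCAN_WITHOUT_PTR = """\
# Nmap 7.70 scan initiated Tue Mar 25 13:48:37 2025 as: nmap -oG - -F -T4 --host-timeout 5s 192.168.1.0/22
Host: 192.168.1.1 (fritz.box)\tStatus: Up
Host: 192.168.1.1 (fritz.box)\tPorts: Ignored State: closed (100)
Host: 192.168.1.21 (ncsi.fritz.box)\tStatus: Up
Host: 192.168.1.21 (ncsi.fritz.box)\tStatus: Timeout
Host: 192.168.1.53 (pihole.fritz.box)\tStatus: Up
Host: 192.168.1.53 (pihole.fritz.box)\tPorts: 22/open/tcp//ssh///, 53/open/tcp//domain///, 80/open/tcp//http///\tIgnored State: closed (97)
# Nmap done at Tue Mar 25 13:48:52 2025 -- 1024 IP addresses (3 hosts up) scanned in 10.03 seconds
"""

HOST_LINE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")
# port/state/protocol/owner/service/rpc-info/version, as written by -oG
PORT_ENTRY = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")


def parse_grepable(text: str) -> dict[str, dict]:
    """Return {ip: {"name": ..., "statuses": [...], "ports": [...]}} for every Host: line."""
    hosts: dict[str, dict] = {}
    for line in text.splitlines():
        match = HOST_LINE.match(line)
        if not match:
            continue                                 # comment / summary lines
        ip, name, rest = match.groups()
        entry = hosts.setdefault(ip, {"name": name, "statuses": [], "ports": []})
        for field in rest.split("\t"):
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["statuses"].append(value)
            elif key == "Ports":                     # "Ignored State: ..." yields no entries
                entry["ports"].extend(
                    f"{port}/{proto}/{service}"
                    for port, state, proto, service in PORT_ENTRY.findall(value)
                    if state == "open")
    return hosts


def hosts_up(scan: dict[str, dict]) -> set[str]:
    """A host counts as live if any of its Status fields said Up."""
    return {ip for ip, entry in scan.items() if "Up" in entry["statuses"]}


def compare_scans(with_ptr: dict[str, dict], without_ptr: dict[str, dict]) -> tuple[bool, dict[str, str]]:
    """(same live hosts?, names the -R scan produced that the plain scan lacks)."""
    up_a, up_b = hosts_up(with_ptr), hosts_up(without_ptr)
    extra_names = {ip: with_ptr[ip]["name"] for ip in up_a
                   if with_ptr[ip]["name"] and not without_ptr.get(ip, {}).get("name")}
    return up_a == up_b, extra_names


def ptr_targets(scan: dict[str, dict]) -> list[str]:
    """Reverse lookups worth issuing: only addresses that were actually up, in address order."""
    return sorted(hosts_up(scan), key=lambda ip: tuple(int(octet) for octet in ip.split(".")))


if __name__ == "__main__":
    a, b = parse_grepable(SCAN_WITH_PTR), parse_grepable(SCAN_WITHOUT_PTR)
    print("same live hosts:", compare_scans(a, b))
    print("PTR targets:", ptr_targets(b))
```

Both scans yield the same three live hosts and the same names, which is what the post shows: the extra 1021 reverse lookups that -R sends for addresses that never answered add nothing but time. Feeding `ptr_targets()` to a resolver instead of scanning the whole range for PTRs is the "active IPs only" behaviour asked about above.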

You can program almost anything in HomeAssistant. You just need an object to monitor. Objects in HomeAssistant are called entities, among other things.
A simple example: There was once a device called device2 active on the network that received an IP address from the DHCP server and thus registered with the DNS server.
Now you could instruct HomeAssistant to monitor the network to see when the device reappears and then trigger something, such as sending you a message.

So you need an entity for the DNS server entry.
