I've noticed recently that there are a lot of PTR queries in my log, and I am not sure what they are, or why I now suddenly see them?
For example:
May 21 00:00:46 dnsmasq[3830]: query[PTR] 36.210.58.216.in-addr.arpa from 192.168.0.142
May 21 00:00:46 dnsmasq[3830]: forwarded 36.210.58.216.in-addr.arpa to 1.0.0.1
May 21 00:00:46 dnsmasq[3830]: dnssec-query[DS] 210.58.216.in-addr.arpa to 1.0.0.1
May 21 00:00:46 dnsmasq[3830]: reply 210.58.216.in-addr.arpa is no DS
May 21 00:00:46 dnsmasq[3830]: validation result is INSECURE
May 21 00:00:46 dnsmasq[3830]: reply 216.58.210.36 is lhr25s11-in-f4.1e100.net
May 21 00:00:46 dnsmasq[3830]: reply 216.58.210.36 is lhr25s11-in-f4.1e100.net
May 21 00:00:46 dnsmasq[3830]: reply 216.58.210.36 is lhr25s11-in-f36.1e100.net
May 21 00:00:46 dnsmasq[3830]: reply 216.58.210.36 is lhr25s11-in-f36.1e100.net
However, I also see PTR queries at semi-regular intervals from the Pi-hole itself:
May 21 03:00:00 dnsmasq[3830]: query[PTR] 100.0.168.192.in-addr.arpa from 127.0.0.1
May 21 03:00:00 dnsmasq[3830]: DHCP 192.168.0.100 is rich-phone.local
May 21 03:00:00 dnsmasq[3830]: query[PTR] 142.0.168.192.in-addr.arpa from 127.0.0.1
May 21 03:00:00 dnsmasq[3830]: DHCP 192.168.0.142 is philips-tv.local
May 21 03:00:00 dnsmasq[3830]: query[PTR] 191.0.168.192.in-addr.arpa from 127.0.0.1
May 21 03:00:00 dnsmasq[3830]: DHCP 192.168.0.191 is HarmonyHub.local
May 21 03:00:00 dnsmasq[3830]: query[PTR] 128.0.168.192.in-addr.arpa from 127.0.0.1
May 21 03:00:00 dnsmasq[3830]: DHCP 192.168.0.128 is sky-box.local
May 21 03:00:00 dnsmasq[3830]: query[PTR] 111.0.168.192.in-addr.arpa from 127.0.0.1
May 21 03:00:00 dnsmasq[3830]: DHCP 192.168.0.111 is sonoff-sensor-node-lounge.local
May 21 03:00:00 dnsmasq[3830]: query[PTR] 48.0.168.192.in-addr.arpa from 127.0.0.1
May 21 03:00:00 dnsmasq[3830]: DHCP 192.168.0.48 is sonoff1-bedside-lamp.local
May 21 03:00:00 dnsmasq[3830]: query[PTR] 163.0.168.192.in-addr.arpa from 127.0.0.1
May 21 03:00:00 dnsmasq[3830]: DHCP 192.168.0.163 is sonoff-sensor-node-bedroom.local
May 21 03:00:00 dnsmasq[3830]: query[PTR] 3.0.168.192.in-addr.arpa from 127.0.0.1
May 21 03:00:00 dnsmasq[3830]: DHCP 192.168.0.3 is rich-laptop.local
May 21 03:00:00 dnsmasq[3830]: query[PTR] 1.0.0.1.in-addr.arpa from 127.0.0.1
May 21 03:00:01 dnsmasq[3830]: forwarded 1.0.0.1.in-addr.arpa to 1.0.0.1
May 21 03:00:01 dnsmasq[3830]: validation result is INSECURE
May 21 03:00:01 dnsmasq[3830]: reply 1.0.0.1 is one.one.one.one
May 21 03:00:01 dnsmasq[3830]: query[PTR] 1.1.1.1.in-addr.arpa from 127.0.0.1
May 21 03:00:01 dnsmasq[3830]: forwarded 1.1.1.1.in-addr.arpa to 1.0.0.1
May 21 03:00:01 dnsmasq[3830]: validation result is INSECURE
May 21 03:00:01 dnsmasq[3830]: reply 1.1.1.1 is one.one.one.one
If I understand fully, the queries from Pi-hole are asking for the device names?
But I'm not sure why, for example, client 192.168.0.142 is making the queries all of a sudden (it's a Philips smart TV). What does the insecure validation result mean?
I'm a little concerned / confused as to what is happening here.
I ran pihole -d, but when I choose yes to upload to tricorder, I receive an error message: There was an error uploading your debug log
Also been having problems with my unbound install, could there be any relation?
No changes to hardware or setup etc., and I updated to the latest Pi-hole yesterday, along with a sudo apt update && sudo apt upgrade.
The only update I have not done is dist-upgrade.
Interesting that my TV is querying Google?!
Why are they showing as PTR requests?
I've never seen this before.
In regards to unbound, I disabled DNSSEC (unticked the box) and set a custom DNS as per the guide, and I see constant SERVFAIL errors, effectively rendering my internet connection dead.
If I choose 'regular' upstream DNS servers, such as Cloudflare and enable DNSSEC, everything works as expected.
If I use a custom DNS in the Pi-hole settings, and add the below to the unbound config, it works. No errors.
The TV isn't querying Google (as in "get me the IP address of google.com"), it is looking for the name of the domain at the IP address shown in the PTR request.
TVs generally have a poorly implemented OS, so it's hard to say why the TV is looking for this information.
Typically what a pointer record helps with is a client that has an IP address that it knows, like 8.8.8.8, but needs to be able to display the name for the user to see, like google.com. PTRs are reversed because the process is reversed: instead of knowing a domain name and looking for the IP, it knows the IP and needs to find the domain name.
Ah ok, makes sense on the TV, the OS is rather clunky.
Why would Pi-hole all of a sudden need to start querying the names of my clients? All have static IPs assigned, with Pi-hole acting as DHCP.
They most likely have always been happening on the network, it wasn't until a recent release that we actually displayed the queries. Previously we only displayed A and AAAA queries.
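To see at a glance which client is reverse-resolving which address, the following added example (not code from this thread or from the Pi-hole project) undoes the reversed `in-addr.arpa` naming described above and pairs each PTR query with the answer dnsmasq logged for it. The function names are hypothetical, the sample log is constructed from lines quoted in the thread, and only IPv4 reverse names are handled.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample, modelled on the dnsmasq lines quoted in the thread.
SAMPLE_LOG = """\
May 21 00:00:46 dnsmasq[3830]: query[PTR] 36.210.58.216.in-addr.arpa from 192.168.0.142
May 21 00:00:46 dnsmasq[3830]: forwarded 36.210.58.216.in-addr.arpa to 1.0.0.1
May 21 00:00:46 dnsmasq[3830]: reply 216.58.210.36 is lhr25s11-in-f4.1e100.net
May 21 03:00:00 dnsmasq[3830]: query[PTR] 100.0.168.192.in-addr.arpa from 127.0.0.1
May 21 03:00:00 dnsmasq[3830]: DHCP 192.168.0.100 is rich-phone.local
May 21 03:00:01 dnsmasq[3830]: query[PTR] 1.1.1.1.in-addr.arpa from 127.0.0.1
May 21 03:00:01 dnsmasq[3830]: forwarded 1.1.1.1.in-addr.arpa to 1.0.0.1
May 21 03:00:01 dnsmasq[3830]: reply 1.1.1.1 is one.one.one.one
"""

QUERY = re.compile(r"query\[PTR\] (\S+) from (\S+)$")
ANSWER = re.compile(r"(reply|DHCP) (\S+) is (\S+)$")

def arpa_to_ip(name):
    """Turn '36.210.58.216.in-addr.arpa' back into '216.58.210.36'."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        raise ValueError("not an IPv4 reverse name: " + name)
    labels = name[:-len(suffix)].split(".")
    # The octets are stored least-significant first, so reverse them.
    return str(ipaddress.IPv4Address(".".join(reversed(labels))))

def summarize_ptr(log_text):
    """Map each client to the IPs it reverse-resolved, with scope and answer."""
    asked = []    # (client, ip) in log order
    answers = {}  # ip -> (source, name); first answer seen wins
    for line in log_text.splitlines():
        if m := QUERY.search(line):
            asked.append((m.group(2), arpa_to_ip(m.group(1))))
        elif m := ANSWER.search(line):
            answers.setdefault(m.group(2), (m.group(1), m.group(3)))
    report = defaultdict(list)
    for client, ip in asked:
        scope = "private" if ipaddress.ip_address(ip).is_private else "public"
        source, name = answers.get(ip, ("unanswered", None))
        report[client].append((ip, scope, source, name))
    return dict(report)

if __name__ == "__main__":
    for client, rows in summarize_ptr(SAMPLE_LOG).items():
        for row in rows:
            print(client, *row)
```

A source of `DHCP` means dnsmasq answered from its own lease table without contacting an upstream server, while `reply` means the answer came back from the forwarder.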