Multiple PTR requests from clients and pihole

I've noticed recently that there are a lot of PTR queries in my log, and I am not sure what they are, or why I now suddenly see them?
For example:

May 21 00:00:46 dnsmasq[3830]: query[PTR] 36.210.58.216.in-addr.arpa from 192.168.0.142
May 21 00:00:46 dnsmasq[3830]: forwarded 36.210.58.216.in-addr.arpa to 1.0.0.1
May 21 00:00:46 dnsmasq[3830]: dnssec-query[DS] 210.58.216.in-addr.arpa to 1.0.0.1
May 21 00:00:46 dnsmasq[3830]: reply 210.58.216.in-addr.arpa is no DS
May 21 00:00:46 dnsmasq[3830]: validation result is INSECURE
May 21 00:00:46 dnsmasq[3830]: reply 216.58.210.36 is lhr25s11-in-f4.1e100.net
May 21 00:00:46 dnsmasq[3830]: reply 216.58.210.36 is lhr25s11-in-f4.1e100.net
May 21 00:00:46 dnsmasq[3830]: reply 216.58.210.36 is lhr25s11-in-f36.1e100.net
May 21 00:00:46 dnsmasq[3830]: reply 216.58.210.36 is lhr25s11-in-f36.1e100.net

However, I also see PTR queries at semi-regular intervals from the pi-hole itself:

May 21 03:00:00 dnsmasq[3830]: query[PTR] 100.0.168.192.in-addr.arpa from 127.0.0.1
May 21 03:00:00 dnsmasq[3830]: DHCP 192.168.0.100 is rich-phone.local
May 21 03:00:00 dnsmasq[3830]: query[PTR] 142.0.168.192.in-addr.arpa from 127.0.0.1
May 21 03:00:00 dnsmasq[3830]: DHCP 192.168.0.142 is philips-tv.local
May 21 03:00:00 dnsmasq[3830]: query[PTR] 191.0.168.192.in-addr.arpa from 127.0.0.1
May 21 03:00:00 dnsmasq[3830]: DHCP 192.168.0.191 is HarmonyHub.local
May 21 03:00:00 dnsmasq[3830]: query[PTR] 128.0.168.192.in-addr.arpa from 127.0.0.1
May 21 03:00:00 dnsmasq[3830]: DHCP 192.168.0.128 is sky-box.local
May 21 03:00:00 dnsmasq[3830]: query[PTR] 111.0.168.192.in-addr.arpa from 127.0.0.1
May 21 03:00:00 dnsmasq[3830]: DHCP 192.168.0.111 is sonoff-sensor-node-lounge.local
May 21 03:00:00 dnsmasq[3830]: query[PTR] 48.0.168.192.in-addr.arpa from 127.0.0.1
May 21 03:00:00 dnsmasq[3830]: DHCP 192.168.0.48 is sonoff1-bedside-lamp.local
May 21 03:00:00 dnsmasq[3830]: query[PTR] 163.0.168.192.in-addr.arpa from 127.0.0.1
May 21 03:00:00 dnsmasq[3830]: DHCP 192.168.0.163 is sonoff-sensor-node-bedroom.local
May 21 03:00:00 dnsmasq[3830]: query[PTR] 3.0.168.192.in-addr.arpa from 127.0.0.1
May 21 03:00:00 dnsmasq[3830]: DHCP 192.168.0.3 is rich-laptop.local
May 21 03:00:00 dnsmasq[3830]: query[PTR] 1.0.0.1.in-addr.arpa from 127.0.0.1
May 21 03:00:01 dnsmasq[3830]: forwarded 1.0.0.1.in-addr.arpa to 1.0.0.1
May 21 03:00:01 dnsmasq[3830]: validation result is INSECURE
May 21 03:00:01 dnsmasq[3830]: reply 1.0.0.1 is one.one.one.one
May 21 03:00:01 dnsmasq[3830]: query[PTR] 1.1.1.1.in-addr.arpa from 127.0.0.1
May 21 03:00:01 dnsmasq[3830]: forwarded 1.1.1.1.in-addr.arpa to 1.0.0.1
May 21 03:00:01 dnsmasq[3830]: validation result is INSECURE
May 21 03:00:01 dnsmasq[3830]: reply 1.1.1.1 is one.one.one.one

If I understand fully, the queries from Pihole are asking for the device names?
But I'm not sure why, for example, client 192.168.0.142 is making the queries all of a sudden (it's a Philips smart TV). What does the insecure validation result mean?
I'm a little concerned / confused as to what is happening here.
I ran pihole -d, but when I choose yes to upload to tricorder, I receive an error message:
There was an error uploading your debug log
Also been having problems with my unbound install, could there be any relation?
No changes to hardware or setup etc., and I updated to the latest Pi-hole yesterday, along with a sudo apt update && sudo apt upgrade.
The only update I have not done is dist-upgrade.

This IP (216.58.210.36) is registered to Google, so some function of the device wants to know the name of that IP address.

NetRange:       216.58.192.0 - 216.58.223.255
CIDR:           216.58.192.0/19
NetName:        GOOGLE
NetHandle:      NET-216-58-192-0-1
Parent:         NET216 (NET-216-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS15169
Organization:   Google LLC (GOGL)
RegDate:        2012-01-27
Updated:        2012-01-27
Ref:            https://rdap.arin.net/registry/ip/216.58.192.0

OrgName:        Google LLC
OrgId:          GOGL
Address:        1600 Amphitheatre Parkway
City:           Mountain View
StateProv:      CA
PostalCode:     94043
Country:        US
RegDate:        2000-03-30
Updated:        2018-10-24

Using unbound for a reverse dig:

dig -x 216.58.210.36

; <<>> DiG 9.10.3-P4-Raspbian <<>> -x 216.58.210.36
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16966
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;36.210.58.216.in-addr.arpa. IN PTR

;; ANSWER SECTION:
36.210.58.216.in-addr.arpa. 86400 IN PTR lhr25s11-in-f4.1e100.net.
36.210.58.216.in-addr.arpa. 86400 IN PTR lhr25s11-in-f36.1e100.net.
36.210.58.216.in-addr.arpa. 86400 IN PTR lhr25s11-in-f36.1e100.net.
36.210.58.216.in-addr.arpa. 86400 IN PTR lhr25s11-in-f4.1e100.net.

;; Query time: 983 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue May 21 10:50:03 CDT 2019
;; MSG SIZE rcvd: 151

Do you have DNSSEC enabled on your Pi-Hole? If so, disable that, as it is not needed when you do DNSSEC with unbound.

Interesting that my TV is querying Google?!
Why are they showing as PTR requests?
I've never seen this before.

In regards to unbound, I disabled DNSSEC (unticked the box) and set a custom DNS as per the guide, and I see constant SERVFAIL errors, effectively rendering my internet connection dead.
If I choose 'regular' upstream DNS servers, such as Cloudflare and enable DNSSEC, everything works as expected.
If I use a custom DNS in pihole settings, and add the below to unbound config, it works. No errors

forward-zone:
    name: "."
    forward-addr: 1.1.1.1
    forward-addr: 1.0.0.1

The TV isn't querying Google (as in "get me the IP address of google.com"), it is looking for the name of the domain at the IP address shown in the PTR request.

TVs generally have a poorly implemented OS, so it's hard to say why the TV is looking for this information.

1 Like

Typically what a pointer record helps with is a client that has an IP address that it knows, like 8.8.8.8, but needs to be able to display the name for the user to see, like google.com. PTRs are reversed because the process is reversed: instead of knowing a domain name and looking for the IP, it knows the IP and needs to find the domain name.

2 Likes
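The following is an added example, not part of any post in this thread: a small Python script that pulls the `query[PTR]` lines out of a dnsmasq log, decodes each reversed `in-addr.arpa` / `ip6.arpa` name back to the address being asked about, and groups the lookups by requesting client so that Pi-hole's own lookups (from 127.0.0.1) are separated from those of devices such as the TV. The function names `arpa_to_ip` and `summarize_ptr` are hypothetical, and the sample log is built from lines quoted above plus one constructed A query.

```python
import ipaddress
import re
from collections import defaultdict

# Sample input: lines quoted in this thread, plus one constructed A query.
SAMPLE_LOG = """\
May 21 00:00:46 dnsmasq[3830]: query[PTR] 36.210.58.216.in-addr.arpa from 192.168.0.142
May 21 00:00:46 dnsmasq[3830]: forwarded 36.210.58.216.in-addr.arpa to 1.0.0.1
May 21 03:00:00 dnsmasq[3830]: query[PTR] 100.0.168.192.in-addr.arpa from 127.0.0.1
May 21 03:00:00 dnsmasq[3830]: DHCP 192.168.0.100 is rich-phone.local
May 21 03:00:01 dnsmasq[3830]: query[PTR] 1.1.1.1.in-addr.arpa from 127.0.0.1
May 21 03:00:02 dnsmasq[3830]: query[A] example.com from 192.168.0.3
"""

PTR_QUERY = re.compile(r"query\[PTR\] (\S+) from (\S+)")

def arpa_to_ip(name):
    """Decode a reverse-lookup name (IPv4 or IPv6) to the address it asks about."""
    labels = name.rstrip(".").lower().split(".")
    try:
        if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
            return ipaddress.IPv4Address(".".join(reversed(labels[:-2])))
        if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
            return ipaddress.IPv6Address(int("".join(reversed(labels[:-2])), 16))
    except ValueError:
        pass
    return None  # partial zone (e.g. the DS query for a /24) or malformed name

def summarize_ptr(log_text):
    """Group PTR lookups by requesting client; tag each target local or public."""
    summary = defaultdict(list)
    for line in log_text.splitlines():
        m = PTR_QUERY.search(line)
        if not m:
            continue  # forwarded/reply/DHCP lines and non-PTR queries
        name, client = m.groups()
        target = arpa_to_ip(name)
        if target is None:
            scope = "undecodable"
        elif target.is_private or target.is_loopback:
            scope = "local"
        else:
            scope = "public"
        summary[client].append((str(target) if target else name, scope))
    return dict(summary)

if __name__ == "__main__":
    for client, lookups in summarize_ptr(SAMPLE_LOG).items():
        print(client, lookups)
```
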

Ah ok, makes sense on the TV, the OS is rather clunky.
Why would pihole all of a sudden need to start querying the names of my clients? All have static IPs assigned, with pihole acting as DHCP.

They most likely have always been happening on the network, it wasn't until a recent release that we actually displayed the queries. Previously we only displayed A and AAAA queries.

Ah ok, did not know that! Did it not log them at all? Anywhere?
Any thoughts on the unbound issue?

The non-A or AAAA queries were not processed by FTL, but were still resolved by dnsmasq. I don't use unbound, so not sure about that issue.

I don't think so. Your unbound installation is not working, but this is a separate piece of software from Pi-Hole and unrelated to your PTR requests.

OK, I guess the last thing I can try is a dist-upgrade.
Failing that, I will revert back to using the standard upstreams.