Pi-hole generates a lot of data traffic

Help
#1

Hi guys,

I have been a happy Pi-hole user for a year now. The Pi-hole runs exclusively (i.e. no other services run) on a raspberry pi 1b+ connected over cable to my Asus router. All DNS requests are routed through the Pi-hole.

I have recently started observing that the Pi-hole is generating gigabytes of DNS data volume on a daily basis. I cannot remember having seen this behavior in the past; also my parents' Pi-hole only generates a few MB a day. Thinking that I might have broken the raspberry pi OS, I reinstalled it today, updated it, installed Pi-hole and the "problem" is still there.

My question is: is this normal? What is your experience?

Thank you and best regards
Tim

#2

Pi-hole itself should not generate any DNS volume to external DNS servers by itself. Hourly, Pi-hole polls your internal network for client names, but that should be just a few queries.

Clients that use Pi-hole for DNS can generate essentially unlimited DNS traffic, but this would be highly unusual, particularly if you are seeing gigabytes daily.

Where are you seeing this high data volume reported?

Also, please generate a debug log, upload it when prompted and post the token here.

#3

Thank you for the quick response. I generated a debug log and uploaded it:
https://tricorder.pi-hole.net/gas9wi04xz

The information I get is from my router. I have uploaded a screenshot here: https://s12.directupload.net/images/210110/ng4qd7l3.png

To verify this data volume, I also run "watch -n1 -d ip -s link show eth0" on the raspberry and got this:

Are you able to spot the problem?

#4

I don't think this is DNS traffic, but let's check. What are the outputs of the following commands from the Pi terminal:

echo ">stats >quit" | nc localhost 4711

cat /etc/resolv.conf

#5 
echo ">stats >quit" | nc localhost 4711
domains_being_blocked 58501
dns_queries_today 9251
ads_blocked_today 2297
ads_percentage_today 24.829748
unique_domains 1648
queries_forwarded 5874
queries_cached 1080
clients_ever_seen 3
unique_clients 3
dns_queries_all_types 9251
reply_NODATA 247
reply_NXDOMAIN 24
reply_CNAME 1994
reply_IP 5903
privacy_level 0
status enabled

pi@raspberrypi:~ $ cat /etc/resolv.conf

# Generated by resolvconf
nameserver 192.168.1.1
#6

The volume you are seeing is not due to Pi-hole activity. The number of dns queries you show is very small (less than 10K). At 100 bytes each, that's 1 million bytes.

The Pi itself is using the router as nameserver, so the DNS queries from any other software running on the Pi is not going to Pi-hole. Even then, there is no way this is going to generate GB of DNS traffic.

#7

So, to sum up:

  • there is nothing unusual;
  • there is no reason to worry
  • the volume my router is reporting may be off

Am I interpreting your words correctly? If so, can you think of any other tests I can conduct or would you consider the case closed? Thank you so much for your support!

#8

Yes to all.

#11

Yes as far as Pi-hole's DNS server is concerned.

I may misread this as I am not familiar with the software generating those stats, but I wonder why your router screenshot would suggest that your Pi-hole host is establishing connections to Youtube, Amazon and Skype? Pi-hole would never contact those IPs.
Is that pic really showing Pi-hole traffic?

(Also note that in this forum, you can paste images directly into your posts - no need to upload and link them to a third party site. Saves some clicks as well. :wink: )

#12

Thank you for responding. I was also wondering why the router is showing this information.
Thank you also for your image hint – I am new to the forum :slight_smile:

Despite the suspicion that the ASUS Router is giving false information, there is one thing that still bothers me. The screenshot I posted yesterday clearly shows that the Pi-hole downloaded 18 MB which is not a lot but it still is about 20 times higher than jfb's estimation. I am, however, not sure if this traffic includes the "apt get update & upgrade" before installing Pi-hole or not, so I will keep an eye on it.

97fz5gws
97fz5gws1694×412 128 KB

#13

Pi-hole updates gravity every Sunday morning between 0300 and 0500 your local time. That process downloads domains from your subscribed adlists. This is not DNS traffic, it's a bit of data.

If you look in the log file, you will see the activity during that gravity update:

cat /var/log/pihole_updateGravity.log

#14

A post was split to a new topic: Data traffic from Pi-hole host