Pi.hole hostname shows as top client

I moved my Raspbian OS to a new Raspberry Pi Zero 2 W board. I just moved the SD card into the new Pi and that's it. I issued pihole -r because the IP changed. I also redid the steps for configuring unbound following the steps from the documentation link. What I did manually was to edit the domain_name_servers= in the /etc/dhcpcd.conf file because the nameserver value wasn't propagating to that file.

Expected Behaviour:

pi.hole hostname shouldn't issue so many queries. I added some print screens as well.

  • Raspbian OS Bullseye
  • Raspberry Pi Zero 2 W

Actual Behaviour:

After letting it run for a few hours I see in the dashboard that the top client that is making queries is the pi.hole hostname, which is the Raspberry Pi itself. I find this weird because I didn't change anything in the configuration, I just swapped the SD card and reconfigured to use the new IP provided by my router. And before this change the pi.hole hostname wasn't showing up in the "Top clients" list.
Another issue is that I see a :: client showing up in the clients panel.

Network table showing the :: client.


Clients list

Debug Token:

https://tricorder.pi-hole.net/wPPHhDno/

Could you also share whether your Pi-hole's 192.168.5.18 or its virtual :: is accountable for the 2,603 requests topping the list?
Hovering over the pi.hole name in that line from your dashboard's Top Clients should reveal that information.

That :: virtually is your pi.hole, as the network table states.

If you had DNSSEC enabled, that would nicely explain why you would see quite a few requests of types DS and DNSKEY originating from your Pi-hole.
You could use the following command to see some examples for that:

 grep dnssec-query /var/log/pihole.log

Visibility of those types of requests in the Query Log was added with the release of Pi-hole FTL v5.9, Web v5.6 and Core v5.4.

For an in-depth explanation of Pi-hole's inner DNSSEC workings, see also Understanding DNSSEC validation using Pi-hole's Query Log.

If your requests do not seem to be associated with DNSSEC, please share some lines from your debug log. A command like the following may help you with that:
(please adjust as necessary)

grep "from 192.168.5.18" /var/log/pihole.log

Now it shows only one request coming either from pi.hole or localhost and it's related to a domain that is written below in the post.

Yes, I had DNSSEC enabled for a few hours... I forgot about that. So that would explain the increased number of queries coming from Pi-hole?
I disabled it after seeing that almost all of the queries were marked as INSECURE so I didn't see any benefit using it, even though it should be better to use it.
I used the grep dnssec-query /var/log/pihole.log command but it doesn't output anything. That's because I disabled using DNSSEC, I assume.

I used the grep command and I found some troubling queries for some domains that I definitely didn't search for. The output of the command shows just one query. But I looked directly in the file and copied a few more lines. These queries are coming directly from the Raspberry Pi but I'm not using it actively, what I want to say, I'm not using it for browsing the web.

Jan 19 09:17:56 dnsmasq[31591]: query[A] despicablereporthusband.com from 127.0.0.1
Jan 19 09:17:57 dnsmasq[31591]: gravity blocked despicablereporthusband.com is 0.0.0.0
Jan 19 09:17:57 dnsmasq[31591]: query[A] despicablereporthusband.com from 192.168.5.18
Jan 19 09:17:57 dnsmasq[31591]: gravity blocked despicablereporthusband.com is 0.0.0.0
Jan 19 09:17:59 dnsmasq[31591]: query[AAAA] online-potwierdzenie.life from ::1
Jan 19 09:17:59 dnsmasq[31591]: gravity blocked online-potwierdzenie.life is ::
Jan 19 09:17:59 dnsmasq[31591]: query[AAAA] online-potwierdzenie.life from fe80::220e:31fb:80d3:447a
Jan 19 09:17:59 dnsmasq[31591]: gravity blocked online-potwierdzenie.life is ::

Those queries were not issued by me but somehow they came from the Raspberry Pi's IP. I'm a bit concerned because those are some weird domains and I don't understand why the Pi issued them.

Yes, it would, with pi.hole (::) as origin.

Nothing to worry about :wink:
Those are the very domains Pi-hole's debug script has used to verify Pi-hole is correctly blocking domains (note that it will randomly pick different blocked domains for each run):

*** [ DIAGNOSING ]: Name resolution (IPv4) using a random blocked domain and a known ad-serving domain
[✓] despicablereporthusband.com is 0.0.0.0 on lo (127.0.0.1)
[✓] despicablereporthusband.com is 0.0.0.0 on wlan0 (192.168.5.18)
[✓] doubleclick.com is 142.250.180.206 via a remote, public DNS server (8.8.8.8)

Jesus Christ those are weird domain names. :sweat_smile:
So to conclude, the increased query requests coming from the Pi-hole IP were because of the DNSSEC requests, which is to be expected. So I'm going to leave that alone so I don't get my hands tangled in weird things I don't fully understand.
Thank you again for your help @Bucking_Horn!
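
The triage done by hand in this thread (grepping /var/log/pihole.log for the Pi-hole's own addresses and for dnssec-query lines), as an added example that is not part of any post: it counts, per domain, the queries that came from the host's own addresses and marks whether gravity blocked them. LOCAL_ADDRS, the function names and the last five sample log lines are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): which queries did the Pi-hole host itself make?
# LOCAL_ADDRS is an assumption: the host's own addresses as seen in the thread's log.
LOCAL_ADDRS="127.0.0.1 ::1 192.168.5.18 fe80::220e:31fb:80d3:447a"

# Sample input: the first eight lines are the excerpt from the thread,
# the last five are constructed for this example.
sample_log() {
cat <<'EOF'
Jan 19 09:17:56 dnsmasq[31591]: query[A] despicablereporthusband.com from 127.0.0.1
Jan 19 09:17:57 dnsmasq[31591]: gravity blocked despicablereporthusband.com is 0.0.0.0
Jan 19 09:17:57 dnsmasq[31591]: query[A] despicablereporthusband.com from 192.168.5.18
Jan 19 09:17:57 dnsmasq[31591]: gravity blocked despicablereporthusband.com is 0.0.0.0
Jan 19 09:17:59 dnsmasq[31591]: query[AAAA] online-potwierdzenie.life from ::1
Jan 19 09:17:59 dnsmasq[31591]: gravity blocked online-potwierdzenie.life is ::
Jan 19 09:17:59 dnsmasq[31591]: query[AAAA] online-potwierdzenie.life from fe80::220e:31fb:80d3:447a
Jan 19 09:17:59 dnsmasq[31591]: gravity blocked online-potwierdzenie.life is ::
Jan 19 09:18:01 dnsmasq[31591]: query[A] example.org from 192.168.5.20
Jan 19 09:18:01 dnsmasq[31591]: forwarded example.org to 127.0.0.1#5335
Jan 19 09:18:01 dnsmasq[31591]: dnssec-query[DS] org to 127.0.0.1#5335
Jan 19 09:18:02 dnsmasq[31591]: query[A] example.net from 127.0.0.1
Jan 19 09:18:02 dnsmasq[31591]: forwarded example.net to 127.0.0.1#5335
EOF
}

# Per domain queried from a local address: "<count> <domain> <blocked|not-blocked>".
self_query_summary() {
  awk -v locals="$LOCAL_ADDRS" '
    BEGIN { n = split(locals, a, " "); for (i = 1; i <= n; i++) is_local[a[i]] = 1 }
    $5 ~ /^query\[/ && $7 == "from" && ($8 in is_local) { hits[$6]++ }
    $5 == "gravity" && $6 == "blocked" { blocked[$7] = 1 }
    END {
      for (d in hits)
        printf "%d %s %s\n", hits[d], d, ((d in blocked) ? "blocked" : "not-blocked")
    }
  ' | LC_ALL=C sort -k2
}

# Number of upstream DNSSEC lookups (DS/DNSKEY) logged by dnsmasq.
dnssec_query_count() {
  grep -c 'dnssec-query\[' || true
}

# Use the log given as first argument, otherwise the embedded sample.
if [ -n "${1:-}" ]; then
  self_query_summary < "$1"
else
  sample_log | self_query_summary
fi
```

Pass the log path as the first argument to run it against a real log instead of the sample.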
