Pi-hole Reverse DNS queries every hour

I recently updated to Pi-Hole v5.2 and FTL v5.3.1.
After that update, I am seeing in my logs that every hour at the top of the hour, the localhost, my Raspberry Pi4, is making about ~1,290 Reverse DNS queries. This starts literally at the top of each hour and lasts for about the first 30 seconds.
I did notice that Pi-Hole is showing that it is listening on IPV6 although I turned off IPV6 on Pi-Hole as well as on my router. When I run pihole -d I see that it shows two IPV6 addresses with "does not match the IP found in /etc/pihole/setupVars.conf" after it and then a link to (Use IPv6 ULA addresses for Pi-hole) but my router does not have the option to use ULA (not sure what that is...). I am not sure if this is what is causing it or just a different issue altogether.

Here is my debug log

https://tricorder.pi-hole.net/w8t9oydzm3

Thanks for any help you can provide!

Pi-hole is making PTR requests once per hour for all recently (last two hours) active clients. How many active clients does the dashboard show and does this number make sense to you?

How do I check for only things from the past two hours?
The only way I know how to do this was just to go to tools -> network and then sort by last query. I have around roughly 40 - 50 and that lines up with what my router shows but not sure if there's a more precise way to check?

Hello,
Same issue for me: Pi-hole seems to query for PTR all the time.
"Never forward reverse lookup for private IP range" is checked, "Conditional forwarding" is unchecked, Tricorder -> ry472gri1k

Regards,

Check the conditional forwarding format in setupVars.conf

Same for me here, before the update I've had 42 localhost queries every hour, now with the latest version there are more than 2500 every hour.

Here is my debug token:
https://tricorder.pi-hole.net/60glqkykzv

@drewski
conditional forwarding is set to false in my setupVars.conf

Do you have any Apple computers or devices on your network?

Hello Dan. No Apple device on my network.
Drewski: My /etc/pihole/setupVars.conf looks good:

WEBPASSWORD=aBcD...
BLOCKING_ENABLED=true
ADMIN_EMAIL=my@email.com
WEBUIBOXEDLAYOUT=boxed
WEBTHEME=default-light
PIHOLE_INTERFACE=eth0
IPV4_ADDRESS=192.168.1.253/24
IPV6_ADDRESS=2a01:AAAA:BBBB:CCCC:DDDD:4cd5:47ee:c2a1
QUERY_LOGGING=true
INSTALL_WEB_SERVER=true
INSTALL_WEB_INTERFACE=true
LIGHTTPD_ENABLED=true
CACHE_SIZE=10000
DNSMASQ_LISTENING=single
PIHOLE_DNS_1=127.0.0.1#5335
DNS_FQDN_REQUIRED=true
DNS_BOGUS_PRIV=true
DNSSEC=false
REV_SERVER=false

It looks like you have a LOT of IPv6 reverse lookups happening. Do you have a lot of clients listed on the Network tab/section of the admin interface?

@DL6ER It looks like Pi-hole is answering IPv4 arpa from cache, but IPv6 arpa are being forwarded to upstream and coming back as NXDOMAIN. It doesn't appear that conditional forwarding is in use.

@vincent can you run pihole -d and post the URL token for us?

The common theme I'm seeing here is IPv6 globally unique addresses being used which is not a good practice for a LAN DNS server.

All the clients in the network page are well identified. But some of them get regularly new ipv6 addresses. I guess this is the normal behaviour of my router.

https://tricorder.pi-hole.net/ry472gri1k

This looks like correct behavior. What Pi-hole does is exactly equivalent to

dig -x <IPv6-address>

If the local FTL instance doesn't know the answer it will ask upstream. With conditional forwarding, this can be limited to not doing so for subnets (works equally well for IPv4 and IPv6), however, the default behavior is to send unknown PTRs upstream.

Hi Dan,
yes, two MacBooks and an iPhone

If there are IPv6 addresses that have queried Pi-hole and you want to know the hostname associated to that IPv6 address then I think this is what you are going to see. Pi-hole doesn't have any way to know if a host has changed its IPv6 address after it used Pi-hole. I know the recent Apple iOS added security features that change IPv6 addresses to prevent identification and this is preventing us from identifying the clients.

It's up to you to decide if you want to disable those features or disable IPv6 until you can find a setup that works for your particular needs. I personally don't see a need for global IPv6 addressing on a LAN segment but that viewpoint has caused a number of IPv6 fans to call me various names and slurs so I now leave that decision up to the user.

Yes, I'm with you about the IPV6 in a small LAN. The irritating thing for me is that these Localhost queries started after the Pihole update yesterday. None of the Apple devices has gotten an update.

Hi Dan, so I'm not too network savvy (just good at following guides and directions). So I have disabled ipv6 on my router as well as done pihole -r to reconfigure and deselected ipv6. However my diagnostic token shows that it's listening on ipv6.
Are you saying that this original issue I mentioned would be resolved if I disabled ipv6? If so, how can I ensure that happens? Like I said I thought I did that already but it seems something isn't sticking because if you look at my original post I saw in the diagnostic that pi-hole is listening on two IPV6 addresses but it's saying it doesn't match.

That's a detection to see when things are not listening when we expect them to. It's okay to be listening when there are no queries being sent. (It's listening on the IPv6 loopback address that always exists unless you disable IPv6 in the Linux kernel.)

Edit: Listening on fe80 is fine, that's an internal address called a link-local, it's similar to 127.0.0.1 in IPv4 land.

So I show two under "IPv6 address(es) bound to the eth0 interface:". I see the fe80 like you mentioned as well as a fddb address. This should be reflected in the debug log.

So all that to say, what can/should I do to stop this practice of the pi-hole running these reverse DNS requests every hour?

I also have many Apple devices, but I have turned off "Private Address" for all of them.

You also recommended that I disable IPV6 when I asked about getting odd BOGUS results when DNSSEC is turned on (Getting BOGUS results only from specific domains - #2 by Coro). Apologies for not following up, but I ended up just turning off DNSSEC since turning off IPV6 on my router and Pi-Hole did not help.

I am also seeing this behaviour since (and only since) updating to the latest release two days ago.

The graph below gives an indication of the changed behaviour:

The PTR requests from the Pi-hole that spike every hour are both on IPv4 as well as IPv6 - in fact the majority are for IPv4. Edit: Correction - while the majority are from the IPv4 localhost (127.0.0.1), they are primarily for IPv6 addresses. The fact that this only started after updating Pi-hole suggests to me that something is not quite right with the update. I don't accept that the solution is to turn off IPv6 - that is a bandaid at best.

The behaviour renders the query log graphs mostly useless as the Pi-hole PTR requests dwarf everything else. Worse, anecdotally there is degraded network performance when these spikes occur - presumably because the pi-hole gets overloaded with queries and therefore DNS resolution is affected.

It would be greatly appreciated if this could be looked into.

2 Likes
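
To see what the hourly burst discussed in this thread is made of, the following added example (not part of the thread and not Pi-hole's own code) counts PTR queries sent by the Pi-hole host itself per hour, and turns each `in-addr.arpa` / `ip6.arpa` name back into the address that `dig -x` would have been given so it can be grouped as IPv4, link-local, ULA or global IPv6. It assumes the dnsmasq-style `query[PTR] <name> from <client>` log lines; the sample log, the addresses and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

ULA = ipaddress.ip_network("fc00::/7")  # unique local addresses (fd.. in practice)
QUERY = re.compile(r"^(\w{3}\s+\d+ \d{2}):\d{2}:\d{2} dnsmasq\[\d+\]: query\[PTR\] (\S+) from (\S+)")

def ptr_to_address(name):
    """Reverse of `dig -x`: full PTR name -> address, or None for anything else."""
    labels = name.rstrip(".").lower().split(".")
    try:
        if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
            return ipaddress.IPv4Address(".".join(reversed(labels[:4])))
        if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
            return ipaddress.IPv6Address(int("".join(reversed(labels[:32])), 16))
    except ValueError:  # labels that are not valid octets or hex nibbles
        pass
    return None

def scope(addr):
    if addr.version == 4:
        return "ipv4"
    if addr.is_link_local:  # fe80::/10
        return "ipv6-link-local"
    return "ipv6-ula" if addr in ULA else "ipv6-global"

def ptr_bursts(log_text, client="127.0.0.1"):
    """Count PTR queries sent by `client`, keyed by (hour, address scope)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = QUERY.match(line)
        if m and m.group(3) == client:
            addr = ptr_to_address(m.group(2))
            counts[(m.group(1), scope(addr) if addr else "other")] += 1
    return counts

def sample_line(ts, addr, client="127.0.0.1"):
    return f"{ts} dnsmasq[612]: query[PTR] {ipaddress.ip_address(addr).reverse_pointer} from {client}"

# Constructed sample; 2001:db8::/32 (documentation prefix) stands in for a global address.
SAMPLE_LOG = "\n".join([
    sample_line("Nov 20 10:00:01", "192.168.1.20"),
    sample_line("Nov 20 10:00:01", "2001:db8:aaaa:1:4cd5:47ee:c2a1:9f03"),
    sample_line("Nov 20 10:00:02", "fd00::25"),
    sample_line("Nov 20 10:00:03", "fe80::1"),
    sample_line("Nov 20 10:14:40", "192.168.1.1", client="192.168.1.20"),  # LAN client
    sample_line("Nov 20 11:00:01", "2001:db8:aaaa:1::77"),
])
print(sorted(ptr_bursts(SAMPLE_LOG).items()))
```

A large `ipv6-global` count in the top-of-hour bucket points at clients with changing global IPv6 addresses, which is the pattern several posters describe.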