Pi-hole running hot + rate limiting

Help Community Help
1

The issue I am facing:
Over the weekend, I rebuilt my setup on a Pi 4 w/ a 64-bit version of Pi OS w/ recursive DNS via Unbound.

Upon rebooting, I'm finding that I immediately get warnings from DNSMASQ and the Tailscale IP assigned to the device gets rate-limited. In addition, the device seems to run hot frequently (~145 F).

I'm only using one additional list in addition to StevenBlack's master list, so I wouldn't have expected that this would generate quite as many requests.

I'm thinking about moving away from the recursive setup and using one of Cloudflare's resolvers - which I ran for several years in a prior setup and are generally fast - but wanted to know if there are config changes that might improve the conditions I'm seeing.

Details about my system:
Pi 4 w/ 64-bit Raspberry OS

Output of uname -a is the following:

Linux raspberrypi 6.6.20+rpt-rpi-v8 #1 SMP PREEMPT Debian 1:6.6.20-1+rpt1 (2024-03-07) aarch64 GNU/Linux

What I have changed since installing Pi-hole:

No changes to the standard setup except installing Unbound.

The debug token is provided for review.

2

I think this temperature is pretty normal for a Pi4. Even in idle it's quite high.
And: You use a Ferrari but just need a bicycle :slight_smile:

I use a Pi2+ running PiOS
Linux 6.6.16-v7+ #1732 SMP Tue Feb 13 13:08:08 GMT 2024 armv7l GNU/Linux
with PiHole + Unbound @ 40°C / 104°F

You can throttle down the system clock and/or use a cooling fan or metal case.

Cheers

1 Like
3

It very well could be normal - a concerning prospect - my recently decommissioned Pi 3 didn't exhibit this kind of behavior during the entire time I used it.

This particular board started out as a RetroPie and was in a case that included a fan in addition to the heatsinks, so I'll see if that makes a difference. The official Pi 4 case doesn't help much in this regard, but as I said, the 3 w/ the official case never gave me this particular trouble.

I'm also thinking Unbound may be more trouble than it's worth, as what was a 100 Mb/s connection is routinely in the 20's with tremendous latency (~500ms). Fortunately, reverting that change doesn't require taking the entire software stack apart and reassembling from scratch.

4

as @wd9895 said - temp seems fine. Mine running Pihole/Unbound currently is 58°C.

This seems off, I would suggest re-installing Unbound.

5

Your debug log shows Maximum number of concurrent DNS queries reached warnings as well as rate limiting messages for 100.103.119.45 (the IP address that is associated to your tailscale interface).

Those messages may suggest that you've created a DNS loop.

What is the complete output of the following command from the Pi terminal:

sudo grep -v '#\|^$' -R /etc/unbound/unbound.conf*

DNS would only be involved in determining the speedtest domain's IP address.
It has has absolutely no impact on download speeds - once that IP address is known, the download communication is via that IP.

1 Like
6 
/etc/unbound/unbound.conf:include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:server:
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:    auto-trust-anchor-file: "/var/lib/unbound/root.key"
/etc/unbound/unbound.conf.d/pi-hole.conf:server:
/etc/unbound/unbound.conf.d/pi-hole.conf:    verbosity: 1
/etc/unbound/unbound.conf.d/pi-hole.conf:    interface: 127.0.0.1
/etc/unbound/unbound.conf.d/pi-hole.conf:    port: 5335
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-ip4: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-udp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-tcp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    prefer-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    harden-glue: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    harden-dnssec-stripped: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    use-caps-for-id: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    edns-buffer-size: 1232
/etc/unbound/unbound.conf.d/pi-hole.conf:    prefetch: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    num-threads: 1
/etc/unbound/unbound.conf.d/pi-hole.conf:    so-rcvbuf: 1m
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 192.168.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 169.254.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 172.16.0.0/12
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 10.0.0.0/8
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: fd00::/8
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: fe80::/10
/etc/unbound/unbound.conf.d/remote-control.conf:remote-control:
/etc/unbound/unbound.conf.d/remote-control.conf:  control-enable: yes
/etc/unbound/unbound.conf.d/remote-control.conf:  control-interface: /run/unbound.ctl

Reading a bit more, it appears this issue isn't new and is likely the result of an error in how Pi OS configures Unbound.

It's entirely plausible I may have copied this part incorrectly during that initial setup. I presume the official documentation has been updated to address this issue?

7

The grep statement is indeed intended to check for that unbound misconfiguration, but your system is not affected (no resolvconf_resolvers.conf pointing to the machine itself).

This makes it more likely that your tailscale network would be involved somehow.

This would be further supported if you'd be able to confirm that Pi-hole is working if you disable tailscale.

8

This appears to have been the root cause. While there remains a small hit to download speed with Pi-hole running, numbers are routinely the 80-90 Mb/s range with low ping latency - in line with what I saw before.

Operating load/temps are also back in the green/blue @ ~130F.