Pihole running on a VM - lots of requests from VM host to pihole

Help
1

Hi,

I have pihole v6.0.6 running on a Ubuntu 22.04 VM (not docker) on a Windows host.
pihole is also my DHCP server (I have the ISP router's DHCP server disabled).

  • Windows host: 192.168.1.220
  • pihole VM: 192.168.1.222

The issue I am facing is that the host is sending PTR requests to pihole for 222.1.168.192.in-addr.arpa continuously. It is hitting the rate limit (2,000 queries / 60 seconds) every minute, there would be many more requests otherwise.

image
image1253×704 67.9 KB

I have static IPs on both the windows host and the ubuntu VM. The Ubuntu VM uses 1.1.1.1 and 8.8.8.8 as its DNS servers:

user@piHole:~$ cat /etc/netplan/01-netcfg.yaml
network:
  version: 2
  renderer: networkd
  ethernets:
    ens33:
      dhcp4: no
      addresses:
        - 192.168.1.222/24
      gateway4: 192.168.1.1
      nameservers:
        addresses: [1.1.1.1, 8.8.8.8]

user@piHole:~$ nslookup google.com
Server:         1.1.1.1
Address:        1.1.1.1#53

Non-authoritative answer:
Name:   google.com
Address: 142.250.200.78
Name:   google.com
Address: 2a00:1450:4003:80d::200e

On the Windows host server, I have the DNS set to pihole's IP (192.168.1.222).

Debug Token: https://tricorder.pi-hole.net/HWUUjta5/

Can anyone help me identify what's wrong and fix it? Since I don't think this is the expected behavior.

Thanks!

2

@DiWiT Try this suggestion.

It appears that your Windows host (192.168.1.220) is repeatedly issuing reverse DNS (PTR) queries for its own IP address (222.1.168.192.in-addr.arpa) to your Pi-hole server (192.168.1.222), leading to rate-limiting issues. This behavior is often due to the Windows system attempting to resolve its own IP address, possibly for network identification or logging purposes.​

:hammer_and_wrench: Steps to Mitigate the PTR Query Flood

  1. Assign a Static Hostname in Pi-hole's DHCP Settings:
  • Navigate to Pi-hole's admin interface.
  • Go to Settings > DHCP.
  • Under Static DHCP leases, assign a hostname to the Windows host's MAC address.
  • This ensures that reverse DNS lookups for 192.168.1.220 return a valid hostname, potentially reducing repeated queries.​Pi-hole Userspace
  1. Disable Conditional Forwarding (if enabled):
  1. Adjust Pi-hole's Logging Behavior:
  • Edit the Pi-hole FTL configuration file:
sudo nano /etc/pihole/pihole-FTL.conf
  • Add the following line to limit logging to A and AAAA queries:
ANALYZE_ONLY_A_AND_AAAA=true
  • Save the file and restart Pi-hole's DNS resolver:
sudo pihole restartdns
  1. Check for Duplicate MAC Addresses:
  • Ensure that the virtual network adapter of your Ubuntu VM has a unique MAC address different from the Windows host.
  • Duplicate MAC addresses can cause network confusion, leading to excessive ARP and DNS traffic.​
  1. Review Windows Host's Network Configuration:
  • On the Windows host, check for any services or applications that might be causing repeated reverse DNS lookups.
  • Use tools like Process Monitor or Wireshark to identify processes generating these queries.​
  1. Implement DNS Query Rate Limiting:
  • In Pi-hole's admin interface, go to Settings > DNS.
  • Adjust the Rate Limit settings to a level that balances between preventing abuse and allowing legitimate traffic.​

By following these steps, you should be able to mitigate the excessive PTR queries from your Windows host to the Pi-hole server. If the issue persists, consider exploring further network diagnostics or consulting Windows-specific forums for additional insights.​

3

1- was already done
2- was already disabled
3- this just disables logging, does not fix the issue
4- the host and the VM don't have the same MAC addresses
5- nothing obvious on the host that can be generating those requests, haven't run wireshard though
6- this does not fix the issue

Also, this does not seem to be happening all the time, it happens for an hour or 2, then stops for a while... then comes back, and so on.

image
image548×297 15.1 KB