PiHole suddenly flooding with in-addr.arpa queries

typesk · July 24, 2019, 6:08pm

Expected Behaviour:

Queries list/stats did not have in-addr.arpa queries

Actual Behaviour:

I am getting roughly 5k lookups an hour

Debug Token:

https://tricorder.pi-hole.net/3h1mt9h3j5
Also put screenshots of my settings at the bottom of the post

I happened to update my router firmware. That went through fine, and after re-doing my router settings, I happened to check my PiHole to make sure everything was ok and that the network was using PiHole like before. But I noticed that, I suddenly had 30k lookups within that hour. 15k was from my main machine, other 15k was from the router IP (which was probably during the time that I was setting up the router after updating). It has since "settled" down, but it is still doing roughly 5k lookups an hour on average, which is way more than normal or anything I have ever experienced.

I am also not sure why an update in router firmware would change anything. The router isn't setup any different than it was before. Used the same settings.

I do believe I know what is causing the reverse-DNS lookups (even though it may seem to be a little excessive even for that), but that was there long before the router update and I never even noticed the reverse DNS in my logs before, ever.

Everywhere I read, it seems to say it is nothing to worry about. But it does make reading the log quite difficult (loading the queries for my main machine almost freezes the browser due to the number of lookups), and then it's mostly the reverse-DNS lookups so it's hard to see actual lookups.

If so, would blocking it from being logged be ok to do as mentioned here?:
https://www.reddit.com/r/pihole/comments/alfhec/these_inaddrarpa_ptr_requests_are_getting_out_of/efezjqi/

Though that seems like a last resort fix?

I also do not have conditional forwarding set in my pihole settings, which lot of other threads seem to mention. I also do not use DHCP with the pihole either. I use ddwrt to hand out IP Leases in the Services tab.

Here are my router settings:

Here are my pi settings:

jfb · July 24, 2019, 6:15pm

This would not be the expected behavior unless you have configured Pi-Hole to not process these queries as noted in the referenced article.

Since you don't see any of the code on the router firmware either before or after the change, all bets are off. Router firmware changes have caused a number of problems for users. As a first troubleshooting step, I would revert the firmware to an earlier version and see if the traffic is reduced.

This isn't as much a fix for the problem (which still exists) as it is a tool to allow you to eliminate this traffic from your Pi-Hole logs and dashboard.

DanSchaper · July 24, 2019, 6:22pm

These are queries that have always happened on the network. We previously didn't report them and only reported A/AAAA queries. We now report them as they are queries that Pi-hole is seeing, and knowing that they are happening is something that we feel is important. So the options become either ignoring them and going back to A/AAAA only reporting (leaving the underlying situation really unchanged and the PTR queries still occurring but not reported) or fixing the issue that is causing the PTR records to be queried and find out what application is not behaving as you would like. (Really it should be caching the response and not blasting out queries repeatedly.)

typesk · July 25, 2019, 3:23am

Well, I just confirmed which application was responsible. And looks like rebooting said application fixed it. Guess router change scared it or something.

system · August 15, 2019, 3:23am

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.