PTR queries flood

Environment:

  • Linux raspberrypi 5.10.63-v7l+ #1457 SMP Tue Sep 28 11:26:14 BST 2021 armv7l GNU/Linux
  • unbound
  • DHCP from pihole
  • Mesh wifi network with one IP pointing to the pihole (192.168.1.250), network with other services (NAS, cameras), a PC and a router. Everything pointing to the pihole as DNS.

As of a few days ago Pihole started logging millions of PTR entries every day (20-30mln daily, all answered with SERVFAIL). The problem is that the Pihole slows down, then CPU gets to 100% (so resolving takes 10s) and after a few hours logs use up all of the free disk space and everything crashes until I manually clean up logs and db.

What I tried:

  • disabled conditional forwarding
  • disabled mDNS on all clients
  • pihole -r
  • tried using ANALYZE_ONLY_A_AND_AAAA=true
  • tried rm /etc/pihole/pihole-FTL.db
  • looked for the source of queries but with no luck
  • removed all adlists and got new ones
  • changed DNS servers (from unbound to normal DNS.WATCH etc)
  • disabled the rate limiter (wifi reaches the limit in ~1s)

pihole -d
https://tricorder.pi-hole.net/3wxA4iKr/

Is there any way to actually fix this?

Please show a few examples of the PTR requests, with query, forward and reply. This is shown in /var/log/pihole.log.

Also, you have duplicate entries in your setupVars.conf file. Manually edit this file, remove the duplicate entries and restart Pi-hole.

*** [ DIAGNOSING ]: Setup variables
    CONDITIONAL_FORWARDING=false
    DHCP_ACTIVE=true
    DHCP_START=192.168.1.150
    DHCP_END=192.168.1.200
    DHCP_ROUTER=192.168.1.220
    DHCP_LEASETIME=8760
    PIHOLE_DOMAIN=redacted
    DHCP_IPv6=false
    DHCP_rapid_commit=false
    ADMIN_EMAIL=
    WEBUIBOXEDLAYOUT=boxed
    WEBTHEME=default-darker
    DNSMASQ_LISTENING=local
    DNS_FQDN_REQUIRED=true
    DNS_BOGUS_PRIV=true
    DNSSEC=false
    REV_SERVER=false
    DNS_FQDN_REQUIRED=true
    DNS_BOGUS_PRIV=true
    BLOCKING_ENABLED=true
    PIHOLE_INTERFACE=br0
    IPV4_ADDRESS=192.168.1.200/24
    IPV6_ADDRESS=
    PIHOLE_DNS_1=127.0.0.1#5335
    PIHOLE_DNS_2=127.0.0.1#5335
    QUERY_LOGGING=true
    INSTALL_WEB_SERVER=true
    INSTALL_WEB_INTERFACE=true
    LIGHTTPD_ENABLED=true
    CACHE_SIZE=10000
    DNS_FQDN_REQUIRED=true
    DNS_BOGUS_PRIV=true

sudo nano /etc/pihole/setupVars.conf

sudo service pihole-FTL restart

Thanks, deleted the duplicated entry.

They all look like this:

Oct 16 16:57:37 dnsmasq[25564]: query[PTR] 121.248.66.18.in-addr.arpa from 192.168.1.250
Oct 16 16:57:37 dnsmasq[25564]: forwarded 121.248.66.18.in-addr.arpa to 127.0.0.1
Oct 16 16:57:37 dnsmasq[25564]: forwarded 121.248.66.18.in-addr.arpa to 127.0.0.1
Oct 16 16:57:37 dnsmasq[25564]: reply error is SERVFAIL
Oct 16 16:57:37 dnsmasq[25564]: query[PTR] 121.248.66.18.in-addr.arpa from 192.168.1.250
Oct 16 16:57:37 dnsmasq[25564]: forwarded 121.248.66.18.in-addr.arpa to 127.0.0.1
Oct 16 16:57:37 dnsmasq[25564]: forwarded 121.248.66.18.in-addr.arpa to 127.0.0.1
Oct 16 16:57:37 dnsmasq[25564]: reply error is SERVFAIL
Oct 16 16:57:37 dnsmasq[25564]: query[PTR] 121.248.66.18.in-addr.arpa from 192.168.1.250
Oct 16 16:57:37 dnsmasq[25564]: forwarded 121.248.66.18.in-addr.arpa to 127.0.0.1
Oct 16 16:57:37 dnsmasq[25564]: forwarded 121.248.66.18.in-addr.arpa to 127.0.0.1
Oct 16 16:57:37 dnsmasq[25564]: reply error is SERVFAIL

All of them point to:
  • 123.248.66.18.in-addr.arpa
  • 121.248.66.18.in-addr.arpa
  • 9.248.66.18.in-addr.arpa
  • 119.248.66.18.in-addr.arpa

fresh pihole -d:
https://tricorder.pi-hole.net/fRb1nSQs/

This IP is an Amazon Cloudfront IP.

18.66.248.123

I would take a look in the offending client and see what software is running that is generating these queries.

I think I found the problem. None of the clients were making any Amazon calls (disconnected all but 7 APs and CCTV). Most of the calls were coming from outside the network (probably DNS spoofing). DNS was rejecting them all (wrong checksum). After sealing any inbound access from outside the network it seems to be working fine so far.

So for anyone having a similar problem:
"sudo tcpdump -n port not 22" and look for strange IP addresses asking for resolutions.
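An added helper (not from this thread or from Pi-hole) that does on /var/log/pihole.log what the posts above do by eye: it parses the dnsmasq query lines, counts PTR lookups per client and flags clients whose PTR queries mostly reverse public (non-private) addresses, which is the pattern shown above. The sample log lines are constructed in the format quoted in this thread.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample lines in the pihole.log format quoted in this thread.
SAMPLE_LOG = """\
Oct 16 16:57:37 dnsmasq[25564]: query[PTR] 121.248.66.18.in-addr.arpa from 192.168.1.250
Oct 16 16:57:37 dnsmasq[25564]: reply error is SERVFAIL
Oct 16 16:57:37 dnsmasq[25564]: query[PTR] 123.248.66.18.in-addr.arpa from 192.168.1.250
Oct 16 16:57:38 dnsmasq[25564]: query[PTR] 9.248.66.18.in-addr.arpa from 192.168.1.250
Oct 16 16:57:38 dnsmasq[25564]: query[PTR] 10.1.168.192.in-addr.arpa from 192.168.1.20
Oct 16 16:57:38 dnsmasq[25564]: query[A] example.com from 192.168.1.20
"""

QUERY_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) dnsmasq\[\d+\]: query\[(?P<qtype>\w+)\] "
    r"(?P<name>\S+) from (?P<client>\S+)$"
)

def arpa_to_ip(name):
    """Map '121.248.66.18.in-addr.arpa' to IPv4Address('18.66.248.121'), else None."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    try:
        return ipaddress.IPv4Address(".".join(reversed(octets)))
    except ValueError:  # wrong octet count or non-numeric labels
        return None

def summarize_ptr(log_text):
    """Per client: total PTR queries and how many reverse a public (non-private) IP."""
    stats = defaultdict(lambda: {"ptr": 0, "public_ptr": 0})
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if not m or m.group("qtype") != "PTR":
            continue  # forwarded/reply lines and non-PTR queries are not counted
        entry = stats[m.group("client")]
        entry["ptr"] += 1
        ip = arpa_to_ip(m.group("name"))
        if ip is not None and ip.is_global:
            entry["public_ptr"] += 1
    return dict(stats)

def suspicious_clients(log_text, min_ptr=3):
    """Clients sending at least min_ptr PTR queries, mostly for public addresses."""
    stats = summarize_ptr(log_text)
    return sorted(c for c, s in stats.items()
                  if s["ptr"] >= min_ptr and 2 * s["public_ptr"] > s["ptr"])
```

Run it against a copy of the real log (`summarize_ptr(open("/var/log/pihole.log").read())`) to get the same per-client picture the thread arrived at; a client that only ever reverses public addresses at high rate is the one to inspect, or, as here, the sign that queries are arriving from outside.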

In one of my past configs, I used a DNSMasq layer above my Pi-holes to respond to DNS queries. I'd like to have Pi-hole not only respond to A and CNAME records, but also respond to local queries for PTR records. The DNSMasq in Pi-hole can serve this function, but must be configured to do so just like A records and CNAMEs. Often, firewalls, client software, etc. request PTR records for local devices. Can we just allow Pi-hole to create PTR records automatically for identified devices? Feature request! And offer the function of creating PTR records in the "Local DNS Records". Do A record entries create PTRs? That might be the method. Just asking.

Not quite.
Pi-hole already creates the respective PTR records, e.g. when you add Local DNS Records.

However, this is unrelated to OP's issue - they were seeing PTR requests for public IP addresses from certain clients.
They were able to eliminate those requests by

Yeah, I figured that out after adding some. One possible bug here was I used the custom entries file and they don't properly show up in the UI. I also like the idea of automation to add hostnames from Netbios.

Just to illustrate the benefit of adding A and PTR records in my DHCP environment: a dramatic drop in PTR requests. See attached.
