All the requests are coming from my router, which uses pi-hole as its DNS server. And the pi-hole IP is not accessible from the outside. So, I don't think it's an open relay. Is there any way to test this?
Since around 10:00 today the queries dropped down from about 12.000 in an hour to 200. I think I restarted the container... hell I'm getting old, I can't remember 
These are the top domains permitted:
| Domain | Hits | Frequency |
|---|---|---|
| lb._dns-sd._udp.0.1.168.192.in-addr.arpa | 892923 | |
| b._dns-sd._udp.0.1.168.192.in-addr.arpa | 4639 | |
| db._dns-sd._udp.0.1.168.192.in-addr.arpa | 4639 | |
| brw7429afa0a022.local | 1275 | |
| iphonex-robby.local | 574 | |
| imap.gmail.com | 275 | |
| www.luckyorange.com | 245 | |
| local | 225 | |
| confluence-connect.gliffy.net | 193 | |
| kv601-prod.do.dsp.mp.microsoft.com | 176 |
Doesn't look suspicous to me... or what do you think?