Query PTR from pivpn-clients

Expected Behaviour:

The log should not be spammed with query-PTR every 30 sec (or less).

Actual Behaviour:

tail -f /var/log/pihole.log | grep PTR gives me

Aug 10 14:24:46 dnsmasq[59586]: query[PTR] lb._dns-sd._udp.141.255.5.10.in-addr.arpa from 10.207.244.2
Aug 10 14:24:46 dnsmasq[59586]: query[PTR] lb._dns-sd._udp.47.255.4.10.in-addr.arpa from 10.207.244.2
Aug 10 14:24:46 dnsmasq[59586]: query[PTR] lb._dns-sd._udp.6.0.0.192.in-addr.arpa from 10.207.244.2
Aug 10 14:24:46 dnsmasq[59586]: query[PTR] lb._dns-sd._udp.0.1.168.192.in-addr.arpa from 10.207.244.2
Aug 10 14:24:46 dnsmasq[59586]: query[PTR] lb._dns-sd._udp.0.244.207.10.in-addr.arpa from 10.207.244.2

And at the end of the day, my phone (that uses pivpn) gets "Top Client" with 90% of the queries.
About 22000 requests atm, and 2700, 2700, 2500, 2500, 2500 each are "lb._dns..." type of queries.

No other client has this many requests, so it leads me towards pivpn (wireshark) doing stuff... :confused:

This is a fresh install a few days ago. And I have added the unbound to do recursive dns lookups.
This guide: unbound - Pi-hole documentation

Maybe this is usual, but maybe you "don't show" these in logs?


This is not the expected behavior. Pi-hole responds to whatever queries come its way, and in this case you are getting mDNS queries, typically associated with the Apple Bonjour protocol.

But I've had iPhone since forever, and on my old Pi-hole install I never saw this much.

(I had Pi-hole on Raspbian Stretch, and did a full reinstall to Bullseye recently).

But what should I do with this? Is there like, a fix? Or how can I proceed with investigation?

I note that you are using unbound with Bullseye. May cause a problem (not specifically with mDNS, but with all queries).

You only show the filtered log for PTR. Please post a few lines that show an entire query, forward and reply. We're checking here to ensure your upstream DNS server is responding properly. It should look something like this with unbound:

Aug 10 00:43:37 dnsmasq[665]: query[PTR] lb._dns-sd._udp.0.0.168.192.in-addr.arpa from 192.168.0.135
Aug 10 00:43:37 dnsmasq[665]: forwarded lb._dns-sd._udp.0.0.168.192.in-addr.arpa to 127.0.0.1#5335
Aug 10 00:43:37 dnsmasq[665]: reply lb._dns-sd._udp.0.0.168.192.in-addr.arpa is NXDOMAIN

The expected reply is NXDOMAIN, since this domain does not exist on the internet. It's a local service.

I will note that with a house full of iOS devices, I see just a few hundred of these queries in a day:

sudo grep lb._dns-sd /var/log/pihole/pihole.log | grep query | wc -l
342

To check for unbound operation, please post the output of the following command from the Pi terminal:

sudo grep -v '#\|^$' -R /etc/unbound/unbound.conf*

Hello!
Yes, I only grepped after "PTR", that's why I only posted it.

Here's the output of the "unbound operation".

sudo grep -v '#\|^$' -R /etc/unbound/unbound.conf*
/etc/unbound/unbound.conf:include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"
/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf:forward-zone:
/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf:	name: "."
/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf:	forward-addr: 192.168.1.200
/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf:	forward-addr: 1.1.1.1
/etc/unbound/unbound.conf.d/pi-hole.conf:server:
/etc/unbound/unbound.conf.d/pi-hole.conf:    verbosity: 0
/etc/unbound/unbound.conf.d/pi-hole.conf:    interface: 127.0.0.1
/etc/unbound/unbound.conf.d/pi-hole.conf:    port: 5335
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-ip4: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-udp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-tcp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    prefer-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    harden-glue: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    harden-dnssec-stripped: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    use-caps-for-id: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    edns-buffer-size: 1232
/etc/unbound/unbound.conf.d/pi-hole.conf:    prefetch: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    num-threads: 1
/etc/unbound/unbound.conf.d/pi-hole.conf:    so-rcvbuf: 1m
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 192.168.1.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 192.168.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 169.254.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 172.16.0.0/12
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 10.0.0.0/8
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: fd00::/8
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: fe80::/10
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:server:
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:    auto-trust-anchor-file: "/var/lib/unbound/root.key"

Today, the "grep lb._dns-sd"-command gives me an output of "13".

I did a reboot of my iPhone yesterday, after our messages. And I drastically saw fewer queries in the log.

I have also (probably too late now) generated Debug Log. Here's the token for that.
https://tricorder.pi-hole.net/d5N6IqhR/

Seems you are affected by WARNING: Raspbian October 2021 release bullseye + unbound.
For a fix, see e.g. Pihole + Unbound not working as it should - #12 by jfb.

Thank you!
I've done this now.

Sadly the issue remains, my iPhone (through vpn) is doing about 1100 queries in 24h (times 5) to these lb._dns stuff :/. Even after the above mentioned fix.

How can I further give you information that could help me?

These are mDNS queries, related to the Apple Bonjour protocol. These are generated at the client, and your unbound configuration will not affect Pi-hole's ability to provide an answer to the queries.

The change you should have made to unbound is to remove this file and prevent repopulating:

/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf:forward-zone:
/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf:	name: "."
/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf:	forward-addr: 192.168.1.200
/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf:	forward-addr: 1.1.1.1

The Bonjour issue is not related to your unbound Pi-hole installation or configuration (it was a separate issue noted). If you run iOS and macOS devices, you are going to get these queries, none of which Pi-hole can resolve. Examples from my dnsmasq log - at the time everybody in the house was sleeping:

Aug 13 04:04:02 dnsmasq[1212]: query[PTR] lb._dns-sd._udp.0.0.168.192.in-addr.arpa from 192.168.0.132
Aug 13 04:04:02 dnsmasq[1212]: forwarded lb._dns-sd._udp.0.0.168.192.in-addr.arpa to 127.0.0.1#5335
Aug 13 04:04:02 dnsmasq[1212]: reply lb._dns-sd._udp.0.0.168.192.in-addr.arpa is NXDOMAIN

The client is my iPad running iOS 15 latest.
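
Added example, not part of the thread or of Pi-hole's own tooling: two awk-based shell functions that measure how much of each client's traffic is `lb._dns-sd._udp` PTR lookups and list the queried names that never got an NXDOMAIN answer, which is the upstream check requested earlier in the thread. The function names and the sample log lines are constructed for illustration; the log format is the one quoted in the posts above.

```shell
# Constructed sample in the dnsmasq log format quoted in the thread (not real data).
sample_log() {
cat <<'EOF'
Aug 10 14:24:46 dnsmasq[59586]: query[PTR] lb._dns-sd._udp.0.1.168.192.in-addr.arpa from 10.207.244.2
Aug 10 14:24:46 dnsmasq[59586]: forwarded lb._dns-sd._udp.0.1.168.192.in-addr.arpa to 127.0.0.1#5335
Aug 10 14:24:46 dnsmasq[59586]: reply lb._dns-sd._udp.0.1.168.192.in-addr.arpa is NXDOMAIN
Aug 10 14:24:46 dnsmasq[59586]: query[PTR] lb._dns-sd._udp.0.244.207.10.in-addr.arpa from 10.207.244.2
Aug 10 14:24:46 dnsmasq[59586]: forwarded lb._dns-sd._udp.0.244.207.10.in-addr.arpa to 127.0.0.1#5335
Aug 10 14:25:16 dnsmasq[59586]: query[PTR] lb._dns-sd._udp.0.1.168.192.in-addr.arpa from 10.207.244.2
Aug 10 14:25:16 dnsmasq[59586]: cached lb._dns-sd._udp.0.1.168.192.in-addr.arpa is NXDOMAIN
Aug 10 14:25:20 dnsmasq[59586]: query[A] example.com from 10.207.244.2
Aug 10 14:25:21 dnsmasq[59586]: query[PTR] lb._dns-sd._udp.0.0.168.192.in-addr.arpa from 192.168.0.135
Aug 10 14:25:21 dnsmasq[59586]: reply lb._dns-sd._udp.0.0.168.192.in-addr.arpa is NXDOMAIN
Aug 10 14:25:22 dnsmasq[59586]: query[A] example.org from 192.168.0.135
Aug 10 14:25:23 dnsmasq[59586]: query[AAAA] example.org from 192.168.0.135
EOF
}

# Per client: "<client> <DNS-SD PTR queries> <all queries>", busiest DNS-SD client first.
# Fields: $5 = record kind, $6 = queried name, $8 = client address on query lines.
dnssd_by_client() {
  awk '$5 ~ /^query\[/ { total[$8]++
         if ($5 == "query[PTR]" && index($6, "lb._dns-sd._udp.") == 1) sd[$8]++ }
       END { for (c in total) print c, sd[c] + 0, total[c] }' "$@" |
    sort -k2,2nr -k1,1
}

# DNS-SD names that were queried but never answered NXDOMAIN, either by an
# upstream "reply" or from dnsmasq's cache ("cached"). Any name listed here
# points at the upstream resolver rather than at the client.
dnssd_unanswered() {
  awk 'index($6, "lb._dns-sd._udp.") != 1 { next }
       $5 == "query[PTR]" { asked[$6] = 1 }
       ($5 == "reply" || $5 == "cached") && $8 == "NXDOMAIN" { ok[$6] = 1 }
       END { for (n in asked) if (!(n in ok)) print n }' "$@" | sort
}

# Run both over the constructed sample.
sample_log | dnssd_by_client
sample_log | dnssd_unanswered
```

Both functions also accept log file paths as arguments, for example `dnssd_by_client /var/log/pihole/pihole.log` run with sufficient privileges to read the log.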
