Query TXT reply NODATA millions on router


Expected Behaviour:

To run normally, like it has for years.

Actual Behaviour:

Flooding the query with TXT and NODATA replies for Cisco.com and Adobe.com from the router(?) until it fills up my SD card. Log files can reach 22GB.
It looks like this:


08:02:29: query[TXT] cisco.com from 10.0.0.1
08:02:29: exactly blacklisted cisco.com is NODATA
08:02:29: query[TXT] cisco.com from 10.0.0.1
08:02:29: exactly blacklisted cisco.com is NODATA
08:02:29: query[TXT] cisco.com from 10.0.0.1
08:02:29: exactly blacklisted cisco.com is NODATA
08:02:29: query[TXT] adobe.com from 10.0.0.1
08:02:29: forwarded adobe.com to 1.0.0.1
08:02:29: reply adobe.com is NODATA
08:02:29: query[TXT] adobe.com from 10.0.0.1
08:02:29: forwarded adobe.com to 1.0.0.1
08:02:29: reply adobe.com is NODATA
08:02:29: query[TXT] cisco.com from 10.0.0.1
08:02:29: exactly blacklisted cisco.com is NODATA
08:02:30: query[TXT] cisco.com from 10.0.0.1
08:02:30: exactly blacklisted cisco.com is NODATA
08:02:30: query[TXT] adobe.com from 10.0.0.1
08:02:30: forwarded adobe.com to 1.0.0.1
08:02:30: reply adobe.com is NODATA
08:02:30: query[TXT] adobe.com from 10.0.0.1
08:02:30: forwarded adobe.com to 1.0.0.1
08:02:30: reply adobe.com is NODATA
08:02:30: query[TXT] cisco.com from 10.0.0.1
08:02:30: exactly blacklisted cisco.com is NODATA
08:02:30: query[TXT] adobe.com from 10.0.0.1
08:02:30: forwarded adobe.com to 1.0.0.1
08:02:30: reply adobe.com is NODATA
08:02:30: query[TXT] cisco.com from 10.0.0.1
08:02:30: exactly blacklisted cisco.com is NODATA
08:02:30: query[TXT] adobe.com from 10.0.0.1
08:02:30: forwarded adobe.com to 1.0.0.1
08:02:30: reply adobe.com is NODATA

Things I have tried to do: switch to unbound, flush logs, delete logs, completely uninstall and reinstall Pi-hole, reset the router, change the Wi-Fi password to see if it was coming from another device (the only thing connected by Ethernet to the router is the Pi-hole), reboot Pi/router/modem.

I cannot for the life of me figure out what is going on. Why is the router trying to access those sites, why is it TXT, why is it getting NODATA, and why is it doing this millions of times? Nothing I do changes anything. It was literally hands off and worked fine for years until recently. This is a normal installation on a Raspberry Pi connected via Ethernet.

Debug Token:

https://tricorder.pi-hole.net/aOBls5oc/

If I make my router the DNS but keep the DHCP on the router, the queries for Cisco and Adobe stop. As soon as I switch it back to the Pi-hole it starts again right away.

If I type in

sudo service dnsmasq status -l

I get

Unit dnsmasq.service could not be found.
pi@raspberrypi:~ $ sudo systemctl status dnsmasq

Unit dnsmasq.service could not be found.

This is normal if you are using Pi-hole for DNS. Instead of dnsmasq, you are running pihole-FTL, which incorporates dnsmasq.

This is a problem in your router. Pi-hole is processing the DNS queries it receives, and the TXT record type is a valid request.

In the specific case of cisco.com, there is a valid TXT record.

https://dnsviz.net/d/cisco.com/dnssec/

If you dig for the TXT record for this domain, you see the following:

dig -t TXT cisco.com @1.0.0.1
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.18.19-1~deb12u1-Debian <<>> -t TXT cisco.com @1.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54790
;; flags: qr rd ra; QUERY: 1, ANSWER: 57, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;cisco.com.			IN	TXT

;; Query time: 19 msec
;; SERVER: 1.0.0.1#53(1.0.0.1) (TCP)
;; WHEN: Sun Oct 15 11:16:06 CDT 2023
;; MSG SIZE  rcvd: 4579

Pi-hole is doing as instructed - looking for the TXT record for the requested domain.

The problem is "why is the router making all these TXT queries". I would visit the forums for your router.

Have you recently updated any firmware or software for your router? Are all your external ports on the router (particularly port 53) closed?

Another thing we should look at: are all the queries to your Pi-hole shown as originating from your router, or do you see individual clients or IPs in your query log and dnsmasq log?

What are the outputs of the following from the Pi terminal:

echo ">stats >quit" | nc localhost 4711

echo ">top-clients withzero (15) >quit" | nc localhost 4711

echo ">top-domains >quit" | nc localhost 4711

echo ">top-ads >quit" | nc localhost 4711
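Added example, not part of the original thread: the same question (which client is sending which query type for which domain, and how fast) can be answered directly from the query log. The sample lines are constructed in the format quoted earlier in the thread, the regex is assumed to also match full dnsmasq-style log lines, and the function names and thresholds are illustrative.

```python
import re
from collections import Counter, defaultdict

# Matches the trimmed lines shown in the thread; assumed to fit full log lines too.
QUERY_RE = re.compile(r"(\d\d:\d\d:\d\d).*?query\[([A-Z0-9]+)\] (\S+) from (\S+)")

# Constructed sample in the thread's format (not the poster's actual log).
SAMPLE_LOG = """\
08:02:29: query[TXT] cisco.com from 10.0.0.1
08:02:29: exactly blacklisted cisco.com is NODATA
08:02:29: query[TXT] adobe.com from 10.0.0.1
08:02:29: forwarded adobe.com to 1.0.0.1
08:02:29: reply adobe.com is NODATA
08:02:29: query[TXT] cisco.com from 10.0.0.1
08:02:29: exactly blacklisted cisco.com is NODATA
08:02:29: query[A] www.example.com from 10.0.0.136
08:02:30: query[TXT] adobe.com from 10.0.0.1
08:02:30: forwarded adobe.com to 1.0.0.1
08:02:30: reply adobe.com is NODATA
08:02:30: query[TXT] cisco.com from 10.0.0.1
08:02:30: exactly blacklisted cisco.com is NODATA
"""

def summarize(lines):
    """Map (client, qtype, domain) -> (total queries, busiest-second count)."""
    totals = Counter()
    per_second = defaultdict(Counter)
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # forwarded/reply/blacklisted lines carry no client address
        stamp, qtype, domain, client = m.groups()
        key = (client, qtype, domain.lower().rstrip("."))
        totals[key] += 1
        per_second[key][stamp] += 1
    return {k: (n, max(per_second[k].values())) for k, n in totals.items()}

def find_floods(lines, min_total=3, min_peak=2):
    """Return (key, total, peak) for entries reaching both thresholds.

    Thresholds are sized for the tiny sample; tune them against a normal
    day's log before applying them to real data.
    """
    hits = [(k, n, peak) for k, (n, peak) in summarize(lines).items()
            if n >= min_total and peak >= min_peak]
    return sorted(hits, key=lambda h: -h[1])

if __name__ == "__main__":
    for (client, qtype, domain), n, peak in find_floods(SAMPLE_LOG.splitlines()):
        print(f"{client} {qtype} {domain}: {n} queries, peak {peak}/s")
```

A single client address dominating one query type for one or two domains, as in the sample, points at that device (or whatever it is relaying for) rather than at the resolver.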

I have Nextcloud installed on the Pi as well; ports 80 and 443 are open but SSL. They've been running together for years without any issues until recently. I haven't upgraded or changed the firmware that I know of.

Doesn't seem to matter if I use the Pi or the router as the DHCP either.

Please provide the outputs I requested.

So I had the router doing DNS/DHCP and ran what you asked for, which is the first set of outputs. Then I switched the DNS/DHCP to the Pi-hole and it immediately started with Cisco/Adobe and hasn't stopped.

pi@raspberrypi:~ $ echo ">stats >quit" | nc localhost 4711
domains_being_blocked 882107
dns_queries_today 411
ads_blocked_today 79
ads_percentage_today 19.221411
unique_domains 161
queries_forwarded 238
queries_cached 93
clients_ever_seen 9
unique_clients 9
dns_queries_all_types 411
reply_UNKNOWN 9
reply_NODATA 71
reply_NXDOMAIN 79
reply_CNAME 120
reply_IP 125
reply_DOMAIN 2
reply_RRNAME 0
reply_SERVFAIL 2
reply_REFUSED 0
reply_NOTIMP 0
reply_OTHER 0
reply_DNSSEC 0
reply_NONE 0
reply_BLOB 3
dns_queries_all_replies 411
privacy_level 0
status enabled
pi@raspberrypi:~ $ echo ">top-clients withzero (15) >quit" | nc localhost 4711
0 291 10.0.0.136 paulzinni1.home
1 59 10.0.0.182
2 14 127.0.0.1 localhost
3 14 10.0.0.225
4 11 10.0.0.54
5 10 10.0.0.191
6 9 10.0.0.22
7 2 10.0.0.250
8 1 10.0.0.220 wlan0.home
pi@raspberrypi:~ $ echo ">top-domains >quit" | nc localhost 4711
0 54 wpad.home
1 18 sync-v2.brave.com
2 16 brwa4fc7764b772.home
3 10 www.cnn.com
4 10 ssl.gstatic.com
5 10 signaler-pa.clients6.google.com
6 8 rv2500a-39a9391a-device.aylanetworks.com
7 6 cdn-checkout.joinhoney.com
8 6 www.google.com
9 6 mail.google.com
pi@raspberrypi:~ $ echo ">top-ads >quit" | nc localhost 4711
0 38 self.events.data.microsoft.com
1 18 mesu.apple.com
2 5 skydrive.wns.windows.com
3 3 cdn.cookielaw.org
4 3 c.amazon-adsystem.com
5 3 sessions.bugsnag.com
6 2 lightning.cnn.com
7 2 z.cdp-dev.cnn.com
8 2 activity.windows.com
9 2 mail-ads.google.com
pi@raspberrypi:~ $ echo ">stats >quit" | nc localhost 4711
domains_being_blocked 882107
dns_queries_today 1688
ads_blocked_today 106
ads_percentage_today 6.279621
unique_domains 279
queries_forwarded 1441
queries_cached 140
clients_ever_seen 11
unique_clients 11
dns_queries_all_types 1688
reply_UNKNOWN 13
reply_NODATA 1171
reply_NXDOMAIN 109
reply_CNAME 183
reply_IP 204
reply_DOMAIN 3
reply_RRNAME 0
reply_SERVFAIL 2
reply_REFUSED 0
reply_NOTIMP 0
reply_OTHER 0
reply_DNSSEC 0
reply_NONE 0
reply_BLOB 3
dns_queries_all_replies 1688
privacy_level 0
status enabled
pi@raspberrypi:~ $ echo ">top-clients withzero (15) >quit" | nc localhost 4711
0 1496 10.0.0.1
1 385 10.0.0.136 paulzinni1.home
2 76 10.0.0.210 Pixel-5.home
3 69 10.0.0.182
4 16 127.0.0.1 localhost
5 14 10.0.0.225
6 11 10.0.0.54
7 10 10.0.0.191
8 9 10.0.0.22
9 2 10.0.0.220 wlan0.home
10 2 10.0.0.250
pi@raspberrypi:~ $ echo ">top-domains >quit" | nc localhost 4711
0 950 adobe.com
1 671 cisco.com
2 78 wpad.home
3 26 sync-v2.brave.com
4 23 brwa4fc7764b772.home
5 14 www.cnn.com
6 14 ssl.gstatic.com
7 12 signaler-pa.clients6.google.com
8 11 www.google.com
9 9 mail.google.com
pi@raspberrypi:~ $ echo ">stats >quit" | nc localhost 4711
domains_being_blocked 882107
dns_queries_today 2402
ads_blocked_today 108
ads_percentage_today 4.496253
unique_domains 280
queries_forwarded 2147
queries_cached 146
clients_ever_seen 11
unique_clients 11
dns_queries_all_types 2402
reply_UNKNOWN 13
reply_NODATA 1872
reply_NXDOMAIN 112
reply_CNAME 185
reply_IP 211
reply_DOMAIN 3
reply_RRNAME 0
reply_SERVFAIL 2
reply_REFUSED 0
reply_NOTIMP 0
reply_OTHER 0
reply_DNSSEC 0
reply_NONE 0
reply_BLOB 4
dns_queries_all_replies 2402
privacy_level 0
status enabled

Sorry, I sent that and for some reason it didn't go through.

What is the output of the following now, without making any changes or resetting any history:

echo ">querytypes >quit" | nc localhost 4711

pi@raspberrypi:~ $ echo ">querytypes >quit" | nc localhost 4711
A (IPv4): 24.79
AAAA (IPv6): 2.42
ANY: 0.00
SRV: 0.00
SOA: 0.03
PTR: 1.14
TXT: 63.08
NAPTR: 0.00
MX: 0.00
DS: 0.00
RRSIG: 0.00
DNSKEY: 0.00
NS: 0.02
OTHER: 0.07

SVCB: 0.08
HTTPS: 8.38

So right now I have the router set to "use ISP" for the DNS, but I have the DHCP box on the router unchecked. On the Pi I have DHCP checked. Looking at the queries it seems to be blocking, and on my devices it seems to be blocking... but it's not doing the Cisco/Adobe. No f'in idea why that seems to be working when I don't have the Pi-hole address in the DNS on the router.

"How do I use Pi-hole's built in DHCP server (and why would I want to)?" According to this page, I only have to make Pi-hole my DHCP server and it'll work. I wonder if, by making it my DHCP server AND pointing my router to use it as a DNS server as well, it was creating some sort of loop?

If you are using your Pi-hole as DHCP, none of your network clients should be using the router for any part of the DNS process.

Where have you set the router to use Pi-hole for DNS? In the WAN section?

The way I used to have it set up for years: in the "internet" setup section on the Netgear it asks "Domain Name Server (DNS) Address"
Get Automatically from ISP
Use These DNS Servers
where you would check the box and put in the Pi-hole address.
Then under the LAN setup I would uncheck the box that said "Use router as DHCP Server",
and on the Pi-hole I would check the box that says "DHCP server enabled".

Currently under "internet" setup I have the box checked that says "get auto from ISP", under LAN setup I still have the box unchecked that says "Use router as DHCP Server", and on the Pi-hole I have the box checked "DHCP server enabled".

Not sure how that is different, but it's not spamming Cisco/Adobe like it was before. As soon as I check the box "Use These DNS Servers" with the Pi-hole address it starts spamming again.

Again, I used those settings for years, and my brother uses the same settings with no issues. No idea why it started all of a sudden.

I don't either, but I would consult the router forums.

Sorry for this stupid question, but how would you ever word that question in a router forum? And as long as the Pi-hole is doing the DHCP, it's OK if I don't have the router pointed to my Pi-hole for DNS? I really appreciate your time.

"DNS TXT queries for cisco.com"

"Excessive TXT queries"

Etc.

Yes.

Will do. Seems to be holding steady for now. Thank you again for your time.
