Questionable IP addresses in query log

Expected Behaviour:

No random IP addresses in query log

Actual Behaviour:

I'm seeing random PTR requests in my query logs. They occur at very set intervals, which makes me think that it's a process within the Raspberry Pi that's triggering them. I've looked up some of these addresses and they point to locations such as India, China and Thailand.

Is this something Pi-hole is doing as part of its process or could it be something else on my Pi? I'm running Pi-hole in Docker.

The only port forwarding I have on the router is for two other Flask services running in their own Docker containers on the same Pi. I currently have the containers stopped.

Debug Token:

https://tricorder.pi-hole.net/wk1w1an4m7

Please check your dashboard if these IPs show up as clients. If the lists get truncated (because you have more than ten clients), you may want to use this link instead: http://pi.hole/admin/api.php?getQuerySources=100&topClientsBlocked=100

Make sure you are logged into your Pi-hole dashboard with the same browser you use to access the link.

Sorry, just realized I pasted the query log for 127.0.0.1 instead of localhost, though both show a similar issue. Here is the one from localhost:

The link you sent shows the IPs of internal clients:

top_sources:
192.168.1.224:9332
192.168.1.235:4817
192.168.1.1:1344
192.168.1.211:1236
192.168.1.236:635
localhost|127.0.0.1:592
192.168.1.194:317
192.168.1.108:169
192.168.1.240:165
192.168.1.148:121
192.168.1.155:118
192.168.1.213:99
192.168.1.214:76
192.168.1.228:75
192.168.1.186:70
192.168.1.154:69
192.168.1.169:20
192.168.1.163:16
192.168.1.241:13
192.168.1.239:5
192.168.1.181:4
192.168.1.180:2
192.168.1.248:2
192.168.1.103:1
192.168.1.146:1
top_sources_blocked:
192.168.1.235:881
192.168.1.211:359
192.168.1.108:52
192.168.1.236:45
192.168.1.240:20
192.168.1.155:12
192.168.1.194:12
192.168.1.224:9
localhost|127.0.0.1:6
192.168.1.1:4

They should be identical, or did you set up something different than 127.0.0.1 for localhost in your /etc/hosts?

Okay, so that's okay. The domains you were seeing are by no means random but correspond to the IPs of your internal clients. They should not be queried more than once per hour (or shortly after restarting the DNS server). Note that PTR queries work in "reverse" order, i.e., a query for the IP 192.168.1.1 will be 1.1.168.192.in-addr.arpa, which is exactly what you're seeing.
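Added example (not part of the original thread and not Pi-hole's own code): a Python sketch that decodes the reverse-order PTR names described above back into addresses and marks each as internal or external. The log lines are constructed and assume the dnsmasq-style `query[PTR] name from client` format; the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample lines (assumed dnsmasq-style format, made-up values).
IP6_LOOPBACK_PTR = ".".join(["1"] + ["0"] * 31) + ".ip6.arpa"  # PTR name for ::1
SAMPLE_LOG = f"""\
Mar 10 12:00:01 dnsmasq[412]: query[PTR] 224.1.168.192.in-addr.arpa from 127.0.0.1
Mar 10 12:00:01 dnsmasq[412]: query[PTR] 1.1.168.192.in-addr.arpa from 127.0.0.1
Mar 10 12:00:02 dnsmasq[412]: query[A] example.com from 192.168.1.224
Mar 10 12:00:03 dnsmasq[412]: query[PTR] 4.4.8.8.in-addr.arpa from 192.168.1.235
Mar 10 12:00:04 dnsmasq[412]: query[PTR] {IP6_LOOPBACK_PTR} from 127.0.0.1
Mar 10 12:00:05 dnsmasq[412]: query[PTR] _dns-sd._udp.in-addr.arpa from 192.168.1.108
"""

QUERY_RE = re.compile(r"query\[PTR\] (\S+) from (\S+)")

def ptr_to_ip(name):
    """Return the address a reverse-lookup name refers to, or None."""
    name = name.rstrip(".").lower()
    try:
        if name.endswith(".in-addr.arpa"):
            labels = name[: -len(".in-addr.arpa")].split(".")
            if len(labels) != 4:          # partial zone or service-discovery name
                return None
            return ipaddress.IPv4Address(".".join(reversed(labels)))
        if name.endswith(".ip6.arpa"):
            nibbles = name[: -len(".ip6.arpa")].split(".")
            if len(nibbles) != 32 or any(len(n) != 1 for n in nibbles):
                return None
            return ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16))
    except ValueError:                    # labels that are not valid octets/hex
        return None
    return None

def classify_ptr_queries(log_text):
    """Return (client, looked-up address or raw name, scope) per PTR query."""
    rows = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue                      # skip non-PTR lines
        ip = ptr_to_ip(m.group(1))
        if ip is None:
            rows.append((m.group(2), m.group(1), "not-an-address"))
        elif ip.is_private or ip.is_loopback:
            rows.append((m.group(2), str(ip), "internal"))
        else:
            rows.append((m.group(2), str(ip), "external"))
    return rows

if __name__ == "__main__":
    for client, target, scope in classify_ptr_queries(SAMPLE_LOG):
        print(f"{client:15} asked for {target:28} -> {scope}")
```
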

I see 127.0.0.1 and localhost as having a different count of hits in the dashboard, so I'm assuming they are not identical. I didn't make any changes to /etc/hosts.

Ah! I didn't know they were in reverse. That makes total sense then. Thank you!

Okay, one further question if you don't mind (just wanting to exclude that this is a Pi-hole bug).
When you hover over the localhost link in the Top Clients table on the dashboard, what does it show as a tooltip? Does it show ::1 or something else?

It shows 127.0.0.1.
