Rate limit due to openthread queries

Situation:

Ever since my Apple devices updated to iOS 15 and macOS 12, I have seen a spike in network traffic. I did my research here and on other forums and could relate the openthread.thread.home.arpa traffic to my Apple TV, which is broadcasting Thread requests. This seems to be normal behaviour and has been confirmed here.

I do notice some behaviour that is unexpected. Whenever there is a spike in queries, my router seems to get rate-limited:

Client 192.168.1.1 has been rate-limited (current config allows up to 1000 queries in 60 seconds)

Every time this happens, pi-hole seems to be not functioning for a while and I see a dip in queries. This also seems to mean that ads are not blocked, and my blacklist (which I use to help me focus on my work) is not working.

Is there something I can do in this case?

Debug Token:

https://tricorder.pi-hole.net/GfpAPxr1/

Getting more warnings now too:

Warning in dnsmasq core:
Maximum number of concurrent DNS queries reached (max: 150)

As I am a newbie I will read the documentation too, as suggested.

I'm seeing this as well, although it hasn't got to the point of hitting any rate limiting level.

I created a CNAME record this morning that points to the device it's looking for. It's too early for me to tell if that helped the problem but I will report back when I get enough data.

Thanks for your reply @sawsanders, happy to read that I am not the only one!

As of now I have had 288650 Thread queries originating from one source.

Do you have a source where I can read more about how CNAME records work in pi-hole?

I can't find anything in the online documentation but there is a description on the pi-hole's settings page here: http://pi.hole/admin/cname_records.php

@robbertnoordhoek
So just to follow up, it looks like creating a CNAME pointer to the actual device stopped the openthread requests. However, now the target local domain is being requested twice as often.

Not sure if it really helped.

I too have this issue; I believe it's the Thread network trying to communicate with other Thread devices, i.e. HomePod to Eve switch. Pi-hole looks to be blocking this and I can't work out how to allow it.

As far as I know I only have one Thread device, the Apple TV, so I don't know how to point all these requests to the right location. I do feel a bit clueless because my Pi-hole keeps going from a working state to a non-working state; when my Pi-hole limits my router, internet traffic seems to bypass the Pi-hole because my router will pick the next DNS server in line, as it is supposed to. Again, I am not as tech-savvy as other people here, so this is just an assumption.

Any admins here have a clue what to do?

If you can't find a way to stop the queries from the device, you can lift the rate limit by setting RATE_LIMIT=0/0 in /etc/pihole/pihole-FTL.conf, followed by pihole restartdns

https://docs.pi-hole.net/ftldns/configfile/#rate_limit
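As an added example (not Pi-hole's own tooling and not part of this thread), here is a small POSIX shell script that changes RATE_LIMIT in pihole-FTL.conf without duplicating the key, reports the effective value, and extracts from an FTL log which client is being throttled. The file paths, the function names and the sample log lines are constructed for the example; the log message text is the one quoted above, and the timestamp prefix is an assumption.

```shell
#!/bin/sh
# Added example, not Pi-hole project code. Adjusts the FTL per-client rate
# limit and finds the throttled client(s) in the FTL log. Paths and sample
# log lines below are constructed for the demonstration.

# set_rate_limit FILE VALUE: set RATE_LIMIT=VALUE in FILE, replacing an
# existing line or appending one, so repeated runs never duplicate the key.
set_rate_limit() {
    file=$1
    value=$2
    [ -f "$file" ] || : > "$file"
    if grep -q '^RATE_LIMIT=' "$file"; then
        sed "s|^RATE_LIMIT=.*|RATE_LIMIT=$value|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf 'RATE_LIMIT=%s\n' "$value" >> "$file"
    fi
}

# get_rate_limit FILE: print the configured value, or FTL's default of
# 1000 queries per 60 seconds (the limit quoted in the warning above)
# when the key is absent.
get_rate_limit() {
    v=$(sed -n 's/^RATE_LIMIT=//p' "$1" | tail -n 1)
    printf '%s\n' "${v:-1000/60}"
}

# rate_limited_clients LOGFILE: print "CLIENT COUNT" per rate-limited client,
# most frequently throttled first, from lines of the form
# "Client 192.168.1.1 has been rate-limited (current config allows ...)".
rate_limited_clients() {
    sed -n 's/.*Client \([0-9a-fA-F.:]*\) has been rate-limited.*/\1/p' "$1" \
        | sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# write_sample_log FILE: constructed FTL-style log lines (timestamp format
# is an assumption; the message text is the real warning).
write_sample_log() {
    printf '%s\n' \
      '[2022-01-20 09:00:01.123 1234M] Client 192.168.1.1 has been rate-limited (current config allows up to 1000 queries in 60 seconds)' \
      '[2022-01-20 09:00:12.456 1234M] Client 192.168.1.23 has been rate-limited (current config allows up to 1000 queries in 60 seconds)' \
      '[2022-01-20 09:01:01.789 1234M] Client 192.168.1.1 has been rate-limited (current config allows up to 1000 queries in 60 seconds)' \
      > "$1"
}

# Stand-alone demo on temporary files; on a real Pi-hole you would point
# set_rate_limit at /etc/pihole/pihole-FTL.conf and then run
# "pihole restartdns" for the change to take effect.
demo() {
    conf=$(mktemp)
    log=$(mktemp)
    set_rate_limit "$conf" 0/0
    echo "effective RATE_LIMIT: $(get_rate_limit "$conf")"
    write_sample_log "$log"
    echo "rate-limited clients (client count):"
    rate_limited_clients "$log"
    rm -f "$conf" "$log"
}
```

Before disabling the limit entirely, look at which client the log names. In the warning quoted above it is 192.168.1.1, the router: when the router forwards every LAN client's queries to Pi-hole, Pi-hole sees the whole network as one client and the per-client limit applies to the aggregate. Pointing clients at Pi-hole directly (or raising the limit, e.g. to a higher COUNT/SECONDS value instead of 0/0) keeps a ceiling in place while removing the false positive.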

From your screen shot, Pi-hole is not blocking this. The query was forwarded to your upstream DNS resolver, which was unable to resolve it.

Another option (rather than removing the rate limit for the entire Pi-hole), is to assign a different DNS to the Apple TV and you won't see any of the queries in Pi-hole.

Same problem with me. I have several HomePod Minis. They spam my network with requests, with SERVFAIL as the response. Is there no reasonable solution here? Virtually all users with newer Apple devices must be affected. The behavior seems to occur as of iOS 15.2.

They aren't spamming your network. This appears to be normal traffic for the HomePod devices. I don't see any of these queries with any of my Apple devices, but I don't have HomePods.

For me the suggestion of @yubiuser worked. Network traffic rose to a booming 9 million (I kid you not), but now seems to be dropping after some days. After updating to 15.3 the numbers are dropping even more at a faster pace.

I like the suggestion of @jfb too, that could make the stats a bit more realistic. Would changing the Pi-hole to be the DHCP server and limiting specifically the Apple TV be also something?

If you use Pi-hole as a DHCP server, you can use a dnsmasq configuration to provide a different DNS to a client by MAC ID.
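The suggestion above (and the earlier one of giving the Apple TV a different DNS server) can be done with a dnsmasq tag when Pi-hole is the DHCP server. The following is an added example, not Pi-hole's or dnsmasq's own code: a POSIX shell function that validates a MAC address and emits the two dnsmasq lines that tag that client's lease and override DHCP option 6 (DNS server) for that tag only. The tag name, MAC address and DNS address are placeholders.

```shell
#!/bin/sh
# Added example, not Pi-hole project code. Generates a dnsmasq fragment that
# hands one DHCP client (matched by MAC) a different DNS server, leaving
# every other client on Pi-hole. Placeholder values are marked below.

# valid_mac MAC: accept aa:bb:cc:dd:ee:ff (either case), reject anything else,
# so a typo cannot silently produce a dhcp-host line that matches nothing.
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# client_dns_override TAG MAC DNS: print
#   dhcp-host=MAC,set:TAG                      (tag this client's lease)
#   dhcp-option=tag:TAG,option:dns-server,DNS  (option 6 for that tag only)
# Both directives are standard dnsmasq syntax.
client_dns_override() {
    tag=$1
    mac=$2
    dns=$3
    if ! valid_mac "$mac"; then
        echo "client_dns_override: invalid MAC address: $mac" >&2
        return 1
    fi
    printf 'dhcp-host=%s,set:%s\n' "$mac" "$tag"
    printf 'dhcp-option=tag:%s,option:dns-server,%s\n' "$tag" "$dns"
}

# Stand-alone demo. MAC and DNS address are placeholders (assumptions).
# On a real Pi-hole, redirect the output into a new file under
# /etc/dnsmasq.d/ (Pi-hole's dnsmasq reads *.conf there) and run
# "pihole restartdns"; the device picks the new server up at its next lease.
demo() {
    client_dns_override appletv aa:bb:cc:dd:ee:ff 192.168.1.1
}
```

Two caveats: this only works when Pi-hole (dnsmasq) is the DHCP server, not the router, and it is a convenience rather than a control. A client that ignores DHCP option 6 or has a hard-coded resolver will keep querying whatever it likes, and the redirected device's queries no longer show up in Pi-hole's statistics or get filtered by its lists.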

I still don't understand the point (of Apple). Queries are made on the network every minute, all of which receive no meaningful answers (SERVFAIL). And that is normal (on the part of Apple). Pi-hole of course works as it should. I would only have hoped that one could put a stop to the behavior. A correct answer would be nice (an IP, not SERVFAIL). 15.3 still has endless queries.

BTW: I use unbound. Would it help if I use a DNS server such as Google and do without unbound?
My answer: no, nxdomain is returned.

I still don't get the idea behind ...openthread.home.arpa....

Create a local DNS record in Pi-hole with the correct IP. I'm doing that and, while there are still many open thread queries, it isn't spamming the server with enough requests to set off alarms.

I have 6 HomePod Minis in my network (DHCP, dynamic). I guess I would have to switch to static IPs, right?

If you are using dnsmasq as the DHCP server, it may not be necessary as it tends to keep address constant (unless the MAC address changes). DHCP reservations work well too.

Edit:

Also, you can add a local CNAME in Pi-hole that points to the local host name of the devices.

I added a local CNAME... the answer is "NXDOMAIN". I still don't get the point. No Pi-hole problem at all. I don't understand what these senseless queries are good for...

I don't understand the point of it either. You shouldn't get an NXDOMAIN reply if you've done things right, though. The target of the CNAME has to be a host name that Pi-hole knows the answer to.
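To make the last point concrete, here is an added example (not Pi-hole's own tooling, not posted by anyone in this thread) of adding the local A record and the CNAME in the order that avoids the NXDOMAIN outcome: the CNAME is only written once its target has a local DNS record. It assumes Pi-hole v5's file layout, where local DNS records live in /etc/pihole/custom.list as "IP hostname" lines and local CNAMEs in /etc/dnsmasq.d/05-pihole-custom-cname.conf as "cname=alias,target" lines; the functions take the file paths as arguments so the demo runs on temporary files. The host name appletv.lan and the address 192.168.1.50 are placeholders; the alias is the openthread.thread.home.arpa name from this thread.

```shell
#!/bin/sh
# Added example, not Pi-hole project code. Adds a local A record and a CNAME
# whose target is verified to exist locally first, because a CNAME pointing
# at a name Pi-hole cannot answer itself just yields NXDOMAIN for the alias.

# local_record_exists NAME FILE: does FILE (custom.list, "IP NAME" lines)
# contain an A record for NAME? Case-insensitive, as DNS names are.
local_record_exists() {
    awk -v n="$1" 'tolower($2) == tolower(n) { f = 1 } END { exit !f }' "$2" 2>/dev/null
}

# add_local_record IP NAME FILE: append "IP NAME" unless NAME is already
# present, so re-running the script never creates duplicate records.
add_local_record() {
    ip=$1
    name=$2
    file=$3
    [ -f "$file" ] || : > "$file"
    if local_record_exists "$name" "$file"; then
        return 0
    fi
    printf '%s %s\n' "$ip" "$name" >> "$file"
}

# add_cname ALIAS TARGET CUSTOM_LIST CNAME_CONF: write "cname=ALIAS,TARGET"
# only when TARGET has a local record; refuse otherwise and say why, which
# is exactly the mistake that produces NXDOMAIN for the alias.
add_cname() {
    alias_=$1
    target=$2
    list=$3
    conf=$4
    if ! local_record_exists "$target" "$list"; then
        echo "refusing: CNAME target $target has no local DNS record in $list" >&2
        return 1
    fi
    [ -f "$conf" ] || : > "$conf"
    if grep -qi "^cname=$alias_," "$conf"; then
        return 0
    fi
    printf 'cname=%s,%s\n' "$alias_" "$target" >> "$conf"
}

# Stand-alone demo on temporary files. On a real Pi-hole v5 pass
# /etc/pihole/custom.list and /etc/dnsmasq.d/05-pihole-custom-cname.conf
# (or use the web UI, which writes the same files) and run "pihole restartdns".
# appletv.lan / 192.168.1.50 are placeholder values.
demo() {
    list=$(mktemp)
    conf=$(mktemp)
    # First attempt fails on purpose: the target is not known locally yet.
    add_cname openthread.thread.home.arpa appletv.lan "$list" "$conf" || true
    add_local_record 192.168.1.50 appletv.lan "$list"
    add_cname openthread.thread.home.arpa appletv.lan "$list" "$conf"
    echo "custom.list:"; cat "$list"
    echo "cname conf:";  cat "$conf"
    rm -f "$list" "$conf"
}
```

A DHCP lease host name that Pi-hole itself assigned also counts as a name it can answer for, so the target does not strictly have to be in custom.list; the check here is deliberately stricter so that a device whose lease name changes, or which is served by the router's DHCP instead of Pi-hole's, does not silently turn the CNAME back into NXDOMAIN.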