Rate-limiting error

thomasmstein · August 11, 2024, 10:43am

Problem

I am running pi-hole on a Raspberry Pi 4 for 3 ½ years now.

I noticed recently that one of my PC regularly gets rate-limited often after coming back from sleep mode. All other PC/devices seem to be fine.

I cannot work out what the reason could be.
Thanks for any help

Sample section from the log

[2024-08-11 18:41:40.763 2405M] Rate-limiting 192.168.15.17 for at least 28 seconds
[2024-08-11 18:42:08.645 2405/T2441] Ending rate-limitation of 192.168.15.17

That repeats itself several times

Debug Token:

I have created and uploaded a debug log.
[https://tricorder.pi-hole.net/Q3AlqiYE/]

Bucking_Horn · August 11, 2024, 12:16pm

Let's try to get a hold of the domains that client is requesting to trigger the rate limit.
Run from your Pi-hole machine, what's the output of:

pihole-FTL sqlite3 /etc/pihole/pihole-FTL.db "SELECT domain, count(domain) FROM queries \
WHERE timestamp > strftime('%s','2024-08-11 18:40') AND timestamp < strftime('%s','2024-08-11 18:43') \
AND client = '192.168.15.17' \
GROUP BY domain ORDER BY 2 DESC LIMIT 15;"

thomasmstein · August 13, 2024, 1:57am

Thanks for your reply.

I am still puzzled.

I ran that query on the pihole-FTL.db but no results for that time bracket. I checked the db for another time bracket where rate-limiting took place with the same result. I would have thought that pi-hole should log those requests / domains?

This is currently showing in the Pi-hole diagnosis

2024-08-12 10:48:59 RATE_LIMIT Client 192.168.15.17 has been rate-limited (current config allows up to 1000 queries in 60 seconds)

I generated another debug log but I couldn't find that particular event?

Debug token

https://tricorder.pi-hole.net/T8RiQIm8/

Bucking_Horn · August 13, 2024, 3:56am

What timezone is your Pi-hole machine using?

You may have to add that timezone's UTC offset to both time strings, e.g. for UTC+01:00 change it to '2024-08-11 18:40:00+01:00'.

thomasmstein · August 14, 2024, 12:44pm

Apologies, my bad. I checked through the Web Interface showing local time (I am on AEST) and I did not realise that the logs had different timestamp formats and pihole-FTL.db is using UTC. Now it makes sense.

IP Pi-hole: 192.268.15.9

For the original event time (UTC)

2024-08-11 08:40:00' to '2024-08-11 08:43' (UTC)

9.15.168.192.in-addr.arpa|876
dns.msftncsi.com|9
59.244.102.104.in-addr.arpa|9
154.80.135.149.in-addr.arpa|8
a1887.dscq.akamai.net|7
wpad.lan|6
222.192.117.40.in-addr.arpa|6
x.com|5
versioncheck-bg.addons.mozilla.org|5
v10.events.data.microsoft.com|5
r10.o.lencr.org|5
incoming.telemetry.mozilla.org|5
edge.microsoft.com|4
desktop-assistant-sub.osp.opera.software|4
ctldl.windowsupdate.com|4

I just checked for another rate limiting event 2024-08-14 20:29:37 (AEST)

'2024-08-14 10:28' to '2024-08-14 10:30' (UTC)

9.15.168.192.in-addr.arpa|1427
wpad.lan|1
prod.detectportal.prod.cloudops.mozgcp.net|1
incoming.telemetry.mozilla.org|1
detectportal.firefox.com|1
config.edge.skype.com|1
api.mixpanel.com|1

Thanks!

PS: I can get to more than 7000 requests within 10 minutes mainly after wake up from sleep.
9.15.168.192.in-addr.arpa|7357

jfb · August 14, 2024, 2:54pm

Just a note - hitting a rate limit is not an error. It is a warning that a programmed limit has been reached. Pi-hole is notifying you that it has done what it has been programmed to do.

jfb · August 14, 2024, 3:53pm

Is the requesting client getting an answer to this request?

What is the output of the following command run from both the Pi terminal and the terminal or command prompt on the client in question:

nslookup 192.168.15.9

Note - you posted that the Pi was at 192.268.15.9, but it is at 192.168.15.9 per your debug log.

system · September 4, 2024, 7:10pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.