Remove 150 concurrent DNS queries to bypass digital ID

Context

I have created a similar topic in the past, but it got nowhere. This is a serious problem now coz of the digital ID bs, and I am hoping to have a different outcome: Maximum number of concurrent DNS queries reached (max: 150)

Expected Behaviour:

Process non-blocked DNS requests no matter what.

Actual Behaviour:

With countries going with this “protect the kids” nonsense, websites and even posts on X no longer load unless you provide a document to identify yourself. Suuuuuuuuuuure.

The workaround, assuming you run OPNSense or anything like it:

  1. Set up a VPN like Proton/Mullvad
  2. Create firewall aliases that resolve DNS like so: https://raw.githubusercontent.com/antonme/ipnames/refs/heads/master/dns-twitter.txt
  3. Create a NAT firewall rule that identifies when you are trying to access x[.]com and forwards the request from any of those DNS names via the VPN instead of your home WAN
  4. Voila :slight_smile:

dns-twitter.txt has over 200 DNS entries, meaning that as soon as it is added to OPNSense, it tries to resolve them to create URL Tables (IPs).

Pihole poops the bed and crashes because of its 150 concurrent DNS queries.

For the few queries it processes, posts that required ID before start working just fine, but then everything goes down.

I have been running Pihole + Unbound recursive DNS since forever (its local DNS for all the Proxmox containers is really something else), and these 150 concurrent DNS queries always gave me hell coz of my Samsung smartTV.

But now this is a serious problem, and I am hoping to have a happier ending this time.

Pihole Setup

Is there any flag, anything I can add in here during installation to remove this 150 restriction?

I don’t mind if I have to reinstall it, coz it is automated; otherwise, I will have to abandon Pihole after all these years. I am not having this digital ID crap for real.

Thanks a ton

  - name: Copy config files to LXC container
    ansible.builtin.command: >
      pct push {{ lxc_id }} {{ item.src }} {{ item.dest }}
    loop:
      - { src: '/tmp/99-pihole.conf', dest: '/etc/sysctl.d/99-custom.conf' }
      - { src: '/tmp/pihole.toml', dest: '/etc/pihole/pihole.toml' }
      - { src: '/tmp/adlist.sql', dest: '/tmp/adlist.sql' }

  - name: Install Pi-Hole
    ansible.builtin.command: >
      pct exec {{ lxc_id }} -- bash -c "
      curl -sSL https://install.pi-hole.net | sudo -E bash /dev/stdin --unattended;
      "

  - name: Import lists and hotfixes
    ansible.builtin.command: >
      pct exec {{ lxc_id }} -- bash -c "
      pihole-FTL --config ntp.sync.interval 0;
      systemctl stop pihole-FTL;
      sqlite3 /etc/pihole/gravity.db < /tmp/adlist.sql;
      systemctl start pihole-FTL;
      sudo pihole -g
      "

I don't see how that would trigger a max concurrency warning in Pi-hole.

It seems your router is sending DNS requests for domains contained in dns-twitter.txt to Pi-hole? Does Pi-hole send those DNS requests back to your router?

Please upload a debug log and post just the token URL that is generated after the log is uploaded by running the following command from the Pi-hole host terminal:

sudo pihole -d

or if you run your Pi-hole as a Docker container:

docker exec -it <pihole-container-name-or-id> pihole -d

where you substitute <pihole-container-name-or-id> as required.

You’ve basically created a DNS burst storm — OPNSense resolving a couple hundred domains at once will smash Pi-hole pretty hard. It’s great for normal use, but not big spikes like that, especially with Unbound underneath doing extra work.

If you’re on Proxmox, honestly the easiest fix is just to spin up another Pi-hole and spread the load across the two with a dnsdist server, rather than hammering a single Pi-hole.

Nothing wrong with what you’re doing — just pushing it a bit harder than Pi-hole likes :+1:

It’s a normal OPNsense thing, because, like he says:

It’s basically a conversion that takes place once in a while to update the Alias used in the Firewall Rule which contains all the needed data :wink:

Why not put dns-forward-max=somelargenumber in misc.dnsmasq_lines?

2 Likes

Thanks for reminding me!

Now I know where I have seen that setting the last couple of days: https://linux.die.net/man/8/dnsmasq

-0, --dns-forward-max=

Set the maximum number of concurrent DNS queries. The default value is 150, which should be fine for most setups. The only known situation where this needs to be increased is when using web-server log file resolvers, which can generate large numbers of concurrent queries.

:grimacing::+1::+1:

That would be the way to lift Pi-hole's default concurrent connection pool size.
BUT:

I'd recommend investigating the trigger conditions prior to considering changing that value.

If the trigger condition could be controlled, doing so would be superior to just sacrificing more resources.

And even if it can't be controlled, I'd advise to increase that value with caution.
Routers may employ stateful firewalls, which may not be able to cope with a prolonged burst of unlimited UDP requests, which in turn may cause them to drop packets or even to lock up completely (my own router reboots in mid-operation when pushed over a certain threshold).

@Whisky's linked dns-twitter.txt currently contains 236 domains, which may prompt 236 A record requests from their router, and perhaps another 236 requests for AAAA records.
Running isolated tests with a single client at query rates of 236 qps, 472 qps and 942 qps using dns-twitter.txt, I wasn't able to trigger a max concurrency warning.
And when raising query rates to 1,000 qps, Pi-hole's rate limiting kicked in before a max concurrency warning was triggered.

Those tests would suggest that the router by itself is not likely to trigger a max concurrency warning.
What those isolated tests don't account for are other factors like DNS loops or a very busy network - those may well tip the balance to saturate and exceed Pi-hole's concurrent connection pool.

If a DNS loop were involved, that should be removed, regardless of how much it actually contributes to Whisky's observation.

But there's another thing to consider:
My tests revealed that in my case, quite a few of the dns-twitter.txt domains were blocked by Pi-hole, e.g. startup.mobile.yandex.net (by Pi-hole's default list), syndication.twitter.com (by one of my custom blocklists) or twitter-verificationsupport.xn--55qx5d.cn (by a custom regex).

The point here is that
a. you want all of those domains to resolve, so your router can handle their respective IPs
b. you don't want your router to block or reroute whatever IP your Pi-hole is configured to reply for a blocked domain

For b. in particular, you may trigger unintended side effects, e.g. Pi-hole's default 0.0.0.0 reply (when used without sanity checks) could be misinterpreted by your firewall as pointing to the firewall itself.

Therefore, I'd recommend a different approach to tackle Whisky's issue:
If possible, you should send DNS requests for domains from dns-twitter.txt to a non-filtering, public DNS server instead of your Pi-hole.
This should guarantee your router receives the correct IPs, and also prevent it from triggering Pi-hole's max concurrency limit.
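sawsanders' suggestion above (raise dns-forward-max via misc.dnsmasq_lines) and Deadlock's caveat about bursts of 236 A plus 236 AAAA queries hitting a stateful firewall are two sides of the same problem: the client fires every query at once, and the only knobs discussed are the resolver's pool size and where the queries go. The script below is an added example, not code from this thread, from Pi-hole or from OPNsense. It resolves a hostname list while never keeping more than a chosen number of queries in flight, reports the peak it reached, and emits the pihole.toml fragment for the pool size. The hostname list is constructed (236 names under the reserved .invalid TLD), the offline resolver is a stand-in with made-up answers, and the `[misc]` / `dnsmasq_lines` TOML layout is my assumption about the Pi-hole v6 file format.

```python
"""Bounded-concurrency resolution of an alias host list (added example).

Not code from the Pi-hole thread, Pi-hole or OPNsense. Assumed setup: a list of
hostnames like dns-twitter.txt must be resolved for a firewall alias, and a
dnsmasq-based resolver (Pi-hole) with a dns-forward-max pool sits in the path.
Resolving every name at once, with an A and an AAAA query each, can outrun that
pool; this keeps at most `max_inflight` queries outstanding instead.
"""
from __future__ import annotations

import asyncio
import random
import socket
from typing import Awaitable, Callable, Dict, List, Tuple

RECORD_TYPES = ("A", "AAAA")  # one query of each type per name, as a router would send

# Constructed sample list standing in for dns-twitter.txt (236 names, the count
# quoted in the thread); .invalid is reserved, so none of these exist on the net.
SAMPLE_HOSTS = [f"host{i}.example.invalid" for i in range(236)]

Resolver = Callable[[str, str], Awaitable[List[str]]]


def planned_queries(hosts: List[str]) -> int:
    """Queries an unthrottled burst would issue: one A and one AAAA per name."""
    return len(hosts) * len(RECORD_TYPES)


async def fake_resolver(name: str, rtype: str) -> List[str]:
    """Offline stand-in for an upstream: 5-20 ms simulated latency, made-up answers."""
    await asyncio.sleep(random.uniform(0.005, 0.02))
    if rtype == "A":
        # deterministic constructed address in the TEST-NET-1 documentation range
        return [f"192.0.2.{sum(name.encode()) % 254 + 1}"]
    return []  # constructed: no AAAA records for the sample names


async def system_resolver(name: str, rtype: str) -> List[str]:
    """Real lookups via the OS stub resolver (whatever /etc/resolv.conf points at)."""
    loop = asyncio.get_running_loop()
    family = socket.AF_INET if rtype == "A" else socket.AF_INET6
    try:
        infos = await loop.getaddrinfo(name, None, family=family, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


async def resolve_hosts(
    hosts: List[str], resolver: Resolver, max_inflight: int
) -> Tuple[Dict[str, Dict[str, List[str]]], int]:
    """Resolve A and AAAA for every host with at most max_inflight outstanding queries.

    Returns (table, peak_inflight); table[name][rtype] is the address list.
    """
    sem = asyncio.Semaphore(max_inflight)  # created inside the running loop
    state = {"inflight": 0, "peak": 0}

    async def one(name: str, rtype: str):
        async with sem:  # blocks here once max_inflight queries are outstanding
            state["inflight"] += 1
            state["peak"] = max(state["peak"], state["inflight"])
            try:
                return name, rtype, await resolver(name, rtype)
            finally:
                state["inflight"] -= 1

    results = await asyncio.gather(*(one(h, t) for h in hosts for t in RECORD_TYPES))
    table: Dict[str, Dict[str, List[str]]] = {}
    for name, rtype, addrs in results:
        table.setdefault(name, {})[rtype] = addrs
    return table, state["peak"]


def resolve_hosts_sync(hosts: List[str], resolver: Resolver, max_inflight: int):
    """Blocking convenience wrapper around resolve_hosts."""
    return asyncio.run(resolve_hosts(hosts, resolver, max_inflight))


def pihole_misc_toml(limit: int) -> str:
    """The [misc] fragment for /etc/pihole/pihole.toml that raises dnsmasq's pool.

    Assumed v6 layout: misc.dnsmasq_lines is a TOML array of raw dnsmasq lines.
    Stop pihole-FTL before editing the file by hand and start it again afterwards.
    """
    return f'[misc]\ndnsmasq_lines = [ "dns-forward-max={limit}" ]\n'


if __name__ == "__main__":
    print(f"unthrottled burst would issue {planned_queries(SAMPLE_HOSTS)} queries")
    table, peak = resolve_hosts_sync(SAMPLE_HOSTS, fake_resolver, max_inflight=100)
    print(f"resolved {len(table)} names, peak in-flight {peak} (cap 100)")
    print(pihole_misc_toml(400), end="")
```

Swap `fake_resolver` for `system_resolver` to resolve a real list through the stub resolver of the host you run it on. Keep the cap comfortably below dns-forward-max, because the pool is shared with every other client on the network, and remember that a cap on the client side does nothing about a DNS loop or about blocked domains answering 0.0.0.0; those still need the fixes Deadlock describes.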

How I wished this existed years ago!!
You have no idea how many dozens of times my whole home network would go down, even during WFH, because of my Samsung SmartTV, so yeah, I have had a hate and love relationship with Pihole because of this limit since forever.

IMHO, no tool or service should have such options hidden. IIRC, Miscellaneous is a new feature released with v6.

Oh well…

OPNSense blocks any public DNS, any DoT, any DoH.

  1. Only Piholes + Unbound (same LXC container) can go out to request DNS
  2. If you set 8.8.8.8 or 8.8.8.8:443 on your phone, OPNSense firewall rules detect that and force it back into Pihole
  3. Nobody can bypass that, all because my Samsung smartTV has Google DNS hardcoded
  4. I prefer to keep Unbound Recursive DNS to do what it does, I don’t wanna touch public DNS

Even tho the post is flagged as Solved, I will keep updating it as I go.

Like I said, this problem gave me so much hell that I only went back to Pihole coz of its mDNS, I don’t wish anybody to have the hell I have had because of this enforced limitation.
Hopefully somebody can find this post someday.

Thank you all for all the help and support :slight_smile:

1 Like

Note about dns-forward-max:

This option was never hidden. Users could always change it, but it was always considered a dnsmasq advanced option.

Pi-hole (including all previous versions) was able to use dns-forward-max option by adding a config file, as shown on this old post.

That's the new part (since Pi-hole v6).

Now, besides using the old method (using additional config files) you can also use misc.dnsmasq_lines to add a few configuration lines.

1 Like

This was never made public.

I have asked this before and I always kept getting the same answer, 150 is it if you like it or not.

You will find post after post here, Reddit, you name it, my post back in 2024 with this same problem and there is no response other than the usual “150 is it”

Seeing how important this feature is, it should not be this obscure.

Moving everything to OPNSense Unbound + blocklist, it is no longer a problem.
But I prefer to have a dedicated DNS setup.

Thank you so much for this.

I have set it to 400, OPNSense can process the whole list now, there are no more errors, and Pihole instances no longer die, taking the whole goddamn network down with them as usual.

resolving 256 hostnames (143 addresses) for DNS_Twitter took 17.91 seconds

When accessing x[.]com, OPNSense Mullvad VPN is the one processing all the requests, everything else goes via WAN.

Anyway, I am thankful to finally find a solution for this, and bitter coz of all the hell I had due to this limit when the solution was this ridiculously simple and yet not made available properly.

I am not a DNS expert, I would never have looked into dnsmasq which Pihole uses to do its thing. I would expect this to be set on Pihole level for obvious reasons.

So yeah, I am pissed, I am gonna touch some grass.

Thank you all

1 Like

Pi-hole isn't involved with mDNS at all.
mDNS is a distinctively different protocol, using different ports, negotiating names with same-link peers instead of a server.

Check your bookmarks - you have been given that information years ago.
The following is quoting answers from the topic you created in 2024:

2 Likes

Something is not right; I replied with:

I didn't know I could increase that which I am doing now!!!!

But the problem was never solved, not until I followed sawsanders' suggestion, and it worked right away.
Have I made a noob mistake back then??
It is possible.

Pihole makes things simpler, and it just works, so that's why I wanted to give this drama one last try before trying something else.

Technitium DNS Server requires a zone to be created and then point 10.19.0.10 to jellyfin.home.arpa within that zone with some extra flags.

Coz of going all in on hosting my stuff/homelab, I started exploring Pihole for more than just AD blocking.
“It is always DNS” is more and more no longer just a meme on the internet lmao

Thank you so much for the reply.

FYI =>

If you really need mDNS features, then there are two main tools for your Linux/*BSD devices:

There might be others by now, but I think the above ones are the well known ones :slight_smile: