Bad domains wouldn't continue to be queried and forwarded
Actual Behaviour:
I've got a domain that keeps being queried and forwarded in my logs. I can see the queries ramp up for several hours at a time and there are hours-long table-top graphs in my dashboard.
It may have dipped down because I started reconfiguring and restarting stuff to see if I could fix it.
Watching tail pihole.log I see things like this (site name changed):
Jun 13 12:44:28 dnsmasq[4682]: query[A] www.a-site-that-is-down.com from 192.168.1.1
Jun 13 12:44:28 dnsmasq[4682]: forwarded www.a-site-that-is-down.com to 192.168.1.1
Jun 13 12:44:28 dnsmasq[4682]: query[A] www.a-site-that-is-down.com from 192.168.1.1
Jun 13 12:44:28 dnsmasq[4682]: forwarded www.a-site-that-is-down.com to 192.168.1.1
Jun 13 12:44:28 dnsmasq[4682]: query[A] www.a-site-that-is-down.com from 192.168.1.1
Jun 13 12:44:28 dnsmasq[4682]: forwarded www.a-site-that-is-down.com to 192.168.1.1
Jun 13 12:44:28 dnsmasq[4682]: reply error is SERVFAIL
Then occasionally Maximum number of concurrent DNS queries reached (max: 150)
If I ping the site I get cannot resolve www.a-site-that-is-down.com: Unknown host
The site is for an old podcast I was subscribed to that is no longer. I unsubscribed yesterday, but these requests keep showing up - perhaps from cached entries? Not sure.
I believe this behavior started after I switched from "Define Pi-hole’s IP address as the only DNS entry in the router" to "Advertise Pi-hole’s IP address via dnsmasq in the router" (via How do I configure my devices to use Pi-hole as their DNS server?) because I wanted per-host tracking.
I'm running a Netgear R8000 with AdvancedTomato. I can share config settings for that if it's helpful.
Have you considered using the Pi-Hole as DHCP server? This will provide you per-host tracking and also avoid any loops between the router and the Pi-Hole, which appears to be the case now.
Yeah, but I hesitated because I figured Tomato probably did a good job and I had everything all configured. I also have an unsecured guest wifi network that may add a layer of complexity? (That's already not working after I made this switch, so perhaps I may as well keep going.)
Give it a try. If it works, you are set. If not, then revert to what you were using previously. DHCP doesn't require much and I don't think one platform will do it better than another.
For the guest network, can you separately configure the DNS? If so, put that on a commercial DNS and let the guests see ads. Those people you trust you can put on your Pi-Holed network.
Ok, I gave it a shot. Started to see DHCP leases created. Stream of queries looked like this:
Jun 13 16:18:21 dnsmasq[24269]: forwarded api.folivora.ai to 192.168.1.1
Jun 13 16:18:21 dnsmasq[24269]: query[A] gs.apple.com.akadns.net from 192.168.1.1
Jun 13 16:18:21 dnsmasq[24269]: forwarded gs.apple.com.akadns.net to 192.168.1.1
Jun 13 16:18:21 dnsmasq[24269]: query[A] a1108.gi3.akamai.net from 192.168.1.1
Jun 13 16:18:21 dnsmasq[24269]: forwarded a1108.gi3.akamai.net to 192.168.1.1
Jun 13 16:18:21 dnsmasq[24269]: query[A] e5977.e9.akamaiedge.net from 192.168.1.1
Jun 13 16:18:21 dnsmasq[24269]: forwarded e5977.e9.akamaiedge.net to 192.168.1.1
Jun 13 16:18:21 dnsmasq[24269]: query[A] 1.courier-push-apple.com.akadns.net from 192.168.1.1
Jun 13 16:18:21 dnsmasq[24269]: forwarded 1.courier-push-apple.com.akadns.net to 192.168.1.1
Jun 13 16:18:22 dnsmasq[24269]: query[A] zd.map.fastly.net from 192.168.1.1
Jun 13 16:18:22 dnsmasq[24269]: forwarded zd.map.fastly.net to 192.168.1.1
And also saw a lot of Maximum number of concurrent DNS queries reached (max: 150)
And I had trouble connecting.
So I figured I'd set most things back to basics for now.
Interface listening behavior set to Listen on all interfaces, permit all origins
Never forward non-FQDNs - checked
Never forward reverse lookups for private IP ranges - checked
Use DNSSEC - unchecked
Conditional forwarding - checked, with router info filled in.
This is working.
So far I've got about 6000 queries every 10 minutes.
The tail of pihole.log looks like this:
Jun 13 16:40:01 dnsmasq[27228]: forwarded db._dns-sd._udp.0.1.168.192.in-addr.arpa to 192.168.1.1
Jun 13 16:40:01 dnsmasq[27228]: query[PTR] lb._dns-sd._udp.0.1.168.192.in-addr.arpa from 192.168.1.1
Jun 13 16:40:01 dnsmasq[27228]: forwarded lb._dns-sd._udp.0.1.168.192.in-addr.arpa to 192.168.1.1
Jun 13 16:40:01 dnsmasq[27228]: query[PTR] lb._dns-sd._udp.0.1.168.192.in-addr.arpa from 192.168.1.1
Jun 13 16:40:01 dnsmasq[27228]: forwarded lb._dns-sd._udp.0.1.168.192.in-addr.arpa to 192.168.1.1
Jun 13 16:40:01 dnsmasq[27228]: query[PTR] b._dns-sd._udp.0.1.168.192.in-addr.arpa from 192.168.1.1
Jun 13 16:40:01 dnsmasq[27228]: forwarded b._dns-sd._udp.0.1.168.192.in-addr.arpa to 192.168.1.1
Jun 13 16:40:01 dnsmasq[27228]: query[PTR] b._dns-sd._udp.0.1.168.192.in-addr.arpa from 192.168.1.1
Jun 13 16:40:01 dnsmasq[27228]: forwarded b._dns-sd._udp.0.1.168.192.in-addr.arpa to 192.168.1.1
Jun 13 16:40:01 dnsmasq[27228]: query[PTR] db._dns-sd._udp.0.1.168.192.in-addr.arpa from 192.168.1.1
Jun 13 16:40:01 dnsmasq[27228]: forwarded db._dns-sd._udp.0.1.168.192.in-addr.arpa to 192.168.1.1
Jun 13 16:40:01 dnsmasq[27228]: query[PTR] db._dns-sd._udp.0.1.168.192.in-addr.arpa from 192.168.1.1
Jun 13 16:40:01 dnsmasq[27228]: forwarded db._dns-sd._udp.0.1.168.192.in-addr.arpa to 192.168.1.1
Jun 13 16:40:01 dnsmasq[27228]: query[PTR] lb._dns-sd._udp.0.1.168.192.in-addr.arpa from 192.168.1.1
Sooooo...
Something doesn't seem right
I'd still like to get per-host tracking, but the effort to get everything dialed is seeming less worthwhile.
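The log excerpts in the first post (the A queries for the dead site) and in the last post (the PTR lookups for `_dns-sd._udp...in-addr.arpa`) share one signature: every query arrives *from* 192.168.1.1 and is forwarded *to* 192.168.1.1, so Pi-hole and the router are handing the same name back and forth, and the dead domain adds SERVFAIL replies on top. The script below is an added example for checking a pihole.log for that pattern; it is not Pi-hole or dnsmasq code. The sample lines are constructed, modelled on the thread's excerpts (plus one ordinary query from a made-up client 192.168.1.50 for contrast), and the "loop" heuristic, a name queried by an address that is also one of the forwarding upstreams, is an assumption about what the loop looks like, not a rule from the Pi-hole project.

```python
import re
from collections import Counter

# Constructed sample, modelled on the thread's pihole.log excerpts.
# 192.168.1.1 is the router; 192.168.1.50 is a made-up LAN client.
SAMPLE_LOG = """\
Jun 13 12:44:28 dnsmasq[4682]: query[A] www.a-site-that-is-down.com from 192.168.1.1
Jun 13 12:44:28 dnsmasq[4682]: forwarded www.a-site-that-is-down.com to 192.168.1.1
Jun 13 12:44:28 dnsmasq[4682]: query[A] www.a-site-that-is-down.com from 192.168.1.1
Jun 13 12:44:28 dnsmasq[4682]: forwarded www.a-site-that-is-down.com to 192.168.1.1
Jun 13 12:44:28 dnsmasq[4682]: reply error is SERVFAIL
Jun 13 16:40:01 dnsmasq[27228]: query[PTR] lb._dns-sd._udp.0.1.168.192.in-addr.arpa from 192.168.1.1
Jun 13 16:40:01 dnsmasq[27228]: forwarded lb._dns-sd._udp.0.1.168.192.in-addr.arpa to 192.168.1.1
Jun 13 16:40:02 dnsmasq[27228]: query[A] example.org from 192.168.1.50
Jun 13 16:40:02 dnsmasq[27228]: forwarded example.org to 192.168.1.1
Jun 13 16:40:02 dnsmasq[27228]: reply example.org is 93.184.216.34
"""

# syslog-style prefix that every dnsmasq line carries
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: (?P<msg>.*)$")
QUERY_RE = re.compile(r"^query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$")
FWD_RE = re.compile(r"^forwarded (?P<name>\S+) to (?P<upstream>\S+)$")
SERVFAIL_RE = re.compile(r"^reply error is SERVFAIL$")


def parse_log(text):
    """Turn raw pihole.log text into a list of query/forwarded/servfail events.

    Lines that are none of these (cached replies, config messages) are skipped.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        q = QUERY_RE.match(msg)
        if q:
            events.append({"ts": ts, "kind": "query", **q.groupdict()})
            continue
        f = FWD_RE.match(msg)
        if f:
            events.append({"ts": ts, "kind": "forwarded", **f.groupdict()})
            continue
        if SERVFAIL_RE.match(msg):
            events.append({"ts": ts, "kind": "servfail"})
    return events


def analyse(events, loop_threshold=2):
    """Summarise the events.

    Heuristic (an assumption, not a Pi-hole rule): an upstream server should
    send answers, not questions. A name queried `loop_threshold` or more
    times *by* an address that also appears as a forwarding upstream is
    reported as a suspected forwarding loop. Bursts are names asked more
    than once in the same second, and SERVFAIL replies are counted.
    """
    upstreams = {e["upstream"] for e in events if e["kind"] == "forwarded"}
    per_second = Counter()          # (timestamp, name) -> query count
    queries_from_upstream = Counter()  # name -> queries whose client is an upstream
    servfails = 0
    for e in events:
        if e["kind"] == "query":
            per_second[(e["ts"], e["name"])] += 1
            if e["client"] in upstreams:
                queries_from_upstream[e["name"]] += 1
        elif e["kind"] == "servfail":
            servfails += 1
    suspected_loops = sorted(
        name for name, n in queries_from_upstream.items() if n >= loop_threshold
    )
    bursts = {name: n for (_, name), n in per_second.items() if n >= loop_threshold}
    return {
        "upstreams": sorted(upstreams),
        "queries_from_upstream": dict(queries_from_upstream),
        "suspected_loops": suspected_loops,
        "bursts": bursts,
        "servfails": servfails,
    }


if __name__ == "__main__":
    summary = analyse(parse_log(SAMPLE_LOG))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run against a real file with `analyse(parse_log(open("/var/log/pihole.log").read()))`. If `suspected_loops` is non-empty and every entry in `upstreams` is your router, the router is sending queries back to Pi-hole, which matches the advice above to let Pi-hole be the DHCP server (or point the router's own DNS elsewhere) so that the two stop forwarding to each other.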