Seeing query, forwarded, and "reply error is SERVFAIL" repeatedly in logs

Expected Behaviour:

Bad domains wouldn’t continue to be queried and forwarded

Actual Behaviour:

I’ve got a domain that keeps being queried and forwarded in my logs. I can see the queries ramp up for several hours at a time and there are hours-long table-top graphs in my dashboard.

Here’s an example of one from 1am to 11am:

It may have dipped down because I started reconfiguring and restarting stuff to see if I could fix it.

Watching tail pihole.log I see things like this (site name changed):

Jun 13 12:44:28 dnsmasq[4682]: query[A] www.a-site-that-is-down.com from 192.168.1.1
Jun 13 12:44:28 dnsmasq[4682]: forwarded www.a-site-that-is-down.com to 192.168.1.1
Jun 13 12:44:28 dnsmasq[4682]: query[A] www.a-site-that-is-down.com from 192.168.1.1
Jun 13 12:44:28 dnsmasq[4682]: forwarded www.a-site-that-is-down.com to 192.168.1.1
Jun 13 12:44:28 dnsmasq[4682]: query[A] www.a-site-that-is-down.com from 192.168.1.1
Jun 13 12:44:28 dnsmasq[4682]: forwarded www.a-site-that-is-down.com to 192.168.1.1
Jun 13 12:44:28 dnsmasq[4682]: reply error is SERVFAIL

Then occasionally Maximum number of concurrent DNS queries reached (max: 150)

If I ping the site I get cannot resolve www.a-site-that-is-down.com: Unknown host

The site is for an old podcast I was subscribed to that is no longer. I unsubscribed yesterday, but these requests keep showing up - perhaps from cached entries? Not sure.

I believe this behavior started after I switched from “Define Pi-hole’s IP address as the only DNS entry in the router” to “Advertise Pi-hole’s IP address via dnsmasq in the router” (via How do I configure my devices to use Pi-hole as their DNS server?) because I wanted per-host tracking.

I’m running a Netgear R8000 with AdvancedTomato. I can share config settings for that if it’s helpful.

Thanks

Debug Token:

https://tricorder.pi-hole.net/rmzkfjjkaq

Have you considered using the Pi-Hole as DHCP server? This will provide you per-host tracking and also avoid any loops between the router and the Pi-Hole, which appears to be the case now.

Yeah, but I hesitated because I figured Tomato probably did a good job and I had everything all configured. I also have an unsecured guest wifi network that may add a layer of complexity? (That’s already not working after I made this switch, so perhaps I may as well keep going.)

But if it will work, I’m happy to go for it.

Give it a try. If it works, you are set. If not, then revert to what you were using previously. DHCP doesn’t require much and I don’t think one platform will do it better than another.

For the guest network, can you separately configure the DNS? If so, put that on a commercial DNS and let the guests see ads. Those people you trust you can put on your Pi-Holed network.


Will do and will report back. Thanks for the insight.

:laughing:

It feels like such a betrayal to my fellow humans!

Ok, I gave it a shot. Started to see DHCP leases created. Stream of queries looked like this:

Jun 13 16:18:21 dnsmasq[24269]: forwarded api.folivora.ai to 192.168.1.1
Jun 13 16:18:21 dnsmasq[24269]: query[A] gs.apple.com.akadns.net from 192.168.1.1
Jun 13 16:18:21 dnsmasq[24269]: forwarded gs.apple.com.akadns.net to 192.168.1.1
Jun 13 16:18:21 dnsmasq[24269]: query[A] a1108.gi3.akamai.net from 192.168.1.1
Jun 13 16:18:21 dnsmasq[24269]: forwarded a1108.gi3.akamai.net to 192.168.1.1
Jun 13 16:18:21 dnsmasq[24269]: query[A] e5977.e9.akamaiedge.net from 192.168.1.1
Jun 13 16:18:21 dnsmasq[24269]: forwarded e5977.e9.akamaiedge.net to 192.168.1.1
Jun 13 16:18:21 dnsmasq[24269]: query[A] 1.courier-push-apple.com.akadns.net from 192.168.1.1
Jun 13 16:18:21 dnsmasq[24269]: forwarded 1.courier-push-apple.com.akadns.net to 192.168.1.1
Jun 13 16:18:22 dnsmasq[24269]: query[A] zd.map.fastly.net from 192.168.1.1
Jun 13 16:18:22 dnsmasq[24269]: forwarded zd.map.fastly.net to 192.168.1.1

And also saw a lot of Maximum number of concurrent DNS queries reached (max: 150)

And I had trouble connecting.

So I figured I’d set most things back to basics for now.

In Tomato - Basic > Network:

Under Advanced > DHCP/DNS:

On Pi-Hole I’ve got:

  • DHCP off
  • Upstream DNS Servers set to Cloudflare
  • Interface listening behavior set to Listen on all interfaces, permit all origins
  • Never forward non-FQDNs - checked
  • Never forward reverse lookups for private IP ranges - checked
  • Use DNSSEC - unchecked
  • Conditional forwarding - checked, with router info filled in.

This is working.

So far I’ve got about 6000 queries every 10 minutes.

The tail of pihole.log looks like this:

Jun 13 16:40:01 dnsmasq[27228]: forwarded db._dns-sd._udp.0.1.168.192.in-addr.arpa to 192.168.1.1
Jun 13 16:40:01 dnsmasq[27228]: query[PTR] lb._dns-sd._udp.0.1.168.192.in-addr.arpa from 192.168.1.1
Jun 13 16:40:01 dnsmasq[27228]: forwarded lb._dns-sd._udp.0.1.168.192.in-addr.arpa to 192.168.1.1
Jun 13 16:40:01 dnsmasq[27228]: query[PTR] lb._dns-sd._udp.0.1.168.192.in-addr.arpa from 192.168.1.1
Jun 13 16:40:01 dnsmasq[27228]: forwarded lb._dns-sd._udp.0.1.168.192.in-addr.arpa to 192.168.1.1
Jun 13 16:40:01 dnsmasq[27228]: query[PTR] b._dns-sd._udp.0.1.168.192.in-addr.arpa from 192.168.1.1
Jun 13 16:40:01 dnsmasq[27228]: forwarded b._dns-sd._udp.0.1.168.192.in-addr.arpa to 192.168.1.1
Jun 13 16:40:01 dnsmasq[27228]: query[PTR] b._dns-sd._udp.0.1.168.192.in-addr.arpa from 192.168.1.1
Jun 13 16:40:01 dnsmasq[27228]: forwarded b._dns-sd._udp.0.1.168.192.in-addr.arpa to 192.168.1.1
Jun 13 16:40:01 dnsmasq[27228]: query[PTR] db._dns-sd._udp.0.1.168.192.in-addr.arpa from 192.168.1.1
Jun 13 16:40:01 dnsmasq[27228]: forwarded db._dns-sd._udp.0.1.168.192.in-addr.arpa to 192.168.1.1
Jun 13 16:40:01 dnsmasq[27228]: query[PTR] db._dns-sd._udp.0.1.168.192.in-addr.arpa from 192.168.1.1
Jun 13 16:40:01 dnsmasq[27228]: forwarded db._dns-sd._udp.0.1.168.192.in-addr.arpa to 192.168.1.1
Jun 13 16:40:01 dnsmasq[27228]: query[PTR] lb._dns-sd._udp.0.1.168.192.in-addr.arpa from 192.168.1.1

Sooooo…

  1. Something doesn’t seem right
  2. I’d still like to get per-host tracking, but the effort to get everything dialed is seeming less worthwhile. :woman_shrugging:

Any wisdom?
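A small log-triage script, added here as an example and not part of this thread or of Pi-hole's own tooling, that runs over constructed lines in the dnsmasq format pasted above and flags the pattern both logs show: a name forwarded to the same address that just queried for it (treating that equality as the router-to-Pi-hole loop signature is an assumption), plus counts of SERVFAIL replies and concurrent-query-limit hits.

```python
import re
from collections import Counter

# Constructed sample in the dnsmasq log format shown in the thread; the domain is the thread's
# own placeholder name and 192.168.1.50 / 1.1.1.1 are made-up values for a healthy query.
SAMPLE_LOG = """\
Jun 13 12:44:28 dnsmasq[4682]: query[A] www.a-site-that-is-down.com from 192.168.1.1
Jun 13 12:44:28 dnsmasq[4682]: forwarded www.a-site-that-is-down.com to 192.168.1.1
Jun 13 12:44:28 dnsmasq[4682]: query[A] www.a-site-that-is-down.com from 192.168.1.1
Jun 13 12:44:28 dnsmasq[4682]: forwarded www.a-site-that-is-down.com to 192.168.1.1
Jun 13 12:44:28 dnsmasq[4682]: reply error is SERVFAIL
Jun 13 12:44:29 dnsmasq[4682]: query[A] example.org from 192.168.1.50
Jun 13 12:44:29 dnsmasq[4682]: forwarded example.org to 1.1.1.1
Jun 13 12:44:29 dnsmasq[4682]: Maximum number of concurrent DNS queries reached (max: 150)
"""

LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ dnsmasq\[\d+\]: (.*)$")
QUERY_RE = re.compile(r"query\[\w+\] (\S+) from (\S+)")
FWD_RE = re.compile(r"forwarded (\S+) to (\S+)")


def analyze(log_text):
    """Summarise a dnsmasq log: names forwarded back to the host that asked for them
    (assumed loop signature), SERVFAIL replies, and concurrent-query-limit hits."""
    last_client = {}        # name -> IP of the most recent client that queried it
    loops = Counter()       # name -> forwards whose upstream equals that client
    servfail = 0
    limit_hits = 0
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())   # tolerate stray whitespace in pasted logs
        if not m:
            continue
        msg = m.group(1)
        q = QUERY_RE.match(msg)
        f = FWD_RE.match(msg)
        if q:
            last_client[q.group(1)] = q.group(2)
        elif f:
            name, upstream = f.groups()
            if last_client.get(name) == upstream:
                loops[name] += 1
        elif msg == "reply error is SERVFAIL":
            servfail += 1
        elif msg.startswith("Maximum number of concurrent DNS queries reached"):
            limit_hits += 1
    return {"loops": dict(loops), "servfail": servfail, "limit_hits": limit_hits}
```

Point it at a real tail of pihole.log and a non-empty "loops" entry for the router's address is the sign that the router is handing queries back to the Pi-hole instead of to a real upstream.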

I would turn this off. It can result in a lot of loop traffic, particularly with DNS-SD requests like shown in your log.

That seems to have brought things back to normal.

So now – should I be more ambitious? Try to get per-host tracking going? Or be happy it’s working and move on with my life.

Depends on your pain tolerance. I would try the Pi-Hole as DHCP again and see if it jumps back to problem status.

Pain tolerance was somewhere in the middle. I put a couple of minutes into it, things started going bananas, so I switched back.

If someone, someday, gets a sweet setup with Tomato Firmware I hope they search this forum, find this, post their settings, and let me know!

:crossed_fingers:

