Since I changed the DNS on three switches away from Google DNS and pointed it to Pi-hole yesterday I notice they have queried 11.0.192.168 over 60,000 times since last night!
Not only does the IP address look a bit suspect (last two blocks same as the beginning of a Class C private network address) but one search seemed to indicate that IP address was located in Washington and belongs to the DoD!
I have managed to put Google DNS Servers back into only two of their configs but I can't even log on to the last switch yet.
I notice though the queries to 11.0.192.168 have dropped off and now only show the one router I can't log on to querying it.
[EDIT ON] Managed to log on to the last switch and change back to Google DNS and now the queries to 11.0.192.168 have ceased...phew! [EDIT OFF]
Well that's definitely sorted out the excessive number of queries from the switches.
But I notice I still have a couple of devices calling that same 11.0.168.192 (yeah I was dyslexic earlier on when I wrote the IP address all over the place probably swayed by the number of times I have actually typed 192.168.etc) both related to each other.
I have a Fingbox and Domotz box that call this same IP address every 15 minutes or so which is a whole lot better than a few hours previously when it was hammering away like a demented woodpecker!
Still wondering why/where/how this IP address came from in the first place...
Well I had to go to 500 lines just to go back to when the switch was querying that IP address so I've snipped enough lines to show you what was happening before I moved the DNS away from the Pi and back to Google.
.122 was the switch.
.60 is the Domotz box
.153 is the Fingbox
.60 and .153 are still querying 11.0.168.192 @15 mins or so.
Hope this helps?
Oct 3 15:33:16 dnsmasq[598]: forwarded 11.0.168.192.in-addr.arpa to 8.8.4.4
Oct 3 15:33:16 dnsmasq[598]: query[PTR] 11.0.168.192.in-addr.arpa from 192.168.0.112
Oct 3 15:33:16 dnsmasq[598]: forwarded 11.0.168.192.in-addr.arpa to 8.8.4.4
Oct 3 15:33:16 dnsmasq[598]: query[PTR] 11.0.168.192.in-addr.arpa from 192.168.0.112
Oct 3 15:33:16 dnsmasq[598]: forwarded 11.0.168.192.in-addr.arpa to 8.8.4.4
Oct 3 15:33:16 dnsmasq[598]: query[PTR] 11.0.168.192.in-addr.arpa from 192.168.0.112
Oct 3 15:33:16 dnsmasq[598]: forwarded 11.0.168.192.in-addr.arpa to 8.8.4.4
Oct 3 15:33:16 dnsmasq[598]: query[PTR] 11.0.168.192.in-addr.arpa from 192.168.0.112
Oct 3 15:33:16 dnsmasq[598]: forwarded 11.0.168.192.in-addr.arpa to 8.8.4.4
Oct 3 15:36:39 dnsmasq[598]: query[PTR] 11.0.168.192.in-addr.arpa from 192.168.0.153
Oct 3 15:36:39 dnsmasq[598]: forwarded 11.0.168.192.in-addr.arpa to 8.8.4.4
Oct 3 15:36:44 dnsmasq[598]: query[PTR] 111.0.168.192.in-addr.arpa from 192.168.0.153
Oct 3 15:36:44 dnsmasq[598]: forwarded 111.0.168.192.in-addr.arpa to 8.8.4.4
Oct 3 15:38:51 dnsmasq[598]: query[PTR] 11.0.168.192.in-addr.arpa from 192.168.0.60
Oct 3 15:38:51 dnsmasq[598]: forwarded 11.0.168.192.in-addr.arpa to 8.8.4.4
Oct 3 15:38:51 dnsmasq[598]: query[PTR] 111.0.168.192.in-addr.arpa from 192.168.0.60
Oct 3 15:38:51 dnsmasq[598]: forwarded 111.0.168.192.in-addr.arpa to 8.8.4.4
Oct 3 15:51:39 dnsmasq[598]: query[PTR] 11.0.168.192.in-addr.arpa from 192.168.0.153
Oct 3 15:51:39 dnsmasq[598]: forwarded 11.0.168.192.in-addr.arpa to 8.8.4.4
Oct 3 15:51:44 dnsmasq[598]: query[PTR] 111.0.168.192.in-addr.arpa from 192.168.0.153
It's all double-dutch to me. It's taken me an hour just to save the log file and share a folder to get the info onto another laptop!
The two clients are asking "what is the name of the client located at IP 11 on this LAN". The query is being forwarded to Google, and they don't know anything about your network so they can't answer the question.
Map the IP to a client name in the Local DNS Records tab of Pi-hole. And, in the settings > DNS > advanced, check the box next to "Never forward reverse lookups for private IP ranges"
Then, Pi-hole will be able to answer these requests.
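Added example, not part of the original thread: a short Python script that reads dnsmasq log lines in the format quoted above, turns each in-addr.arpa name back into the IP address it asks about, and reports which clients are doing reverse lookups for private addresses and which of those lookups were forwarded to an upstream resolver. The sample log is constructed (modelled on the lines in this thread, plus one public-address lookup for contrast), and the function names are this example's own.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the format of the log lines quoted in this thread.
SAMPLE_LOG = """\
Oct 3 15:33:16 dnsmasq[598]: query[PTR] 11.0.168.192.in-addr.arpa from 192.168.0.112
Oct 3 15:33:16 dnsmasq[598]: forwarded 11.0.168.192.in-addr.arpa to 8.8.4.4
Oct 3 15:36:39 dnsmasq[598]: query[PTR] 11.0.168.192.in-addr.arpa from 192.168.0.153
Oct 3 15:36:39 dnsmasq[598]: forwarded 11.0.168.192.in-addr.arpa to 8.8.4.4
Oct 3 15:36:44 dnsmasq[598]: query[PTR] 111.0.168.192.in-addr.arpa from 192.168.0.153
Oct 3 15:36:44 dnsmasq[598]: forwarded 111.0.168.192.in-addr.arpa to 8.8.4.4
Oct 3 15:40:02 dnsmasq[598]: query[PTR] 8.8.8.8.in-addr.arpa from 192.168.0.60
Oct 3 15:40:02 dnsmasq[598]: forwarded 8.8.8.8.in-addr.arpa to 8.8.4.4
"""

QUERY = re.compile(r"query\[PTR\] (\S+)\.in-addr\.arpa from (\S+)")
FORWARD = re.compile(r"forwarded (\S+)\.in-addr\.arpa to (\S+)")

def ptr_to_ip(labels):
    """Reverse the octets of a PTR name: '11.0.168.192' -> 192.168.0.11.
    Returns None for names that are not a full four-octet address."""
    try:
        return ipaddress.ip_address(".".join(reversed(labels.split("."))))
    except ValueError:
        return None

def summarize(log_text):
    """Count private-address PTR queries per (client, target) and private
    reverse lookups that left the LAN per (target, upstream)."""
    per_client, leaked = Counter(), Counter()
    for line in log_text.splitlines():
        if m := QUERY.search(line):
            target = ptr_to_ip(m.group(1))
            if target is not None and target.is_private:
                per_client[(m.group(2), str(target))] += 1
        elif m := FORWARD.search(line):
            target = ptr_to_ip(m.group(1))
            if target is not None and target.is_private:
                leaked[(str(target), m.group(2))] += 1
    return per_client, leaked

if __name__ == "__main__":
    clients, leaked = summarize(SAMPLE_LOG)
    for (client, target), n in clients.most_common():
        print(f"{client} asked for the name of {target} x{n}")
    for (target, upstream), n in leaked.items():
        print(f"private PTR for {target} forwarded to {upstream} x{n}")
```

Once the address has a local DNS record and private reverse lookups are no longer forwarded, the second report should come back empty.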
Thanks very much for the reply jfb but you're going to have to be gentle with me as I'm new to all this!
I've only just figured out that the IP address that I thought looked a bit suspect and located to DoD in Washington is in fact my router IP address backwards!
So...I've found and unticked the 'Never forward reverse lookups for private IP ranges' but notice in doing so it says 'Note that enabling these two options may increase your privacy slightly, but may also prevent you from being able to access local hostnames if the Pi-hole is not used as DHCP server' which in my case it isn't but I have left the box above that 'Never forward non-FQDN's' checked in any case.
Not sure what impact if any this might have?
And where you refer to the 'Local DNS received r a' tab of Pi-hole is this the same as the 'Local DNS Records' tab in the sidebar menu of Pi-hole or something else?
Sorry for making this hard work but as I said this is all new to me and I appreciate your help & support.
Is there anywhere to cast a vote or something for those that have helped as I feel I'm taking here and not giving anything back?
OK jfb...I think I've followed you so far as being on a private network I do not have a FQDN.
I've entered .11 into the Local DNS Server tab along with what I think is its 'domain' name or Host ID which is simply the model of router that it presents on its status page.
I should also enter .112 / .113 / .114 into the Local DNS Server tab as if I use Pi-hole as their DNS they hammer away at the 11.0.168.192 address also but not sure they even have a domain/Host ID? Looking in the ARP table of my router I can see the IP entries for all three but nothing that would indicate a domain or actual name?
I've done a lot of reading but struggle with making sense of it all and a little knowledge can be a dangerous thing as we all know!
Any domain names mapped to IP on the Pi (either with the Local DNS records or directly into /etc/hosts on the Pi) will be resolved by Pi-hole to the designated IP. It does not have to be a local IP, but generally they are. Mapping local clients allows Pi-hole to show the client name in the query log (instead of just an IP), and also allows other clients on the network to get the name with a PTR request.
You can add as many local clients as you like. Examples from the hosts file on my Pi:
Last question on this subject I promise...can I make up any old name to put in the Local DNS Record in Pi-hole or does it have to be the name presented by the device?
Some devices don't offer up their DNS name it seems.