Closed thefunkygibbon closed 1 year ago
Hey @thefunkygibbon ,
It looks like you have Name discovery (Pholus scan) scheduled every 10 minutes. I recommend having it execute on new device discovery or once a day to minimize this kind of traffic.
I'll need more details regarding the second request.
Thanks in advance, J
thanks, but i've checked my pholus options and it's not ticked and seemingly set to 4am in the cron
Hi there,
Could you please let me know what kind of settings you have enabled?
Thanks, J
tbh i'm not sure what has been enabled over defaults. but looking at the conf file the only ones with "enabled" in the section are nmap (cron timer is set to 2am daily) and pihole as well as the normal arp
Hi!
PiHole and Arp-Scan do pretty much the same thing. Can you try to disable arp-scan or increase the delay between scans?
Closing as no response
sorry, i was on holiday last week. I turned arp-scan off a couple of hours ago, restarted the container and... still seeing the same figures per 10min interval :-(
also, just turned off nmap too just in case. still getting the activity
Hey!
I'd recommend disabling all plugins and enabling them one by one. Or try the divide and conquer algorithm.
This still looks like Pholus name resolver queries. I know you said you disabled it, but can you double-check? I'd recommend posting the whole config (after removing sensitive info) so I can have a look at exactly what's enabled.
well at the moment i'm literally only using pihole!
i'll post the config... 2 mins
You can try the dev image to see if the issue is fixed there. I recommend creating a backup of everything first:
version: "3"
services:
  pialert:
    container_name: pialert
    image: "jokobsk/pi.alert_dev"
    network_mode: "host"
    restart: always
    volumes:
      - ${APP_DATA_LOCATION}/pialert_dev/config:/home/pi/pialert/config
      - ${APP_DATA_LOCATION}/pialert_dev/db:/home/pi/pialert/db
      - ${LOGS_LOCATION}/:/home/pi/pialert/log
    environment:
      - TZ=Europe/Berlin
      - HOST_USER_ID=1036
      - HOST_USER_GID=1000
      - PORT=20211
Thanks for that!
Can you try to disable DHCP_ACTIVE?
DHCP_ACTIVE=False
ok i'll try that later tonight. my pihole IS my dhcp server too though, is that going to be a problem or not get as much details as it would if it was set to true?
using the dev build. not touched config yet. pihole requests are down to about 250-300 per 10 mins instead of 1000
That's good to hear.
DHCP_ACTIVE is removed in the dev build completely (and moved into the DHCPLSS plugin). It was used to map a PiHole-specific dhcp.leases file. The level of detail you get with the PiHole DB mapping approach is the same, as far as I can tell (I'm not the original author of that part of the code, but refactoring it in the next release), so no information is lost.
Do you think for a network monitoring app this amount of traffic is warranted or still an issue?
i mean, I appreciate that a network monitoring app will cause an amount of traffic on the network, but i was just baffled that it would send so much to the dns server, especially since they are arp/rdns requests which won't ever get a valid response from a dns server. I get that this isn't technically your project, but would there not be a bit of code which could say something along the lines of "don't try to reverse lookup any internal/arpa addresses" and/or an option to not attempt any ipv6 if you are not using ipv6 on your network? It seems that most of mine (currently) is ipv6 lookups.
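A sketch of the kind of pre-filter asked for in the comment above, as an added example that is not Pi.Alert code and not part of the original thread: it decides which discovered addresses are worth a reverse (PTR) query before anything is sent to the DNS server. The function name `ptr_candidates`, its `use_ipv6` and `skip_private` options and the sample addresses are all hypothetical.

```python
import ipaddress

# Constructed sample of addresses a scanner might hand to a name resolver.
SAMPLE = [
    "192.168.1.10", "192.168.1.10",     # duplicate seen in two scans
    "0.0.0.0",                          # unspecified placeholder
    "fe80::1c2d:3eff:fe4f:5a6b",        # IPv6 link-local
    "fd00::25",                         # IPv6 unique local address
    "169.254.7.9",                      # IPv4 link-local (no DHCP lease)
    "224.0.0.251",                      # multicast (mDNS group)
    "192.168.1.1 ",                     # trailing whitespace from a log
    "not-an-ip",                        # garbage input
]


def ptr_candidates(addresses, use_ipv6=False, skip_private=False):
    """Return (address, PTR name) pairs that are worth one reverse query.

    use_ipv6     -- hypothetical option: False drops every IPv6 address.
    skip_private -- hypothetical option: True also drops RFC 1918 / ULA
                    addresses (only sensible if the local resolver holds
                    no reverse zone for the LAN).
    """
    seen = set()
    out = []
    for raw in addresses:
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            continue                    # not an IP address at all
        if ip in seen:
            continue                    # one query per address per run
        seen.add(ip)
        if ip.version == 6 and not use_ipv6:
            continue
        # These ranges never have a meaningful PTR record on a LAN resolver.
        if (ip.is_unspecified or ip.is_loopback
                or ip.is_link_local or ip.is_multicast):
            continue
        if skip_private and ip.is_private:
            continue
        out.append((str(ip), ip.reverse_pointer))
    return out


if __name__ == "__main__":
    for addr, name in ptr_candidates(SAMPLE):
        print(f"{addr:15} -> {name}")
```
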
I'm happy to fix it if I knew what to look for. Would the excessive use of the dig command be causing the problem?
You can of course have a look at the code yourself.
hi, i'm not entirely sure to be honest. It's a bit beyond my paygrade as I'm not a developer etc.
Hey!
According to Google, it does. You can try to adjust the dig parameters on the DIG_GET_IP_ARG setting. This might be improved when reworking some of the scanners (Internet IP, dig name resolution) into plugins. Closing the issue for now as to be improved later.
Seeing it a LOT recently... see the image of my pihole connections on a busy class C network.
the orange colour is pialert... about 1100 queries in each 10 min window.
queries are like this usually
is there a setting to stop this happening, is there any downside in disabling this? is it expected behaviour?
also, whilst i'm here, is there any way of getting rid of all the IPv6 / 0.0.0.0 / random MAC address items which show up as devices within Pialert? i don't want them there, they have no use to me, it just clutters up my list of actual devices on my home network.