pi-hole / FTL

The Pi-hole FTL engine
https://pi-hole.net

pihole appears to rate limit the wrong client #2069

Open bp0 opened 1 month ago

bp0 commented 1 month ago

Versions

Pi-hole version is v5.18.3 (Latest: v5.18.3)
web version is v5.21 (Latest: v5.21)
FTL version is v5.25.2 (Latest: v5.25.2)

Platform

Expected behavior

Actual behavior / bug

After turning on a Samsung TV (192.168.2.108), it made ~29000 A/AAAA queries for logs.netflix.com. Pihole responded by rate limiting a different machine, 192.168.2.20, that had only made 67 queries. I don't know which was actually rate limited, maybe the log message is just incorrect?

Steps to reproduce

I'm not sure I can reproduce this exact situation.

Debug Token

Screenshots

image image

yubiuser commented 1 month ago

Your client 192.68.2.20 has been rate limited yesterday. But your screenshot of the top clients is likely from today? Note that the Top Client table uses a rolling 24h window, so it might not capture query spikes if they are in the past >24h. Let's check what your client did yesterday. Please provide the output of the following command:

pihole-FTL sqlite3 /etc/pihole/pihole-FTL.db "SELECT count(id) from queries where client='192.168.2.20' and timestamp BETWEEN strftime('%s','2024-09-21 10:11:07') and strftime('%s','2024-09-21 10:12:07')"

bp0 commented 1 month ago

pihole-FTL sqlite3 /etc/pihole/pihole-FTL.db "SELECT count(id) from queries where client='192.168.2.20' and timestamp BETWEEN strftime('%s','2024-09-21 10:11:07') and strftime('%s','2024-09-21 10:12:07')"

0

bp0 commented 1 month ago

> Your client 192.[1]68.2.20 has been rate limited yesterday. But your screenshot of the top clients is likely from today?

I see what you're saying. The TV was turned on in the evening yesterday (it is now "off" but the blocked query count is still rising, 33217 now). If the time in the log is right, and it is local time, and it is 24hour, then the block did happen in the morning, before the TV was turned on, so I have no idea what caused that or why that is the only message in the log and why the TV hasn't been rate limited as well?

Why was 192.168.2.20 rate limited at all?

pihole-FTL sqlite3 /etc/pihole/pihole-FTL.db "SELECT count(id) from queries where client='192.168.2.20' and timestamp BETWEEN strftime('%s','2024-09-21 00:00:00') and strftime('%s','2024-09-22 00:00:00')"

1620

Doesn't seem like an unreasonable number for a whole day.

Close the issue if you like. As you say, if the block happened before the TV was turned on then the report is wrong. I'm still confused about what is going on.

yubiuser commented 1 month ago

> I'm still confused about what is going on.

Me too. I'm not sure that the rate-limiting and turning on the TV are connected. What I don't understand is why it was blocked, but the database did not contain any entries in that time frame. 1620 sounds not like a lot. Esp. if we assume they are spread over the whole day. Do you know what client 192.168.2.20 is?

bp0 commented 1 month ago

> Do you know what client 192.168.2.20 is?

Yes, it is a regular desktop PC running Pop OS.

DL6ER commented 4 weeks ago

> What I don't understand is why it was blocked, but the database did not contain any entries in that time frame.

It may be a timezone issue. The browser may know that it is, e.g., some US time with +6 hours while the server may be using UTC. In this scenario the screenshot and the sqlite3 query would work in entirely different timeslots.

@bp0 Did this ever happen again?
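
Added example, not part of the thread and not Pi-hole's own code: it shows how the timezone mismatch suggested above can make the thread's query return 0 for a window that actually contains a burst. SQLite reads a bare date string in `strftime('%s', ...)` as UTC. The in-memory table (only the three columns the query uses), the fixed UTC-6 offset and the 1200-row burst are all constructed assumptions.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Assumption (constructed): the log line shows local time at a fixed UTC-6 offset.
LOCAL_TZ = timezone(timedelta(hours=-6))
WINDOW = ("2024-09-21 10:11:07", "2024-09-21 10:12:07")  # window from the thread
CLIENT = "192.168.2.20"

def build_db():
    """In-memory stand-in holding epoch timestamps, as the thread's query implies."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE queries "
               "(id INTEGER PRIMARY KEY, timestamp INTEGER, client TEXT)")
    start = int(datetime(2024, 9, 21, 10, 11, 7, tzinfo=LOCAL_TZ).timestamp())
    # Constructed burst: 1200 queries spread over 60 s of *local* time.
    rows = [(start + i % 60, CLIENT) for i in range(1200)]
    db.executemany("INSERT INTO queries (timestamp, client) VALUES (?, ?)", rows)
    return db

def count_as_utc(db):
    """The query as posted: the date strings are interpreted as UTC."""
    sql = ("SELECT count(id) FROM queries WHERE client=? AND timestamp "
           "BETWEEN strftime('%s', ?) AND strftime('%s', ?)")
    return db.execute(sql, (CLIENT, *WINDOW)).fetchone()[0]

def count_as_local(db):
    """Same window, but converted from local time to epoch before querying."""
    lo, hi = (
        int(datetime.strptime(s, "%Y-%m-%d %H:%M:%S")
            .replace(tzinfo=LOCAL_TZ).timestamp())
        for s in WINDOW
    )
    sql = ("SELECT count(id) FROM queries WHERE client=? "
           "AND timestamp BETWEEN ? AND ?")
    return db.execute(sql, (CLIENT, lo, hi)).fetchone()[0]

if __name__ == "__main__":
    db = build_db()
    print("window read as UTC:  ", count_as_utc(db))
    print("window read as local:", count_as_local(db))
```
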