HA makes too many DNS queries

I have done many searches but not really found an answer but …
I run AdGuard Home on my OPNsense router with its Unbound DNS server backing it, and I’ve noticed that HA accounts for 30% of the requests handled in a 24hr period, practically twice as much as the next top client; we’re talking approaching 50K requests a day.

Looking at the AdGuard logs I can see DNS requests for things as frequently as every 10 seconds, depending on the integration.
Then I put logging up to debug on the hassio_dns service, and I can see that the requests do seem to be coming in via that container.
Grabbing a shell on that container and running DNS requests, I can see the response is cached and additional requests don’t make it through to the AdGuard DNS server.
Grabbing a shell on the Home Assistant container and making DNS requests through it has the same result.

So why do my integrations not seem to use that cache and make a DNS request every time?


Maybe connected to THIS and the workaround HERE? :thinking:

The DNS request that is hitting the AdGuard server is for an AAAA record, not an A record,
and for a lot of hosts there is no AAAA record; obviously responses with no answer are not cached.

Given I’ve got IPv6 disabled, the request for AAAA records puzzles me at first, but at least I understand what is going on.

Not quite the same behaviour, and I’m discounting the PTR requests. This is looking up my Jellyfin server, for example.

That means it seems to be an mDNS issue with HA, probably. Weird indeed.

Not mDNS. Static IP leases in dhcpd with addresses registered in Unbound.

It is simply down to IPv6. It seems like HAOS doesn’t disable the IPv6 stack even if you disable IPv6 in the UI (there is also still a link-local IPv6 address assigned). And due to the way Linux does name resolution, it sends out two DNS requests if the IPv6 stack is enabled: one for the A record and one for the AAAA record.

Despite being in this game for far too long, I’ve only recently (2 years now) got an ISP that provides IPv6 connectivity and never really did much with IPv6 … I need to work out how to get the IPv6 entries into Unbound.

Or patch the CoreDNS plugin so I can disable the AAAA lookup, or disable IPv6 lookups in AdGuard.

In unbound.conf:

....
    # May be set to no if you don't have IPv6 connectivity
    do-ip6: yes
....

:thinking:

That’s already on. In the IPv4 space there is an option for Register ISC DHCP4 Leases in OPNsense, which is what gets a lot of my hostnames into Unbound, but there isn’t an IPv6 version of that option, and even if there was, the DHCP6 service isn’t handing out addresses for the LAN hosts. The WAN interface gets a /56 and then the LAN interface tracks that, and each host in the LAN gets a /64 by some means I’m not really 100% sure on.

In the meantime I use a lot of static overrides for things I have running in Docker that I front with Nginx Proxy Manager, so I can create IPv6 versions of those, which should help massively.

Edit: Ah, I see that the whole DHCP/DNS situation has also moved in version 25 of OPNsense and dnsmasq is the DHCP and local DNS server of choice now - even more stuff to research :slight_smile:

That’s not quite right.

Got answer:
    HEADER:
        opcode = QUERY, id = 41, rcode = NXDOMAIN
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        s2.(mine).net.(mine).net, type = AAAA, class = IN
    AUTHORITY RECORDS:
    ->  (mine).net
        ttl = 1080 (18 mins)
        primary name server = ns2.(mine).net
        responsible mail addr = root.(mine).net
        serial  = 2024052901
        refresh = 3600 (1 hour)
        retry   = 3600 (1 hour)
        expire  = 1209600 (14 days)
        default TTL = 1080 (18 mins)

Got answer:
    HEADER:
        opcode = QUERY, id = 43, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        s2.(mine).net, type = AAAA, class = IN
    AUTHORITY RECORDS:
    ->  (mine).net
        ttl = 1080 (18 mins)
        primary name server = ns2.(mine).net
        responsible mail addr = root.(mine).net
        serial  = 2024052901
        refresh = 3600 (1 hour)
        retry   = 3600 (1 hour)
        expire  = 1209600 (14 days)
        default TTL = 1080 (18 mins)

Here you have an NXDOMAIN (because of the searchpath giving a bad domain name) and a NOERROR (because there’s no AAAA record for that server). Both come with a ttl of 1080, i.e. should be cached for that long.

Even completely bogus names come with a ttl (and refresh, retry, expire):

Got answer:
    HEADER:
        opcode = QUERY, id = 49, rcode = NXDOMAIN
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        doesnotexist, type = AAAA, class = IN
    AUTHORITY RECORDS:
    ->  (root)
        ttl = 86382 (23 hours 59 mins 42 secs)
        primary name server = a.root-servers.net
        responsible mail addr = nstld.verisign-grs.com
        serial  = 2025052801
        refresh = 1800 (30 mins)
        retry   = 900 (15 mins)
        expire  = 604800 (7 days)
        default TTL = 86400 (1 day)

The only case when there’s no caching data is when the nameserver cannot be contacted. I’m not sure what the nameserver replies when it’s alive but has no internet—I’m not taking down my connection to test that edge case. :wink:


PS: So, if those AAAA NXDOMAINs are not cached, then either those domains have tiny TTLs, or something is wrong with the lookup provider implementation.

Hmmm … learning new stuff I’ve always just taken for granted.

BTW, what tool are you using to get that output?

Edit: never mind, it’s just nslookup with debug on … never really used that :slight_smile:
The main difference that I can see is that most of the ones I’ve got issues with are local machines: they only exist in the Unbound DNS on my OPNsense router, and Unbound is not an authoritative name server, so there are no authority records.

So I get:

Server:		192.168.1.254
Address:	192.168.1.254#53530

------------
    QUESTIONS:
	myhost.mydomain.net, type = AAAA, class = IN
    ANSWERS:
    AUTHORITY RECORDS:
    ADDITIONAL RECORDS:
------------
*** Can't find myhost.mydomain.net: No answer