HA spamming PTR DNS lookups?

Came here via search, as I am encountering ‘similar’ issues. I have been running Pi-hole on a separate Pi since last weekend. The graphs are going crazy on requests coming from Hassio.local (on another Pi3). The top requests all seem to come from integrations (tado + telegrambot in my case). Also a lot of ESPhome devices show up (even though most are disconnected / tests).


The following graph shows how Hassio overshadows all the other requests on my network.

As @nickrout mentions above, it doesn’t do any harm, and the behaviour has probably been like that since before Pi-hole was deployed. Still, I found it obscure, and would love to have Hassio behave normally / decently :wink:

Any thoughts?

Well, so much for this whole thing not causing any harm. Woke up to my Nest Hello stating it’s offline, look in Unifi and it’s most definitely online. Look at the device rating and it states DNS Timeout. Go to my Pi-hole and it’s as if it’s crashed, FTL Service is not running, etc. After a reboot everything is back up and running, but I see the following graph and these massive numbers:
Top is Home Assistant, second place is my UDM.
Obviously the blue is HA.

The only thing I can think of is discovery for something in HA just spamming these requests. I am going to comment out that line in my config and see if I continue to see these requests.

Disabled discovery, saw this chart spike right back up after the restart of HA. So what the heck…

Went to the Ubuntu machine running Docker with HA and did a tcpdump, and the screen flies by scrolling with PTR requests. My little PiZero seems to somehow be keeping up with these requests almost without an issue the majority of the time (probably because they are being served from cache), but still. If it crashes from time to time, this will start driving me crazy trying to figure this out.

Starting to think maybe this has something to do with the DNS docker container that runs alongside HA? The only time I see this seem to “calm down” is after a full restart of Ubuntu. I don’t believe I started seeing this issue until after that container started being used. Looking at the docker stats, this container is constantly using 1.3 to 2% of CPU all the time with network usage at 1.46MB.

Going to try and stop the container to see if requests die off. Not sure what the repercussions to HA are though, so I guess I’ll find that out as well.

Update: So, while looking at the containers in docker, I saw that AdGuardHome was running. I had installed this to test it out before deploying in another instance of HA for my parents. I had disabled the start at boot, but somehow it was re-enabled. I can literally flip back and forth between enabled and disabled and watch the flood of requests go out for PTR records.

So it seems this is probably tied to either AdGuardHome or maybe even PiHole running alongside HA. Going to install tcpdump on my PiZero so I should be able to confirm if that traffic appears to be “normal” from there as well.

Update 2: AAND PiHole on my PiZero is making some PTR requests, but nothing like the crazy volume I saw when AdGuardHome is running with HA. This leads me to believe the problem is either AdGuardHome or having it installed alongside HA with the DNS container. After I removed AdGuardHome, the DNS container is no longer using a bunch of CPU and Net I/O is tiny compared to what it was.

I was going to try and install PiHole along with HA but it won’t start due to the DNS port already being in use (maybe remnants of AGH?). Since I already run an instance of PiHole outside of my HA, I don’t think I am going to look into that portion any further, but hopefully this helps anyone else that comes across this weird nuisance.

Good investigations.

Although why would you run two instances of pihole on your network, similarly why pihole and adguard?

> Although why would you run two instances of pihole on your network

Some people do this who have more than 1 raspberry Pi, they have a 2nd PiHole Pi running as a failover (secondary) DNS server.

That way if your primary DNS goes down, you still have working internet.

Pihole + Adguard seems to be a bad combo by the looks of it, I’ve not tried adguard but I’ll be sure to make sure PiHole is disabled if I ever try it. :slight_smile:

I had the same problem. In my case, it depended on the integration/component.

I recently switched all the hardcoded IPs in my configuration files to local names instead and I saw a huge jump in my pihole chart (like you did). Requests from my hassio went from the low 100s to nearly 3000 per 10 minute timeframe. I could see which host it was requesting records for in the pihole logs (like you did) and I then used trial and error to back out the changes until I found the culprit.

It was ZoneMinder, my security camera integration/component. When I put the hostname of the system in there instead of the IP I get nearly 3000 queries in 10 minutes from hassio for it.

I just barely figured this out; you can see the requests dive at the end.

I came across this after I observed the same issue with my pi-hole/hass setup. I found a solution that seemed to work for me. Posting in the hope that it will help someone else too.

Initially, I disabled the Nmap Tracker integration. All x.x.x.x.in-addr.arpa PTR lookups seemed to stop.

After looking a little more at the integration, and Nmap’s options, I reconfigured the Nmap Tracker and added the following to suppress DNS resolution.

scan_options: " -n "

So far traffic on my pi-hole is reasonable again.

2 Likes

How did you reconfigure Nmap tracker… your option for -n scan did not help me… the only solution was to stop using Nmap…

1 Like

I think this might be related to why my devices get kicked off wifi sometimes, I am also seeing a large amount of dns lookups on adguard: When hassio is online other devices on network lose wifi connection · Issue #1194 · home-assistant/operating-system · GitHub

This is happening to me as well. Running HASSIO on a RPI4, and it shoots a ton of PTR scans through the pihole.

It started doing this recently (perhaps after updating to the latest HASSIO core??). I do not know what causes it / how to stop it.
Any suggestion is appreciated.

2021-04-30 12:49:49 PTR 210.7.168.192.in-addr.arpa 192.168.4.103 OK (cached) Blacklist
2021-04-30 12:49:49 PTR 209.7.168.192.in-addr.arpa 192.168.4.103 OK (cached) Blacklist
2021-04-30 12:49:49 PTR 208.7.168.192.in-addr.arpa 192.168.4.103 OK (cached) Blacklist
2021-04-30 12:49:49 PTR 207.7.168.192.in-addr.arpa 192.168.4.103 OK (cached) Blacklist
2021-04-30 12:49:49 PTR 206.7.168.192.in-addr.arpa 192.168.4.103 OK (cached) Blacklist
2021-04-30 12:49:49 PTR 205.7.168.192.in-addr.arpa 192.168.4.103 OK (cached) Blacklist
2021-04-30 12:49:49 PTR 204.7.168.192.in-addr.arpa 192.168.4.103 OK (cached) Blacklist
2021-04-30 12:49:49 PTR 203.7.168.192.in-addr.arpa 192.168.4.103 OK (cached) Blacklist
2021-04-30 12:49:49 PTR 202.7.168.192.in-addr.arpa 192.168.4.103 OK (cached) Blacklist
2021-04-30 12:49:49 PTR 201.7.168.192.in-addr.arpa 192.168.4.103 OK (cached)

Are you using the nmap addon?

Nick,
I am not using nmap addon.

–B0

Something is scanning your network addresses, at least between .201 and .210.
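An added example, not written by any poster in this thread: a small Python script that reads Pi-hole query-log lines in the layout quoted above, turns each `in-addr.arpa` name back into the address being looked up, and reports which client is walking a consecutive range. The sample log is constructed from the pattern in the post above; the function names and the `min_targets` threshold are assumptions for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the query-log layout quoted above: one client sweeping
# 192.168.7.201-210, plus unrelated traffic from a second client.
SAMPLE_LOG = "\n".join(
    [f"2021-04-30 12:49:49 PTR {h}.7.168.192.in-addr.arpa 192.168.4.103 OK (cached)"
     for h in range(210, 200, -1)]
    + ["2021-04-30 12:49:50 A example.com 192.168.4.20 OK (forwarded)",
       "2021-04-30 12:49:51 PTR 1.4.168.192.in-addr.arpa 192.168.4.20 OK (cached)"]
)

# Timestamp, query type PTR, reversed-octet name, then the requesting client.
LINE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} PTR "
    r"(?P<name>(?:\d{1,3}\.){4}in-addr\.arpa)\.? (?P<client>\S+)"
)

def ptr_target(name):
    """'210.7.168.192.in-addr.arpa' -> IPv4Address('192.168.7.210')."""
    octets = name.rstrip(".").split(".")[:4]
    return ipaddress.IPv4Address(".".join(reversed(octets)))

def find_ptr_sweeps(log_text, min_targets=5):
    """Return {client: summary} for clients that reverse-resolved many hosts."""
    per_client = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an IPv4 PTR query
        try:
            per_client[m["client"]].add(ptr_target(m["name"]))
        except ipaddress.AddressValueError:
            continue  # octet out of range, ignore the line
    sweeps = {}
    for client, targets in per_client.items():
        if len(targets) < min_targets:
            continue
        ordered = sorted(targets)
        best = run = 1  # longest run of back-to-back addresses
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if int(cur) - int(prev) == 1 else 1
            best = max(best, run)
        sweeps[client] = {"targets": len(ordered), "first": str(ordered[0]),
                          "last": str(ordered[-1]), "longest_run": best}
    return sweeps

if __name__ == "__main__":
    for client, info in find_ptr_sweeps(SAMPLE_LOG).items():
        print(client, info)
```

A long `longest_run` from a single client points to a host walking an address range (a scanner or discovery feature) rather than ordinary reverse lookups for hosts it is actually talking to.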

Does anyone have an idea how to trace the source of this behavior?
I am running HASS 5.13 and core-2021.4.6

There are about 1,000 DNS PTR calls per hour coming from my HA.

TY

They come from that IP address.

I have the same issue. Every hour, my HA does a lot of PTR requests.


I run HA in a docker container. It scans 172.20.0.0/16, the docker internal network (so it’s totally useless).
It destroys all my DNS stats. :confused:

I disabled all my integrations, and the requests don’t stop.
I’m not using the nmap integration.

2 Likes

Yep, that is exactly my HASSIO IP address.

Hope someone figures this out. I’m not using nmap either. It is annoying enough on a /24 network, but for a while I was on a /16 and it was trying to do a reverse lookup on every possible host address. I’m sure it did not always do this.

I also have the same problem with Home Assistant and pihole both running in docker containers on the same machine.

Logs of ha may help you.