HA spamming PTR DNS lookups?

I had the same problem. In my case, it depended on the integration/component.

I recently switched all the hardcoded IPs in my configuration files to local names instead and I saw a huge jump in my pihole chart (like you did). Requests from my hassio went from the low 100s to nearly 3000 per 10 minute timeframe. I could see which host it was requesting records for in the pihole logs (like you did) and I then used trial and error to back out the changes until I found the culprit.

It was ZoneMinder, my security camera integration/component. When I put the hostname of the system in there instead of the IP I get nearly 3000 queries in 10 minutes from hassio for it.

I just barely figured this out you can see the requests dive at the end.

I came across this after I observed the same issue with my pi-hole/hass setup. I found a solution that seemed to work for me. Posting in the hope that it will help someone else too.

Initially, I disabled the Nmap Tracker integration. All x.x.x.x.in-addr.arpa PTR lookups seemed to stop.

After looking a little more at the integration, and NMAPs options, I reconfigured the Nmap Tracker and added the following to suppress DNS resolution.

scan_options: " -n "

So far traffic on my pi-hole is reasonable again.

2 Likes

How did you reconfigure Nmap tracker… your option for -n scan did not help me… the only solution it was to stop using Nmap…

1 Like

I think this might be related to why my devices get kicked off wifi sometimes, I am also seeing a large amount of dns lookups on adguard: When hassio is online other devices on network lose wifi connection · Issue #1194 · home-assistant/operating-system · GitHub

This is happening to me as well. Running HASSIO on a RPI4, and it shoots ton of PTR scans through the pihole.

It started doing this recently (perhaps after updatinf to latest HASSIO core??, I do not know what causes /how to stop it
Any suggestion is appreciated

2021-04-30 12:49:49 PTR 210.7.168.192.in-addr.arpa 192.168.4.103 OK (cached) Blacklist
2021-04-30 12:49:49 PTR 209.7.168.192.in-addr.arpa 192.168.4.103 OK (cached) Blacklist
2021-04-30 12:49:49 PTR 208.7.168.192.in-addr.arpa 192.168.4.103 OK (cached) Blacklist
2021-04-30 12:49:49 PTR 207.7.168.192.in-addr.arpa 192.168.4.103 OK (cached) Blacklist
2021-04-30 12:49:49 PTR 206.7.168.192.in-addr.arpa 192.168.4.103 OK (cached) Blacklist
2021-04-30 12:49:49 PTR 205.7.168.192.in-addr.arpa 192.168.4.103 OK (cached) Blacklist
2021-04-30 12:49:49 PTR 204.7.168.192.in-addr.arpa 192.168.4.103 OK (cached) Blacklist
2021-04-30 12:49:49 PTR 203.7.168.192.in-addr.arpa 192.168.4.103 OK (cached) Blacklist
2021-04-30 12:49:49 PTR 202.7.168.192.in-addr.arpa 192.168.4.103 OK (cached) Blacklist
2021-04-30 12:49:49 PTR 201.7.168.192.in-addr.arpa 192.168.4.103 OK (cached)

Are you using the nmap addon?

Nick,
I am not using nmap addon.

–B0

Something is scanning your network addresses, at least between .201 and .210.

Does anyone have an idea how to trace the source of this behavior?
I am running HASS 5.13 and core-2021.4.6

There are about 1,000 DNS PTR calls per hours coming from my HA.

TY

They come from that IP address.

I have the same issue. Every hour, my HA do a lot a PTR request


I run HA in docker container. It scan 172.20.0.0/16, the docker internal network (so it’s totally useless).
It destroy all my DNS stats. :confused:

I disabled all my integrations, and the request don’t stop.
I’m not using nmap integration.

2 Likes

Yep, that is exactly my HASSIO IP address,

Hope someone figures this out , I’m not using nmap either, it is annoying enough on a /24 network but for a while I was on a /16 and it was trying to do a reverse lookup on every possible host address. I’m sure it did not always do this.

I also have the same problem with home assistant and pihole running both in docker containers on the same machine

Logs of ha may help you.

Subscribing because I’m curious. I have these too but was never really that bothered by it. I have an HAOS setup and ship all my logs over to Grafana so I can pretty clearly see the pattern. Every hour like clockwork something makes like 200 PTR requests to the hassio_dns container asking for the hostname of almost every IP address in the range I use for my LAN (192.168.1.x). Nearly all just return NXDOMAIN but it doesn’t seem to matter to whatever is doing it.

There are a few other interesting notes about this data:

  1. I don’t see every number. The logs are missing every IP address which is actually assigned a device. I don’t know if that’s because it doesn’t query those or because the hassio_dns container only logs NXDOMAIN requests though.
  2. It stops at 192.168.1.202 every time. Another mystery, the range goes to 254 and nothing above 80 or so is assigned.
  3. I do run adguard. I guess that could be it? Would be weird though because Adguard is my DHCP server, dunno why it would be asking anyone else to do reverse lookups on my LAN for it. And even if it did I would think it would be asking my gateway. To my knowledge the adguard add-on doesn’t know anything about hassio_dns, rather hassio_dns asks it to resolve external requests a lot.
  4. These PTR requests say their source is 172.30.32.1. That’s the gateway of the hassio network not sure that really means anything we didn’t already know (its coming from somewhere in HA)

I was wondering if this was zeroconf. I know zeroconf is a key piece of discovery and is scanning your network for supported devices and I believe it uses DNS to do this based on the code. But I don’t really see anything in there that would suggest an hourly schedule so I’m not really sure.

EDIT: Oh wait, I think I was looking at the wrong core discovery integration, I think its dhcp. That one clearly does have a 60 minute schedule right here

1 Like

Same problem here: HA and adguard, no nmap integration (10.30.52.92 = HA docker host)


image
image

It completely messes up my stats.

Ok some more poking around:

  1. I see these PTR requests in adguard. So looks like hassio_dns logs the failures but passes all of these on to adguard. I find adguard’s query log very confusing since it doesn’t seem to be sorted by time and I can’t sort by any of the columns but when I started searching for individual PTR requests I found the pattern. Interestingly what seems to happen is there is a PTR request once per hour for unused addresses and once every 10 minutes for addresses actually in use, no wonder these numbers are so high.
  2. I removed the dhcp component from my configuration.yaml after my initial post about an hour ago. There has been no PTR requests since then. Will continue to monitor but definitely starting to look like the culprit.
1 Like

@CentralCommand maybe my problem is different but i don’t have the DHCP component.

Do you have default_config? If so then you have dhcp as well