Why is HomeAssistant reaching out to 1.1.1.1 via DNS over HTTPS

I run split DNS on my network, that way I can access my services internally/externally without any configuration changes or issues. DNS over HTTPS DNS over TLS (DoT) causes problems, since the DNS request doesn’t hit my DNS server.

So I just block all DNS over HTTPS DoT on my network (via pfBlockerng). I was looking through the logs, and I see home assistant (10.254.1.50) reaching out to 1.1.1.1 – I thought this was strange, so I went into the configuration settings and I didn’t see this in the settings anywhere to disable. I have a static IP address, and my own DNS server set.

Just not sure which service attempts to use DNS over HTTPS DoT, or if hass core is the culprit. Any thoughts?

Standalone Rpi4 installation

  • Home Assistant Core 2022.6.6
  • Home Assistant Supervisor 2022.05.3
  • Home Assistant OS 8.2

Add-ons:

  • Google Drive Backup
  • Mosquitto broker
  • Studio Code Server
  • Terminal & SSH
  • Z-Wave JS

Integrations enabled:

  • AndroidTV
  • Supervisor
  • Home
  • Mobile App
  • Mosquitto broker
  • MyQ
  • Google Nest configuration
  • Shopping List
  • Sonos
  • Sun
  • Tasmota
  • UniFi Protect
  • Z-Wave JS

Do you mean DNS over HTTPS or DNS over TLS? HA uses Cloudflare DoT as a fallback DNS server by default if it fails to get an answer from any of the configured ones:

But I’m not aware of any usage of cloudflare DoH by HA. I don’t know what that would be coming from.

Afaik only HAOS / supervised does that. See Improve Privacy, Stop using hardcoded DNS

and HA OS DNS Setting - Configuration not respected?

It’s DoT by the way, DoH uses 443

@CentralCommand @Recte @farmio

Ah, yes, sorry, I was getting the two mixed up. DoT.

I guess my next question is, is there a way for me to determine what DNS queries are failing, and resorting to the fallback?

My internal DNS server utilizes Cloudflare for all but my local service names, so I’m a bit perplexed as to why any DNS queries are failing at all.

It may not actually be failing. By default HA uses the fallback for SERVFAIL, REFUSED and NXDOMAIN responses. Falling back on REFUSED and NXDOMAIN in particular is (understandably) what people find confusing.

I explained the reason it uses the fallback for these here:

It does actually make sense since most users would prefer to simply not worry about DNS. So the fallback as configured ensures that people don’t hit strange issues around key hostnames like github.com and ghcr.io even if their ISP provided DNS server is misbehaving. And for users that do care and want to exert full control over DNS in their network they can simply disable the fallback with

ha dns options --fallback=false

Although for anyone looking to disable the fallback I strongly recommend running the following command first:

ha resolution info

Just to make sure your DNS server doesn’t have the musl-related issue I mention in that post. If you do it will show up under issues and should be fixed first. Otherwise the fallback can be disabled.

4 Likes
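One way to answer the question above (which of your queries come back with a code that would send HA to the fallback), as an added example that is not from this thread or the Home Assistant project: it sends plain UDP queries to a resolver you name and classifies the RCODE with the SERVFAIL/REFUSED/NXDOMAIN rule described in the reply above. The resolver address and the local hostname in the `__main__` block are placeholders.

```python
import secrets
import socket
import struct

# Response codes the reply above names as triggering Home Assistant's
# Cloudflare DoT fallback: SERVFAIL (2), NXDOMAIN (3) and REFUSED (5).
FALLBACK_RCODES = {2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
RCODE_NAMES = {0: "NOERROR", **FALLBACK_RCODES}

def build_query(name, txid, qtype=1):
    """Minimal DNS query: RD=1, one question, A record by default."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)

def rcode_of(response, txid):
    """Return the RCODE of a DNS response after sanity-checking it."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    rid, flags = struct.unpack(">HH", response[:4])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    return flags & 0x000F

def triggers_fallback(rcode):
    """True if HA would consult the Cloudflare DoT fallback for this answer."""
    return rcode in FALLBACK_RCODES

def probe(resolver, name, timeout=2.0):
    """Query `resolver` over UDP/53 and report whether the answer would
    trigger the fallback. Needs network access; the other functions do not."""
    txid = secrets.randbelow(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (resolver, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return f"{name}: no answer from {resolver} (fallback)"
    rc = rcode_of(data, txid)
    verdict = "fallback" if triggers_fallback(rc) else "no fallback"
    return f"{name}: {RCODE_NAMES.get(rc, rc)} ({verdict})"

if __name__ == "__main__":
    # github.com and ghcr.io are the hostnames the reply above mentions; the
    # local name and the resolver address are placeholders, not from the thread.
    for host in ("github.com", "ghcr.io", "myservice.home.example"):
        print(probe("192.0.2.53", host))
```

Run it once against your internal resolver and once against the upstream it forwards to; a name that is NOERROR upstream but REFUSED or NXDOMAIN internally is one the fallback would silently answer for you.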

Just an FYI:

I am running HA on Proxmox using the KVM image provided by HA. I also run PFSense as my router/firewall (and DNS server). I block direct DNS (and DNS over TLS) queries and re-route all DNS queries to PFSense.

I noticed that I was seeing 70 to 80% CPU usage and between 0.7 and 1.1 Mbps network throughput on my HA KVM. After executing

ha dns options --fallback=false

CPU usage immediately dropped to 1% and network throughput dropped to 0.001 Mbps (which is what I would expect normally).

5 Likes

I’d like to thank you very much for this; I had the same setup and problem. I recently set up pfSense in Proxmox, and once I added my HA VM onto the new network, BLAM, both machines’ CPUs were getting hammered with about 8 Mbps Tx/Rx activity.

I figured it was DNS, but this line fixed it 😄

1 Like

I had the same issue today. I just stood up a new Intel box to run HA on, and this morning my pfSense firewall was pegged archiving log files generated by what could be described as a DoS from that server, with DNS traffic going to 1.1.1.1, which I block. Disabling that DNS option fixed it.

2 Likes

I am thinking there is some kind of bug in this fall-back mechanism!

I finally got my OPNsense firewall installed today. I started monitoring traffic and found that Home Assistant downloaded well over 8 GB (YES, gigabytes) of %what-ever% from 1.1.1.1 in ~1.5 h. I have a 1 GBit fibre connection into my home, so I never noticed it before. With OPNsense, I could see HA downloading at an exact and constant rate of 10 MBit/s directly from 1.1.1.1 and 1.0.0.1 over TCP 853.

That is TOO much! DNS Packets are tiny and should NEVER reach multiple GB, NEVER.

Here are some screen prints that might help!

I disconnected the HA LAN cable just to confirm; here is a screenshot from when I plugged it back in.
[[apparently I am not allowed to add more than one picture]] 🙁

After I ran the “ha dns options --fallback=false” command, the internet returned to normal speeds.

Here is the 2nd image:
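To put numbers on what the posters above saw on pfSense and OPNsense, here is an added example (not from this thread or either firewall project) that aggregates per-second flow records and flags hosts pushing implausible volumes to 1.1.1.1 or 1.0.0.1 over TCP 853. The record format is constructed for the example; adapt the parser to whatever your firewall exports.

```python
from collections import defaultdict

# Cloudflare resolver addresses and the DNS-over-TLS port named in the thread.
CLOUDFLARE_DOT = {"1.1.1.1", "1.0.0.1"}
DOT_PORT = 853

# Constructed sample, NOT a real pfSense/OPNsense export. One record per
# line, each summarising one second of traffic:
#   epoch_seconds src_ip dst_ip proto dst_port bytes
SAMPLE_FLOWS = """\
1655000000 10.254.1.50 1.1.1.1    tcp 853 1310720
1655000001 10.254.1.50 1.0.0.1    tcp 853 1310720
1655000002 10.254.1.50 1.1.1.1    tcp 853 1310720
1655000003 10.254.1.50 1.0.0.1    tcp 853 1310720
1655000000 10.254.1.20 1.1.1.1    tcp 853 2048
1655000001 10.254.1.50 10.254.1.1 udp 53  412
"""

def parse_flows(text):
    """Parse the whitespace-separated records above into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport, nbytes = line.split()
        flows.append({"ts": int(ts), "src": src, "dst": dst, "proto": proto,
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows

def dot_summary(flows):
    """Per source host: bytes, record count and average Mbit/s sent to
    Cloudflare DoT endpoints (tcp/853 to 1.1.1.1 or 1.0.0.1)."""
    acc = defaultdict(lambda: {"records": 0, "bytes": 0, "first": None, "last": None})
    for f in flows:
        if f["proto"] != "tcp" or f["dport"] != DOT_PORT or f["dst"] not in CLOUDFLARE_DOT:
            continue
        s = acc[f["src"]]
        s["records"] += 1
        s["bytes"] += f["bytes"]
        s["first"] = f["ts"] if s["first"] is None else min(s["first"], f["ts"])
        s["last"] = f["ts"] if s["last"] is None else max(s["last"], f["ts"])
    for s in acc.values():
        seconds = s["last"] - s["first"] + 1   # each record covers one second
        s["mbps"] = s["bytes"] * 8 / seconds / 1e6
    return dict(acc)

def runaway_dot_hosts(flows, max_bytes=1_000_000):
    """Hosts whose DoT volume exceeds what DNS could plausibly need; DNS
    answers are a few hundred bytes, so megabytes signal a resolver loop."""
    return sorted(h for h, s in dot_summary(flows).items() if s["bytes"] > max_bytes)
```

On the sample, 10.254.1.50 sustains about 10.5 Mbit/s to the Cloudflare DoT endpoints, while 10.254.1.20 (a few kilobytes) looks like ordinary resolver traffic and is not flagged.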

Sometimes a picture says more than 1000 words; this is NOT one of those cases, as you haven’t informed us about anything, not even whether you have read your OPNsense manual or just plugged it in and looked at some figures whose context you maybe really don’t understand.

I.e., I’m sure you would be able to confirm your “initial findings” by looking at, e.g., your HA DB file, the overall size of your HA storage, AND a “decent” traffic analyzer.