Odd DNS requests
-
I noticed the other day that there were some local DNS lookups for my router ( pfsense.XXXXXXXXXX.net ) in the pfblocker-ng reports that looked odd, so I added the following to log DNS requests from unbound in the logs:-
log-queries: yes
log-replies: yes
log-tag-queryreply: yes
There seem to be lookups for my router with the FQDN and the domain name tacked onto the end, is anyone else seeing this?
I disabled pfBlocker-NG-devel 3.1.0.9 yesterday and didn't see any entries but almost as soon as I re-enabled it they started to appear.
2a025678:2::14 is my Mac.
Date,Time,Level,Host Name,Category,Program,Messages
2023-01-12,09:14:10,Info,pfsense.XXXXXXXXXX.net,daemon,unbound,[58103:2] reply: 2a02:1234:5678:2::14 pfsense.XXXXXXXXXX.net.XXXXXXXXXX.net. HTTPS IN NXDOMAIN 0.036452 0 115
2023-01-12,09:14:10,Info,pfsense.XXXXXXXXXX.net,daemon,unbound,[58103:1] reply: 2a02:1234:5678:2::14 pfsense.XXXXXXXXXX.net.XXXXXXXXXX.net. AAAA IN NXDOMAIN 0.034383 0 115
2023-01-12,09:14:10,Info,pfsense.XXXXXXXXXX.net,daemon,unbound,[58103:0] reply: 2a02:1234:5678:2::14 pfsense.XXXXXXXXXX.net.XXXXXXXXXX.net. A IN NXDOMAIN 0.034134 0 115
2023-01-12,09:14:10,Info,pfsense.XXXXXXXXXX.net,daemon,unbound,[58103:0] query: 2a02:1234:5678:2::14 pfsense.XXXXXXXXXX.net.XXXXXXXXXX.net. A IN
2023-01-12,09:14:10,Info,pfsense.XXXXXXXXXX.net,daemon,unbound,[58103:1] query: 2a02:1234:5678:2::14 pfsense.XXXXXXXXXX.net.XXXXXXXXXX.net. AAAA IN
2023-01-12,09:14:10,Info,pfsense.XXXXXXXXXX.net,daemon,unbound,[58103:2] query: 2a02:1234:5678:2::14 pfsense.XXXXXXXXXX.net.XXXXXXXXXX.net. HTTPS IN
2023-01-12,08:55:00,Info,pfsense.XXXXXXXXXX.net,daemon,unbound,[58103:2] reply: 127.0.0.1 pfsense.XXXXXXXXXX.net.XXXXXXXXXX.net. CNAME IN NXDOMAIN 0.000000 1 115
2023-01-12,08:55:00,Info,pfsense.XXXXXXXXXX.net,daemon,unbound,[58103:2] query: 127.0.0.1 pfsense.XXXXXXXXXX.net.XXXXXXXXXX.net. CNAME IN
2023-01-12,08:54:47,Info,pfsense.XXXXXXXXXX.net,daemon,unbound,[58103:2] reply: 127.0.0.1 pfsense.XXXXXXXXXX.net.XXXXXXXXXX.net. CNAME IN NXDOMAIN 0.000000 1 115
2023-01-12,08:54:47,Info,pfsense.XXXXXXXXXX.net,daemon,unbound,[58103:2] query: 127.0.0.1 pfsense.XXXXXXXXXX.net.XXXXXXXXXX.net. CNAME IN
2023-01-12,08:53:36,Info,pfsense.XXXXXXXXXX.net,daemon,unbound,[58103:3] reply: 127.0.0.1 pfsense.XXXXXXXXXX.net.XXXXXXXXXX.net. CNAME IN NXDOMAIN 0.000000 1 115
2023-01-12,08:53:36,Info,pfsense.XXXXXXXXXX.net,daemon,unbound,[58103:3] query: 127.0.0.1 pfsense.XXXXXXXXXX.net.XXXXXXXXXX.net. CNAME IN
2023-01-12,08:53:30,Info,pfsense.XXXXXXXXXX.net,daemon,unbound,[58103:3] reply: 127.0.0.1 pfsense.XXXXXXXXXX.net.XXXXXXXXXX.net. CNAME IN NXDOMAIN 0.039726 0 115
2023-01-12,08:53:30,Info,pfsense.XXXXXXXXXX.net,daemon,unbound,[58103:3] query: 127.0.0.1 pfsense.XXXXXXXXXX.net.XXXXXXXXXX.net. CNAME IN
-
Just looked again, 172.16.2.10 is my NAS, so maybe it's not a pfBlocker issue:-
Date,Time,Level,Host Name,Category,Program,Messages
2023-01-12,09:56:10,Info,pfsense.XXXXXXXXXX.net,daemon,unbound,[58103:1] reply: 172.16.2.10 account.synology.com.XXXXXXXXXX.net. AAAA IN NXDOMAIN 0.000000 1 111
2023-01-12,09:56:10,Info,pfsense.XXXXXXXXXX.net,daemon,unbound,[58103:1] query: 172.16.2.10 account.synology.com.XXXXXXXXXX.net. AAAA IN
2023-01-12,09:56:10,Info,pfsense.XXXXXXXXXX.net,daemon,unbound,[58103:1] reply: 172.16.2.10 account.synology.com. AAAA IN NOERROR 0.000000 1 116
2023-01-12,09:56:10,Info,pfsense.XXXXXXXXXX.net,daemon,unbound,[58103:2] reply: 172.16.2.10 account.synology.com. A IN NOERROR 0.000000 1 102
2023-01-12,09:56:10,Info,pfsense.XXXXXXXXXX.net,daemon,unbound,[58103:1] query: 172.16.2.10 account.synology.com. AAAA IN
2023-01-12,09:56:10,Info,pfsense.XXXXXXXXXX.net,daemon,unbound,[58103:2] query: 172.16.2.10 account.synology.com. A IN
2023-01-12,09:56:10,Info,pfsense.XXXXXXXXXX.net,daemon,unbound,[58103:3] reply: 172.16.2.10 checkipv6.synology.com. AAAA IN NOERROR 0.013613 0 345
2023-01-12,09:56:10,Info,pfsense.XXXXXXXXXX.net,daemon,unbound,[58103:1] reply: 172.16.2.10 checkipv6.synology.com. A IN NOERROR 0.000000 1 185
2023-01-12,09:56:10,Info,pfsense.XXXXXXXXXX.net,daemon,unbound,[58103:3] query: 172.16.2.10 checkipv6.synology.com. AAAA IN
2023-01-12,09:56:10,Info,pfsense.XXXXXXXXXX.net,daemon,unbound,[58103:1] query: 172.16.2.10 checkipv6.synology.com. A IN
-
@nogbadthebad yeah, pretty much every device/client will do that - it's the search suffix.. Some clients are dumber than other ones, etc..
Do an nslookup and set debug, so it shows you what gets asked and answered...
$ nslookup
Default Server:  pi.hole
Address:  192.168.3.10

> set debug
> www.google.com
Server:  pi.hole
Address:  192.168.3.10

------------
Got answer:
    HEADER:
        opcode = QUERY, id = 2, rcode = NXDOMAIN
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        www.google.com.local.lan, type = A, class = IN

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 3, rcode = NXDOMAIN
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        www.google.com.local.lan, type = AAAA, class = IN

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 4, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 0

    QUESTIONS:
        www.google.com, type = A, class = IN
    ANSWERS:
    ->  www.google.com
        internet address = 142.250.190.36
        ttl = 1026 (17 mins 6 secs)

------------
Non-authoritative answer:
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 5, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 0

    QUESTIONS:
        www.google.com, type = AAAA, class = IN
    ANSWERS:
    ->  www.google.com
        AAAA IPv6 address = 2607:f8b0:4009:809::2004
        ttl = 1026 (17 mins 6 secs)

------------
Name:    www.google.com
Addresses:  2607:f8b0:4009:809::2004
          142.250.190.36

>
Notice it tacked local.lan onto my simple query for www.google.com.
edit: Part of the reason I set my zone to static vs transparent - if not, much of those would get sent to roots or forwarded..
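The pattern in the unbound log excerpts in the first post (the router's FQDN with the domain appended again, and the NAS asking for account.synology.com with the domain appended before asking for the bare name) is exactly the search-suffix behaviour described above. The following script is an added example, not code from the thread or from pfSense/unbound: it parses the CSV export shown in the first post (Date,Time,Level,Host Name,Category,Program,Messages with unbound's log-queries/log-replies output in the last field), and flags NXDOMAIN replies where a client tacked the local search domain onto a name that was already fully qualified. The local domain home.example, the client addresses and the log lines inside the script are constructed stand-ins for the redacted values in the thread.

```python
"""Spot search-suffix-appended lookups in unbound query/reply logs.

Added example (not from the thread). Reads the CSV export shown in the
thread, where the Messages field carries unbound's log-queries/log-replies
output, and flags NXDOMAIN replies whose name is an already-qualified name
with the local search domain tacked on the end. The local domain, client
addresses and log lines below are constructed for this example.
"""
import re
from collections import Counter

LOCAL_DOMAIN = "home.example"  # assumed local search domain, stands in for the redacted one

# unbound log-tag-queryreply message layout:
# "[pid:thread] query|reply: client qname qtype qclass [rcode elapsed from_cache size]"
MSG_RE = re.compile(
    r"^\[\d+:\d+\]\s+(?P<kind>query|reply):\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+"
    r"(?P<qtype>\S+)\s+(?P<qclass>\S+)"
    r"(?:\s+(?P<rcode>\S+)\s+(?P<elapsed>[\d.]+)\s+(?P<cached>[01])\s+(?P<size>\d+))?\s*$"
)


def parse_line(line):
    """Parse one CSV log line into a dict; return None for anything that is not an unbound query/reply record."""
    parts = line.strip().split(",", 6)
    if len(parts) < 7 or parts[5] != "unbound":
        return None
    m = MSG_RE.match(parts[6])
    if not m:
        return None
    rec = m.groupdict()
    rec["date"], rec["time"] = parts[0], parts[1]
    rec["qname"] = rec["qname"].rstrip(".").lower()  # drop the root dot, normalise case
    return rec


def strip_suffix(qname, local_domain=LOCAL_DOMAIN):
    """Return qname with one trailing copy of the local domain removed, or None if it is not suffixed."""
    tail = "." + local_domain
    return qname[: -len(tail)] if qname.endswith(tail) else None


def find_suffix_appended(lines, local_domain=LOCAL_DOMAIN):
    """Return NXDOMAIN replies that look like '<already qualified name>.<local_domain>'.

    A name counts as already qualified when, with the suffix removed, it still
    ends in the local domain (router FQDN plus suffix, as in the thread) or the
    same client also looked up the stripped name on its own (the NAS case).
    Plain local hosts such as 'nas.home.example' are never flagged, and an
    unknown sub-zone name like 'printer.lab.home.example' is left alone because
    nothing shows the client meant 'printer.lab'.
    """
    records = [r for r in (parse_line(l) for l in lines) if r]
    asked = {(r["client"], r["qname"]) for r in records if r["kind"] == "query"}
    findings = []
    for r in records:
        if r["kind"] != "reply" or r["rcode"] != "NXDOMAIN":
            continue
        base = strip_suffix(r["qname"], local_domain)
        if base is None or "." not in base:
            continue  # not suffixed, or a single-label local host
        double_suffix = strip_suffix(base, local_domain) is not None
        if double_suffix or (r["client"], base) in asked:
            findings.append((r["client"], r["qname"], r["qtype"], base))
    return findings


def per_client_counts(lines, local_domain=LOCAL_DOMAIN):
    """Count flagged lookups per client so the noisiest stub resolver stands out."""
    return Counter(c for c, _, _, _ in find_suffix_appended(lines, local_domain))


# Constructed sample in the thread's CSV layout (not real traffic).
SAMPLE_LOG = """Date,Time,Level,Host Name,Category,Program,Messages
2023-01-12,09:14:10,Info,pfsense.home.example,daemon,unbound,[58103:0] query: 2001:db8:2::14 pfsense.home.example.home.example. A IN
2023-01-12,09:14:10,Info,pfsense.home.example,daemon,unbound,[58103:0] reply: 2001:db8:2::14 pfsense.home.example.home.example. A IN NXDOMAIN 0.034134 0 115
2023-01-12,09:14:10,Info,pfsense.home.example,daemon,unbound,[58103:2] query: 2001:db8:2::14 pfsense.home.example.home.example. HTTPS IN
2023-01-12,09:14:10,Info,pfsense.home.example,daemon,unbound,[58103:2] reply: 2001:db8:2::14 pfsense.home.example.home.example. HTTPS IN NXDOMAIN 0.036452 0 115
2023-01-12,09:56:10,Info,pfsense.home.example,daemon,unbound,[58103:1] query: 172.16.2.10 account.synology.com.home.example. AAAA IN
2023-01-12,09:56:10,Info,pfsense.home.example,daemon,unbound,[58103:1] reply: 172.16.2.10 account.synology.com.home.example. AAAA IN NXDOMAIN 0.000000 1 111
2023-01-12,09:56:10,Info,pfsense.home.example,daemon,unbound,[58103:1] query: 172.16.2.10 account.synology.com. AAAA IN
2023-01-12,09:56:10,Info,pfsense.home.example,daemon,unbound,[58103:1] reply: 172.16.2.10 account.synology.com. AAAA IN NOERROR 0.000000 1 116
2023-01-12,09:57:00,Info,pfsense.home.example,daemon,unbound,[58103:3] query: 172.16.2.10 nas.home.example. A IN
2023-01-12,09:57:00,Info,pfsense.home.example,daemon,unbound,[58103:3] reply: 172.16.2.10 nas.home.example. A IN NOERROR 0.000000 1 60
2023-01-12,09:58:00,Info,pfsense.home.example,daemon,unbound,[58103:3] query: 172.16.2.10 printer.lab.home.example. A IN
2023-01-12,09:58:00,Info,pfsense.home.example,daemon,unbound,[58103:3] reply: 172.16.2.10 printer.lab.home.example. A IN NXDOMAIN 0.001000 0 60
""".splitlines()

if __name__ == "__main__":
    for client, qname, qtype, base in find_suffix_appended(SAMPLE_LOG):
        print(f"{client:<18} {qtype:<6} {qname}  (search suffix appended to {base})")
    print(per_client_counts(SAMPLE_LOG))
```

Running it on the sample flags the two router lookups from the IPv6 client and the one account.synology.com lookup from the NAS, while the real local host and the unknown sub-zone name are left alone. The per-client count is the useful bit when reading a day's export: it shows which stub resolvers are generating the NXDOMAIN noise, and the cached flag (the 1 after the rcode) shows how much of it a static local zone is already absorbing instead of forwarding.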
-
@johnpoz Thanks John, one I'll have to chalk up to experience.
From my Mac:-

andy@mac-pro ~ % nslookup
> set debug
> www.google.com
Server:     2a02:1234:5678:2::1
Address:    2a02:1234:5678:2::1#53

------------
    QUESTIONS:
        www.google.com, type = A, class = IN
    ANSWERS:
    ->  www.google.com
        internet address = 142.250.187.228
        ttl = 300
    AUTHORITY RECORDS:
    ADDITIONAL RECORDS:
------------
Non-authoritative answer:
Name:   www.google.com
Address: 142.250.187.228
>

From a PC:-

C:\Users\andy>nslookup
Default Server:  pfsense-user.XXXXXXXXXX.net
Address:  2a02:1234:5678:2::1

> set debug
> www.google.com
Server:  pfsense-user.XXXXXXXXXX.net
Address:  2a02:1234:5678:2::1

------------
Got answer:
    HEADER:
        opcode = QUERY, id = 2, rcode = NXDOMAIN
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        www.google.com.XXXXXXXXXX.net, type = A, class = IN
    AUTHORITY RECORDS:
    ->  XXXXXXXXXX.net
        ttl = 2792 (46 mins 32 secs)
        primary name server = ns0.zen.co.uk
        responsible mail addr = netman.zen.co.uk
        serial  = 2017030359
        refresh = 14400 (4 hours)
        retry   = 1800 (30 mins)
        expire  = 604800 (7 days)
        default TTL = 86400 (1 day)

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 3, rcode = NXDOMAIN
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        www.google.com.XXXXXXXXXX.net, type = AAAA, class = IN
    AUTHORITY RECORDS:
    ->  XXXXXXXXXX.net
        ttl = 2792 (46 mins 32 secs)
        primary name server = ns0.zen.co.uk
        responsible mail addr = netman.zen.co.uk
        serial  = 2017030359
        refresh = 14400 (4 hours)
        retry   = 1800 (30 mins)
        expire  = 604800 (7 days)
        default TTL = 86400 (1 day)

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 4, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 0

    QUESTIONS:
        www.google.com, type = A, class = IN
    ANSWERS:
    ->  www.google.com
        internet address = 142.250.187.228
        ttl = 53 (53 secs)

------------
Non-authoritative answer:
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 5, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 0

    QUESTIONS:
        www.google.com, type = AAAA, class = IN
    ANSWERS:
    ->  www.google.com
        AAAA IPv6 address = 2a00:1450:4009:820::2004
        ttl = 118 (1 min 58 secs)

------------
Name:    www.google.com
Addresses:  2a00:1450:4009:820::2004
          142.250.187.228

>

From the NAS:-

andy@nas:~$ nslookup
> set debug
> www.google.com
Server:     172.16.2.1
Address:    172.16.2.1#53

------------
    QUESTIONS:
        www.google.com, type = A, class = IN
    ANSWERS:
    ->  www.google.com
        internet address = 142.250.187.228
        ttl = 300
    AUTHORITY RECORDS:
    ADDITIONAL RECORDS:
------------
Non-authoritative answer:
Name:   www.google.com
Address: 142.250.187.228
------------
    QUESTIONS:
        www.google.com, type = AAAA, class = IN
    ANSWERS:
    ->  www.google.com
        has AAAA address 2a00:1450:4009:820::2004
        ttl = 300
    AUTHORITY RECORDS:
    ADDITIONAL RECORDS:
------------
Name:   www.google.com
Address: 2a00:1450:4009:820::2004
>
-
@nogbadthebad so your mac doesn't do it..
Did you snip that off - I don't see it asking for AAAA either? Which is odd..
To be honest it's a horrible practice and causes lots of extra DNS traffic if you add it all up across a network, etc. On Windows PCs it's a pita to disable even..
-
@johnpoz nope, nothing snipped off, however if I do a host www.google.com it comes back with an IPv6 address:-

andy@mac-pro ~ % host www.google.com
www.google.com has address 142.250.187.228
www.google.com has IPv6 address 2a00:1450:4009:81e::2004
andy@mac-pro ~ %
-
@nogbadthebad that is odd nslookup behavior..
Oh, tip on Windows: you could try adding . as the search suffix.. since it won't let you use nothing.. this seems to quiet it down.. At least with respect to what nslookup debug shows.