Netgate Discussion Forum

    Excessive DNS requests

      gauthig

      I have been noticing very high DNS outbound traffic.  With the nice stats using ELK, I see that ~65% of all destination ports are 53 (outbound, no one is trying to use my box as DNS from outside).

      I have DNS Forwarder off and DNS Resolver on.  Checking my internal machines, they are using pfSense as the DNS server, as my DHCP server only provides that as an option.

      I am up to 2,500 requests per hour. I only have 20 nodes on my internal network but most are IoT-type devices.  Maybe three computers are actively browsing at any time.

      Anyone see this behavior?

        Derelict LAYER 8 Netgate

        2,500 DNS requests per hour doesn't seem alarming to me at all.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          gauthig

          This is when very idle so no other traffic.  As I see it, unless you only send one packet out for each web site or Internet service, your normal traffic combined should be greater than the DNS traffic.

          Attached is a picture that shows 80% of traffic is for DNS for yesterday.
          The strange thing is that when I do LAN only traffic and see the DNS queries going to pfsense, it's only 3%.  But then outbound on the WAN, it jumps to 80%.

          [Attachment: ELK-1Day-Traffic.JPG]

            Derelict LAYER 8 Netgate

            That's how the resolver works. It resolves all requests from the root/gtld servers down. One A record request might be 20 DNS queries. Then it will be cached.

            If it concerns you, you should pcap port 53 on WAN and see if it's anything you should be worried about.

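
The WAN capture check suggested in the last post, as an added example that is not part of the original thread: it reads a port 53 capture and counts outbound queries per name and per destination server. It assumes a classic pcap file with Ethernet framing (for example one written by `tcpdump -w`) and looks only at untagged IPv4/UDP; the function names and the sample addresses (documentation ranges) are constructed for illustration.

```python
import struct
from collections import Counter
# Constructed sample: (destination server, query name) pairs seen leaving WAN.
SAMPLE = [("192.0.2.1", "www.example.com"), ("198.51.100.1", "www.example.com"),
          ("203.0.113.53", "WWW.example.COM"), ("192.0.2.1", "ntp.example.net")]

def dns_qname(msg):
    """First question name of a DNS message; None if truncated or malformed."""
    labels, i = [], 12                      # question follows the 12-byte header
    while i < len(msg):
        n = msg[i]
        if n == 0:
            return ".".join(labels) or "."
        if n > 63 or i + 1 + n > len(msg):  # compression pointer or overrun
            return None
        labels.append(msg[i + 1:i + 1 + n].decode("ascii", "replace").lower())
        i += 1 + n

def summarize(pcap):
    """Count DNS queries (UDP to port 53, QR=0) per name and per destination IP."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None or struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    names, servers, off = Counter(), Counter(), 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue                        # keep untagged IPv4/UDP only
        udp = frame[14 + (frame[14] & 0x0F) * 4:]
        if len(udp) < 20 or udp[2:4] != b"\x00\x35" or udp[10] & 0x80:
            continue                        # not to port 53, or a response
        name = dns_qname(udp[8:])
        if name is not None:
            names[name] += 1                # names are lower-cased before counting
            servers[".".join(map(str, frame[30:34]))] += 1
    return names, servers

def sample_pcap(queries=SAMPLE):
    """Build the constructed capture: one A query per (server, name) pair."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for dst, qname in queries:
        q = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\0"
        dns = struct.pack("!6H", 0x1234, 0, 1, 0, 0, 0) + q + struct.pack("!2H", 1, 1)
        udp = struct.pack("!4H", 40000, 53, 8 + len(dns), 0) + dns
        ip = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0)
        frame = b"\0" * 12 + b"\x08\x00" + ip + bytes([203, 0, 113, 5, *map(int, dst.split("."))]) + udp
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out
```

In the constructed sample, one name is sent to three different servers, which is the pattern the resolver's recursion described above produces on the WAN side.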