Excessive DSN requests
-
I have been noticing very high DNS outbound traffic. With the nice stats using ELK, I see I end up having ~65% of all destination ports are 53 (outbound, no one is trying to use my box as DNS from outside).
I have DNS Forwarder off and DNS resolver on. Checking my internal machines they are using pfsense as the dns server as my DHCP server only provides that as an option.
I am up to 2,500 requests per hour. I only have 20 nodes on my internal network but most are IoT type of devices. Maybe three computers are active browsing at any time.
Anyone see this behavior?
-
2,500 DNS requests per hour doesn't seem alarming to me at all.
-
This is when very idle so no other traffic. As I see it, unless you only send one packet out for each web site or Internet service, your normal traffic combined should be grater than the DNS traffic.
Attached is a picture that shows 80% of traffic is for DNS for yesterday.
The strange thing is that when I do LAN only traffic and see the DNS queries going to pfsense, it's only 3%. But then outbound on the WAN, it jumps to 80%.
-
That's how the resolver works. It resolves all requests from the root/gtld servers down. One A record request might be 20 DNS queries. Then it will be cached.
If it concerns you you should pcap port 53 on WAN and see if it's anything you should be worried about.