Netgate Discussion Forum

Logging DNS queries

DHCP and DNS
  • G
    Gertjan @Octopuss
    last edited by Jan 30, 2025, 3:02 PM

    @Octopuss said in Logging DNS queries:

    @fireodo What's unbound?

    Like "Windows", pfSense, Linux, Apache, bind, postfix etc, a name of a program or collection of programs.
    Used by millions or even billions, you use them without actually knowing them by name.
    DNS Resolver
    And, because it's open source, here : I let the author do the introduction : UNBOUND.

    No "help me" PM's please. Use the forum, the community will thank you.
    Edit : and where are the logs ??

    1 Reply Last reply Reply Quote 0
    • O
      Octopuss @johnpoz
      last edited by Octopuss Jan 30, 2025, 3:18 PM Jan 30, 2025, 3:11 PM

      @johnpoz said in Logging DNS queries:

      @Octopuss the default dns resolver in pfsense.

      Your clients out of the box would ask pfsense IP for dns that they got from dhcp running on pfsense, and unbound would resolve what they ask for to an IP.

      What are your clients pointing to for dns? Is it not pfsense IP?

      How do you mean? I have DHCP set up, and the WAN is static IP with info I got from our ISP, including their DNS server of course.

      I don't understand the question, sorry.

      J 1 Reply Last reply Jan 30, 2025, 3:21 PM Reply Quote 0
      • J
        johnpoz LAYER 8 Global Moderator @Octopuss
        last edited by johnpoz Jan 30, 2025, 3:22 PM Jan 30, 2025, 3:21 PM

        @Octopuss there is zero reason to set up dns in pfsense out of the box. Doesn't matter if you have a static IP you set on your wan.

        Even if you set up dns in general to point to your isp dns, your clients via dhcp would get handed pfsense IP and unbound would resolve, not forward.

        Pfsense on its own is never going to do more than a handful of queries for stuff now and then - as it looks to see if there is an update to pfsense, or find the list of packages available, etc.

        Look on your client on your network - where does it point for dns?

        [screenshot, login required to view]

        Did you change unbound in pfsense to do forwarding or not? You could put whatever dns you want in the general tab.. Unless you told unbound to forward it's not going to ask those IPs.

        If you set up your dhcp to hand clients your isp dns.. Then logging in unbound isn't going to show you much.. You would either need to use the dnstop I pointed to, or sniff on your interfaces with packet capture under diagnostics to see what is doing dns queries to your isp dns.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        O 1 Reply Last reply Jan 30, 2025, 3:37 PM Reply Quote 0
        • O
          Octopuss @johnpoz
          last edited by Octopuss Jan 30, 2025, 3:38 PM Jan 30, 2025, 3:37 PM

          @johnpoz I set DNS resolver, not DNS forwarder if that's what you're asking.
          What I did was enter all those server names/IPs from our ISP in the general setup tab and in the WAN interface. That includes primary and 2ndary DNS server.

          All the clients in LAN do get pfSense's IP (192.168.0.1) as DNS server.

          J 1 Reply Last reply Jan 30, 2025, 3:43 PM Reply Quote 0
          • J
            johnpoz LAYER 8 Global Moderator @Octopuss
            last edited by Jan 30, 2025, 3:43 PM

            @Octopuss if you're using unbound as resolver - doesn't matter how many IPs you set up in general for dns.. It isn't going to ask those, unless you set up forwarding in unbound.

            [screenshot, login required to view]

            Unless you set that, then the only thing that could ever use the ones you put in general would be pfsense's own dns lookups. And if you left loopback in there 127.0.0.1 it should normally ask it, which would then resolve from roots and your dns servers listed in there would never be asked anything.. Unless your unbound was down and pfsense itself moved to one of the others listed.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

            O M 2 Replies Last reply Jan 30, 2025, 3:50 PM Reply Quote 1
            • O
              Octopuss @johnpoz
              last edited by Octopuss Jan 30, 2025, 3:52 PM Jan 30, 2025, 3:50 PM

              @johnpoz Ah ok, of course I enabled that, otherwise I wouldn't get anything resolved, right?

              edit: It's been a long time since I set this up, and now I remember why I have it set up like that - the ISP's DNS servers are 2km away unlike something that's several countries away, so it should have much better response.

              J 1 Reply Last reply Jan 30, 2025, 3:58 PM Reply Quote 0
              • J
                johnpoz LAYER 8 Global Moderator @Octopuss
                last edited by johnpoz Jan 30, 2025, 4:06 PM Jan 30, 2025, 3:58 PM

                @Octopuss no, you don't need to set that up to resolve something like google.com or any other public domain. unbound would ask the root servers and walk down the tree.

                As to response time.. Who cares if you're 2ms or 100ms.. And the only time you have to talk to roots is on a cold lookup.. After a domain is looked up unbound will directly talk to the authoritative NS for that domain since it will be cached.

                Your isp dns is only ever going to cache stuff queried by its customers anyway.. So you looking up something that no other customer has looked up recently will have their dns have to resolve from roots anyway, or forward it to some other NS..

                If you're forwarding - did you uncheck do dnssec? If you forward dnssec is only going to cause problems.. dnssec is only worthwhile when you actually resolve. All it's going to do is generate extra queries for zero benefit other than your queries possibly failing.

                If you want to know what is using a large amount of dns, set up the logging I posted, or easier would be to use dnstop to be honest.. This should give you an indication right away what client behind pfsense is doing most of the dns traffic..

                You can very easily get a breakdown of who is asking for the most dns by IP, and what are the top things being looked for, and even what each IP is asking for the most, etc. etc..

                [screenshot, login required to view]

                You can install dnstop on pfsense with pkg install dnstop

                [24.11-RELEASE][admin@sg4860.home.arpa]/root: pkg install dnstop
                Updating pfSense-core repository catalogue...
                pfSense-core repository is up to date.
                Updating pfSense repository catalogue...
                pfSense repository is up to date.
                All repositories are up to date.
                Checking integrity... done (0 conflicting)
                The most recent versions of packages are already installed
                [24.11-RELEASE][admin@sg4860.home.arpa]/root: 
                

                I already had it installed.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                O 1 Reply Last reply Jan 30, 2025, 4:07 PM Reply Quote 0
                • O
                  Octopuss @johnpoz
                  last edited by Octopuss Jan 30, 2025, 4:25 PM Jan 30, 2025, 4:07 PM

                  @johnpoz Yes I did enable DNSSEC. After some reading around it sounded like a good thing to have.

                  What did you mean by "dnssec is only worthwhile when you actually resolve"?

                  Btw how do I use dnstop? Sorry I don't know ANYTHING about Linux. The link you posted doesn't help. Supposedly one of the parameters is device, but I have no idea what that is. I presume it wants the id of whatever network adapter it should check, but I have no idea how to figure that out.
                  Never mind, I got it. I guess I am supposed to keep it running and it will accumulate over time.

                  How do I make it output like on your screenshots though?

                  G S J 3 Replies Last reply Jan 30, 2025, 4:51 PM Reply Quote 0
                  • G
                    Gertjan @Octopuss
                    last edited by Gertjan Jan 30, 2025, 4:52 PM Jan 30, 2025, 4:51 PM

                    @Octopuss said in Logging DNS queries:

                    How do I make it output like on your screenshots though?

                    That's what I was asking myself also.
                    So, google man freebsd dnstop and you're in.

                    Start with a

                    ifconfig
                    

                    and you see your interfaces. Or go to (GUI) Interfaces > Interface Assignments to see the same thing.
                    My LAN is igc0 ...

                    So :

                    dnstop -4 -6 -Q -R -l 3 igc0
                    

                    When it ran, I pressed # (because "show sources + 3rd level query names")

                    Experiment with it.

                    No "help me" PM's please. Use the forum, the community will thank you.
                    Edit : and where are the logs ??

                    1 Reply Last reply Reply Quote 0
                    • S
                      SteveITS Galactic Empire @Octopuss
                      last edited by Jan 30, 2025, 7:50 PM

                      @Octopuss If you have pfSense set to forward DNS queries then it doesn't look anything up itself and just asks the configured DNS server(s). In that setup DNSSEC should be off because it can create problems. The target DNS servers would use DNSSEC and you presumably trust them already.

                      The default in pfSense is to not forward, so it looks up DNS answers itself as noted above.

                      Both ways work.

                      One possibility is that if you are blocking anything, I've heard of IoT devices that assume "I can't connect" means "retry immediately" and generate a huge amount of lookups and connection attempts as they retry their DNS lookup several times per second.

                      Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                      When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                      Upvote 👍 helpful posts!

                      1 Reply Last reply Reply Quote 0
                      • J
                        johnpoz LAYER 8 Global Moderator @Octopuss
                        last edited by johnpoz Jan 30, 2025, 8:11 PM Jan 30, 2025, 8:01 PM

                        @Octopuss said in Logging DNS queries:

                        it will accumulate over time.

                        yeah.. you need to leave it running for the amount of time you want to collect info.. Just running for a couple seconds isn't going to show much unless you were getting just streaming dns queries like crazy..

                        I would run it and then do a query from your client for something specific - and you should be able to see it, you're prob going to want to use at least -l 3 if not higher as mentioned by @Gertjan so you can see something like www.domain.com, but you won't be able to see the specific query for something like otherthing.whatever.domain.com - the query would be counted but the info it would show for the specific query would only be whatever.domain.com

                        I am curious what your isp considers a large amount of dns requests ;) Unless you were doing what could be considered a dos, why would they care if you ask for 10,000 queries in a day or 1k.. ? Now 1k a second, ok yeah that seems high - or even worse 10k a second, then yeah you're doing something odd.. or wrong..

                        Keep in mind if your client was asking pfsense 1k times a second for www.whatever.com - your isp would only see 1 query for that for whatever the length of the ttl was.. So say the ttl was 3600 seconds for www.whatever.com.. The most your isp dns should ever see is 1 query for that an hour, even if your client locally was asking pfsense 10k times a second..

                        Because pfsense would have that record cached, no reason to ask the isp dns for it until the ttl expired and it was no longer in cache - then if client asks for it again it would have to forward that to your isp dns to get an answer.

                        If your isp is saying you're doing a large amount of queries you really shouldn't have to run dnstop very long to notice which client of yours is asking for a large amount of queries..

                        edit: see I ran it with -l 3 and I can see a query for something.otherthing.com, but what I really asked for was www.something.otherthing.com, but that is 4 levels in the query, and I told dnstop to only keep track of 3

                        [screenshot, login required to view]

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                        O 1 Reply Last reply Jan 30, 2025, 8:24 PM Reply Quote 0
                        • O
                          Octopuss @johnpoz
                          last edited by Octopuss Jan 30, 2025, 8:25 PM Jan 30, 2025, 8:24 PM

                          @johnpoz said in Logging DNS queries:

                          I am curious what your isp considers a large amount of dns requests ;)

                          Me too!
                          I asked them to call me tomorrow to explain what the heck they see that worried them enough to justify contacting me.
                          I let it run for two hours or so, and this doesn't look anything out of the ordinary.
                          [screenshot, login required to view]

                          J 1 Reply Last reply Jan 30, 2025, 8:35 PM Reply Quote 0
                          • J
                            johnpoz LAYER 8 Global Moderator @Octopuss
                            last edited by Jan 30, 2025, 8:35 PM

                            @Octopuss no that is not crazy by any means.. And to be honest those vcenter.lan and prefer.lan shouldn't even be sent to your isp dns. or that esxi.lan either. I mean there is no way your isp would be able to answer that query.. And I take it they actually resolve locally, right?

                            so forum.netgate.com.. the ttl on that record is 60 seconds, which I personally think is crazy low.. But with a ttl of 60 seconds:

                            ;; ANSWER SECTION:
                            forum.netgate.com.      60      IN      A       208.123.73.77

                            And you ran for 2 hours.. so 120 minutes.. While your client asked unbound 858 times.. The most your isp should have seen is 120, once a minute every hour.. same could be said for those other counts.. Your isp dns should only see a fraction of those numbers, depending on what the ttl of the specific record is.

                            7k queries in 2 hours doesn't seem crazy to me.. Especially since a lot of those shouldn't even be going to your isp, and others would only be a portion of those numbers because unbound should answer those from cache.

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                            O 1 Reply Last reply Jan 30, 2025, 8:38 PM Reply Quote 0
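The TTL arithmetic in the two posts above (the 3600-second www.whatever.com case, and the 858 client queries for forum.netgate.com over two hours against a 60-second TTL), as an added worked example that is not part of the thread and not pfSense or unbound code. It models a single cached record: each client query that arrives while the cached copy is still inside its TTL is answered locally, and only the misses reach the upstream (the ISP forwarder, or the authoritative server when resolving). The query timings are constructed (spread evenly over the window), so the modelled miss count is an illustration; the bound of one upstream query per TTL is what the argument relies on.

```python
"""Caching-resolver arithmetic for the TTL argument made in the thread.

Added example, not from the thread or from pfSense/unbound.  It models how a
caching resolver answers repeated client queries for one record from cache
until the TTL expires, so only the cache misses reach the upstream server.
"""
import math


def upstream_queries(client_query_times, ttl):
    """Count the upstream lookups a caching resolver makes for one record.

    client_query_times: seconds at which clients asked for the record (any
    order).  ttl: the record's TTL in seconds.  A query that arrives when
    the cached copy is absent or expired is a miss; the miss refetches the
    record and the new copy stays valid for ttl seconds.  A TTL of 0 means
    nothing is cached, so every query is a miss.
    """
    misses = 0
    expires_at = -math.inf          # nothing cached yet (cold cache)
    for t in sorted(client_query_times):
        if t >= expires_at:
            misses += 1
            expires_at = t + ttl
    return misses


def max_upstream_queries(window_seconds, ttl):
    """Upper bound on upstream lookups for one record during a window,
    however often clients ask: at most one per TTL."""
    if ttl <= 0:
        raise ValueError("ttl must be positive for a finite bound")
    return math.ceil(window_seconds / ttl)


def evenly_spaced(count, window_seconds):
    """Constructed sample input: `count` client queries spread evenly over
    the window, starting at t=0."""
    return [i * window_seconds / count for i in range(count)]


if __name__ == "__main__":
    # The thread's numbers: 858 client queries for a 60-second record over
    # two hours.  The bound is 120; the modelled cache needs even fewer.
    two_hours = 2 * 3600
    queries = evenly_spaced(858, two_hours)
    print("upstream bound:", max_upstream_queries(two_hours, 60))   # 120
    print("upstream actual:", upstream_queries(queries, 60))        # 108
    # A client hammering the resolver 1000 times inside one TTL of a
    # 3600-second record still costs exactly one upstream query.
    burst = evenly_spaced(1000, 3600)
    print("burst upstream:", upstream_queries(burst, 3600))         # 1
```

Run as a script it prints the bound (120), the modelled misses for evenly spaced queries (108) and the single upstream query for a burst inside one TTL. The functions apply to any record: the TTL comes from the answer section of a dig lookup, and the timestamps from whatever capture you have of client queries, so the same check tells you how many of the queries a client generates can actually have reached the ISP.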
                            • O
                              Octopuss @johnpoz
                              last edited by Jan 30, 2025, 8:38 PM

                              @johnpoz said in Logging DNS queries:

                              And to be honest those vcenter.lan and prefer.lan shouldn't even be sent to your isp dns

                              vcenter.lan is just a virtualized server running FreeNAS that sits in the living room, and considering I was watching DNS queries on LAN interface, I guess this was strictly local.

                              J 1 Reply Last reply Jan 30, 2025, 8:42 PM Reply Quote 0
                              • J
                                johnpoz LAYER 8 Global Moderator @Octopuss
                                last edited by johnpoz Jan 30, 2025, 8:45 PM Jan 30, 2025, 8:42 PM

                                @Octopuss yeah any local resources should never go to your isp.. because unbound should resolve that locally.

                                example

                                $ dig nas.home.arpa

                                ; <<>> DiG 9.16.50 <<>> nas.home.arpa
                                ;; global options: +cmd
                                ;; Got answer:
                                ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61959
                                ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

                                ;; OPT PSEUDOSECTION:
                                ; EDNS: version: 0, flags:; udp: 1232
                                ;; QUESTION SECTION:
                                ;nas.home.arpa.                 IN      A

                                ;; ANSWER SECTION:
                                nas.home.arpa.          2364    IN      A       192.168.9.10

                                ;; Query time: 2 msec
                                ;; SERVER: 192.168.3.10#53(192.168.3.10)
                                ;; WHEN: Thu Jan 30 14:39:44 Central Standard Time 2025
                                ;; MSG SIZE  rcvd: 58


                                No public dns would ever be able to resolve that, so why should it be sent upstream, either forwarding or resolving. If it's not resolving locally then you wouldn't be able to use it locally, because you wouldn't be able to get an answer.

                                If you ping vcenter.lan from your pc - you get back an IP right..

                                $ ping nas.home.arpa
                                Pinging nas.home.arpa [192.168.9.10] with 32 bytes of data:

                                $ ping ntp.home.arpa
                                Pinging ntp.home.arpa [192.168.3.32] with 32 bytes of data:

                                edit: now that you mention locally listening - you might want to make sure your dns isn't open to the public internet.. It's possible if your dns is open to the public, all kinds of ips could be asking your dns from the public internet and unbound is forwarding that to your isp.. This can be used as a dns amplification attack.

                                You should make sure your firewall rules on your wan are not open to dns traffic tcp/udp 53.. You might want to run dnstop on your pfsense wan and see if you're seeing queries from IPs out on the internet.

                                An intelligent man is sometimes forced to be drunk to spend time with his fools
                                If you get confused: Listen to the Music Play
                                Please don't Chat/PM me for help, unless mod related
                                SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                                O 1 Reply Last reply Jan 30, 2025, 9:27 PM Reply Quote 0
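The two checks johnpoz describes in the posts above (local-only names such as vcenter.lan or nas.home.arpa showing up as queries the firewall sends out of the WAN, and queries arriving on the WAN from outside addresses, which would mean port 53 is reachable from the internet), as an added example that is not part of the thread and not pfSense or dnstop code. It works on a plain text summary of captured DNS queries, one per line; the interface names (igc0 LAN, igc1 WAN), the WAN address and the capture lines are all constructed, with documentation ranges standing in for public addresses.

```python
"""Triage of a DNS capture summary for two findings raised in the thread:
  1. local-only names being sent upstream out of the WAN interface, which no
     public resolver can answer, and
  2. queries arriving on the WAN from outside addresses, the sign of a
     resolver reachable from the internet.
Added example, not from the thread or from pfSense.  Interface names,
addresses and the capture lines below are constructed.
"""
import ipaddress
from collections import Counter

# Assumed layout: igc0 = LAN, igc1 = WAN, WAN address 203.0.113.5.
# 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges
# used here in place of real public addresses.
WAN_IFACE = "igc1"
FIREWALL_WAN_IP = ipaddress.ip_address("203.0.113.5")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOCAL_SUFFIXES = (".lan", ".home.arpa", ".internal", ".localdomain")

# Constructed capture summary, one DNS query per line:
# "<iface> <src-ip> -> <dst-ip> <query-name>"
SAMPLE_CAPTURE = """\
igc1 203.0.113.5 -> 198.51.100.10 vcenter.lan
igc1 203.0.113.5 -> 198.51.100.10 forum.netgate.com.
igc1 192.0.2.77 -> 203.0.113.5 example.com
igc1 192.0.2.77 -> 203.0.113.5 example.com
igc0 192.168.0.20 -> 192.168.0.1 nas.home.arpa
igc0 192.168.0.21 -> 192.168.0.1 forum.netgate.com
"""


def parse_capture(text):
    """Parse the summary into (iface, src, dst, qname) tuples.  Names are
    lower-cased and the trailing root dot is dropped so they compare equal."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        iface, src, arrow, dst, qname = line.split()
        if arrow != "->":
            raise ValueError(f"unexpected line format: {line!r}")
        flows.append((iface, ipaddress.ip_address(src),
                      ipaddress.ip_address(dst), qname.rstrip(".").lower()))
    return flows


def is_local_name(qname):
    """True for names that only the local resolver can answer."""
    return qname.endswith(LOCAL_SUFFIXES)


def is_internal(addr):
    """True for RFC 1918 addresses, the only sources expected to query us."""
    return any(addr in net for net in RFC1918)


def leaked_local_names(flows):
    """Local-only names the firewall itself sent out of the WAN, with counts.
    Expected to be empty when unbound answers them locally."""
    return Counter(q for iface, src, dst, q in flows
                   if iface == WAN_IFACE and src == FIREWALL_WAN_IP
                   and is_local_name(q))


def external_query_sources(flows):
    """Non-RFC1918 sources sending queries *to* the WAN address, with counts.
    Any entry here means port 53 on the WAN is reachable from outside."""
    return Counter(str(src) for iface, src, dst, q in flows
                   if iface == WAN_IFACE and dst == FIREWALL_WAN_IP
                   and not is_internal(src))


def triage(text):
    """Run both checks over a capture summary and return the findings."""
    flows = parse_capture(text)
    return {"leaked_local_names": dict(leaked_local_names(flows)),
            "external_sources": dict(external_query_sources(flows))}


if __name__ == "__main__":
    for finding, hits in triage(SAMPLE_CAPTURE).items():
        print(f"{finding}: {hits or 'none'}")
```

On the constructed sample the first check reports vcenter.lan once (the firewall forwarded it upstream instead of answering it) and the second reports two queries from 192.0.2.77 aimed at the WAN address. On a real box both results should be empty: local names belong to unbound's own zones or host overrides, and the WAN rule set shown earlier in the thread, with nothing allowing tcp/udp 53 inbound, is what keeps the second list empty.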
                                • O
                                  Octopuss @johnpoz
                                  last edited by Jan 30, 2025, 9:27 PM

                                  @johnpoz Ah the firewall, that's a problem. I do not understand networking at all, it's just something I could never learn despite being an IT support guy by trade (well, used to up until ~ten years ago).

                                  This is what I have for WAN.
                                  [screenshot, login required to view]

                                  J 1 Reply Last reply Jan 30, 2025, 9:42 PM Reply Quote 0
                                  • J
                                    johnpoz LAYER 8 Global Moderator @Octopuss
                                    last edited by johnpoz Jan 30, 2025, 9:51 PM Jan 30, 2025, 9:42 PM

                                    @Octopuss nope nothing there that would allow access to your dns from outside.

                                    Do you have anything in the floating tab?

                                    So when you were running dnstop for 2 hours.. Did you have active p2p running (torrents).. Maybe when you have active p2p running is when your dns queries spike like crazy? Maybe you might want to leave dnstop running for a day or 2 to see what your typical sort of queries are day to day..

                                    So also when you were running it you were only listening for dns that comes in on your lan interface, but see you also have a wifi and wifi-separate.. It's possible lots of queries are coming in there?

                                    You could also run it on your wan interface and it should show you the queries your pfsense is sending and to what IPs

                                    [screenshot, login required to view]

                                    You will see a lot of destinations in mine because I resolve, and do not forward.. For your destinations you should only see your isp dns since you're forwarding.. But it's more about the amount of them, and sure you could log with like -l 3 again to see what is being asked for..

                                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                                    If you get confused: Listen to the Music Play
                                    Please don't Chat/PM me for help, unless mod related
                                    SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                                    O 1 Reply Last reply Jan 30, 2025, 9:55 PM Reply Quote 0
                                    • O
                                      Octopuss @johnpoz
                                      last edited by Jan 30, 2025, 9:55 PM

                                      @johnpoz said in Logging DNS queries:

                                      Maybe when you have active p2p running is when your dns queries spike like crazy? Maybe you might want to leave dnstop running for a day or 2 to see what your typical sort of queries are day to day..

                                      I would have to catch a moment when a torrent starts seeding.

                                      And sure, I could keep it running for a day, but the program could crash or I would forget and reboot the PC and all the results would be gone.

                                      J 1 Reply Last reply Jan 30, 2025, 10:00 PM Reply Quote 0
                                      • J
                                        johnpoz LAYER 8 Global Moderator @Octopuss
                                        last edited by johnpoz Jan 30, 2025, 10:01 PM Jan 30, 2025, 10:00 PM

                                        @Octopuss you can store the info to a file. You reboot your pfsense? The only time a reboot is needed is if upgrading its version.

                                        See the manual for dnstop on how to use the savefile - it really should just be the /path/filename at the end of your command.

                                        I would run it first just on your wan interface for say an hour or so - are you seeing something crazy like 10k queries a minute or something to your isp dns?

                                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                                        If you get confused: Listen to the Music Play
                                        Please don't Chat/PM me for help, unless mod related
                                        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                                        O 1 Reply Last reply Jan 30, 2025, 11:11 PM Reply Quote 0
                                        • O
                                          Octopuss @johnpoz
                                          last edited by Octopuss Jan 30, 2025, 11:26 PM Jan 30, 2025, 11:11 PM

                                          @johnpoz said in Logging DNS queries:

                                          You reboot your pfsense? The only time a reboot is if upgrading its version.

                                          Oh, no, I use Mobaxterm to SSH to the various devices on the network that can do so. Obviously if my PC somehow restarts or goes to sleep or locks up or whatever, all the data would be lost.

                                          edit: dnstop -Q -l 4 igc0 /tmp/dnstop doesn't save anything. This folder looked like something that can be written into but somehow nothing happened.

                                          J 1 Reply Last reply Jan 30, 2025, 11:55 PM Reply Quote 0
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.