Logging DNS queries
-
@johnpoz Ah the firewall, that's a problem. I do not understand networking at all, it's just something I could never learn despite being an IT support guy by trade (well, used to up until ~ten years ago).
This is what I have for WAN.
-
@Octopuss nope nothing there that would allow access to your dns from outside.
Do you have anything in the floating tab?
So when you were running dnstop for 2 hours.. Did you have active p2p running (torrents).. Maybe when you have active p2p running is when your dns queries spike like crazy? Maybe you might want to leave dnstop running for a day or 2 to see what your typical sort of queries are day to day..
So also when you were running it you were only listening for dns that comes in on your lan interface, but see you also have a wifi and wifi-separate.. It's possible lots of queries are coming in there?
You could also run it on your wan interface and it should show you the queries your pfsense is sending and to what IPs
You will see a lot of destinations in mine because I resolve, and do not forward.. For your destinations you should only see your isp dns since you're forwarding.. But it's more about the amount of them, and sure you could log with like -l 3 again to see what is being asked for..
-
@johnpoz said in Logging DNS queries:
Maybe when you have active p2p running is when your dns queries spike like crazy? Maybe you might want to leave dnstop running for a day or 2 to see what your typical sort of queries are day to day..
I would have to catch a moment when a torrent starts seeding.
And sure, I could keep it running for a day, but the program could crash or I would forget and reboot the PC and all the results would be gone.
-
@Octopuss you can store the info to a file. You reboot your pfsense? The only time a reboot is needed is when upgrading its version.
See the manual for dnstop on how to use the savefile - it really should just be the /path/filename at the end of your command.
I would run it first just on your wan interface for say an hour or so - are you seeing something crazy like 10k queries a minute or something to your isp dns?
-
@johnpoz said in Logging DNS queries:
You reboot your pfsense? The only time a reboot is needed is when upgrading its version.
Oh, no, I use Mobaxterm to SSH to the various devices on the network that can do so. Obviously if my PC somehow restarts or goes to sleep or locks up or whatever, all the data would be lost.
edit: dnstop -Q -l 4 igc0 /tmp/dnstop doesn't save anything. This folder looked like something that can be written into but somehow nothing happened.
-
@Octopuss oh my bad - savefile is for reading in info from a pcap.. You would have to run a pcap capturing your dns and then load that in..
Ah you're talking about losing your ssh connection.. Ah you can run it in a screen then.. you can install that on pfsense with pkg install screen.
This allows you to run it in a screen, detach it and then reattach it later.. that way you can disconnect your ssh session.
see here is one running
[24.11-RELEASE][admin@sg4860.home.arpa]/root: screen -ls
There is a screen on:
        8926.pts-0.sg4860       (01/30/25 17:50:51)     (Detached)
1 Socket in /tmp/screens/S-admin.
[24.11-RELEASE][admin@sg4860.home.arpa]/root:
I can then reattach to that .. there are plenty of examples on the net on how to use screen
edit:
quick and dirty how-to: run screen, start your command, do a ctrl+a and then d to detach it.. then you can even close your ssh session. Come back in a couple of days and reattach to that screen.. do a screen -ls to see your sessions, then attach to the one you want with screen -r number
-
I have finally lost patience and called the ISP, spoke to the owner, and am not any smarter than before, lol.
He basically told me our address was number 2 in DNS queries - presumably in our network segment, but possibly in the entire network (I forgot). I think he said the total number of queries for yesterday was... 16k? Something like that.
I can't tell if that's a lot or not for a power user kind of person. My PC basically stays on 10+ hours a day with lots of tabs open, plus there is a torrent seedbox, a few phones and 2-3 notebooks (which aren't used much so that's probably irrelevant).
I let dnstop run overnight, and since I last posted here until now, there have been 25283 total requests. 5900 of those are this forum alone, which I left running. It was checking the WAN interface, and I am confused why it still displays local queries, but whatever.
edit: One more thing I don't understand is why whenever I refresh any page in the browser on my PC, an extra DNS request is made, but when I do the same on my phone, nothing happens. I tried various things but the only time I see any DNS requests being logged from my phone is when I actually connect to the wifi.
-
@Octopuss said in Logging DNS queries:
I think he said the total number of queries for yesterday was... 16k? Something like that.
Euh, lol. That's nothing. That's what we consume here per hour .... and it's Friday, they all left for the weekend already.
You spoke to the owner .... wow, how big is your ISP ? 3 or 4 clients ?
@Octopuss said in Logging DNS queries:
I see any DNS requests being logged from my phone is when I actually connect to the wifi.
If you're not connected to your wifi .... then where does the traffic come from ?
I give you a hint : not through pfSense.
@Octopuss said in Logging DNS queries:
I don't understand is why whenever I refresh any page in the browser on my PC
What host name ?
For example : this one : forum.netgate.com ? You already know why, but didn't connect all the dots yet ^^
[24.11-RELEASE][root@pfSense.bhf.tld]/root: dig forum.netgate.com AAAA
Bla bla bla
;; ANSWER SECTION:
forum.netgate.com.      30      IN      AAAA    2610:160:11:11::6
So, the IP that was resolved from dig forum.netgate.com AAAA is 2610:160:11:11::6 and it's valid for (TTL) 30 seconds.
The browser will send out a DNS request to update the info as soon as the TTL is expired.
As you found out yourself : that happens every 60 seconds. Why 60 seconds ? Not sure, the question was already asked, but no one from Netgate could come public with a reason.
TTL = Time To Live.
You saw 5900 requests for "forum.netgate.com" so you had a forum web page open for 5900/60 = 100 minutes or so.
@Octopuss said in Logging DNS queries:
It was checking the WAN interface
In that case you'll see the DNS requests that are coming from the resolver, and, if you have devices that don't use the pfSense resolver but do their own resolver or tap into 8.8.8.8 or 1.1.1.1,
If you 'dnstop' on a LAN, you would see even more DNS traffic. The traffic that was already in the resolver cache with a not expired TTL would get answered directly without the need of a more time consuming resolve process.
-
@Gertjan said in Logging DNS queries:
You spoke to the owner .... wow, how big is your ISP ? 3 or 4 clients ?
I'm not sure, it's a local one for this town and the surrounding areas. They have their own fibre cables laid all around. I would guess the number of clients could be very low thousands.
@Gertjan said in Logging DNS queries:
If you're not connected to your wifi .... then where does the traffic come from ?
You misunderstood.
Every time I refresh any page in the browser on my PC, a hit number for that address/IP in dnstop window increases.
When I do the same on the phone (which is on the wifi), nothing happens. Actually the phone's IP doesn't even show up in the list when I go watch the virtual interface for the wifi. The only time the phone's IP and some requests show up in the list is the moment the phone actually connects to the wifi.
@Gertjan said in Logging DNS queries:
The traffic that was already in the resolver cache with a not expired TTL would get answered directly without the need of a more time consuming resolve process.
By that logic there should not be any additional requests logged when I refresh a page on my PC, right?
-
@Octopuss Many phones and even desktop browsers now will use DOH/DOT and bypass local DNS servers.
-
@Octopuss said in Logging DNS queries:
Every time I refresh any page in the browser on my PC, a hit number for that address/IP in dnstop window increases.
The Ctrl-F5 refresh ?
This normally reloads the entire web page.
Maybe it also executes a DNS request to re-validate the IP.
This :
@Octopuss said in Logging DNS queries:
When I do the same on the phone (which is on the wifi), nothing happens. Actually the phone's IP doesn't even show up in the list when I go watch the virtual interface for the wifi.
So, it's connected to the wifi ... and you see nothing.
Then I don't understand :
@Octopuss said in Logging DNS queries:
The only time the phone's IP and some requests show up in the list is the moment the phone actually connects to the wifi.
So, it's connected to the wifi ... and you see something.
-
@Octopuss 16k in a day?? yeah that is nothing.. So my network normally does around 34k local queries a day. With like 30 some clients asking my pihole - there are a few that don't ask my pihole but just pfsense directly. I have more than 31 clients on the network.
Now not all of those go out to the internet.. Because unbound caches something once it's looked up once, for the length of the ttl.
Depending on what you're doing queries for - many things these days only have a ttl of 60 seconds, or 300 seconds.. Really low ttls to be honest.. This will increase the number of queries if you have anything that queries something a lot..
Example - look at my AVR..
In the last 24 hours it's done 9300 queries all on its own.. See those www.gstatic.com and connectivitycheck fqdn it's asking for..
;; ANSWER SECTION:
www.gstatic.com.                300     IN      A       142.250.190.67
;; ANSWER SECTION:
connectivitycheck.gstatic.com.  300     IN      A       142.250.190.3
They have a ttl of only 5 minutes.. Notice that it's asking every freaking minute for those.. So with a ttl of only 5 minutes.. Each one of those would in 24 hours do 288 queries each.. so we are at 576 just for those 2, also notice it's asking for AAAA (ipv6).. So now just those 2 fqdn would cause 1152 upstream queries a day. There are others that have a ttl of only 60 seconds.. Many others, etc..
If some device is checking every minute for something that has a ttl of only 60 seconds - this would cause 1440 queries in a day, and prob asking for AAAA so you're now talking 2880 queries a day..
If he doesn't like how many queries you're doing to his dns servers - just resolve and you won't ask his NSers anything ;)
If you would like to reduce the number of queries you send to him there are a few things you can do.. One is set min ttl, so that you would cache things longer.. Now in theory you shouldn't really mess with what some domain owner has decided the ttl should be - but 60 seconds is insane low, and 5 minutes is really low as well - unless they were in the middle of changing where that record points to, etc.. But they have them this low to generate traffic so it's easier to track, etc.
I have been running a min ttl of 3600 seconds for years and years and have never run into any issues.. So if you wanted to do that it's a simple setting in unbound, in advanced
Now unbound will cache something for 1 hour before it has to go look it up again if a client is asking for that vs say only 60 or 300 seconds.. So for example our 60 second example vs doing 2880 queries a day.. You would only be generating 48 queries.. 24 for the A and 24 for the AAAA
This will for sure drastically reduce the number of upstream queries unbound is doing.
Another thing you can do, is make sure dnssec is unchecked - if you forward, dnssec isn't going to do anything other than cause extra dns queries and possible failures.. So if you continue to forward to your isp dns, make sure that is unchecked in unbound.
Another thing that will almost instantly cut the number of dns queries a client is causing upstream in half would be to not try and resolve AAAA, if you are not using IPv6, ie does your ISP provide you with IPv6 address space that your clients are using, you would have had to set that up in pfsense, etc.. But sounds like this is some ma and pop isp - I find it unlikely they provide IPv6..
Almost all devices/clients even if they have no IPv6 address will do both an A and AAAA query.. If you don't actively have a working IPv6 address those queries are useless.. This can be hard to do actually, but depending on your application - you may be able to get it to stop doing AAAA, firefox for example - a simple setting tells it not to ask for AAAA in about:config
Other things just no way to stop them from doing AAAA, even when they have no IPv6 address other than maybe link-local.. My AVR in the above example has no IPv6 GUA address, there is no freaking way it can talk to the internet via IPv6 - so why is it asking for AAAA ;)
You can stop unbound from returning an answer to the clients for AAAA, but off the top of my head I don't know a way to stop it from looking upstream for AAAA if a client asks for it. Bind's AAAA features might be able to do that. So the only way to reduce the number of queries upstream for AAAA would be to get the client to stop asking for them.
But just changing your min ttl to 3600 should drastically reduce the number of dns queries you're sending to your isp NS. And unchecking dnssec will also help reduce the number of queries.
-
@Gertjan said in Logging DNS queries:
The Ctrl-F5 refresh ?
No. Normal refresh.
@Gertjan said in Logging DNS queries:
Then I don't understand :
You are thinking too hard.
When I connect a phone to the wifi, THEN AND ONLY THEN do I see some specific DNS requests. Nothing after that.
BUT that is when I watch the wifi interface.
IF I start watching the WAN interface, then I do see the FIRST DNS requests on specific addresses made from the phone. Subsequent refreshing doesn't do anything.
The first part is weird.
-
@johnpoz I have already disabled DNSSEC after yesterday's replies, and I have had IPv6 disabled since the beginning.
I'm just slightly annoyed there doesn't seem to be a way to know what exactly is actually being sent to the ISP DNS servers with local queries showing up in dnstop output.
I'm wondering why doesn't pfSense have a component that does this kind of monitoring.
-
@Octopuss said in Logging DNS queries:
IF I start watching the WAN interface, then I do see the FIRST DNS requests on specific addresses made from the phone. Subsequent refreshing doesn't do anything.
The first part is weird.
Ah ok.
Like this :
@Gertjan said in Logging DNS queries:
If you 'dnstop' on a LAN, you would see even more DNS traffic. The traffic that was already in the resolver cache with a not expired TTL would get answered directly without the need of a more time consuming resolve process.
The resolver will resolve once, and hand over the DNS request answer to the device/phone.
Subsequent DNS requests for the same host name will be served from the resolver's cache, and nothing will show up on the WAN.
Only when the TTL becomes zero, so the resolved host name gets removed from the cache, is a new resolve needed if it is asked again, and this will generate WAN DNS traffic..
-
@Octopuss said in Logging DNS queries:
I'm wondering why doesn't pfSense have a component that does this kind of monitoring.
Because in 30 years in this industry this is the first I've heard of an ISP complaining about the volume of DNS requests.
You could set pfSense to resolve itself (the default) with Google or other DNS set for pfSense , or forward somewhere else, and then your ISP shouldn’t see (m)any requests, if nothing points to them.
-
@johnpoz said in Logging DNS queries:
I have been running a min ttl of 3600 seconds for years and years and have never run into any issues.. So if you wanted to do that it's a simple setting in unbound, in advanced
This setting is 0 by default, but the amount of requests still increases despite setting it to 3600. What's even more weird, for one website it doesn't increase at all no matter what I set and for other it increases if I refresh after longer than 5 seconds (meaning it doesn't increase if it was under 5s since last refresh).
I think this is way over my head in terms of being able to understand WTF is going on. I don't even understand the basics of networking.
Nevermind, I was watching the LAN interface.
Now it doesn't increase for the WAN interface either no matter whether I use -Q or -R parameters for dnstop (or both at once).
I give up, I am digging in pointless shit.
I'd have to hire someone who understands pfSense to go over all the settings and tell me if there's anything wrong with the setup.
-
@Octopuss said in Logging DNS queries:
I'm wondering why doesn't pfSense have a component that does this kind of monitoring.
You can turn up logging in unbound if you want to see more - but it's going to be hard from that log to get some idea of how many are being done in an hour or a day, etc.
You can set other logging in unbound, in the custom option box
server:
    log-queries: yes
    log-replies: yes
But not really sure an easy way in unbound to see how many queries and what specific queries were sent upstream.. and to where for each query..
You can get a bunch of info using the cmd line control of unbound
unbound-control -c /var/unbound/unbound.conf
You could prob tell from
unbound-control -c /var/unbound/unbound.conf stats_noreset
Look at total.num.recursivereplies for how many queries were done upstream, etc..
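The post above says the unbound log makes it hard to tell how many queries went upstream and for which names. The lines that log-replies writes carry a from-cache flag, so a short script can count the non-cached replies per hour, per name and per query type. This is an added example, not pfSense or unbound code; the line format it parses is assumed from unbound's log-replies output and the sample lines are constructed.

```python
"""Count which lookups unbound had to send upstream, from its 'log-replies' lines.

Added illustration, not pfSense or unbound code. Assumed reply-line format
(unbound's default epoch timestamps):
  [epoch] unbound[pid:tid] info: client qname qtype qclass rcode secs cached size
'cached' is 1 when served from cache, 0 when unbound had to resolve/forward.
"""
import re
from collections import Counter
from datetime import datetime, timezone

REPLY_RE = re.compile(
    r"^\[(?P<ts>\d+)\] unbound\[[\d:]+\] info: (?P<client>\S+) (?P<qname>\S+) "
    r"(?P<qtype>\S+) (?P<qclass>\S+) (?P<rcode>\S+) (?P<secs>\d+\.\d+) "
    r"(?P<cached>[01]) (?P<size>\d+)$"
)

# Constructed sample (not a real capture): a browser re-asking forum.netgate.com
# every minute, a device polling www.gstatic.com; last line is a 'log-queries' line.
SAMPLE_LOG = """\
[1738232400] unbound[52199:0] info: 192.168.1.10 forum.netgate.com. A IN NOERROR 0.031244 0 62
[1738232400] unbound[52199:0] info: 192.168.1.10 forum.netgate.com. AAAA IN NOERROR 0.029817 0 74
[1738232460] unbound[52199:0] info: 192.168.1.10 forum.netgate.com. A IN NOERROR 0.000000 1 62
[1738232460] unbound[52199:0] info: 192.168.1.10 forum.netgate.com. AAAA IN NOERROR 0.000000 1 74
[1738232520] unbound[52199:0] info: 192.168.1.20 www.gstatic.com. A IN NOERROR 0.018522 0 60
[1738232520] unbound[52199:0] info: 192.168.1.20 www.gstatic.com. AAAA IN NOERROR 0.017940 0 72
[1738232580] unbound[52199:0] info: 192.168.1.20 www.gstatic.com. A IN NOERROR 0.000000 1 60
[1738236000] unbound[52199:0] info: 192.168.1.20 www.gstatic.com. A IN NOERROR 0.020113 0 60
[1738236000] unbound[52199:0] info: 192.168.1.10 forum.netgate.com. A IN
"""

def summarize_replies(log_text):
    """Return (upstream_per_hour, upstream_per_qname, upstream_per_qtype, cached_total).

    Replies with cached == 0 count as upstream work (a lower bound: forwarding with
    DNSSEC can fan one miss out into several upstream queries).
    """
    per_hour, per_qname, per_qtype = Counter(), Counter(), Counter()
    cached_total = 0
    for line in log_text.splitlines():
        m = REPLY_RE.match(line)
        if not m:
            continue                   # query lines, stats, unrelated output
        if m["cached"] == "1":
            cached_total += 1          # answered from cache: nothing left the WAN
            continue
        hour = datetime.fromtimestamp(int(m["ts"]), timezone.utc)
        per_hour[hour.strftime("%Y-%m-%d %H:00")] += 1
        per_qname[m["qname"]] += 1
        per_qtype[m["qtype"]] += 1
    return per_hour, per_qname, per_qtype, cached_total

if __name__ == "__main__":
    hours, names, types, cached = summarize_replies(SAMPLE_LOG)
    print(f"{sum(hours.values())} upstream lookups, {cached} cache hits")
    print("per hour:", dict(sorted(hours.items())), "by qtype:", dict(types))
    print("top names:", names.most_common(5))
```

Feed it the real unbound log instead of SAMPLE_LOG and the qtype split also shows how much of the upstream volume is AAAA.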
-
@Octopuss said in Logging DNS queries:
I'd have to hire someone who understands pfSense to go over all the settings and tell me if there's anything wrong with the setup.
There is nothing wrong in your setup for dns - you're not causing extra queries. 16K queries in a day is not excessive for a typical network these days..
setting min ttl to 3600 is not going to reduce the number of queries your clients are doing if they do not have their own local cache. iot devices don't have their own local cache. Most OSes do, applications have their own even. Firefox for example has its own cache.
keeping in mind when you set that, unbound will restart and the cache will be cleared. But if you have some client asking every 60 seconds for something, vs unbound having to look that up upstream. Once you set the min ttl to 3600, it will only have to ask upstream every hour vs every minute.
If your client has its own local cache of dns, windows for example - if it wants to lookup www.something.com and the ttl was 60 seconds and it constantly wanted to look this up.. It would have to ask every 60 seconds.. Once you set min ttl of 3600, it will only ever have to ask for that every hour vs every minute.
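The query counts johnpoz works out above (288 and 1152 a day for the gstatic names, 2880 for a TTL-60 record polled every minute, 48 with a min ttl of 3600) and the point in this post that a client without its own cache keeps hitting unbound regardless all follow from one model. This is an added example, not from the thread or from unbound; min_ttl stands in for unbound's cache-min-ttl setting and the cache is reduced to one expiry time per record.

```python
"""Upstream DNS volume from a record's TTL, unbound's min ttl and how often a
client asks, per 24 hours.

Added illustration, not pfSense or unbound code. The resolver cache is reduced
to one expiry time per (qname, qtype), which is all that matters for counting;
'min_ttl' stands for unbound's cache-min-ttl setting.
"""
DAY = 86400

def upstream_queries(ttl, poll_interval, min_ttl=0, qtypes=("A", "AAAA"),
                     client_cache=False, day=DAY):
    """Return (queries_reaching_unbound, queries_unbound_sends_upstream).

    ttl           -- TTL the upstream server puts on the record
    poll_interval -- seconds between the client's lookups of the name
    min_ttl       -- unbound clamp; 0 honours the record TTL as received
    client_cache  -- whether the OS/app caches the answer for the TTL it got
    """
    effective_ttl = max(ttl, min_ttl)      # how long unbound keeps the answer
    to_resolver = upstream = 0
    for _ in qtypes:                       # every qtype is a separate cache entry
        resolver_expiry = client_expiry = -1
        for now in range(0, day, poll_interval):
            if client_cache and now < client_expiry:
                continue                   # answered by the client's own cache
            to_resolver += 1
            if now >= resolver_expiry:     # cache miss: ask the upstream/ISP server
                upstream += 1
                resolver_expiry = now + effective_ttl
            client_expiry = resolver_expiry  # client receives the remaining TTL
    return to_resolver, upstream

if __name__ == "__main__":
    # The thread's cases: a TTL-300 name polled every minute, a TTL-60 name
    # polled every minute, then the same with min ttl 3600 and a caching client.
    cases = [
        ("ttl 300, poll 60", dict(ttl=300, poll_interval=60)),
        ("ttl 60, poll 60", dict(ttl=60, poll_interval=60)),
        ("ttl 60, poll 60, min_ttl 3600", dict(ttl=60, poll_interval=60, min_ttl=3600)),
        ("... plus client cache", dict(ttl=60, poll_interval=60, min_ttl=3600,
                                       client_cache=True)),
    ]
    for label, kw in cases:
        seen, sent = upstream_queries(**kw)
        print(f"{label:32} unbound sees {seen:5}  sends upstream {sent:5}")
```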
-
@johnpoz But why on earth do I not see any requests for forum.netgate.com anymore no matter what interface I watch?
I swear this thing has a life of its own.