PTR request ( Reverse lan scan requests)

trendy
Posts: 343
Joined: Tue Feb 25, 2020 2:54 pm

Re: PTR request ( Reverse lan scan requests)

Post by trendy »

Just to be clear, I use neither AdGuard nor unbound, therefore I am not aware of their bits and bytes. But yes, my gut says that TTL values should be honored downstream by default.
mail2rst
Posts: 135
Joined: Fri Apr 13, 2018 4:53 pm

Re: PTR request ( Reverse lan scan requests)

Post by mail2rst »

Please suggest what I have to do, in a simple way. I already have an A-record file in unbound in this format:

local-data-ptr: "192.168.1.12 60 host.name"
local-data: "host.name. 60 A 192.168.1.12"

But this is only valid for known LAN devices. The Raspberry Pi sends DNS requests for unused LAN IP addresses also. If this issue is related to the upstream DNS server, then what do you suggest the custom upstream DNS for my Raspberry Pi should be? For all other LAN network devices my upstream DNS server is 192.168.1.90 (through the router), but for the docker host machine (172.28.0.1), what should the custom upstream DNS server of the Raspberry Pi running at 192.168.1.74 be: 192.168.1.90 [adguard/unbound/docker host], 172.28.0.2:53 [docker adguard], 172.28.0.3:5335 [docker unbound], 1.1.1.1 [external] or 192.168.1.254 [DHCP server router]? If you look at the screenshot, the Raspberry Pi sends requests to unbound for unused LAN IPs also.
Attachments
arpi.jpg
trendy
Posts: 343
Joined: Tue Feb 25, 2020 2:54 pm

Re: PTR request ( Reverse lan scan requests)

Post by trendy »

Create dummy entries for unused IPs too.
mail2rst
Posts: 135
Joined: Fri Apr 13, 2018 4:53 pm

Re: PTR request ( Reverse lan scan requests)

Post by mail2rst »

Do I have to write one for each LAN address, 192.168.1.1 to 192.168.1.254? Even if I write them, it's not making much difference. It will again send 254 requests, one for each IP; known A-records will reply NOERROR and unknown ones NXDOMAIN. The end result is 254 unnecessary PTR requests to unbound each hour.

Response details (unused IP):

Status: Processed
DNS server: 172.28.0.3:5335
Elapsed: 0.99 ms
Response code: NXDOMAIN

Response details (known host):

Status: Processed
DNS server: 172.28.0.3:5335
Elapsed: 0.87 ms
Response code: NOERROR
Response: PTR: rpi.local. (ttl=3600)
mail2rst
Posts: 135
Joined: Fri Apr 13, 2018 4:53 pm

Re: PTR request ( Reverse lan scan requests)

Post by mail2rst »

My unbound.conf is copied and modified from the DietPi default template unbound.conf:

# https://nlnetlabs.nl/documentation/unbound/unbound.conf/
server:
	# Do not daemonize, to allow proper systemd service control and status estimation.
	do-daemonize: no

	# A single thread is pretty sufficient for home or small office instances.
	num-threads: 1

	# Logging: For the sake of privacy and performance, keep logging at a minimum!
	# - Verbosity 2 and up practically contains query and reply logs.
	verbosity: 0
	log-queries: no
	log-replies: no
	# - If required, uncomment to log to a file, else logs are available via "journalctl -u unbound".
	#logfile: "/var/log/unbound.log"

	# Set interface to "0.0.0.0" to make Unbound listen on all network interfaces.
	# Set it to "127.0.0.1" to listen on requests from the same machine only, useful in combination with Pi-hole.
	interface: 0.0.0.0
	# Default DNS port is "53". When used with Pi-hole, set this to e.g. "5335", since "5353" is used by mDNS already.
	port: 5335

	# Control IP ranges which should be able to use this Unbound instance.
	# The DietPi defaults permit access from official local network IP ranges only, hence requests from www are denied.
	access-control: 0.0.0.0/0 refuse
	access-control: 10.0.0.0/8 allow
	access-control: 127.0.0.1/8 allow
	access-control: 172.16.0.0/12 allow
	access-control: 192.168.0.0/16 allow
	access-control: ::/0 refuse
	access-control: ::1/128 allow
	access-control: fd00::/8 allow
	access-control: fe80::/10 allow

	# Private IP ranges, which shall never be returned or forwarded as public DNS response.
	# NB: 127.0.0.1/8 is sometimes used by adblock lists, hence DietPi by default allows those as response.
	private-address: 10.0.0.0/8
	private-address: 172.16.0.0/12
	private-address: 192.168.0.0/16
	private-address: 169.254.0.0/16
	private-address: fd00::/8
	private-address: fe80::/10

	# Define protocols for connections to and from Unbound.
	# NB: Disabling IPv6 does not disable IPv6 IP resolving, which depends on the clients request.
	do-udp: yes
	do-tcp: yes
	do-ip4: yes
	do-ip6: yes
	prefer-ip6: no

	# DNS root server information file. Updated monthly via cron job: /etc/cron.monthly/dietpi-unbound
#	root-hints: "/var/lib/unbound/root.hints"

	# Maximum number of queries per second
	ratelimit: 1000

	# Defend against and print warning when reaching unwanted reply limit.
	unwanted-reply-threshold: 10000

	# Set EDNS reassembly buffer size to match new upstream default, as of DNS Flag Day 2020 recommendation.
	edns-buffer-size: 1232

	# Increase incoming and outgoing query buffer size to cover traffic peaks.
#	so-rcvbuf: 4m
#	so-sndbuf: 4m

	# Hardening
	harden-glue: yes
	harden-dnssec-stripped: yes
	harden-algo-downgrade: yes
	harden-large-queries: yes
	harden-short-bufsize: yes

	# Privacy
	use-caps-for-id: yes # Spoof protection by randomising capitalisation
	rrset-roundrobin: yes
	qname-minimisation: yes
	minimal-responses: yes
	hide-identity: yes
	identity: "Server" # Purposefully a dummy identity name
	hide-version: yes

	# Optimisations
	msg-cache-slabs: 8
	rrset-cache-slabs: 8
	infra-cache-slabs: 8
	key-cache-slabs: 8

	# Caching
	cache-min-ttl: 300
	cache-max-ttl: 86400
	serve-expired: yes
	neg-cache-size: 4M
	prefetch: yes
	prefetch-key: yes
	msg-cache-size: 128m
	rrset-cache-size: 256m
	root-hints: /etc/unbound/root.hints
	auto-trust-anchor-file: /etc/unbound/root.key
	include: /etc/unbound/a-records.conf
trendy
Posts: 343
Joined: Tue Feb 25, 2020 2:54 pm

Re: PTR request ( Reverse lan scan requests)

Post by trendy »

The whole point of raising the TTL to a day or week is to reduce the amount of queries. It obviously won't make a difference if you create records for all IPs in the subnet and use a TTL of 1 hour.
The other thing you may want to try is to set the TTL for NXDOMAIN to a day or week. As I am not using unbound, my google-fu is the same as yours.
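Added example, not part of this thread or of DietPi: a small Python generator for the include file that unbound reads via `include: /etc/unbound/a-records.conf`, combining the two suggestions above (entries for every address in the subnet, and a TTL of a day instead of 60 seconds or one hour). Known hosts keep their real names; every other address gets a placeholder name, so unbound answers the whole /24 from local data. The optional `local-zone ... static` line additionally pins the reverse zone so that any address not listed is answered NXDOMAIN locally rather than being looked up upstream. The host names, the `unused.lan` suffix and the `ip-...` naming scheme are assumptions for illustration.

```python
import ipaddress

# Constructed sample of known LAN hosts; addresses and names are hypothetical.
KNOWN_HOSTS = {
    "192.168.1.12": "host.name",
    "192.168.1.74": "rpi.local",
}


def reverse_zone(network: str) -> str:
    """Name of the in-addr.arpa zone covering a /24, e.g. '1.168.192.in-addr.arpa'."""
    net = ipaddress.ip_network(network, strict=False)
    if net.version != 4 or net.prefixlen != 24:
        raise ValueError("only IPv4 /24 networks are handled here")
    first_three = str(net.network_address).split(".")[:3]
    return ".".join(reversed(first_three)) + ".in-addr.arpa"


def dummy_name(ip: str, suffix: str) -> str:
    """Placeholder hostname for an address with no real host, e.g. 'ip-192-168-1-5.unused.lan'."""
    return "ip-" + ip.replace(".", "-") + "." + suffix


def build_local_data(network, known, ttl, dummy_suffix="unused.lan", static_zone=True):
    """Return unbound local-data / local-data-ptr lines for every host address in the network."""
    net = ipaddress.ip_network(network, strict=False)
    lines = []
    if static_zone:
        # static: names in local data are answered, everything else in the zone gets NXDOMAIN
        lines.append(f'local-zone: "{reverse_zone(network)}." static')
    for host in net.hosts():
        ip = str(host)
        name = known.get(ip) or dummy_name(ip, dummy_suffix)
        lines.append(f'local-data: "{name}. {ttl} A {ip}"')
        lines.append(f'local-data-ptr: "{ip} {ttl} {name}"')
    return lines


def ptr_ttl_map(lines):
    """Parse generated local-data-ptr lines back into {ip: (ttl, name)} as a self-check."""
    result = {}
    for line in lines:
        if not line.startswith("local-data-ptr:"):
            continue
        body = line.split('"', 2)[1]
        ip, ttl, name = body.split()
        result[ip] = (int(ttl), name)
    return result


if __name__ == "__main__":
    # Redirect this output into the file named by the include: directive, then run unbound-checkconf.
    for line in build_local_data("192.168.1.0/24", KNOWN_HOSTS, 86400):
        print(line)
```

The TTL written here is what unbound hands out for these names; whether AdGuard Home then honours it downstream is exactly the question raised earlier in this thread, so the scan frequency on the Pi is the other half of the problem.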
Joulinar
Posts: 5148
Joined: Sat Nov 16, 2019 12:49 am

Re: PTR request ( Reverse lan scan requests)

Post by Joulinar »

@mail2rst

Probably something you could raise as a question with the AGH guys at https://github.com/AdguardTeam/AdGuardHome/issues and/or Unbound at https://github.com/NLnetLabs/unbound/issues
Please let us know if a solution is working. This could help others if they hit a similar situation.

Your DietPi Team