FTL icon indicating copy to clipboard operation
FTL copied to clipboard

Published 20 hours ago verified publisher icon pi-hole

pihole appears to rate limit the wrong client

Open bp0 opened this issue 1 year ago • 5 comments

Versions

Pi-hole version is v5.18.3 (Latest: v5.18.3) web version is v5.21 (Latest: v5.21) FTL version is v5.25.2 (Latest: v5.25.2)

Platform

  • OS and version: Debian 12.6 LXC
  • Platform: Proxmox 8.2.5

Expected behavior

Actual behavior / bug

After turning on a Samsung TV (192.168.2.108), it made ~29000 A/AAAA queries for logs.netflix.com. Pihole responded by rate limiting a different machine, 192.168.2.20, that had only made 67 queries. I don't know which was actually rate limited, maybe the log message is just incorrect?

Steps to reproduce

I'm not sure I can reproduce this exact situation.

Debug Token

  • URL: https://tricorder.pi-hole.net/aSbvSyjP/

Screenshots

image image

bp0 avatar Sep 22 '24 16:09 bp0

Your client 192.68.2.20 has been rate limited yesterday. But your screenshot of the top clients is likely from today? Note that the Top Client table uses a rolling 24h window, so it might not capture query spikes if the are in the past >24h. Lets check what your client did yesterday. Pleas provide the output of the following command

pihole-FTL sqlite3 /etc/pihole/pihole-FTL.db "SELECT count(id) from queries where client='192.168.2.20' and timestamp BETWEEN strftime('%s','2024-09-21 10:11:07') and strftime('%s','2024-09-21 10:12:07')"

yubiuser avatar Sep 22 '24 17:09 yubiuser 

pihole-FTL sqlite3 /etc/pihole/pihole-FTL.db "SELECT count(id) from queries where client='192.168.2.20' and timestamp BETWEEN strftime('%s','2024-09-21 10:11:07') and strftime('%s','2024-09-21 10:12:07')"

0

bp0 avatar Sep 22 '24 17:09 bp0

Your client 192.[1]68.2.20 has been rate limited yesterday. But your screenshot of the top clients is likely from today?

I see what you're saying. The TV was turned on in the evening yesterday (it is now "off" but the blocked query count is still rising, 33217 now). If the time in the log is right, and it is local time, and it is 24hour, then the block did happen in the morning, before the TV was turned on, so I have no idea what caused that or why that is the only message in the log and why the TV hasn't been rate limited as well?

Why was 192.168.2.20 rate limited at all?

pihole-FTL sqlite3 /etc/pihole/pihole-FTL.db "SELECT count(id) from queries where client='192.168.2.20' and timestamp BETWEEN strftime('%s','2024-09-21 00:00:00') and strftime('%s','2024-09-22 00:00:00')"

1620 Doesn't seem like an unreasonable number for a whole day.

Close the issue if you like. As you say, if the block happened before the TV was turned on then the report is wrong. I'm still confused about what is going on.

bp0 avatar Sep 22 '24 17:09 bp0

I'm still confused about what is going on.

Me too. I'm not sure that the rate-limiting and turning on the TV are connected. What I don't understand is why it was blocked, but the database did not contain any entries in that time frame. 1620 sounds not like a lot. Esp. if we assume they are spread over the whole day. Do you know what client 192.168.2.20 is?

yubiuser avatar Sep 22 '24 18:09 yubiuser

Do you know what client 192.168.2.20 is?

Yes, it is a regular desktop PC running Pop OS.

bp0 avatar Sep 23 '24 02:09 bp0

What I don't understand is why it was blocked, but the database did not contain any entries in that time frame.

It may be a timezone issue. The browser may know that it is, e.g., some US time with +6 hours while the server may be using UTC. In this scenario the screenshot and the sqlite3 query would work in entirely different timeslots.

@bp0 Did this ever happen again?

DL6ER avatar Oct 21 '24 04:10 DL6ER

This issue is stale because it has been open 30 days with no activity. Please comment or update this issue or it will be closed in 5 days.

github-actions[bot] avatar Dec 12 '24 08:12 github-actions[bot]