
Very high number of dns queries

Open tiagogbarbosa opened this issue 7 months ago • 8 comments

Describe the problem

High number of DNS queries, accounting for approximately 60% of all DNS traffic on my network.

Are you using NetBird Cloud?

Not now

NetBird version

0.45.1

Is any other VPN software installed?

No

tiagogbarbosa avatar May 30 '25 05:05 tiagogbarbosa

Hello @tiagogbarbosa can you confirm if there is a DNS query pattern?

Our hosted domains have low TTL, which could cause a larger number of DNS queries if compared to domains with 1-hour TTLs. Still, we probably would be talking about 1 query per minute per node, depending on the hosted service.

mlsmaycon avatar May 30 '25 17:05 mlsmaycon

Hi there @mlsmaycon, I think I am also having this issue:

Image

In green on the graph is the LXC on my network that has NetBird installed as a routing peer for a network.

The bifrost.colere.cloud FQDN is my deployment of the docker-compose of NetBird (for some weird reason it is also requesting bifrost.colere.cloud.colere.cloud which doesn't exist?).

In the span of the last 38 minutes there have been 836 total requests to both the domains listed above.

(Left the Twingate DNS requests for comparison purposes, but I do not have a device with both the Twingate agent and NetBird agent installed at the same time.)

Coler-e avatar Jun 19 '25 14:06 Coler-e

The bifrost.colere.cloud FQDN is my deployment of the docker-compose of NetBird (for some weird reason it is also requesting bifrost.colere.cloud.colere.cloud which doesn't exist?).

bifrost.colere.cloud.colere.cloud is most likely because the OS is automatically applying a search domain to the address not ending with a dot (.); we might be able to address that if it's coming from us? @mlsmaycon

~Out of curiosity how are you gathering those DNS queries? The corele.cloud. queries should be handled within NetBird daemon, resolve instantly and be completely harmless, if it's passed to anywhere else, we might want to investigate that.~

misinterpreted this part

nazarewk avatar Jun 19 '25 18:06 nazarewk

ohhh... if it's running within docker it might not be routing queries entirely through NetBird unless the container is extensively set up to handle this use case? @mlsmaycon ?

nazarewk avatar Jun 19 '25 18:06 nazarewk

Out of curiosity how are you gathering those DNS queries? The corele.cloud. queries should be handled within NetBird daemon, resolve instantly and be completely harmless, if it's passed to anywhere else, we might want to investigate that.

Those are from my OPNSense firewall, which is defined as the nameserver on NetBird for the 'All' group, and they are generated pretty much while idle.

I also have the DNS server on the firewall configured for DNS forwarding to public DNS servers, and it is the DNS server configured for the host of the LXC that has the NetBird agent and is being used as a router peer to my infra.

So it most likely is just trying to reach the NetBird management server / relay infrastructure that I host on bifrost.colere.cloud, but the frequency does seem a little bit overkill.

Coler-e avatar Jun 19 '25 18:06 Coler-e

So it most likely is just trying to reach the NetBird management server / relay infrastructure that I host on bifrost.colere.cloud, but the frequency does seem a little bit overkill.

You mean colere.cloud. is not a NetBird DNS domain of the peers, but the public domain of management?

nazarewk avatar Jun 20 '25 07:06 nazarewk

Could you give us some more information on your setup?

  • How many Peers do you have in the network?
  • What kind of OS and client versions are you using?

Generally ~840 queries (~420 doubled by the search domain) over ~38 minutes is roughly 10 queries per minute/1 per 6 seconds, which doesn't sound like that much. Especially if you're running more than 1 peer.

  • what is the TTL on your bifrost record?
  • do you have machine-wide DNS cache running locally? ~are containers going through it?~ actually they won't go through local DNS cache because the NetBird Nameserver tells it to use your OPNSense DNS resolver directly

nazarewk avatar Jun 20 '25 07:06 nazarewk

Could you give us some more information on your setup?

  • How many Peers do you have in the network?
  • What kind of OS and client versions are you using?

I have 4 Peers in the Netbird Network, one of which was off yesterday.

1 Ubuntu LXC with agent 0.46.0 (routing peer to infra and local NS with forwarding ON)

1 Phone with agent 0.34.0

1 laptop with agent installed in WSL 0.46.0

1 Desktop with agent 0.47.0 (Is the one that was off)

Generally ~840 queries (~420 doubled by the search domain) over ~38 minutes is roughly 10 queries per minute/1 per 6 seconds, which doesn't sound like that much. Especially if you're running more than 1 peer.

Well, from what I see now the search domain is in a lower proportion than that; the last 37 minutes have 628 queries to bifrost.colere.cloud and 166 to the search domain.

  • what is the TTL on your bifrost record?

60 seconds for now. I could try taking it higher to test if the behaviour changes?

  • do you have machine-wide DNS cache running locally? ~are containers going through it?~ actually they won't go through local DNS cache because the NetBird Nameserver tells it to use your OPNSense DNS resolver directly

Ah, so maybe that is why there are that many queries being made.

The host that is making all those queries is the routing peer to my network, in which I have the NS server as a resource, so if no cache is being used that could be the reason?

The last 37 minutes have a rate of 17 queries per minute with 3 peers connected.

Coler-e avatar Jun 20 '25 09:06 Coler-e
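The thread above does two things by hand: it spots the search-domain duplicate (`bifrost.colere.cloud.colere.cloud`) and it compares an observed query rate against what a 60-second TTL across a handful of peers would predict. The script below, added here as an illustration and not code from the thread or from the NetBird project, does both over a DNS query log. The log line format (`<ISO timestamp> <client> <qname> <qtype>`) and the sample lines are constructed for the example; real OPNsense/Unbound logs would need a different parser. The expected-rate model is an assumption: one re-resolution per TTL expiry per peer, which is the "about 1 query per minute per node" figure mentioned earlier for low-TTL records.

```python
"""Summarise a DNS query log: per-name counts, search-domain duplicates,
observed query rate, and the rate a given TTL and peer count would predict.

Added example; the log format below is constructed, not a real resolver format.
"""
from collections import Counter
from datetime import datetime

# Constructed sample log (five queries for the real name over a 4-minute
# window, two search-domain-suffixed duplicates, one unrelated name).
SAMPLE_LOG = """\
2025-06-20T09:00:00 10.0.0.5 bifrost.colere.cloud. A
2025-06-20T09:00:00 10.0.0.5 bifrost.colere.cloud.colere.cloud. A
2025-06-20T09:01:00 10.0.0.5 bifrost.colere.cloud. A
2025-06-20T09:02:00 10.0.0.5 bifrost.colere.cloud. A
2025-06-20T09:02:00 10.0.0.5 bifrost.colere.cloud.colere.cloud. A
2025-06-20T09:03:00 10.0.0.5 bifrost.colere.cloud. A
2025-06-20T09:03:30 10.0.0.5 example.org. A
2025-06-20T09:04:00 10.0.0.5 bifrost.colere.cloud. A
"""


def parse_log(text):
    """Return a list of (timestamp, client, qname) tuples; qnames lower-cased."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, _qtype = line.split()
        records.append((datetime.fromisoformat(ts), client, qname.lower()))
    return records


def count_names(records):
    """Queries per fully-qualified name."""
    return Counter(qname for _, _, qname in records)


def search_domain_duplicates(counts, search_domain):
    """Map names that look like '<real name>.<search domain>.' back to the
    real name, but only when the stripped name was itself queried. This is
    the pattern an OS produces when it appends a search domain to a name
    that was given without a trailing dot."""
    suffix = "." + search_domain.strip(".") + "."
    duplicates = {}
    for name in counts:
        if name.endswith(suffix):
            base = name[: -len(suffix)] + "."
            if base in counts:
                duplicates[name] = base
    return duplicates


def rate_per_minute(records, qname):
    """Observed queries per minute for one name over the span it was seen.
    A span shorter than one minute is treated as one minute."""
    times = [ts for ts, _, q in records if q == qname]
    if not times:
        return 0.0
    span_minutes = (max(times) - min(times)).total_seconds() / 60
    return len(times) / max(span_minutes, 1.0)


def expected_rate_per_minute(peers, ttl_seconds, queries_per_ttl=1):
    """Assumed model: every peer re-resolves the record once per TTL expiry."""
    return peers * queries_per_ttl * 60.0 / ttl_seconds


def summarize(text, search_domain, peers, ttl_seconds):
    """Combine the pieces into one report for the busiest name."""
    records = parse_log(text)
    counts = count_names(records)
    duplicates = search_domain_duplicates(counts, search_domain)
    real_names = [n for n in counts if n not in duplicates]
    busiest = max(real_names, key=counts.get)
    observed = rate_per_minute(records, busiest)
    expected = expected_rate_per_minute(peers, ttl_seconds)
    return {
        "busiest_name": busiest,
        "busiest_count": counts[busiest],
        "duplicate_queries": sum(counts[n] for n in duplicates),
        "duplicates": duplicates,
        "observed_per_minute": observed,
        "expected_per_minute": expected,
        "observed_over_expected": observed / expected if expected else None,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, "colere.cloud", peers=1, ttl_seconds=60)
    for key, value in report.items():
        print(f"{key}: {value}")
```

With the sample log the report shows 1.25 observed queries per minute against 1.0 expected for one peer and a 60-second TTL, plus two queries wasted on the search-domain variant. Running it over a real capture with the real peer count and TTL gives a quick answer to the question the thread is circling: whether the rate is what the TTL predicts, or whether something (no local cache, an extra client, a container resolving outside the daemon) is multiplying it.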