pihole appears to rate limit the wrong client

[bp0]

Versions

Pi-hole version is v5.18.3 (Latest: v5.18.3)
web version is v5.21 (Latest: v5.21)
FTL version is v5.25.2 (Latest: v5.25.2)

Platform

• OS and version: Debian 12.6 LXC

• Platform: Proxmox 8.2.5

Expected behavior

Actual behavior / bug

After turning on a Samsung TV (192.168.2.108), it made ~29000 A/AAAA queries for logs.netflix.com.
Pihole responded by rate limiting a different machine, 192.168.2.20, that had only made 67 queries.
I don't know which was actually rate limited, maybe the log message is just incorrect?

Steps to reproduce

I'm not sure I can reproduce this exact situation.

Debug Token

• URL: https://tricorder.pi-hole.net/aSbvSyjP/

Screenshots

[yubiuser]

Your client 192.68.2.20 has been rate limited yesterday. But your screenshot of the top clients is likely from today? Note that the Top Client table uses a rolling 24h window, so it might not capture query spikes if the are in the past >24h. Lets check what your client did yesterday. Pleas provide the output of the following command

pihole-FTL sqlite3 /etc/pihole/pihole-FTL.db "SELECT count(id) from queries where client='192.168.2.20' and timestamp BETWEEN strftime('%s','2024-09-21 10:11:07') and strftime('%s','2024-09-21 10:12:07')"

[bp0]

pihole-FTL sqlite3 /etc/pihole/pihole-FTL.db "SELECT count(id) from queries where client='192.168.2.20' and timestamp BETWEEN strftime('%s','2024-09-21 10:11:07') and strftime('%s','2024-09-21 10:12:07')"

0

[bp0]

Your client 192.[1]68.2.20 has been rate limited yesterday. But your screenshot of the top clients is likely from today?

I see what you're saying. The TV was turned on in the evening yesterday (it is now "off" but the blocked query count is still rising, 33217 now). If the time in the log is right, and it is local time, and it is 24hour, then the block did happen in the morning, before the TV was turned on, so I have no idea what caused that or why that is the only message in the log and why the TV hasn't been rate limited as well?

Why was 192.168.2.20 rate limited at all?

pihole-FTL sqlite3 /etc/pihole/pihole-FTL.db "SELECT count(id) from queries where client='192.168.2.20' and timestamp BETWEEN strftime('%s','2024-09-21 00:00:00') and strftime('%s','2024-09-22 00:00:00')"

1620
Doesn't seem like an unreasonable number for a whole day.

Close the issue if you like. As you say, if the block happened before the TV was turned on then the report is wrong. I'm still confused about what is going on.

[yubiuser]

I'm still confused about what is going on.

Me too.
I'm not sure that the rate-limiting and turning on the TV are connected. What I don't understand is why it was blocked, but the database did not contain any entries in that time frame. 1620 sounds not like a lot. Esp. if we assume they are spread over the whole day. Do you know what client 192.168.2.20 is?

[bp0]

Do you know what client 192.168.2.20 is?

Yes, it is a regular desktop PC running Pop OS.

[DL6ER]

What I don't understand is why it was blocked, but the database did not contain any entries in that time frame.

It may be a timezone issue. The browser may know that it is, e.g., some US time with +6 hours while the server may be using UTC. In this scenario the screenshot and the sqlite3 query would work in entirely different timeslots.

@bp0 Did this ever happen again?