Maximum number of concurrent DNS queries reached (max: 150)

I got the same problem as this post.

I increased the limit and I got no problem anymore. But I'd like to keep track of the problem like in the post I mention (counting DNS packets). How can I do it since iptables is obsolete?

Thanks

  • Use its replacement - nftables

Hope this helps.

1 Like

I can't spend much time on it right now, but here's an idea.
Create a dedicated extra chain dns_counter and use /tmp/dhcp.leases to populate it.

nft add chain inet fw4 dns_counter
nft flush chain inet fw4 dns_counter
nft insert rule inet fw4 input_lan meta l4proto {tcp, udp} th dport 53 jump dns_counter
for IP in $(cat /tmp/dhcp.leases | awk '{ print $3 }'); do nft insert rule inet fw4 dns_counter ip saddr $IP counter; done

Use nft list chain inet fw4 dns_counter to check the counters.

EDIT:
Note that this will not detect DNS requests sent to the router's ipv6 address, if any.
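As an added example (not code from the thread), the same approach wrapped in a script: it rebuilds the dns_counter chain from /tmp/dhcp.leases, avoids inserting the jump rule twice when rerun, adds a catch-all rule for IPv6 sources (the gap noted in the EDIT), and parses "nft list chain" output into a per-source packet ranking. The nft output embedded at the bottom is a constructed sample for the parser; the chain and table names are the ones used above.

```shell
#!/bin/sh
# Rebuild the counting chain. fw4 regenerates its table on a firewall
# reload, so rerun this ("apply") after /etc/init.d/firewall restart.
rebuild_dns_counter() {
    nft add chain inet fw4 dns_counter
    nft flush chain inet fw4 dns_counter
    # Only hook the chain once, even if this function runs repeatedly
    nft list chain inet fw4 input_lan | grep -q 'jump dns_counter' ||
        nft insert rule inet fw4 input_lan meta l4proto { tcp, udp } th dport 53 jump dns_counter
    # One counter per DHCPv4 lease; column 3 of dhcp.leases is the client IP
    awk '{ print $3 }' /tmp/dhcp.leases | while read -r ip; do
        nft add rule inet fw4 dns_counter ip saddr "$ip" counter
    done
    # The per-lease rules only match IPv4; count IPv6 queries as one bucket
    nft add rule inet fw4 dns_counter meta nfproto ipv6 counter
}

# Read "nft list chain inet fw4 dns_counter" on stdin and print
# "<packets> <source>" lines, busiest source first.
dns_counter_summary() {
    awk '
        /counter packets/ {
            src = "(unmatched)"; pk = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "saddr") src = $(i + 1)
                if ($i == "packets") pk = $(i + 1)
            }
            if ($0 ~ /nfproto ipv6/) src = "ipv6:any"
            print pk, src
        }' | sort -k1,1nr
}

# Constructed sample of nft output, used to demonstrate the parser offline
SAMPLE_NFT_OUTPUT='table inet fw4 {
    chain dns_counter {
        ip saddr 192.168.1.10 counter packets 1234 bytes 98765
        ip saddr 192.168.1.20 counter packets 12 bytes 960
        meta nfproto ipv6 counter packets 3 bytes 300
    }
}'

case "${1:-}" in
    apply) rebuild_dns_counter ;;
    show)  nft list chain inet fw4 dns_counter | dns_counter_summary ;;
    demo)  printf '%s\n' "$SAMPLE_NFT_OUTPUT" | dns_counter_summary ;;
esac
```

Run with "apply" as root on the router, then "show" to rank clients; "demo" runs the parser over the embedded sample without touching nftables.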

I think that the issue of concurrent DNS queries is not immediately connected to the number of queries from clients. What I mean is that you can have a domain which will never provide an answer because the authoritative is firewalled. This query will be active in dnsmasq until it times out (2-5 sec). On the other hand another client keeps making queries which are immediately answered, so these queries are removed from the list of concurrent queries, but still they appear high in the list of iptables.
You can start by increasing the limit, then look at the logs for expired queries and the requesting clients.

1 Like

Consider enabling DNS query logging to track down the source of the issue.
Perhaps one of your apps/clients is doing something weird like trying to reach a non-existent domain.

1 Like