DNS problem and name look up

On a RasPi, I run PiHole to see what is happening in/on my network.

The other day I am noticing HUGE traffic to the name heartbeat.
(Bit of a give away to me, but indulge me)

I have since discovered my backups failed and so I have none. Only the working flow/s.
(That has since been fixed)
Ok, I have a backup but from March...... This year.

So the problem that I am seeing:

This is what PiHole is showing me in a very filtered log:

Jun 17 19:32:27 dnsmasq[9674]: query[A] heartbeat from 192.168.0.99
Jun 17 19:32:27 dnsmasq[9674]: config heartbeat is NXDOMAIN
Jun 17 19:32:27 dnsmasq[9674]: query[A] heartbeat from 192.168.0.99
Jun 17 19:32:27 dnsmasq[9674]: config heartbeat is NXDOMAIN
Jun 17 19:32:28 dnsmasq[9674]: query[A] heartbeat from 192.168.0.99
Jun 17 19:32:28 dnsmasq[9674]: config heartbeat is NXDOMAIN
Jun 17 19:32:28 dnsmasq[9674]: query[A] heartbeat from 192.168.0.99
Jun 17 19:32:28 dnsmasq[9674]: config heartbeat is NXDOMAIN

Started 19:32 17 June. Local time I hope.
But whatever.... From then it has been relentless.

What I've done to try and find it:
Every 30 seconds I send out nmap commands with IP ranges of my LAN and my uplink.
(Other post)
That is old now.

But that happens every 30 seconds.
I look at the log of PiHole and it is continuing to be logged.
I disable that part of the flow. Alas it continues.

Ok, not the end of the world.

But to be sure - rather than going through all the tabs - I stopped NR.
The entries stopped. (Phew)

Yes, ok, I could step through them all and disable them and find out when it starts again.
But it is confusing to me.

I'm guessing I am pinging and for some reason heartbeat is being given rather than an IP address.
I get that.
But I haven't got any ping nodes used now.
They've been superseded with nmap commands.

Any thoughts on how to track it down?
(Maybe I disable 1/2 the tabs. If it remains, disable another 1/2 of the active tabs.
If it is good, enable 1/2 of the tabs and see what happens.)

Sorry folks. I am really having a few bad days just now.

Update:

I've isolated it to one flow.

(SHOULD be easy.)

But it isn't......

That is the flow which generates the heartbeat signal.
Ok, so, that's not really helpful for a couple of reasons:

1 - The heartbeat message.... I've changed it to something else but the logs don't reflect the change in the name.
2 - Nothing on that flow does any pinging, or network stuff.
That flow is the main control for that RasPi and sends the signal to other flows.

Which also then begs the question:
This flow creates the heartbeat message/signal. Given.
That message goes elsewhere and can be used on other flows.

So if I disable the other flows the problem should also go away. Yes?

I was suspicious it was that tab and so I had all OTHER tabs disabled.
The error was still happening.
I then disabled THAT tab and they stopped.

To double check myself, I then re-enabled all the OTHER tabs and left this one DISABLED.
All good. No errors.
Enabled that tab (back to all tabs active) and the error comes back.

It's late here. It isn't that I am walking away from the problem. It will still be here tomorrow.
But rather than bash my head I feel sleep may be in order, and I can attack it tomorrow with a clearer mind - I hope.

And it may also give time if anyone has any ideas on how I can track this down and post.

Thanks.

(New day)

Thinking about the problem as it is presented:

Jun 17 19:32:27 dnsmasq[9674]: config heartbeat is NXDOMAIN

In my code as I said there is a heartbeat message sent every 30 seconds.

But it is HEARTBEAT - as opposed to heartbeat which is showing in the log.

Are they the same thing?

I tried changing HEARTBEAT to something else but I was still seeing heartbeat in the log.
So that has me confused.

Given I have isolated the cause to one flow, why is it that if I search for heartbeat I don't get anything helpful to determine from where it is coming?

Found the problem:

node-red-contrib-redplc-ntptime

Disabled it and the DNS problem stops.

(Go figure)

Wondering why you would use this, Andrew, rather than just grabbing the system time from the Pi it is running on (which will already be performing some form of NTP time sync, and will need good time for all of its running processes)?

Craig

Well, I didn't know the Pi checked the NTP itself constantly.

I thought it only did it at boot up.

This scenario is more a test thing anyway.

The idea is that I already have code that checks the difference between the software time and the RTC, If they differ by too much I am warned.

This was that every now and then (maybe daily at a given time) the time in/on/at the NTP (External) would be got and compared to the local time.

Again, if a big difference I would be notified.

So in the bigger picture it is just an exercise in self checking.

To be sure:
The RasPi has ongoing external NTP checking happening anyway?

Thanks.

It should have external NTP set up

Here is a quick article on how to check

Craig
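
For anyone triaging a similar flood, one way to rank the noisiest failing lookups in a dnsmasq/Pi-hole log of the kind quoted in this thread. This is an added example, not code from any poster; the sample log, the function name and the threshold are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the dnsmasq log format quoted in the thread (not a real capture).
SAMPLE_LOG = """\
Jun 17 19:32:27 dnsmasq[9674]: query[A] heartbeat from 192.168.0.99
Jun 17 19:32:27 dnsmasq[9674]: config heartbeat is NXDOMAIN
Jun 17 19:32:27 dnsmasq[9674]: query[A] heartbeat from 192.168.0.99
Jun 17 19:32:27 dnsmasq[9674]: config heartbeat is NXDOMAIN
Jun 17 19:32:28 dnsmasq[9674]: query[A] example.org from 192.168.0.50
Jun 17 19:32:28 dnsmasq[9674]: reply example.org is 192.0.2.10
Jun 17 19:32:28 dnsmasq[9674]: query[A] heartbeat from 192.168.0.99
Jun 17 19:32:28 dnsmasq[9674]: config heartbeat is NXDOMAIN
"""

# "query[A] <name> from <client>" and "<source> <name> is <answer>" lines.
QUERY_RE = re.compile(r"dnsmasq\[\d+\]: query\[(\w+)\] (\S+) from (\S+)$")
ANSWER_RE = re.compile(r"dnsmasq\[\d+\]: \S+ (\S+) is (\S+)$")

def noisy_failed_lookups(log_text, min_queries=3):
    """Return (client, name) pairs that keep asking for a name answered NXDOMAIN."""
    queries = Counter()   # (client, name) -> number of queries seen
    nxdomain = set()      # names that received an NXDOMAIN answer
    for line in log_text.splitlines():
        line = line.strip()
        m = QUERY_RE.search(line)
        if m:
            _qtype, name, client = m.groups()
            # DNS names compare case-insensitively, so normalise before counting.
            queries[(client, name.lower())] += 1
            continue
        m = ANSWER_RE.search(line)
        if m and m.group(2) == "NXDOMAIN":
            nxdomain.add(m.group(1).lower())
    findings = []
    for (client, name), count in queries.most_common():
        if name in nxdomain and count >= min_queries:
            findings.append({
                "client": client,
                "name": name,
                "queries": count,
                # A name with no dot is a bare hostname, not a public domain.
                "single_label": "." not in name,
            })
    return findings

if __name__ == "__main__":
    for finding in noisy_failed_lookups(SAMPLE_LOG):
        print(finding)
```

The client address in each finding identifies which machine to inspect; finding the responsible process on that machine still needs the disable-and-retest approach described in the thread.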
