# Old DNS server keeps receiving queries from HA


sonic sage
#

HA running in a VM on ESXi host, managed by vCenter. HA was pointing at DNS02 for DNS queries and lately I installed a new DNS01 and in my network everything has moved to and is querying DNS01 now. In HA I also changed DNS settings and shut down the whole HA VM and booted again. Now on my old DNS server I see a query every 20 seconds from the IP of my HA VM, querying just one name, my vcenter server.

I can't find which part in HA, Add-on, Integration, whatever would need to know where my vCenter is. Is there a way I can check at HA core level which process is querying the old DNS02 server?
HAOS 2025.11.1
OS 16.3

sharp cave
#

Please share

ha network info
ha dns info
#

You can also always get a proper CLI and run something like this

 grep -slRI --exclude-dir={proc,sys,dev,tmp,run} "IPHERE" / 2>/dev/null

sonic sage
#

The DNS servers mentioned are the new DNS

sharp cave
#

What's the old one? Are you sure the requests come from HA(OS)?

sonic sage
#

Old one is 192.168.0.2

#

I'm not sure where it is coming from, but it has to be the HA VM

sharp cave
sonic sage
#

[2025-11-10 16:50:48 UTC] [192.168.0.3:41122] [UDP] QNAME: vcenter.xxxxxxxx.com; QTYPE: A; QCLASS: IN; RCODE: NoError; ANSWER: [192.168.0.4]

#

tcpdump is not available in HA OS

sharp cave
#

See link.

sonic sage
#

Old DNS is technitium DNS
New DNS is bind9

#

Ah 🙂
apk add tcpdump

sharp cave
#

Technitium should have good logs for checking where the requests come from.
I'd recommend you get a proper CLI as explained above and check this

grep -slRIE --exclude-dir={proc,sys,dev,tmp,run} "192.168.0.2|vcenter.|Someuniquerequestdomainhere" / 2>/dev/null

sonic sage
#

Well technitium is telling me this:
[2025-11-10 16:51:08 UTC] [192.168.0.3:38446] [UDP] QNAME: vcenter.xxxxx.com; QTYPE: A; QCLASS: IN; RCODE: NoError; ANSWER: [192.168.0.4]

Every 20 seconds

sharp cave
#

But HAOS is not 192.168.0.4?

sonic sage
#

tcpdump -n udp dst port 53

Stays empty.

#

HA is 192.168.0.3
vcenter is 192.168.0.4
technitium (old) is 192.168.0.2
bind9 (new) is 192.168.0.1

sharp cave
#

So clearly the request comes from vcenter (which I have no experience with), not HAOS?

sonic sage
#

Eeuh no ?

The query is from 192.168.0.3, asking what is vcenter, answer is 192.168.0.4. Seen on old dns

#

tcpdump -n dst 192.168.0.2 stays empty as well.

sharp cave
#

Strange.

sonic sage
#

Question: If an add-on is querying 192.168.0.2, and in docker container, would I see this in HA OS in tcpdump?

#

When I do a tcpdump with no options, I don't get a lot of difference in traffic:

#

Wondering if tcpdump is done in the right place

sharp cave
#

I get a lot of stuff with tcpdump -i any -s 1024

# timeout 5 tcpdump -i any -s 1024 | wc -l
tcpdump: WARNING: any: That device doesn't support promiscuous mode
(Promiscuous mode not supported on the "any" device)
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 1024 bytes
205 packets captured
254 packets received by filter
0 packets dropped by kernel
206

I tested in the Advanced SSH Addon.

sonic sage
#

using terminal

sharp cave
#

Works in core SSH Addon too.

sonic sage
sharp cave
#

I'm not sure if it catches everything. Hence I'd use the grep way.

#

I can definitely see requests the Node RED addon does.

sonic sage
#

Found some scripts that reference my vcenter, but can't explain why they would trigger a query if they are not run and, if they do some background stuff, why they would use the wrong DNS server.

          - type: button
            icon: mdi:delete-empty
            name: Alle snapshots opruimen
            action_name: Delete Snapshots
            tap_action:
              action: call-service
              service: esxi_stats.remove_snapshot
              service_data:
                host: vcenter.intern.vanzanten.be
                vm: homeassistant
                command: all

Will remove them since these are no longer needed. Also removed the esxi_stats integrations (HACS) already and restarted HA, not rebooted the VM

sharp cave
#

I don't expect the button to do this. The HACS integration has a scan interval of 15s it looks like. Probably that.

sonic sage
#

Plus I seem to have a ui_status_dashboard.yaml that I can't find in the GUI as a dashboard

#

Just to make sure, I did a query using dig from my workstation to the old DNS:
[2025-11-10 17:20:45 UTC] [192.168.0.5:50822] [UDP] QNAME: google.com; QTYPE: A; QCLASS: IN; RCODE: NoError; ANSWER: [142.251.36.46]

Proving the 192.168.0.5 is now the source address. Hence the other logs I showed really show the HA VM as the source

#

Is there a way to shut down everything from HA but not the core OS? If I'm correct, HA and all add-ons are containers?

sharp cave
#

ha addons | grep "slug" | cut -d' ' -f4 | grep -iv "ssh" | xargs -I{} echo ha addon stop {}
ha core stop

Remove the echo or run the commands yourself if happy with that.

sonic sage
#

Just powered off the whole VM and proved that the DNS query stopped. Will restart and try your commands

sharp cave
#

This is still running

# docker ps --format '{{.Names}}'
addon_a0d7b954_ssh
addon_core_ssh
hassio_multicast
hassio_audio
hassio_dns
hassio_cli
hassio_supervisor
hassio_observer

sonic sage
#

I used to have that through portainer, but removed it a while ago after it wasn't supported anymore

sharp cave
#

You can also use a serial terminal to your VM or set up port 22222 SSH access, or see Link above to use the advanced SSH addon for this.

sonic sage
#

Found the culprit

#

It is the uptime kuma add-on

sharp cave
#

Its database file should have been listed via grep.

#

Think about using keepalived. Your VIP can stay the same and you have HA/failover 🙂

sonic sage
#

the grep didn't work after the 'cut' but that is maybe because I was still in "ha" console instead of root

sharp cave
#

Yeah the ha > CLI does not accept normal linux commands.

#

Just for the future. You can enter login to get out of there.

sonic sage
#

Well I tried login root, login ha, login homeassistant but not just login

#

Oh.... I'm so stupid..... found what was wrong

#

So I've been using uptime kuma to perform dns query tests

#

And cloned that query to query the new dns server

#

then removed the query to the old dns server

#

except, the change for the new one didn't change.... the screen name says query new dns, but the ip is the old dns

#

no wonder it kept querying every 20sec

#

Sorry for that! Send me a QR for a coffee or Monster to reward your patience and efforts 😉

sharp cave