Searching on the Unbound and DNSMASQ messages, they are saying the same thing: that somewhere on your network a machine (or machines) is making more than the maximum allowed number of DNS requests. This must be in a very short time frame as the DNS requests tend to be dealt with very quickly.
Somewhere in the IPFire logs there must be something about DNS requests to IPFire and/or pihole. If the machine or machines making these requests can be identified then the reason why should be easier to identify.
I don’t know if it is possible to make unbound provide more detailed logs with some debug setting to run for only a short time because it will probably generate a lot of material. I haven’t been able to find anything at the moment.
Just for the sake of completeness: Way back in 2016 (with Core Update 106), we switched from dnsmasq to unbound as a DNS resolver. Hence, the dnsmasq log sections do not provide any information ever since, and were only kept to allow old dnsmasq logs to still be viewed via the web interface - though I think we can safely remove them nowadays.
To figure out which client behind IPFire generates all these queries, you can enable logging of DNS queries. (It is disabled by default due to privacy reasons, since DNS queries basically leak most parts of the browsing history of users.)
To do so, create a new file in /etc/unbound/local.d/ (such as /etc/unbound/local.d/log-queries.conf - the .conf suffix is important) with the following contents:
    server:
        log-queries: yes
Afterwards, reload Unbound by executing
/etc/init.d/unbound reload
You will then see DNS queries logged in /var/log/messages - for example, by running this command:
tail -f /var/log/messages | grep -i unbound
This should be sufficient to get the client IP address emitting the PTR queries.
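An added example, not part of the original posts: once query logging is on, a per-client tally is quicker to read than a live tail. The function name, the sample lines, and the assumed log layout (`unbound: [pid:thread] info: <client-ip> <qname> <qtype> <qclass>`) are assumptions to check against your own /var/log/messages.

```shell
#!/bin/sh
# Count DNS queries per client from Unbound "log-queries: yes" syslog lines.
# Assumed layout of a query line (verify on your system):
#   <syslog prefix> unbound: [pid:thread] info: <client-ip> <qname> <qtype> <qclass>

# top_dns_clients [qtype]  (hypothetical helper name)
#   Reads log lines on stdin and prints "<count> <client-ip>", busiest first.
#   With a qtype argument (e.g. PTR) only queries of that type are counted.
top_dns_clients() {
    awk -v want="$1" '
        /unbound: \[[0-9]+:[0-9]+\] info: / {
            # Find the "info:" token; client, qname, qtype, qclass follow it.
            for (i = 1; i <= NF; i++) if ($i == "info:") break
            if (i + 4 != NF) next            # not a four-field query record
            if ($(i + 4) != "IN") next       # skips other info: messages
            if (want != "" && $(i + 3) != want) next
            count[$(i + 1)]++
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample lines for demonstration (not real log data).
sample_log() {
cat <<'EOF'
Mar 10 12:00:01 ipfire unbound: [1234:0] info: 192.168.0.23 5.0.168.192.in-addr.arpa. PTR IN
Mar 10 12:00:01 ipfire unbound: [1234:0] info: 192.168.0.23 6.0.168.192.in-addr.arpa. PTR IN
Mar 10 12:00:01 ipfire unbound: [1234:1] info: 192.168.0.10 www.example.org. A IN
Mar 10 12:00:01 ipfire unbound: [1234:0] info: 192.168.0.23 7.0.168.192.in-addr.arpa. PTR IN
Mar 10 12:00:02 ipfire unbound: [1234:1] info: 192.168.0.10 23.0.168.192.in-addr.arpa. PTR IN
Mar 10 12:00:02 ipfire unbound: [1234:0] info: 192.168.0.42 www.example.org. AAAA IN
Mar 10 12:00:02 ipfire unbound: [1234:0] info: 192.168.0.23 8.0.168.192.in-addr.arpa. PTR IN
Mar 10 12:00:03 ipfire unbound: [1234:0] info: service stopped (unbound 1.13.1).
Mar 10 12:00:03 ipfire kernel: DROP_INPUT IN=red0 OUT= SRC=203.0.113.9
EOF
}

# Demo: which client sends the most PTR queries in the sample?
sample_log | top_dns_clients PTR
```

On the firewall itself, feed it the real log with `grep -i unbound /var/log/messages | top_dns_clients PTR`. Since query logging records users' lookups, delete the log-queries.conf file and reload Unbound once the noisy client is identified.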