Adding small section on DNS rebind protection in Fritz!Box docs

cozy_doomer · December 23, 2025, 6:57am

I recently had issues setting up Pi-hole with a Fritz!Box router.

The docs on this are really good but didn’t mention anything about DNS rebind protection which was enabled by default on my router (FRITZ!Box 4050, FRITZ!OS: 8.02).

This setting caused heavy delays when resolving domains and it took some time until I was able to find and fix it. Since there are specific docs on this brand of router I was thinking I should add a section in the docs so others might have an easier time. I’m not an expert but with some feedback I should be able to do this.

Roughly I would add:

a sub-header “Add Pi-hole as exception for DNS rebind protection“ in the “Distribute Pi-hole as DNS server via DHCP“ section in the docs
explanation that this might not be applicable for all router types and OS versions
(maybe people can direct me to a list of versions that have this setting on by default - but I think it’s unlikely this information exists)
instructions with a screenshot on how to add an exception for Pi-hole

Is this the right way to go about this and should my next step be to open a PR in the Pi-hole/docs repo for this?

Additional resources

Similar issue (fritzbox is also mentioned in this thread):

github.com/pi-hole/pi-hole

DNS Rebind Protection in LAN

opened 01:51PM - 08 Feb 16 UTC

closed 04:27AM - 14 May 17 UTC

bauxi

Documentation Needed Discussion

I don't know if someone did already mention this (a quick issue and faq search s…howed no results), but my Pi-Hole stopped working because my router had DNS Rebind Protection turned on. This means DNS queries cannot be answered with a local IP address, so maybe this could be included in the FAQs or somewhere else. I don't know if it happens really often, but OpenWrt has it turned on as default. ## <bountysource-plugin> Want to back this issue? **[Post a bounty on it!](https://www.bountysource.com/issues/30648245-dns-rebind-protection-in-lan?utm_campaign=plugin&utm_content=tracker%2F3011939&utm_medium=issues&utm_source=github)** We accept bounties via [Bountysource](https://www.bountysource.com/?utm_campaign=plugin&utm_content=tracker%2F3011939&utm_medium=issues&utm_source=github). </bountysource-plugin>

Relevant FAQ topic:

Bucking_Horn · December 23, 2025, 7:25am

FritzBox routers do enable DNS rebind protection by default. It can't be turned off entirely, but they allow you to configure exemptions.

Your contribution would be most welcome.

Just note:

That wouldn't be the correct section.
Your router's DNS rebind protection would kick in if your router receives a private IP address as DNS reply from its upstream, i.e. it could interfere with Pi-hole serving local names if you configured your router to use Pi-hole as upstream DNS server for your Fritz!Box.

When considering to contribute via GitHub, note that clicking the pencil on the top right of a doc page will take you to the respective GitHub source.

cozy_doomer · December 23, 2025, 4:53pm

Yes thank you for the correction - it should be under Pi-hole as DNS server via DHCP.
I tried both and misremembered which one I landed on.

If I understand you correctly you’d say it’s the case for all/most FritzBox routers and it’s not necessary to specify that it might not be applicable for certain versions?

Happy to do the change and close this topic after I got this information!