Can local DNS entry override an existing upstream entry?

Hi everyone,

I am new to Pi-hole and DNS, so please forgive me.

I have a default setup of pi-hole (Core v6.3, FTL v6.4.1) and added a local DNS entry like this:

test.mywire.org --> 192.168.178.123

My upstream (Google) is able to resolve test.mywire.org as it is an existing domain, but I'd like to "shadow" it and let it point to a local IP instead, when I am in my LAN.

However, using
dig @<my_local_pihole_server> test.mywire.org

always resolves to the public IP, so it seems that the upstream resolves the query.

Is this behavior expected? How can I achieve this local shadowing? Shouldn't I be doing that?

Please upload a debug log and post just the token URL that is generated after the log is uploaded by running the following command from the Pi-hole host terminal:

sudo pihole -d

or if you run your Pi-hole as a Docker container:

docker exec -it <pihole-container-name-or-id> pihole -d

where you substitute <pihole-container-name-or-id> as required.

https://tricorder.pi-hole.net/N6vsc8qG/

Glancing at your debug log, you don't have any client specific filtering rules, so requests for A records of test.mywire.org should be answered with a private range IP, regardless of the client requesting it - provided that Pi-hole is receiving that request.

Your Pi-hole runs as a Docker container.
Please share your docker compose or docker run script for your Pi-hole container.

Also, please share the output of the following commands as run from a client:

nslookup pi.hole
nslookup test.mywire.org <docker.host.ip>
nslookup -class=chaos -type=txt version.ftl <docker.host.ip>

where you substitute <docker.host.ip> with your respective Docker host machine's IP address.

How do the latter two register in Pi-hole's Query Log?

Pi-hole is running as an app on ZimaOS (formerly CasaOS).

/ > date
Wed May 27 15:14:29 CEST 2026
/ > nslookup pi.hole                                           
Server:		192.168.178.144
Address:	192.168.178.144#53

Name:	pi.hole
Address: 172.17.0.5

/ > nslookup test.mywire.org 192.168.178.144                   
Server:		192.168.178.144
Address:	192.168.178.144#53

Non-authoritative answer:
Name:	test.mywire.org
Address: 208.67.222.111

/ > nslookup -class=chaos -type=txt version.ftl 192.168.178.144
Server:		192.168.178.144
Address:	192.168.178.144#53

** server can't find version.ftl: REFUSED

/ > date
Wed May 27 15:14:36 CEST 2026

docker-compose.txt (46,0 KB)

To give you a very short and simple answer:

Yes, this should work indeed, because I have used Pi-hole in the past to fix connectivity issues with a specific game when their DNS Records were borked and I wasn't using Unbound yet at the time.

And good luck with solving the issue!

Your nslookup for test.mywire.org didn't register in Pi-hole's Query Log, i.e. respective DNS requests never made it to Pi-hole.
This demonstrates that the reply of 208.67.222.111 was not supplied by Pi-hole, but an alternative DNS server.

Similar is true for the FTL version lookup:
No TXT record request registers in Pi-hole's Query Log, i.e. it was the alternative DNS server that REFUSED to answer.

Something in your network (or on the machine you've run those nslookups from) is intercepting and redirecting DNS requests to another DNS server.

The usual suspects would be your router's firewall, or a personal firewall or antivirus feature on the machine issuing those nslookups.

The Pi-hole team neither develops nor endorses a Pi-hole app for ZimaOS/CasaOS. In addition, your docker compose file does not look like a typical Docker Pi-hole compose file.
It could be that ZimaOS is wrapping containers in an additional layer.

You may want to contact the maintainer of that app and/or consult CasaOS support for assistance.
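Added example, not part of the thread and not Pi-hole project code: the two-lookup check used above (CHAOS TXT version.ftl plus the A record), done at the DNS message level so the rcode and answer data can be compared directly. The function names are hypothetical, the replies are constructed samples, and it assumes, as the diagnosis above does, that Pi-hole itself answers version.ftl with a TXT record.

```python
import ipaddress
import struct

CH, IN, A, TXT, REFUSED = 3, 1, 1, 16, 5   # DNS class, type and rcode numbers

def build_query(name, qtype, qclass, txid=0x1234):
    """One-question query with RD set, as sent over UDP/53 to the Pi-hole address."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", qtype, qclass)

def skip_name(msg, off):
    """Step over a name made of labels, optionally ending in a compression pointer."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += msg[off] + 1
    return off + (2 if msg[off] else 1)

def parse_response(msg):
    """Return (rcode, [(rtype, rdata), ...]) for the answer section."""
    _, flags, qd, an, _, _ = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    answers = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        answers.append((rtype, msg[off + 10:off + 10 + rdlen]))
        off += 10 + rdlen
    return flags & 0xF, answers

def diagnose(version_reply, a_reply, local_ip):
    """Combine both lookups: did FTL answer, and is the local record returned?"""
    rcode, txt = parse_response(version_reply)
    ftl_answered = rcode == 0 and any(t == TXT for t, _ in txt)  # assumption: FTL answers with TXT
    ips = [str(ipaddress.ip_address(r)) for t, r in parse_response(a_reply)[1] if t == A]
    if ftl_answered and local_ip in ips:
        return "answered by Pi-hole"
    if not ftl_answered and local_ip not in ips:
        return "answered by another resolver (DNS intercepted)"
    return "inconclusive"

def sample_reply(query, rcode, rtype=0, rdata=b""):
    """Constructed reply for offline use: echoes the question, at most one answer."""
    head = struct.pack("!6H", 0x1234, 0x8180 | rcode, 1, 1 if rdata else 0, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 60, len(rdata)) + rdata if rdata else b""
    return head + query[12:] + rr
```

On a live network the bytes from `build_query` would be sent to the Pi-hole address and the raw replies passed to `diagnose`; running it from a second machine shows whether the interception is local to one client or happens on the network path.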

It seems Cisco Umbrella DNS is running as a system service on my Mac (company policy) and intercepting DNS queries. Thanks for the support, Bucking_Horn, nero355.