Conditional Forwarding and Split Horizon DNS

Environment

  • Running on Debian 12 LXC container on Proxmox
  • Version Details:
    • Core: 6.2.2
    • FTL: 6.3.3
    • Web Interface: 6.3

Expected Behaviour:

I have pi-hole running on a Debian LXC. Currently it works well, but I have one situation where I cannot make it work.

I have multiple internal networks, but I have a split at /16 (10.1.X.X and 10.2.X.X). For the 10.1.X.X network, I would like requests to be forwarded to my internal DNS servers for all queries against my domain, and for 10.2.X.X, I would like them to forward to an external address, such as Cloudflare.

  • 10.1.1.2 → Pi-Hole → Windows Internal DNS
  • 10.2.1.2 → Pi-Hole → 1.1.1.1

I have tried a few different conditional forwarding rules, but none seem to work, and I feel like I am just missing something.

I have configured these under the advanced settings --> Conditional forwarding section of https:///admin/settings/dns.

true,10.1.0.0/16,10.1.10.20#53,domain.local
true,10.2.0.0/16,1.1.1.1#53,domain.local
true,10.1.0.0/16,10.1.10.20#53,domain.local
true,10.2.0.0/16,1.1.1.1#53
true,10.1.0.0/16,10.1.10.20#53

Actual Behaviour:

Instead of sending traffic from the 10.2.X.X devices out to Cloudflare, all traffic for my internal domains is being sent to the internal DNS servers.

Debug Token:

https://tricorder.pi-hole.net/c0U2MKue/

I don't have a quick solution but ... CF consists of two parts.
One part for forward lookups (name to IP) and one part for reverse lookups (IP to name).

The above bit instructs forward lookups for the domain domain.local to be forwarded to DNS server 10.1.10.20.
And reverse lookups for the 10.1.0.0/16 addresses to also be forwarded to 10.1.10.20.
Forward lookup example, with 10.0.0.2 being my Pi-hole:

$ dig +short @10.0.0.2 hak01
10.0.0.145

Reverse lookup example:

$ dig +short @10.0.0.2 -x 10.0.0.145
hak01.home.dehakkelaar.nl.

From the above, I'm not sure if you can split up the domain domain.local into two subnets with embedded dnsmasq like above.
I suspect dnsmasq will pick only the first or the last one from the above two directives.
Try changing the order to play around, and follow the logs live to see what happens when testing:

sudo pihole tail

The above only deals with reverse lookups and not the forward lookups for domain.local!

PS: about the .local search/suffix domain above:


Thank you for the detailed response. I think this clarifies it for me, and what I am trying to do is not possible. I understood this to work a bit differently from how it actually does.

I thought this would identify IP addresses of clients from the first IP (range) and forward to the second IP. Now that I understand that the first is a reverse lookup forward, this makes sense. I think my next step is to set up a second pi-hole server to manage the 10.2.x.x subnets.

As for the .local, I should have clarified that was an example. My domain in question is a .xyz domain.

I hope you have a good weekend.


No, it doesn't identify the client's IP.
It only looks at the type of query:
type A or AAAA record queries for forward lookups,
and PTR queries for reverse lookups.

Have a good weekend!

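The following is an added model of the point made in the replies above, not code from Pi-hole or dnsmasq: in a conditional forwarding entry the subnet only selects the target for PTR (reverse) queries and the domain only selects it for A/AAAA (forward) queries, so the requesting client's address never enters the decision. The rule list, the hypothetical `choose_upstream` helper, the 1.1.1.1 default upstream, and the "first matching entry wins" rule are all assumptions of this model (the reply above only suspects that dnsmasq picks one of two duplicate entries).

```python
import ipaddress
from typing import NamedTuple, Optional

class CFRule(NamedTuple):
    """One conditional forwarding entry (the 'true,subnet,target,domain' line)."""
    subnet: str                   # reverse-lookup range, e.g. "10.1.0.0/16"
    target: str                   # upstream to forward to, e.g. "10.1.10.20#53"
    domain: Optional[str] = None  # forward-lookup domain; None = reverse lookups only

# Constructed rule list mirroring the two entries from the question.
RULES = [
    CFRule("10.1.0.0/16", "10.1.10.20#53", "domain.local"),
    CFRule("10.2.0.0/16", "1.1.1.1#53", "domain.local"),
]

def ptr_name(ip: str) -> str:
    """Reverse-lookup name for an address, e.g. 10.0.0.145 -> 145.0.0.10.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer

def _ptr_to_ipv4(qname: str) -> Optional[ipaddress.IPv4Address]:
    """Turn a full IPv4 in-addr.arpa name back into the address it encodes."""
    suffix = ".in-addr.arpa"
    if not qname.endswith(suffix):
        return None
    labels = qname[: -len(suffix)].split(".")
    if len(labels) != 4:
        return None
    return ipaddress.IPv4Address(".".join(reversed(labels)))

def choose_upstream(rules, qname: str, qtype: str, client_ip: str,
                    default: str = "1.1.1.1#53") -> str:
    """Pick the forwarding target. Only qtype and qname are consulted; client_ip is
    accepted purely to make the point that it is never used. The first matching
    rule wins (an assumption of this model, not documented dnsmasq behaviour)."""
    if qtype == "PTR":
        ip = _ptr_to_ipv4(qname)
        for r in rules:
            if ip is not None and ip in ipaddress.ip_network(r.subnet):
                return r.target          # reverse lookup: the subnet decides
    elif qtype in ("A", "AAAA"):
        for r in rules:
            if r.domain and (qname == r.domain or qname.endswith("." + r.domain)):
                return r.target          # forward lookup: the domain decides
    return default                       # everything else: the normal upstream

if __name__ == "__main__":
    for client in ("10.1.1.2", "10.2.1.2"):   # same answer regardless of client
        print(client, "A host.domain.local ->",
              choose_upstream(RULES, "host.domain.local", "A", client))
```

Both clients get the same target for a forward lookup of domain.local; only a PTR query for a 10.2.x.x address is steered by the second entry's subnet.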
