Custom DNS override config file in /etc/dnsmasq does not appear to be read

Hi Everyone,

Long time lurker, first time poster.

I have pihole running on a dedicated ubuntu server install in a linux container.

I use a private upstream DNS server that I am pretty happy with, but some sites I need apparently flag it as being potentially malicious, and either return queries empty, or don’t reply at all and just time out.

I want to keep using this DNS server, but I would like to add overrides for specific domain names.

After reading some guides on how I might do this, the most appropriate way seems to be to create a custom config file in /etc/dnsmasq.d with the custom overrides.

So I created /etc/dnsmasq.d/99-overrides.conf

In it I have a list of domain names and DNS servers in the following format

server=/<domain name>/<IP to DNS server>
server=/<domain name>/<IP to DNS server>
server=/<domain name>/<IP to DNS server>

After saving my config file and restarting the Pihole-FTL service, the custom rules do not appear to work. I have flushed the DNS cache on one of my clients, and running dig on these domains I still do not get a response. Monitoring pihole -t during restart, I see no evidence that my custom config file is being read. Am I right to expect a “read” output during startup if it is being read properly?

Is there something here that I am missing? How would I go about troubleshooting this?

I appreciate any input.

I do understand the value of the debug output from pihole, but that contains a lot of rather private information about my network that I would rather not share, so maybe we can keep the advice at a high level, and I’ll try to figure it out?

Interestingly, it does appear as if at least pihole -d sees my custom config file:

*** [ DIAGNOSING ]: contents of /etc/dnsmasq.d

-rw-r--r-- 1 root root 57 Aug 16  2024 /etc/dnsmasq.d/02-custom-settings.conf
   dns-forward-max=5096
   min-cache-ttl=300
   rebind-domain-ok=

-rw-r--r-- 1 root root 87 Sep 24 02:02 /etc/dnsmasq.d/99-overrides.conf
   server=/<redacted>/1.1.1.1
   server=/<redacted>/1.1.1.1
   server=/<redacted>/1.1.1.1

I have tried some large DNS servers, including cloudflare, google and a couple of others here, which should be able to pull these domains.

How can I confirm whether or not the specified override DNS is actually being queried for these domain names now?

If I can do that, I can narrow it down to whether it is a configuration issue on my piHole box, or if the issue is upstream (in other words, the DNS server somehow doesn’t like my public IP and is taking it upon itself to not forward me the IPs I need).

I’d appreciate any input.

Thanks!

Pi-hole v6 doesn't read /etc/dnsmasq.d/ by default, see Custom dnsmasq configs not loading.

Either enable misc.etc_dnsmasq_d, or instead (for just one or two lines) add them directly to misc.dnsmasq_lines, as accessible via Settings | All settings » Miscellaneous.
All settings is available in Expert mode only.

Thank you for that! This did not come up in my searches.

Appreciate the pointer!

Do you know if misc.dnsmasq_lines accepts commented lines without causing problems? Would be nice to add notes of what I am doing for the future when I have inevitably forgotten :sweat_smile:

Hmm.

I added the server= lines to misc.dnsmasq_lines. Just to make sure they took effect I rebooted. Even after flushing the DNS cache on my client machines it still does not appear to be working.

I mean, it could be an upstream problem too though.

Which logs can I look at to confirm this?

I didn’t find anything in /var/log that looks related.

Any hints regarding which logs I can look at to confirm if the requests for these domains are actually going to 1.1.1.1 instead of my default upstream DNS server?

Does pihole-FTL service maybe use a custom location for logs?

Much appreciated,

Matt

Never mind. I pulled a stupid. It is right there in /var/log/pihole.log.

And it does appear that the lines in misc.dnsmasq_lines are being interpreted.

The log confirms it is querying 1.1.1.1 now for just these domains.

So I guess I have some sort of upstream problem outside of pihole.

Thanks again.
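The check described in the post above, done offline: parse the `server=/domain/upstream` lines from an override file, work out which upstream each forwarded query should have gone to under dnsmasq's longest-matching-zone rule, and compare that against the `forwarded NAME to IP` lines dnsmasq writes to the query log. This is an added example, not code from the thread or from Pi-hole; the domains, the default upstream address (10.0.0.53) and the log lines are constructed, since the thread redacts the real ones.

```python
import re

# Constructed example of a /etc/dnsmasq.d/99-overrides.conf; the domains are
# placeholders (the thread redacts the real ones) and the upstream addresses
# are assumptions.
OVERRIDES_CONF = """\
# forward only these zones (and their subdomains) to a different resolver
server=/example.com/1.1.1.1
server=/example.net/1.1.1.1
server=/example.org/1.0.0.1
"""

# Assumed address of the private upstream that everything else is sent to.
DEFAULT_UPSTREAM = "10.0.0.53"

# Constructed log lines in the format dnsmasq writes with query logging on
# (what Pi-hole's pihole.log contains). Not a capture from the thread.
SAMPLE_LOG = """\
Sep 24 02:05:01 dnsmasq[1234]: query[A] www.example.com from 192.168.1.10
Sep 24 02:05:01 dnsmasq[1234]: forwarded www.example.com to 1.1.1.1
Sep 24 02:05:02 dnsmasq[1234]: query[A] example.net from 192.168.1.10
Sep 24 02:05:02 dnsmasq[1234]: forwarded example.net to 10.0.0.53
Sep 24 02:05:03 dnsmasq[1234]: query[AAAA] notexample.com from 192.168.1.11
Sep 24 02:05:03 dnsmasq[1234]: forwarded notexample.com to 10.0.0.53
Sep 24 02:05:04 dnsmasq[1234]: query[A] example.org from 192.168.1.10
Sep 24 02:05:04 dnsmasq[1234]: cached example.org is 93.184.216.34
"""

SERVER_RE = re.compile(r"^server=/([^/]+)/([^#\s]+)")
FORWARDED_RE = re.compile(r"forwarded (\S+) to (\S+)")


def parse_overrides(conf_text):
    """Return {zone: upstream} for every server=/zone/upstream line.

    Comments, blank lines and plain server=IP lines (global upstreams) are
    skipped; a trailing #port on the upstream is dropped for comparison.
    """
    overrides = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SERVER_RE.match(line)
        if m:
            zone, upstream = m.groups()
            overrides[zone.lower().rstrip(".")] = upstream
    return overrides


def expected_upstream(name, overrides, default):
    """Apply dnsmasq's matching rule: the longest matching zone wins, and a
    zone matches the name itself and every label below it (example.com
    covers www.example.com but not notexample.com)."""
    name = name.lower().rstrip(".")
    best = None
    for zone, upstream in overrides.items():
        if name == zone or name.endswith("." + zone):
            if best is None or len(zone) > len(best[0]):
                best = (zone, upstream)
    return best[1] if best else default


def parse_forwarded(log_text):
    """Extract (name, upstream) pairs from 'forwarded NAME to IP' log lines.
    Answers from cache never produce such a line, so they are not audited."""
    pairs = []
    for line in log_text.splitlines():
        m = FORWARDED_RE.search(line)
        if m:
            name, upstream = m.groups()
            pairs.append((name, upstream.split("#")[0]))
    return pairs


def audit(log_text, conf_text, default):
    """Compare every forwarded query against the override table.

    Returns (ok, mismatches): ok is a list of names that went where the
    config says, mismatches is a list of (name, expected, actual).
    """
    overrides = parse_overrides(conf_text)
    ok, mismatches = [], []
    for name, actual in parse_forwarded(log_text):
        expected = expected_upstream(name, overrides, default)
        if actual == expected:
            ok.append(name)
        else:
            mismatches.append((name, expected, actual))
    return ok, mismatches


if __name__ == "__main__":
    good, bad = audit(SAMPLE_LOG, OVERRIDES_CONF, DEFAULT_UPSTREAM)
    for name in good:
        print(f"OK        {name}")
    for name, expected, actual in bad:
        print(f"MISMATCH  {name}: expected {expected}, log shows {actual}")
```

On the constructed log, `example.net` shows up as a mismatch (the override file says 1.1.1.1 but the log shows the query went to the default upstream), which is exactly the symptom of an override file that is not being read. A query answered from cache leaves no `forwarded` line at all, so flush the cache, or query a name that has not been asked for recently, before reading the log.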

If anyone else comes across this in the future, I resolved my problem.

I didn’t realize DNS servers had the ability to do this, but Cloudflare must be using some sort of custom implementation. Their 1.1.1.1 server refuses to forward me IP addresses for certain domains (but only some of them for some reason) if the request comes from the public IP of the VPN server I use.

If I use a firewall rule to bypass the VPN server just for these DNS lookups, suddenly everything works.

Presumably the specific domains I am trying to request are Cloudflare customers, and Cloudflare is using their own public DNS service to filter out requests from IP addresses they see as undesirable.

The funny part is, once I do a case by case bypass of my primary DNS server, and send that request bypassing my VPN and then get the IP address, the loading of the websites just works, despite the fact that the actual web request is still coming from behind my VPN.

So it looks like they are only filtering DNS requests, not actual traffic.