I saw this warning for the first time today as well. It happened right after I updated my pihole installation via "pihole -up". I understand that this is a safety feature. However, I can't find any query in the logs that might have triggered the warning (the logs show no queries received at the time of the warning) and it should not be possible in my network for non-local queries to occur. My pihole is (or at least should be) behind my firewall, inaccessible to the outside world. If there are in fact queries from non-local devices, how do I see them in order to understand how they happened in order to take proper measures?
Or is this a false positive warning, indicating a bug in the warning system?
The warning is only printed once and does not contain any information. This is to avoid filling the log quickly, possibly leading to a DoS when indeed a lot of foreign traffic is arriving on an insufficiently firewalled Pi-hole.
Please try
pihole checkout ftl new/non_local_details
On the next warning of this type, you should also see the IP address triggering this warning. The warning is still printed only once (not once per address but once overall).
Do you want to tell us (even if only in the abstract)? I will submit this change upstream to the dnsmasq project and additional real-life experience may help get the change accepted more easily.
When I set up an IoT device on a different subnet, it inherited my phone's DNS setting. So the device was trying to use the pihole but it was 2 hops away, triggering the alert.
I still think having the IP address printed by default is a good idea -- if it had been, I would have seen immediately what was causing the warning and wouldn't have had to bother you here.
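The behaviour discussed in this thread, as an added example that is not part of the original posts and is not dnsmasq or FTL code: a simplified model of a resolver that ignores queries from sources outside its directly attached subnets and logs the warning only once, including the first offending address. The class name, the subnets, the `dropped` counter and the message wording are assumptions made for illustration.

```python
import ipaddress


class NonLocalQueryFilter:
    """Simplified model: accept only sources on directly attached subnets."""

    def __init__(self, interface_cidrs):
        # Subnets the resolver has an interface on (constructed sample values).
        self.local_nets = [ipaddress.ip_network(c, strict=False)
                           for c in interface_cidrs]
        self.warnings = []   # stands in for the log file
        self.dropped = 0     # hypothetical counter, added for illustration

    def is_local(self, source):
        addr = ipaddress.ip_address(source)
        if addr.is_loopback:
            return True
        return any(addr.version == net.version and addr in net
                   for net in self.local_nets)

    def accept(self, source):
        if self.is_local(source):
            return True
        self.dropped += 1
        # Log once overall (not once per address) so that a flood of
        # foreign queries cannot fill the log.
        if not self.warnings:
            self.warnings.append(
                f"ignoring query from non-local network {source} "
                "(logged only once)")
        return False


def replay(flt, sources):
    """Feed a list of source addresses through the filter."""
    return [flt.accept(s) for s in sources]


# Constructed scenario: resolver on 192.168.1.0/24, IoT device on a
# routed subnet (192.168.20.0/24) that inherited the resolver as its DNS.
SAMPLE_SOURCES = ["192.168.1.50", "192.168.20.7", "192.168.20.8", "127.0.0.1"]

if __name__ == "__main__":
    f = NonLocalQueryFilter(["192.168.1.2/24"])
    print(replay(f, SAMPLE_SOURCES), f.dropped, f.warnings)
```

Because the source address sits in the single warning, a routed client like the IoT device above can be identified from the log even though its ignored queries never appear in the query log.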