Docker Gateway IP Spamming "." NS queries

So I am running PiHole in docker. Everything is working as expected, except that for some reason PiHole is getting spammed approximately once per second by these queries:

   May 22 00:00:03 dnsmasq[221]: query[NS] . from
   May 22 00:00:03 dnsmasq[221]: exactly blacklisted . is NODATA

I added a blacklist for it as you can see. But it is still clogging up my statistics with useless information. After some digging, i've realised that is the "gateway" IP for my pihole docker network.

If I look at UFW logs on the host, I can see some similar port 53 traffic, but not happening once every second:

May 22 16:56:44 raspberrypi kernel: [ 3673.767965] [UFW ALLOW] IN= OUT=br-e0014f3a706f SRC= DST= LEN=45 TOS=0x00 PREC=0x00 TTL=64 ID=26680 DF PROTO=UDP SPT=32990 DPT=53 LEN=25 
May 22 16:56:45 raspberrypi kernel: [ 3675.391618] [UFW BLOCK] IN=br-e0014f3a706f OUT= MAC=02:42:3d:02:08:fa:02:42:ac:1e:09:02:08:00 SRC= DST= LEN=80 TOS=0x00 PREC=0x00 TTL=64 ID=55903 DF PROTO=UDP SPT=44036 DPT=53 LEN=60

Using UFW to block port 53 traffic didn't seem to help, but maybe I did something wrong...

Here is my tricorder log:

And here is my docker-compose:

# More info at and
    container_name: cloudflared
    # Restart on crashes and on reboots
    restart: unless-stopped
    image: cloudflare/cloudflared
    command: proxy-dns
      # Listen on an unprivileged port
      - "TUNNEL_DNS_PORT=5053"

      # Listen on all interfaces

    # Attach cloudflared only to the private network
    container_name: pihole
    image: pihole/pihole:latest
    # For DHCP it is recommended to remove these ports and instead add: network_mode: "host"
      - "53:53/tcp"
      - "53:53/udp"
    #  - "67:67/udp" # Only required if you are using Pi-hole as your DHCP server
      - "80:80/tcp"
      - "TZ=America/Chicago"
      # Internal IP of the cloudflared container
      - "DNS1="

      # Explicitly disable a second DNS server, otherwise Pi-hole uses Google
      - "DNS2=no"
      # WEBPASSWORD: 'set a secure password here or it will be random'
      - "MAXDBDAYS=2"
    # Volumes store your data between container upgrades
      - './etc-pihole:/etc/pihole'
      - './etc-dnsmasq.d:/etc/dnsmasq.d'
      - './resolv.conf:/etc/resolv.conf'
   # cap_add:
   #   - NET_ADMIN # Required if you are using Pi-hole as your DHCP server, else not needed
    restart: unless-stopped
      - cloudflared

  # Create the internal network
    driver: bridge
        - subnet:

Bump? Anyone able to assist?

Looks like this is very similar to this topic:

Thank you, I will look through those and see if i can find any solution.

I probably would tread carefully when manipulating the firewall, as Docker is applying some elaborate iptables rulesets for container isolation.

In addition to rdwebdesign's link, note that '.' root DNS queries would be common for a recursive resolver, or for a DNSSEC validating resolver.

Pi-hole could also sending DNS requests for '.' if DNSSEC is enabled.

unbound is a recursive resolver, but it would usually send those requests to the root DNS server, not to Pi-hole .

You wouldn't perhaps redirect DNS to your Pi-hole at your router's firewall?

I have already disabled DNSSEC a while ago since i'm using a DoH upstream resolver via cloudflared.

And yes, I do have my unifi controller set to pi-hole's DNS for my whole network.

After looking at the link above, I disabled my wireguard container for now and it has stopped the "." queries. Doesn't really resolve the problem long term yet, as I now can't remotely log into my home network with wireguard disabled. Unfortunately I still haven't found a couple hours to completely dive into the reading from the link above to see if there is a more nuanced approach to resolving the issue...