Does "Never forward non-FQDN queries" do anything?

I have Pi-hole running in an LXC in Proxmox 9.1.6 that was created using the Proxmox VE Helper Script for Pi-hole.

My network is behind a Verizon router model XCI55AX that will not allow me to change the DNS settings handed out by DHCP. So far I have not figured out a way to get Pi-hole working for my whole network, only on systems where I can manually configure the DNS. I’ve tried replacing the DHCP/DNS functions on the router with those supplied by Pi-hole but when I do that the damn router throws a tantrum and stops working. I am very frustrated about that but it’s not actually why I am posting.

What I am posting about is that I cannot figure out how to correctly configure Pi-hole to forward non-FQDN lookups to the Verizon router. I have everything else working, even reverse-lookups are functioning. But not unqualified hostnames. Changing the setting of “Never forward non-FQDN queries” does not seem to make any difference at all.

What I am expecting it to do is append the local domain name (which I have configured in the GUI) onto that hostname then resolve it but instead Pi-hole is refusing. My token is below if someone would be kind enough to take a look.

https://tricorder.pi-hole.net/Q3S93ctM/

Ticking Never forward non-FQDN queries would do the opposite of what you want to achieve: It would prevent any request for a non-dot domain to be forwarded. That setting needs to be unticked.

For such non-dot requests for local hostnames to be resolved successfully, you'd need matching DNS entries to be defined somewhere, either by Pi-hole or by some other DNS server in your network.

If another DNS server holds those records, you'd have to configure Pi-hole's Conditional Forwarding to that DNS server.

Your debug log indicates you've correctly configured Conditional Forwarding to your router at 10.11.12.1:

     revServers = [
       "true,10.11.12.0/24,10.11.12.1#53,your.domain"
     ] ### CHANGED, default = []

However, you've also added a custom dnsmasq configuration, which would conflict with Pi-hole's Conditional Forwarding:

     -rw-r--r-- 1 root root 63 Mar  2 20:55 /etc/dnsmasq.d/99-your.domain.conf
        server=/your.domain/#
        address=(…)

That first line configures Pi-hole to use its standard servers for your.domain, i.e. its configured upstreams.

You should remove that custom configuration.

In addition, you want to verify that your router is correctly answering local DNS requests, e.g. by requesting resolution for a local hostname directly from your router:

     nslookup <hostname> 10.11.12.1

If that does return NXDOMAIN, it would demonstrate that your router doesn't keep DNS records for local hostnames, so configuring Conditional Forwarding would be futile.
Instead, you'd have to create Local DNS Records in Pi-hole.


And some remarks on your router's/network's IPv6 DNS configuration

Your debug log indicates that your router advertises its own IPv6 GUA as DNS server. This would have IPv6 clients by-pass Pi-hole via your router.

You'd have to find a way to configure your router to stop advertising its own IPv6 as DNS server, or to advertise your Pi-hole host machine's IPv6.

You'd have to consult your router's documentation sources on further details for its IPv6 configuration options.

If your router doesn't support configuring IPv6 DNS, you could consider disabling IPv6 altogether, provided you'd not depend on IPv6 for reasons.

If your router doesn't support that either, your IPv6-capable clients will always be able to bypass Pi-hole via IPv6.
You could then try to mitigate this, by setting Pi-hole as the only upstream of your router, provided your router supports it.
But note that you won't be able to attribute DNS requests to original individual IPv6 clients in such a configuration.

In addition, there is another router advertising a different local search domain:

     *** [ DIAGNOSING ]: Discovering active DHCP servers (takes 6 seconds)
        Scanning all your interfaces for DHCP servers and IPv6 routers
        Timeout: 6 seconds
        
        * Received 56 bytes from fe80::<redacted> @ eth0
          Hop limit: 64
          Stateful address conf.: Yes
          Stateful other conf.: Yes
          (…)
          DNS search list: <redacted>.org 
           DNS search list lifetime: 1800 sec
          MTU: 1500 bytes (valid)

If that's by intention, you may want to consider also configuring Conditional Forwarding for that domain.
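
The conflict described in the answer above, as an added example that is not part of the thread and not Pi-hole's own tooling: it takes the domain from a `revServers` entry and lists `server=`/`local=` lines in a dnsmasq drop-in directory that name the same domain. The function names, the scan of every file in the directory, and the sample files are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not Pi-hole code. Flags dnsmasq drop-in lines that override
# the domain of a Conditional Forwarding (revServers) entry.

# Print the domain of an enabled entry: "<enabled>,<cidr>,<server>,<domain>"
# (field layout taken from the debug log excerpt above).
revserver_domain() {
    IFS=, read -r enabled _cidr _server domain <<EOF
$1
EOF
    [ "$enabled" = "true" ] || return 1
    [ -n "$domain" ] || return 1
    printf '%s\n' "$domain"
}

# List "file:line: text" for every server=/local= line in DIR whose domain
# list contains DOMAIN. local= is dnsmasq's synonym for server=.
find_conflicts() {
    dir=$1
    domain=$2
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        awk -v d="$domain" -v f="$f" '
            /^[ \t]*#/ { next }
            /^[ \t]*(server|local)=\// {
                n = split($0, part, "/")
                # part[1] is the keyword, part[n] the server address
                for (i = 2; i < n; i++)
                    if (part[i] == d) { print f ":" FNR ": " $0; break }
            }' "$f"
    done
}

# Demo on constructed files (the server= line is the one quoted above).
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'server=/your.domain/#\n' > "$tmp/99-your.domain.conf"
    printf '# server=/your.domain/#\nserver=/other.example/192.0.2.53\n' > "$tmp/50-other.conf"
    dom=$(revserver_domain "true,10.11.12.0/24,10.11.12.1#53,your.domain") || return 1
    find_conflicts "$tmp" "$dom"
    rm -rf "$tmp"
}
demo
```

On a real host, `find_conflicts /etc/dnsmasq.d your.domain` would be the equivalent call; any line it prints is a candidate for removal before relying on Conditional Forwarding.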

Got it, I’ve un-ticked Never forward non-FQDN queries and yes, that revServers entry makes reverse lookup work. And I figured out that the dnsmasq configuration was a mistake and removed it. Yes, the ISP router that is performing DHCP does correctly answer local DNS requests. Everything seems to be working now that I noticed that the Group Management section Client list had no members configured. So I entered my sub-net as the default client and suddenly it all worked.

About the “remarks on your router’s/network’s IPv6 DNS configuration”… It’s a Verizon router and they won’t let me touch the DNS server addresses either for the router or for the DHCP packets it sends out. I’ll take a look at what that other DHCP server is because there definitely should not be a third.

Thank you for your help. I think my big mistake was not figuring out that I needed to add my local network as a client. Somehow I missed that in the “Configuring Pi-hole” documentation I read.

BTW, have you any advice about how to handle the fact that the Verizon router (model ARC-XCI55AX) won’t let me change that it advertises itself as the DNS server in the DHCP packets? I’ve tried turning off the DHCP and using Pi-hole to do it instead but when I did that it seemed like it threw a tantrum and stopped working.

I’m curious if you know of anyone that has gotten Pi-hole working with that model of router before. Did they have to manually configure the DNS settings for all their devices?

Did you remember to set a Static IP before disabling the router DHCP server?

For the system I was working from? I’m not actually sure what you mean. A Static IP for which machine(s)?

I had a static IP address set up for the Pi-hole server and I had it serving dynamic and static/served addresses as appropriate for all the other devices on the network when I shut off the router DHCP. But when I did that it took the WiFi network down.
