If there is a request for a blocked host like "msmetrics.ws.sonos.com" you should see one request for that host in the logs which is then blocked.
Actual Behaviour:
There are two requests. One blocked request for "msmetrics.ws.sonos.com" which is correct. But also one more request for "msmetrics.ws.sonos.com.urs.lan" where "urs.lan" is my local domain.
So in the statistics I currently see e.g. 2343 hits for the blocked domain "msmetrics.ws.sonos.com" but also 1499 forwarded requests which are not blocked.
Anything I am doing wrong or is this the expected behaviour?
Ok, so if I understand correctly, then for every request to a blocked domain there is also an additional request made with the local domain added? What is causing that behaviour?
I thought if you just request e.g. "msmetrics" then a local domain like "urs.lan" is automatically added to the request.
However if a request to a fully qualified domain name is made, it should not automatically add an additional request with the local domain added?
Could you please explain to me in a little more detail what is happening here and why?
The requests for the domain ending in .lan (from IP 40), are going to the router, it appears, but no reply is shown in the log. Are you using your router as the upstream DNS server for Pi-Hole, or does the Pi-Hole use a commercial third party DNS server?
From the IP=40 client, what happens when you NSLOOKUP or DIG "msmetrics.ws.sonos.com"?
A request from IP 40 with a .lan suffix, which Pi-Hole forwarded to the router, not to unbound. Do you have conditional forwarding enabled on the Pi-Hole?
Sep 20 21:55:08 dnsmasq[832]: 343956 192.168.1.40/53941 forwarded msmetrics.ws.sonos.com.urs.lan to 192.168.1.1
You mean conditional forwarding? Yes, I configured Pi-hole to send "urs.lan" requests to my router as the router is the one who has all the knowledge about internal hosts (as it works as the DHCP server as well).
If you don't use conditional forwarding, do all your queries from the router show as the router, or does Pi-Hole show the individual clients? This varies by router (with Apple routers I see the clients without conditional forwarding).
Do you have any local clients mapped in /etc/hosts on the Pi?
You mean if I make a DNS query from the command line of my router? Otherwise: My router does not do any queries against Pi-hole?
To clarify my config:
All my clients have the Pi-hole server as DNS
So DNS queries from the clients go to the Pi-hole server
If the query is a local one (".urs.lan"), Pi-hole forwards the request to my router via conditional forwarding
If the query is an external one which should be blocked, Pi-hole blocks the request
If the query is an external one which is not on any blacklist, Pi-hole forwards to the upstream server "127.0.0.1#5353" which is my Unbound server on the same machine
My router itself sends external queries (which should never reach my router ;-)) to an external upstream DNS
All queries to your Pi-Hole come through the router, as that is your traffic manager on the network, but they don't all originate at the router. From Client, to router, to Pi-Hole. It's a hub and spoke setup.
The reason for conditional forwarding is to let the Pi-Hole find out which specific client of the router requested the IP address. Without this, in some setups with the router providing DHCP, all DNS requests to the Pi-Hole appear to come from the router. In fact, they come from individual clients but the router isn't passing this information to Pi-Hole.
As a test, turn off conditional forwarding and see where your Pi-Hole DNS queries are coming from.
Ok, now I understood your question. Just tested with conditional forwarding disabled and I do get the correct IP of the requesting client in the log. However I still see an additional request with the local domain added.
But: In the meantime I really think that the client makes the additional request as they do not happen to all blocked domains.
They happen for Sonos devices, the Sonos desktop clients on Win and Mac and also from Amazon Echo devices. Maybe these clients just try a failed request again with the local domain added (they know the local domain suffix via DHCP).
Other requests are only nslookup requests from Win and Mac which I do manually for testing. So nslookup might also add the local domain if the request fails.
If Pi-hole does the request I would say that all blocked domain requests should be duplicated.
This appears to be the case. I don't believe Pi-Hole has the ability to initiate any requests - it just receives and answers DNS requests.
I don't have a domain name on my network, so I'm not seeing any of this behavior. I have Sonos speakers, Sonos iOS clients (I don't use the Sonos desktop clients), and a pile of Amazon Echo devices. None of them do this, they just make straight requests.
Just guessing here - this could be a behavior of the router as well (adding the domain and forwarding the request). I would leave conditional forwarding off for now and see if there is a change.
For local client resolution, add clients (one per line) to the Pi /etc/hosts file (leave the existing entries there). I do this primarily so I won't see IPs in my Pi-Hole admin display and logs, I see the client name as mapped in the hosts file. But this also provides IP addresses when I dig a local client name (dig printer returns 192.168.0.102).
I guess that might be the reason why the behaviour here is different. So I think I have to live with that. It really seems to be only Sonos and Amazon which are affected.
As I said, disabling conditional forwarding does not change anything in the behaviour (besides that I would need to make double definitions for my local DNS names which I would like to avoid).
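To see which clients produce the suffixed retries discussed in this thread, the following added example (not part of any post and not Pi-hole's own code) scans dnsmasq query log lines and reports every fully qualified name that the same client also asked for with the local search domain appended. The sample log lines are constructed in the format of the log line quoted above, the `query[...]` line layout is assumed to be the standard dnsmasq one, and the function name `suffixed_retries` is hypothetical.

```python
import re
from collections import Counter

# dnsmasq "query" lines, with or without the serial/client prefix that
# appears in the log line quoted in the thread.
QUERY_RE = re.compile(
    r"dnsmasq\[\d+\]: (?:\d+ \S+ )?query\[(?P<qtype>[^\]]+)\] "
    r"(?P<name>\S+) from (?P<client>\S+)"
)

def suffixed_retries(lines, search_domain):
    """Count queries for <fqdn>.<search_domain> where the same client also
    asked for <fqdn> itself. Single-label names such as "printer" are
    skipped: appending the search domain to them is normal local lookup."""
    suffix = "." + search_domain.lower().strip(".")
    asked = set()      # every (client, name) seen in a query line
    candidates = []    # (client, base name) for each suffixed query
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue   # forwarded / reply / cached lines are ignored
        name = m["name"].lower().rstrip(".")
        client = m["client"]
        asked.add((client, name))
        if name.endswith(suffix):
            base = name[: -len(suffix)]
            if "." in base:
                candidates.append((client, base))
    # Order-independent: keep only pairs whose base name was also queried.
    return Counter(pair for pair in candidates if pair in asked)

# Constructed sample input, modelled on the line quoted in the thread.
SAMPLE_LOG = [
    "Sep 20 21:55:08 dnsmasq[832]: 343955 192.168.1.40/53940 query[A] msmetrics.ws.sonos.com from 192.168.1.40",
    "Sep 20 21:55:08 dnsmasq[832]: 343956 192.168.1.40/53941 query[A] msmetrics.ws.sonos.com.urs.lan from 192.168.1.40",
    "Sep 20 21:55:08 dnsmasq[832]: 343956 192.168.1.40/53941 forwarded msmetrics.ws.sonos.com.urs.lan to 192.168.1.1",
    "Sep 20 21:56:10 dnsmasq[832]: 343960 192.168.1.23/40112 query[A] printer.urs.lan from 192.168.1.23",
    "Sep 20 21:56:11 dnsmasq[832]: 343961 192.168.1.23/40113 query[A] example.org from 192.168.1.23",
]

if __name__ == "__main__":
    for (client, base), n in suffixed_retries(SAMPLE_LOG, "urs.lan").items():
        print(f"{client} retried {base} with the search domain {n} time(s)")
```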