Forward Lookup Zone Issue

I have a windows server with multiple forward lookup zones (, setup. My DNS lookups go client -> Pi-hole -> Windows Server.

Expected Behaviour:

Pi-hole should return internal IPs for all of the domains setup in my windows server.

Actual Behaviour:

Pi-hole is not returning local IPs for one of the forward zones, for this zone it's returning my public ip. From my client PCs if I do an nslookup for I get my internal IP, but if i do I'm getting my external IP. I don't think it's an issue with my server because an nslookup of on the server returns the internal IP. Any idea when for the second lookup zone it's returning my public IP?

Screen Shots of my setup:

Windows DNS settings:

lookup from DNS server

Pi-Hole settings:

look up from pi-hole host

lookup from client

I've updated the format of my post, any help would be appreciated.

Please upload a debug log and post just the token URL that is generated after the log is uploaded by running the following command from the Pi-hole host terminal:

pihole -d

or do it through the Web interface:

Tools > Generate Debug Log

I was looking at the log and saw this:

-rw-r--r-- 1 root root 34 Mar 25  2021 /etc/dnsmasq.d/02-pihole.conf

which i don't think is correct and I'm not sure were to change it.

There are a few things peculiar from your debug log (in addition to what you've already spotted).

Your firewall does not seem to allow access to Pi-hole's UI nor its DNS server:

*** [ DIAGNOSING ]: FirewallD
[i] Firewalld service active
[✗]   Allow Service: http (
[✗]   Allow Service: dns (
[✓]   Allow Service: dhcp
[✓]   Allow Service: dhcpv6
[✗] FTL Custom Zone Not Detected (

This would mean that DNS requests will never make it to Pi-hole.
You'd have to configure FirewallD to allow Pi-hole's required ports.

There is also another DNS resolver (dnsmasq) running on your Pi-hole machine:

*** [ DIAGNOSING ]: Ports in use
[✓] udp: is in use by pihole-FTL
[✗] udp: is in use by dnsmasq (

This is usually bound to create conflicts over port 53, so you'd have to disable or uninstall any additional DNS servers.
In your case, dnsmasq binds to your virbr0's, which seems to be separate from your network - your enps0 carries

Is this by intention?
What's the purpose of the other subnet?
What's the purpose of that dnsmasq?

Your debug log shows no DHCP server answering on your Pi-hole machine's links:

*** [ DIAGNOSING ]: Discovering active DHCP servers (takes 10 seconds)
   Scanning all your interfaces for DHCP servers
   Timeout: 10 seconds
   DHCP packets received on interface ens192: 0
   DHCP packets received on interface virbr0: 0

This is unusual.
Are you operating your Pi-hole in some kind of virtualised environment?

We can't see what DNS servers your DHCP server is distributing, but your resolv.conf points to

*** [ DIAGNOSING ]: contents of /etc

-rw-r--r-- 1 root root 78 Feb 19 17:47 /etc/resolv.conf

Unless you've manually configured those, this may indicate that your DHCP server is distributing those two DNS servers.

Which of those is your Windows Server?
What is the other?

Your Pi-hole is using just one of them as upstream:

*** [ DIAGNOSING ]: Setup variables

As its Pi-hole's only upstream, any public address results are coming from that source.
This would include your lookups.

But as your current firewall settings prohibit DNS to been handled by Pi-hole, its unclear how Pi-hole should have provided any reply at all.

Run from your Pi-hole machine, what's the output of:

echo ">stats >quit" | nc localhost 4711

I'm not sure why it's not passing those firewall settings. I can definitely access the UI and nslookup says it's getting it's dns from pi-hole. I am running on this on a VM. It's CentOS8 on ESXi. There is only one NIC on the VM and it's ip address is I'm not sure where the is coming from. I also have no idea why dnsmasq is running (i'm still new to linux). I tried to disable it and rerun the logs but i still see the error your pointed out.

As far as the DHCP comments. The VM has a static IP and I'm not using Pi-hole for DHCP, is my windows server, is a backup DNS sever i have running. I only had the one one listed as the upstream while I was testing the issue.

All of that being said, I removed the contents of the /etc/dnsmasq.d/02-pihole.conf file and now everything looks to be working.

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.