Assume a local business has a domain 'taco.rentals'. They setup a pi-hole with some upstream DNS servers. For this example, lets say the upstream point to their local DNS server and OpenDNS for additional filtering. Every so often when the business tries to resolve local services such as ad.taco.rentals or fileserver.taco.rentals. These local domain names resolve about 70% of the time because some of the queries to the local DNS sever while others go to the OpenDNS server. You can set up strict-order to work manually editing the config files, but it would be a nice to have the feature supported in the GUI.
On a side note there are a lot of taco domains that are not claimed yet. My favorite so far:
taco.direct
taco.news
taco.gives
taco.guru
taco.rentals
taco.engineer
taco.partners
taco.reviews
taco.charity
taco.training
If you want all the DNS traffic filtered by Pi-Hole, then all the DNS traffic needs to go to Pi-Hole only. If Pi-Hole doesn't block the query, then Pi-Hole will forward the request to OpenDNS if OpenDNS is the upstream DNS server for Pi-Hole. As you note, if clients have the option of going to OpenDNS directly, that traffic bypasses Pi-Hole.
Local domains can be mapped in /etc/hosts or in a configuration file in /etc/dnsmasq.d
I apologize I did not make the that statement very clear. When I mentioned upstream DNS servers. I mean upstream from the Pi-hole. All devices are pointing to the Pi-Hole.
I may have put the cart before the horse is suggesting a solution instead of asking the best way to handle this situation. When there is a local DNS server that already serves up local content (local as in, internal services that are not exposed to the internet), but you Pi-hole forwards queries to not just the local DNS but to other selected upstream DNS servers it can affect the availability of local content. When you talk about mapping your local domain, I am not familiar with what you are referring to for mapping the local domain. For example, would I need to list all local records that are already defined on the local DNS server in the specified files? Or could I specify that domain should be looked up at the specified DNS server?
The best solution here might be to put the two upstreams in series. For example, forward all DNS requests from your clients to the local DNS server, set up to only respond for local DNS entries. If that resolver cannot answer, it sends the requests to Pi-Hole. The downside of this is that all Pi-Hole queries will come from the local DNS server and you lose identity of the original client that made the request.
An alternate setup could be all traffic to Pi-Hole, Pi-Hole to local DNS, and local DNS to OpenDNS if it isn't a local domain. This provides the opportunity to match DNS requests to Pi-Hole to specific clients.
You would put all the local entries in one of the two files I mentioned. If it's just a few and they don't change frequently, this is manageable. If you have active DNS changes and the local DNS server keeps track of a lot of local addresses, this might not be as attractive.
This is how I have it currently setup. My PiHole points only to the internal DNS server. Which is why I requested strict-order. So that the Pi-hole would attempt the internal one first. Then reach out to the external servers.
Does this request make more sense now?
@jfb what about kitten domains? These are all open.
kitten.energy
kitten.rentals
kitten.parts
kitten.repair
It does not make more sense. If the two DNS servers are in series, there is no strict order issue. You have to go through the first to get to the second.
This seems like a half baked solution and introduces more risk. When you daisy chain you have a higher risk of failure. If the internal DNS server fails, it would nice to still have internet access. Its like buying a Nexus 10, when you run out of ports, you plug in a Linksys unmanaged switch. You can do it and people do, but it feels wrong.
You would have to like this one then - annoyedmod.com, that is legit not taken.
If this seems like a bogus feature request this can totally be ignored. I am really not trying to annoy you. I figured this would be something that is in scope and has a some level of a use case, in my opinion.
I'm trying to understand how you envision this feature working. Strict order is usually just that, with no reply logic to determine when to jump to an alternate server. From the dnsmasq manual (dnsmasq is embedded in pihole-FTL):
"-o, --strict-order
By default, dnsmasq will send queries to any of the upstream servers it knows about and tries to favour servers that are known to be up. Setting this flag forces dnsmasq to try each query with each server strictly in the order they appear in /etc/resolv.conf"
Ah, okay! Essentially if strict order is enabled. It will request them in a specific order. So if the internal DNS (which would need to be listed first), when that query does not resolve, for what ever reason, it will pull from the additional external sources listed. Your internal DNS would be broken, but external access would still work as intended.
@jfb as the annoyedmod.com domain funny? Or do I need to try another one?
I'm not sure about the use case above, but I'd like to see strict-order as part of the GUI (all it needs for that is a checkbox that then add the directive to the conf file).
It does though either need a note so say #2 is first and #1 is second or that the GUI inserts the servers into the conf file in the logical order as considered by the strict-order directive. As and when dnsmasq fixes that, the kludge can be removed in pi-hole.
I also don't understand exactly what OP is requesting here, but I'm all for the ability to set strict-order from the GUI. I use cloudflared (because of DoH+DNSSEC) as my main DNS, but the daemon malfunctions sometimes so I use my router (also DoH) as backup. I don't want to use both at the same time because my router is rather slow compared to Cloudflare.
Hm, before finding strict-order, I noticed that too. But it's either fixed or doesn't happen with strict-order enabled, because I have my DNS servers from most to least preferable (in the DNS tab and in 01-pihole.conf) and I only see request to the first server in my Query Log.