Internal domain suffix being reported on external domains

Ever since enabling Conditional Forwarding on Pi-Hole, I'm getting some strange results in the "Permitted Domains" section of the dashboard as seen in this screenshot:

Every host (whether it be internal or external) is appended with my internal domain suffix.

There are also a bunch of hosts which appear to be just random characters; none of those hosts actually exist.

It seems that 95% of the DNS queries are being answered by my secondary (internal) DNS server which is the green part of the graph. Before enabling conditional forwarding, this was not the case.

Any ideas?
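To make the two symptoms in this post measurable from the Pi-hole query log rather than from the dashboard graph, here is an added example (not code from the thread or from the Pi-hole project). It scans dnsmasq-style `query[...]`/`forwarded ...` lines, flags names where a public FQDN has had the internal search suffix tacked on, and computes what share of forwarded queries went to each upstream. The internal suffix `lan.home`, the upstream addresses and the log lines are constructed for the example; the public-TLD set is a small stand-in for the Public Suffix List.

```python
import re
from collections import Counter

# Assumed internal search domain for this example (not from the thread).
INTERNAL_SUFFIX = "lan.home"

# Small constructed sample of public TLDs; a real check would use the
# Public Suffix List instead.
PUBLIC_TLDS = {"com", "net", "org", "io"}

# dnsmasq query-log line shapes (log-queries): "query[A] name from client"
# and "forwarded name to upstream".
QUERY_RE = re.compile(r"query\[[A-Z]+\] (\S+) from (\S+)")
FWD_RE = re.compile(r"forwarded (\S+) to (\S+)")


def is_suffix_appended(name, suffix=INTERNAL_SUFFIX):
    """True when an external FQDN has had the internal suffix appended."""
    name = name.lower().rstrip(".")
    if not name.endswith("." + suffix):
        return False
    base = name[: -len(suffix) - 1]
    # "nas" -> plain internal host; "www.example.com" -> suffix was appended
    return "." in base and base.rsplit(".", 1)[1] in PUBLIC_TLDS


def analyse(lines, suffix=INTERNAL_SUFFIX):
    """Return (flagged query names, Counter of forwards per upstream)."""
    flagged = []
    upstream = Counter()
    for line in lines:
        m = QUERY_RE.search(line)
        if m and is_suffix_appended(m.group(1), suffix):
            flagged.append(m.group(1))
        m = FWD_RE.search(line)
        if m:
            upstream[m.group(2)] += 1
    return flagged, upstream


def upstream_share(upstream):
    """Fraction of forwarded queries that each upstream answered."""
    total = sum(upstream.values())
    return {ip: n / total for ip, n in upstream.items()} if total else {}


# Constructed log excerpt: 192.168.1.2 plays the internal DNS server,
# 1.1.1.1 the public upstream.
SAMPLE_LOG = [
    "Jan  1 12:00:01 dnsmasq[123]: query[A] nas.lan.home from 192.168.1.20",
    "Jan  1 12:00:01 dnsmasq[123]: forwarded nas.lan.home to 192.168.1.2",
    "Jan  1 12:00:02 dnsmasq[123]: query[A] www.example.com.lan.home from 192.168.1.20",
    "Jan  1 12:00:02 dnsmasq[123]: forwarded www.example.com.lan.home to 192.168.1.2",
    "Jan  1 12:00:03 dnsmasq[123]: query[AAAA] www.example.com.lan.home from 192.168.1.21",
    "Jan  1 12:00:03 dnsmasq[123]: forwarded www.example.com.lan.home to 192.168.1.2",
    "Jan  1 12:00:04 dnsmasq[123]: query[A] cdn.example.net.lan.home from 192.168.1.22",
    "Jan  1 12:00:04 dnsmasq[123]: forwarded cdn.example.net.lan.home to 192.168.1.2",
    "Jan  1 12:00:05 dnsmasq[123]: query[A] www.example.org from 192.168.1.20",
    "Jan  1 12:00:05 dnsmasq[123]: forwarded www.example.org to 1.1.1.1",
]

if __name__ == "__main__":
    flagged, upstream = analyse(SAMPLE_LOG)
    print("suffix-appended queries:", sorted(set(flagged)))
    for ip, share in upstream_share(upstream).items():
        print(f"{ip}: {share:.0%} of forwards")
```

On a real Pi, point `SAMPLE_LOG` at the lines of `/var/log/pihole.log` instead; a large share of forwards landing on the internal server together with a long list of suffix-appended names is the pattern described in the post. Multi-label internal names such as `printer.floor2.lan.home` are not flagged, because their last label before the suffix is not a public TLD.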

What are your settings for "Never forward non-FQDNs" and "Never forward reverse lookups for private IP ranges" on the Admin GUI > Settings > DNS page? Example below.

Never forward non-FQDNs and Never forward reverse lookups for private IP ranges are both ENABLED.

You were previously running with Conditional Forwarding turned off. Why did you turn it on?

I was previously using it turned off. The reason I enabled it was because local clients on the LAN were having issues resolving internal host names. With Conditional Forwarding switched on, it resolved the internal name resolution issue.

I did check that both the DNS addresses of Pi-Hole and the internal DNS server were being dished out by DHCP. I have since swapped these addresses around (internal first, then external) to see if it makes a difference, but it shouldn't matter if the internal DNS is secondary... should it?

What is your internal DNS server doing? If it's providing local addresses, those could likely be moved to the /etc/hosts file on the Pi, and the Pi would serve them up.

Yes, internal DNS is only providing internal addresses. I could forward DHCP queries to Pi-Hole I suppose, the reason I haven't so far is that it introduces another point of failure in the network if the Pi-Hole were to go down for whatever reason.

I think you may have created a loop with conditional forwarding.

The clean solution is to not use the internal DNS, move those static host names to the /etc/hosts file (you can name them whatever you want), then eliminate the internal DNS from the process and turn off conditional forwarding.

The way you have it now, if your Pi-Hole were to go down, can your clients still reach the internet or does your internal DNS server provide a path to the internet?

Yes, you raise a good point. If the Pi-Hole were inaccessible, the clients would not be able to reach the internet, but at the very least, clients would still get an IP from DHCP and would be able to access internal resources. I'll have a play and see what I can sort out.

A cheap solution to this dilemma - get a second Pi (a Zero W is fine), then run that in parallel with the first. Set it up the same as the first (same hosts file, etc.), and then list this Pi as the second DNS in your router. That way, if either Pi fails or hangs, the other Pi automatically takes over. $30 US solution.

Great idea. Thank you for the suggestions and also the ridiculously fast responses!

Good luck. Post your solution here - others will be interested.

SOLUTION:

It seems as though the Ubiquiti DNS/DHCP services were misbehaving (they aren't very robust to begin with). I don't know the root cause; however, I have updated the config of my network as follows:

  • I have disabled all DHCP services on my UBNT USG Pro 4.
  • Manually specified the IP address of the Pi-hole in the DNS settings located in the LAN config (on the UBNT gear).
  • Enabled DHCP on the Pi-hole.
  • Rebooted / refreshed the IP config on all clients; they are now getting IP addresses and resolving local hostnames from the Pi-hole.

I would however like to see static name mappings included in the Pi-hole GUI in the future. I have some clients which use a (hardcoded) static IP address and they weren't resolving properly. I've manually added them to the /etc/hosts file. It's a bit of a pain from a management point of view as if I ever change things, I need to remember to always check that file otherwise I could be left chasing my tail.

I tried adding a static map to those clients in the DHCP settings; however, that failed. I suspect because the static IPs were located outside of the configured DHCP pool address range (even though the static map appeared in the list, it wasn't handing out those IP addresses).
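The management pain described in this post (static hosts kept in `/etc/hosts` by hand, static addresses that sit outside or inside the DHCP pool) can be reduced by generating the hosts entries from one inventory and checking that inventory before publishing it. The following is an added example, not code from the thread or from Pi-hole: the subnet `192.168.1.0/24`, the pool `192.168.1.100`-`192.168.1.200`, the suffix `lan.home` and the inventory entries are all constructed values.

```python
import ipaddress

# Constructed example values (not from the thread): the LAN subnet, the
# DHCP pool the Pi-hole hands out from, and the static-IP inventory.
LAN = ipaddress.ip_network("192.168.1.0/24")
DHCP_POOL = (ipaddress.ip_address("192.168.1.100"),
             ipaddress.ip_address("192.168.1.200"))
INVENTORY = [
    ("nas", "192.168.1.10"),
    ("printer", "192.168.1.11"),
    ("printer", "192.168.1.12"),     # duplicate hostname
    ("cam-front", "192.168.1.150"),  # inside the DHCP pool: lease collision risk
    ("oops", "10.0.0.5"),            # not on the LAN at all
]


def check_inventory(inventory, lan=LAN, pool=DHCP_POOL):
    """Return a list of human-readable problems found in the inventory."""
    issues = []
    seen_names, seen_ips = {}, {}
    for name, ip_text in inventory:
        ip = ipaddress.ip_address(ip_text)
        if name in seen_names:
            issues.append(f"{name}: duplicate hostname (also {seen_names[name]})")
        seen_names.setdefault(name, ip_text)
        if ip_text in seen_ips:
            issues.append(f"{name}: {ip} already used by {seen_ips[ip_text]}")
        seen_ips.setdefault(ip_text, name)
        if ip not in lan:
            issues.append(f"{name}: {ip} is not in {lan}")
        elif pool[0] <= ip <= pool[1]:
            issues.append(f"{name}: {ip} lies inside the DHCP pool "
                          f"{pool[0]}-{pool[1]}")
    return issues


def render_hosts(inventory, suffix):
    """Emit /etc/hosts lines: 'ip fqdn shortname' so both forms resolve."""
    return [f"{ip_text}\t{name}.{suffix}\t{name}" for name, ip_text in inventory]


if __name__ == "__main__":
    problems = check_inventory(INVENTORY)
    if problems:
        print("fix these before writing /etc/hosts:")
        for p in problems:
            print("  -", p)
    else:
        print("\n".join(render_hosts(INVENTORY, "lan.home")))
```

Run it as a pre-check whenever the inventory changes; the hosts lines are only written when the inventory is clean, which removes the "remember to check that file" step. A static address inside the DHCP pool is reported because the DHCP server may lease the same address to another client, which matches the symptom the post describes with static mappings outside the pool not being honoured.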

