Internal domains are not forwarded to upstream DNS

I upgraded to v6 lately to give it a try. First, my working config for v5:

Unbound as upstream DNS

I followed the instructions and added unbound as only upstream DNS, listening on:

  • 127.0.0.1#5335
  • ::1#5335

I added a zone file for the zone internal:

server:
local-zone: "internal." static

local-data: "wpad.internal. IN A 192.168.42.254"
local-data: "wpad.internal. IN AAAA fd03:4fbe:19c5:37a5:d8b8:2694:bc1d:ef9c"
local-data: "wpad.internal. IN HTTPS 1 . port=80 ipv4hint=192.168.42.254 ipv6hint=fd03:4fbe:19c5:37a5:d8b8:2694:bc1d:ef9c"

Pi-hole as DHCP server

I configured pi-hole as my sole DHCP server and disabled the one in my router.

Internal domain

The internal domain is internal. I also disabled:

  • Never forward non-FQDN A and AAAA queries
  • Never forward reverse lookups for private IP ranges

With v5, requests, e.g. ping wpad.internal, were answered. Now with v6 I need to add
the domain wpad.internal to the Local DNS Records in the Pi-hole settings.

Without them being added this is the result when I dig Pi-hole directly:

dig @127.0.0.1 wpad.internal A
dig @127.0.0.1 wpad.internal AAAA


; <<>> DiG 9.18.28-1~deb12u2-Debian <<>> @127.0.0.1 wpad.internal A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 31254
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;wpad.internal.			IN	A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Tue Oct 01 14:56:30 CEST 2024
;; MSG SIZE  rcvd: 42


; <<>> DiG 9.18.28-1~deb12u2-Debian <<>> @127.0.0.1 wpad.internal AAAA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10987
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;wpad.internal.			IN	AAAA

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Tue Oct 01 14:56:30 CEST 2024
;; MSG SIZE  rcvd: 42

And here when I ask unbound directly:

dig @127.0.0.1 -p 5335 wpad.internal A
dig @127.0.0.1 -p 5335 wpad.internal AAAA

; <<>> DiG 9.18.28-1~deb12u2-Debian <<>> @127.0.0.1 -p 5335 wpad.internal A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54515
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;wpad.internal.			IN	A

;; ANSWER SECTION:
wpad.internal.		3600	IN	A	192.168.42.254

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1) (UDP)
;; WHEN: Tue Oct 01 14:56:04 CEST 2024
;; MSG SIZE  rcvd: 58


; <<>> DiG 9.18.28-1~deb12u2-Debian <<>> @127.0.0.1 -p 5335 wpad.internal AAAA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18910
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;wpad.internal.			IN	AAAA

;; ANSWER SECTION:
wpad.internal.		3600	IN	AAAA	fd03:4fbe:19c5:37a5:d8b8:2694:bc1d:ef9c

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1) (UDP)
;; WHEN: Tue Oct 01 14:56:04 CEST 2024
;; MSG SIZE  rcvd: 70

So why doesn't v6 forward these requests to unbound anymore?

Please quote the relevant lines from

/var/log/pihole/pihole.log

for the misbehaving queries

Also, it'd be great if you could generate and upload a debug log using so we have your exact configuration to check:

sudo pihole -d

(only provide the token)

Token:

https://tricorder.pi-hole.net/EQgoUg6U/

pihole.log:


Oct  1 18:23:18 dnsmasq[17595]: query[A] wpad.internal from 127.0.0.1
Oct  1 18:23:18 dnsmasq[17595]: config wpad.internal is NXDOMAIN
Oct  1 18:23:18 dnsmasq[17595]: query[AAAA] wpad.internal from 127.0.0.1
Oct  1 18:23:18 dnsmasq[17595]: config wpad.internal is NXDOMAIN
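The four pihole.log lines above are exactly what to look for: dnsmasq answers from its own config ("config ... is NXDOMAIN") and never logs a "forwarded ... to ..." line for the name. The following script is an added example for this thread, not Pi-hole or dnsmasq code. It summarises a pihole.log excerpt per queried name and lists the names under a local domain that were answered NXDOMAIN from config without being forwarded. The first four sample lines are the ones quoted above; the remaining lines are constructed to show the shape dnsmasq uses when it does forward a query (the names printer.internal and the 192.168.42.17/.20 addresses are invented).

```python
"""Summarise how dnsmasq (Pi-hole's resolver) disposed of each query in a
/var/log/pihole/pihole.log excerpt.  Added example for this thread; not part
of Pi-hole.  Sample lines marked 'constructed' are invented for the demo."""
import re
from collections import defaultdict

# One dnsmasq log line: timestamp, pid, event keyword, query name, remainder.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) dnsmasq\[\d+\]: "
    r"(?P<event>query\[(?P<qtype>[A-Z]+)\]|config|forwarded|reply|cached) "
    r"(?P<name>\S+) (?P<rest>.*)$"
)

SAMPLE_LOG = [
    # The four lines quoted in the thread:
    "Oct  1 18:23:18 dnsmasq[17595]: query[A] wpad.internal from 127.0.0.1",
    "Oct  1 18:23:18 dnsmasq[17595]: config wpad.internal is NXDOMAIN",
    "Oct  1 18:23:18 dnsmasq[17595]: query[AAAA] wpad.internal from 127.0.0.1",
    "Oct  1 18:23:18 dnsmasq[17595]: config wpad.internal is NXDOMAIN",
    # Constructed lines showing what a forwarded and answered query looks like:
    "Oct  1 18:30:02 dnsmasq[17595]: query[A] printer.internal from 192.168.42.17",
    "Oct  1 18:30:02 dnsmasq[17595]: forwarded printer.internal to 127.0.0.1#5335",
    "Oct  1 18:30:02 dnsmasq[17595]: reply printer.internal is 192.168.42.20",
]


def summarise(lines):
    """Return {name: {queries, config_nxdomain, forwarded, answers}}.

    Lines that do not match the dnsmasq query/config/forwarded/reply shape
    (e.g. startup banners) are skipped."""
    summary = defaultdict(
        lambda: {"queries": 0, "config_nxdomain": 0, "forwarded": [], "answers": []}
    )
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        entry = summary[m["name"].lower()]
        event, rest = m["event"], m["rest"]
        if event.startswith("query["):
            entry["queries"] += 1
        elif event == "config" and rest == "is NXDOMAIN":
            # Answered from dnsmasq's own config (local=/domain/), not upstream.
            entry["config_nxdomain"] += 1
        elif event == "forwarded" and rest.startswith("to "):
            entry["forwarded"].append(rest[3:])
        elif event in ("reply", "cached") and rest.startswith("is "):
            entry["answers"].append(rest[3:])
    return dict(summary)


def local_domain_not_forwarded(summary, local_domain):
    """Names under local_domain that got NXDOMAIN from config and were never
    forwarded: the symptom described in this thread."""
    suffix = "." + local_domain.strip(".").lower()
    return sorted(
        name
        for name, entry in summary.items()
        if name.endswith(suffix) and entry["config_nxdomain"] and not entry["forwarded"]
    )


if __name__ == "__main__":
    result = summarise(SAMPLE_LOG)
    for name, entry in sorted(result.items()):
        print(name, entry)
    print("not forwarded:", local_domain_not_forwarded(result, "internal"))
```

To run it on a real log, replace SAMPLE_LOG with the lines of /var/log/pihole/pihole.log (for example `open("/var/log/pihole/pihole.log")`); any name that appears in the "not forwarded" list was answered NXDOMAIN by dnsmasq's config rather than by unbound.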

When you enable Pi-hole's DHCP server, your Pi-hole is configured to treat your local domain as strictly local:

*** [ DIAGNOSING ]: contents of /etc/pihole

-rw-r--r-- 1 pihole pihole 6.5K Oct  1 15:12 /etc/pihole/dnsmasq.conf
   (…)
   domain=internal
   local=/internal/

That would keep local FQDN requests from spilling to public upstreams - in your case, from being forwarded to unbound.

As you are running unbound with local zone addresses, you could consider allowing those forwards again.

But using Pi-hole's local DNS records for your local definitions would seem a more natural approach.

Thanks for looking into this. But why is that? I did not add this line to the config file.

Because:

EDIT:
Apologies, I did not take into account that you are running Pi-hole v6.

Above would apply to Pi-hole v5, when Never forward non-FQDN A and AAAA queries is also ticked.

For v6, the behaviour changed indeed:
Those dnsmasq domain and local options for your internal domain are already set for the current value of dns.domain, i.e. enabling the DHCP server is not required anymore.

And where can I disable this? Is this a new feature in v6?

For v5, untick Never forward non-FQDN A and AAAA queries.

For v6, add a Conditional forwarding entry for the IP ranges and domain you want to be handled by unbound at 127.0.0.1#5335, e.g.

true,192.168.42.0/24,127.0.0.1#5335,internal
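To make the two points in this thread concrete (the `local=/internal/` line quoted earlier keeps queries for the local domain from being forwarded, and a conditional forwarding entry sends them to unbound instead), here is an added example that is not Pi-hole or dnsmasq code. It parses a few dnsmasq config lines and reports what happens to a query name. Two things are assumptions: that a v6 conditional forwarding entry ends up as `server=/internal/127.0.0.1#5335` plus `rev-server=192.168.42.0/24,127.0.0.1#5335` in the generated config, and that a `server=` entry for a domain takes precedence over a `local=` entry for the same domain, which is the simplest model consistent with the fix reported here. The suffix matching (most specific matching domain wins) is how dnsmasq selects a domain rule.

```python
"""Model dnsmasq's choice of upstream for a query, given Pi-hole's generated
config lines.  Added illustration for this thread, not Pi-hole or dnsmasq
code; precedence between local= and server= is an assumption (see below)."""
import re
from ipaddress import ip_address, ip_network

LOCAL_RE = re.compile(r"^local=/(?P<dom>[^/]+)/$")
SERVER_RE = re.compile(r"^server=/(?P<dom>[^/]+)/(?P<addr>\S+)$")
REV_RE = re.compile(r"^rev-server=(?P<cidr>[^,]+),(?P<addr>\S+)$")


def parse_config(lines):
    """Return (domain_rules, rev_rules).

    domain_rules maps a domain suffix to an upstream address, or to None for
    local-only (local=/domain/).  rev_rules is a list of (network, upstream)."""
    domain_rules, rev_rules = {}, []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):   # whole-line comments only;
            continue                            # '#' also separates ip#port
        if m := LOCAL_RE.match(line):
            # Assumption: a server= line for the same domain wins over local=,
            # regardless of order, so only record local= if nothing is set yet.
            domain_rules.setdefault(m["dom"].lower(), None)
        elif m := SERVER_RE.match(line):
            domain_rules[m["dom"].lower()] = m["addr"]
        elif m := REV_RE.match(line):
            rev_rules.append((ip_network(m["cidr"], strict=False), m["addr"]))
    return domain_rules, rev_rules


def disposition(name, domain_rules, local_records=frozenset()):
    """Classify a forward (A/AAAA) query.  local_records holds names Pi-hole
    answers itself (Local DNS Records)."""
    name = name.rstrip(".").lower()
    if name in local_records:
        return "answered locally"
    labels = name.split(".")
    # Longest (most specific) matching suffix first, as dnsmasq does.
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in domain_rules:
            addr = domain_rules[suffix]
            return "NXDOMAIN from config" if addr is None else f"forwarded to {addr}"
    return "forwarded to default upstream"


def reverse_disposition(ip, rev_rules):
    """Classify a PTR lookup for ip against rev-server rules."""
    addr = ip_address(ip)
    for net, upstream in rev_rules:
        if addr in net:
            return f"forwarded to {upstream}"
    return "forwarded to default upstream"


def check(config_lines, name, local_records=frozenset()):
    rules, _ = parse_config(config_lines)
    return disposition(name, rules, local_records)


# Constructed config fragments modelled on the thread.
V6_DEFAULT = ["domain=internal", "local=/internal/"]
V6_WITH_CF = V6_DEFAULT + [
    # Assumed lines produced by a v6 conditional forwarding entry of
    # true,192.168.42.0/24,127.0.0.1#5335,internal
    "rev-server=192.168.42.0/24,127.0.0.1#5335",
    "server=/internal/127.0.0.1#5335",
]

if __name__ == "__main__":
    print(check(V6_DEFAULT, "wpad.internal"))                     # NXDOMAIN from config
    print(check(V6_DEFAULT, "wpad.internal", {"wpad.internal"}))  # answered locally
    print(check(V6_WITH_CF, "wpad.internal"))                     # forwarded to 127.0.0.1#5335
    print(check(V6_WITH_CF, "example.com"))                       # forwarded to default upstream
    print(reverse_disposition("192.168.42.254", parse_config(V6_WITH_CF)[1]))
```

The three outcomes for wpad.internal line up with the thread: NXDOMAIN from config with the v6 default, answered locally once the name is in Local DNS Records, and forwarded to unbound once the conditional forwarding entry exists.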

Just one additional question, I guess I did not read the changelog for v6, did I? Also, may I ask why this has been decoupled from Never forward non-FQDN A and AAAA queries in v6?

Pi-hole v6 has not been released yet, so there are no release notes to read yet :wink: (if that's what you are referring to).

With v5, local domain awareness was tied to enabling Pi-hole's DHCP server, which makes sense as Pi-hole would announce that local domain as configured.

But for all Pi-hole installations with a disabled DHCP server (arguably, the majority of installations?), Pi-hole would have forwarded local domain FQDNs upstream, despite public upstreams' guaranteed lack of ability to resolve those domains as required.

As explained, Pi-hole v6 now will...

Your configuration of local zones in a colocated unbound is a special use case, and, as mentioned, kind of an unexpected one, as you can already define local DNS records with Pi-hole.


Thanks a lot for the explanation, and your patience. :blush: