Local host names only resolved initially

Setup:

  • Fritz!Box as router with both DNS servers configured as 127.0.0.1 (so it never resolves any DNS requests)
  • Fritz!Box as DHCP server with Pi-hole configured as DNS server
  • Pi-hole as DNS proxy server, configured with DNS servers: 192.168.2.1 (router), 85.214.20.141; "Never forward non-FQDNs" is disabled

Expected Behaviour:

Pi-hole ALWAYS successfully resolving local hostnames like "dookie" and "fritz.box".

Actual Behaviour:

After a fresh Pi-hole restart (clearing the DNS cache), Pi-hole forwards a DNS request for a local hostname like "dookie" to both DNS servers. 192.168.2.1 successfully resolves it to the correct local IP address. The other DNS server fails to resolve it.
Some requests for "dookie" later seem to return the cached NXDOMAIN reply from 85.214.20.141, instead of the successful reply from the router.

Logfile /var/log/pihole.log:

First attempt:

Jun 23 14:52:19 dnsmasq[403]: 151 192.168.2.2/52655 query[A] dookie from 192.168.2.2
Jun 23 14:52:19 dnsmasq[403]: 151 192.168.2.2/52655 forwarded dookie to 85.214.20.141
Jun 23 14:52:19 dnsmasq[403]: 151 192.168.2.2/52655 forwarded dookie to 192.168.2.1
Jun 23 14:52:19 dnsmasq[403]: 151 192.168.2.2/52655 validation result is INSECURE
Jun 23 14:52:19 dnsmasq[403]: 151 192.168.2.2/52655 reply dookie is 192.168.2.2

Later on:

Jun 23 15:23:12 dnsmasq[403]: 2030 192.168.2.2/61559 query[A] dookie from 192.168.2.2
Jun 23 15:23:12 dnsmasq[403]: 2030 192.168.2.2/61559 cached dookie is NXDOMAIN
Jun 23 15:23:12 dnsmasq[403]: 2031 192.168.2.2/61560 query[AAAA] dookie from 192.168.2.2
Jun 23 15:23:12 dnsmasq[403]: 2031 192.168.2.2/61560 cached dookie is NXDOMAIN

I want to understand why we have this behaviour and how I can prevent it. Why is Pi-hole caching bad replies if it also gets good replies? Is this random order? After caching bad replies I never seem to get good replies into the cache again.

I know I can put "dookie" or "fritz.box" in the /etc/hostfile manually, or use the Pi as DHCP, but right now I am looking for better solutions.
Can I somehow tell Pi-hole to always use the first DNS server, or to always use it for non-FQDN requests? Or do I have to define a local domain for this somewhere?
**Is the best solution to only put the router into Pi-hole's DNS config as a second hop, and the external DNS into the router's DNS config?** This way it should resolve local hostnames and only ask the external DNS server for all other requests.
It's an additional hop, but blocking, local hostnames without manual config, and all other DNS requests should work, right? However, the router is then again able to answer DNS requests if some client somehow bypasses Pi-hole and directly uses the router as DNS proxy.

Another question in this context: I deactivated the IPv6 protocol on Pi-hole, but I still see DNS request attempts like in the log above. How can I completely prevent using IPv6 on Pi-hole?

I am very thankful for any support on this!

EDIT: I use the bold-marked way now, which seems to work very well for me!
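As an added example (not part of this thread or of Pi-hole itself), the following Python script reproduces the reasoning behind the log excerpts above: it parses dnsmasq-format lines from pihole.log, flags non-FQDN names (no dot in the name) that were forwarded to more than one upstream in the same query, and then flags any later "cached ... is NXDOMAIN" answer for a name that had previously received a real address reply. The sample lines are the ones quoted in the post; the log format assumptions (timestamp, `dnsmasq[pid]:`, query id, `client/port`, message) match what is shown there.

```python
import re
from collections import defaultdict

# Log lines quoted from the post above (pihole.log in dnsmasq format).
SAMPLE_LOG = """\
Jun 23 14:52:19 dnsmasq[403]: 151 192.168.2.2/52655 query[A] dookie from 192.168.2.2
Jun 23 14:52:19 dnsmasq[403]: 151 192.168.2.2/52655 forwarded dookie to 85.214.20.141
Jun 23 14:52:19 dnsmasq[403]: 151 192.168.2.2/52655 forwarded dookie to 192.168.2.1
Jun 23 14:52:19 dnsmasq[403]: 151 192.168.2.2/52655 validation result is INSECURE
Jun 23 14:52:19 dnsmasq[403]: 151 192.168.2.2/52655 reply dookie is 192.168.2.2
Jun 23 15:23:12 dnsmasq[403]: 2030 192.168.2.2/61559 query[A] dookie from 192.168.2.2
Jun 23 15:23:12 dnsmasq[403]: 2030 192.168.2.2/61559 cached dookie is NXDOMAIN
Jun 23 15:23:12 dnsmasq[403]: 2031 192.168.2.2/61560 query[AAAA] dookie from 192.168.2.2
Jun 23 15:23:12 dnsmasq[403]: 2031 192.168.2.2/61560 cached dookie is NXDOMAIN
"""

# Assumed line layout, taken from the excerpt: "<ts> dnsmasq[<pid>]: <qid> <client/port> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
    r"(?P<qid>\d+) (?P<client>\S+) (?P<msg>.*)$"
)
FORWARDED_RE = re.compile(r"^forwarded (?P<name>\S+) to (?P<upstream>\S+)$")
REPLY_RE = re.compile(r"^(?P<src>reply|cached) (?P<name>\S+) is (?P<answer>.+)$")


def is_fqdn(name: str) -> bool:
    """A name with at least one dot is treated as fully qualified."""
    return "." in name


def is_positive_answer(answer: str) -> bool:
    """True for an address/record answer, False for NXDOMAIN or NODATA variants."""
    return answer != "NXDOMAIN" and not answer.startswith("NODATA")


def analyze(log_text: str) -> dict:
    """Scan dnsmasq log lines and return two kinds of findings:

    racing_non_fqdn : names without a dot that one query forwarded to several
                      upstreams at once (whichever answers first wins the cache)
    stale_nxdomain  : (timestamp, query id, name) for cache hits returning
                      NXDOMAIN after the same name had a real address reply
    """
    upstreams_per_query = defaultdict(set)   # (qid, name) -> upstreams asked
    ever_positive = set()                    # names that got a real reply
    findings = {"racing_non_fqdn": set(), "stale_nxdomain": []}

    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # not a dnsmasq query line (or unknown layout); skip
        ts, qid, msg = m.group("ts"), m.group("qid"), m.group("msg")

        fw = FORWARDED_RE.match(msg)
        if fw:
            key = (qid, fw["name"])
            upstreams_per_query[key].add(fw["upstream"])
            if not is_fqdn(fw["name"]) and len(upstreams_per_query[key]) > 1:
                findings["racing_non_fqdn"].add(fw["name"])
            continue

        rp = REPLY_RE.match(msg)
        if not rp:
            continue   # e.g. "query[A] ..." or "validation result ..." lines
        name, answer = rp["name"], rp["answer"]
        if rp["src"] == "reply" and is_positive_answer(answer):
            ever_positive.add(name)
        elif rp["src"] == "cached" and answer == "NXDOMAIN" and name in ever_positive:
            findings["stale_nxdomain"].append((ts, qid, name))

    return findings


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print("non-FQDN names raced across upstreams:", sorted(result["racing_non_fqdn"]))
    for ts, qid, name in result["stale_nxdomain"]:
        print(f"{ts} query {qid}: '{name}' served NXDOMAIN from cache after a positive reply")
```

Run it against a real pihole.log (read the file and pass its contents to `analyze`) to see whether unqualified names are being raced between the router and an external resolver. The detection is only as good as the log layout assumed above; dnsmasq can phrase replies differently (for example "NODATA-IPv6"), which is why negative answers are matched loosely. As a caveat on the IPv6 question: the `query[AAAA]` lines are clients asking for IPv6 addresses over whatever transport they reach Pi-hole on, so disabling IPv6 on the Pi-hole host itself does not stop them appearing in the log.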

The way you suggest in the bolded text is how I would work around the issue. The other option would be to set the clients to use the Fritz! and then have the Fritz! point to the Pi-hole. On the Pi-hole set your external upstreams. This is similar to how I have set up Active Directory installations that require special domain records for clients to function. That is with the non-Pi-hole router handling DHCP duties as well.

Hey Dan,
thanks for your help.
I tried that solution before, but I didn't like that every request in the Pi-hole log comes from the same router IP then. So I wasn't able to identify problems or talkative tools on clients. :wink:
Cheers.

