"nameserver <local DNS> refused to do a recursive query"

Hi, I've been using Pi-hole on my local network successfully for quite a few months now. I just started getting this issue in the last few days. I don't know what prompted it; I hadn't updated in a while (although I have since updated to the latest, including FTL v6.4.1, in case it helped).

I have a warning that has started appearing in the diagnosis tab:

Where 10.6.10.10 is a local Samba AD DC running a DNS server that manages DNS for all my local services. It is configured for conditional forwarding, acting as the upstream server for my local subnet (10.6.0.0/16) and my local domain (*.home.mydomain.net, *.internal.mydomain.net):

I have never seen this error before. I found this error after I noticed many of my services are intermittently losing internal connectivity.

In the FTL.log I see many lines like:
2025-12-11 23:00:00.169 AEDT [5383M] WARNING: dnsmasq: nameserver 10.6.10.10 refused to do a recursive query
2025-12-11 23:00:03.833 AEDT [5383M] WARNING: dnsmasq: nameserver 10.6.10.10 refused to do a recursive query
2025-12-11 23:00:04.835 AEDT [5383M] ERROR: add_message(type=5, message=nameserver 10.6.10.10 refused to do a recursive query) - SQL error step DELETE: database is locked
2025-12-11 23:00:04.836 AEDT [5383M] WARNING: dnsmasq: nameserver 10.6.10.10 refused to do a recursive query
2025-12-11 23:00:05.837 AEDT [5383M] ERROR: add_message(type=5, message=nameserver 10.6.10.10 refused to do a recursive query) - SQL error step DELETE: database is locked

I don't want my local DNS to be a recursive resolver, and I don't want any queries to it forwarded upstream. I have no idea why this only started happening recently. Does anyone know why, and how to make Pi-hole not expect it to be an upstream resolver? It seems to be the cause of the intermittent DNS issues I am seeing.
Note that the regular operation of Pi-hole for internet sites (not local DNS) is working fine; it is just local DNS that is affected.

Debug token URL: https://tricorder.pi-hole.net/umde3N5b/

That is completely understandable, and also completely unrelated to the problem you describe.

Almost every DNS query sent is a recursive query. The only situation where they are not is if you are running a recursive resolver (such as unbound) which would accept recursive queries from your system, and then send its own non-recursive queries to authoritative name servers.

When a device queries example.home.mydomain.net, that is a recursive query. The non-recursive queries necessary to obtain the same information (such as those sent by unbound) would be first a query for net, then mydomain.net, then home.mydomain.net and finally example.home.mydomain.net, in each case to an authoritative server for the domain in question.

The only queries being sent by Pi-hole to this server are the ones for the domains you have specifically added in your configuration above.

The configuration screenshot above makes perfect sense for what you are trying to achieve. Pi-hole would be sending only local network queries to Samba, and it would be sending them with the recursive bit set.

The first step would be to try to figure out why Pi-hole receives replies from the Samba instance to some queries but not to others.
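As an added illustration of the RD/RA distinction explained above (example code, not from this thread or from Pi-hole's own source): the script builds a query the way a forwarder does, with the Recursion Desired bit set, and decodes constructed reply headers to show which fields separate a normal answer from an upstream that disclaims or refuses recursion. The transaction id, names and reply packets are placeholders, not captures from the thread.

```python
import struct

# DNS header layout (RFC 1035 section 4.1.1): ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
HEADER = struct.Struct("!HHHHHH")
QR = 0x8000  # reply (1) vs query (0)
RD = 0x0100  # Recursion Desired: the client asks the server to chase the name for it
RA = 0x0080  # Recursion Available: the server states it is willing to recurse
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name: str, qtype: int, txid: int = 0x1234, rd: bool = True) -> bytes:
    """Encode a one-question query. A stub/forwarder such as dnsmasq sets RD; that is
    all 'recursive query' means in the warning quoted in this thread."""
    header = HEADER.pack(txid, RD if rd else 0, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS IN

def inspect_reply(packet: bytes) -> dict:
    """Pull out the header fields that tell you how the upstream treated the RD bit."""
    txid, flags, _qd, an, _ns, _ar = HEADER.unpack_from(packet, 0)
    return {
        "id": txid,
        "is_reply": bool(flags & QR),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "rcode": RCODE_NAMES.get(flags & 0x000F, str(flags & 0x000F)),
        "answers": an,
    }

def classify(reply: dict) -> str:
    """What an operator would conclude from one upstream reply."""
    if reply["rcode"] == "REFUSED":
        return "refused"
    if reply["rd"] and not reply["ra"]:
        return "answered-without-RA"  # data came back, but the server disclaims recursion
    return "ok"

# Constructed sample replies (header only, which is all inspect_reply reads); the
# transaction id is a placeholder, not taken from the thread.
REPLY_RECURSIVE = HEADER.pack(0x1234, QR | RD | RA, 1, 3, 0, 0)  # NOERROR, 3-record CNAME chain
REPLY_NO_RA = HEADER.pack(0x1234, QR | RD, 1, 3, 0, 0)           # same data, RA clear
REPLY_REFUSED = HEADER.pack(0x1234, QR | RD | RA | 5, 1, 0, 0, 0)  # RCODE 5, no answers

if __name__ == "__main__":
    q = build_query("jellyfin.internal.mydomain.net", 1)  # A record, as in the pihole -t excerpt
    print("query RD set:", inspect_reply(q)["rd"])
    for label, pkt in [("RA set", REPLY_RECURSIVE), ("RA clear", REPLY_NO_RA), ("REFUSED", REPLY_REFUSED)]:
        print(label, "->", classify(inspect_reply(pkt)))
```

Pointing a capture tool at the forwarder-to-Samba traffic and decoding the reply headers this way is how you would confirm whether the upstream is answering with RA clear, returning REFUSED, or not answering at all.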

Thanks for the explanation! That makes sense, I clearly misunderstood the meaning of recursive in this case.

Do you see something in my debug log that indicates Pi-hole is not receiving replies from Samba? I can’t really see that myself in the logs, but I also don’t know exactly what I’m looking for.

I hope it’s visible in my debug log, but anyway here’s a new excerpt from the output of pihole -t:

19:50:37: query[A] jellyfin.internal.mydomain.net from 10.6.10.100
19:50:37: forwarded jellyfin.internal.mydomain.net to 10.6.10.10
19:50:37: query[AAAA] jellyfin.internal.mydomain.net from 10.6.10.100
19:50:37: forwarded jellyfin.internal.mydomain.net to 10.6.10.10
19:50:37: nameserver 10.6.10.10 refused to do a recursive query
19:50:37: reply jellyfin.internal.mydomain.net is <CNAME>
19:50:37: reply npm.internal.mydomain.net is <CNAME>
19:50:37: reply docker-1.home.mydomain.net is 10.6.10.100
19:50:37: nameserver 10.6.10.10 refused to do a recursive query
19:50:37: reply jellyfin.internal.mydomain.net is <CNAME>
19:50:37: reply npm.internal.mydomain.net is <CNAME>
19:50:37: reply docker-1.home.mydomain.net is NODATA-IPv6
19:50:37: query[AAAA] jellyfin.home.mydomain.net from 10.6.10.100
19:50:37: cached jellyfin.home.mydomain.net is NODATA-IPv6
19:50:37: query[A] jellyfin.home.mydomain.net from 10.6.10.100
19:50:37: cached jellyfin.home.mydomain.net is 10.6.10.70
19:50:37: query[AAAA] authentik.internal.mydomain.net from 10.6.10.100
19:50:37: forwarded authentik.internal.mydomain.net to 10.6.10.10
19:50:37: query[A] authentik.internal.mydomain.net from 10.6.10.100
19:50:37: forwarded authentik.internal.mydomain.net to 10.6.10.10
19:50:37: nameserver 10.6.10.10 refused to do a recursive query
19:50:37: reply authentik.internal.mydomain.net is <CNAME>
19:50:37: reply npm.internal.mydomain.net is <CNAME>
19:50:37: reply docker-1.home.mydomain.net is NODATA-IPv6
19:50:37: nameserver 10.6.10.10 refused to do a recursive query
19:50:37: reply authentik.internal.mydomain.net is <CNAME>
19:50:37: reply npm.internal.mydomain.net is <CNAME>
19:50:37: reply docker-1.home.mydomain.net is 10.6.10.100

You can see it says my Samba DNS (10.6.10.10) is refusing to do a recursive query, despite it replying with the correct data (IPv4 address via CNAME resolution)?

Yes, from the look of it, the refusal is when IPv6 queries come in. Pi-hole is then not receiving a reply to those.

If you don't have IPv6 on your network, it might be worth seeing what options you have within Samba to answer AAAA queries.

Are you sure? There is one nameserver 10.6.10.10 refused to do a recursive query for each (uncached) query regardless of whether it is A or AAAA.

Friendly bump to prevent the thread getting locked, since the issue persists.

Unfortunately, since the issue persists without explanation or any documentation for me to follow to trace it, I have had to look for a solution other than Pi-hole. I have changed to AdGuard Home and, with an identical setup, it is working perfectly with no issues conditionally forwarding to my local DNS.

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.