Pi-hole: DNS queries reaching maximum (150) - Excessive HTTPS loading times for local domains

Hello everyone,

I've identified an issue with DNS resolution in my home network and need assistance with troubleshooting.

Issue Description

When accessing local domains (*.home.com) via HTTPS, I experience:

  • Extremely long loading times (~20 seconds per page load)
  • Pi-hole warning: "Maximum number of concurrent DNS queries reached (max: 150)"
  • Browser analysis shows: Connection establishment takes 11.07 seconds

Network Setup

  • Internet: FritzBox 5590
  • Pi-hole on Raspberry Pi 4
  • QNAP NAS TS-473A (dual network interfaces)
    • Home Assistant OS in VM
    • Docker containers: Nginx Proxy Manager, Heimdall, Firefly3, etc.
  • Various endpoints (PCs, mobile devices, TV, Alexa)

Error Messages

  1. Pi-hole log shows repeated DNS queries:
Jan 24 19:15:00 dnsmasq[28054]: query[A] heimdall.home.com from 192.168.xxx.1
Jan 24 19:15:00 dnsmasq[28054]: /etc/pihole/custom.list heimdall.home.com is 192.168.xxx.2
Jan 24 19:15:02 dnsmasq[28054]: query[AAAA] heimdall.home.com from 192.168.xxx.1
Jan 24 19:15:02 dnsmasq[28054]: Maximum number of concurrent DNS queries reached (max: 150)
Jan 24 19:15:02 dnsmasq[28054]: config error is REFUSED
Jan 24 19:15:02 dnsmasq[28054]: query[AAAA] heimdall.home.com from 192.168.xxx.3
Jan 24 19:15:02 dnsmasq[28054]: forwarded heimdall.home.com to 192.168.xxx.1
Jan 24 19:15:02 dnsmasq[28054]: query[AAAA] heimdall.home.com from 192.168.xxx.1
Jan 24 19:15:02 dnsmasq[28054]: config error is REFUSED
Jan 24 19:15:02 dnsmasq[28054]: query[AAAA] heimdall.home.com from 192.168.xxx.1
Jan 24 19:15:02 dnsmasq[28054]: config error is REFUSED
  2. Browser Timing:
  • Queuing and connecting: 11.07s
  • Request sent and waiting: 133.08ms
  • Content downloading: 0.77s
  • Waiting on main thread: 18.03s

Already Verified

  • DNS entries in Pi-hole are correctly configured
  • Nginx Proxy Manager is accessible
  • Local services are fundamentally working

Debug Token for detailed Pi-hole logs: https://tricorder.pi-hole.net/qrGRw0WV
Any help or suggestions would be greatly appreciated.

Best regards

You've configured a DNS loop, with your Pi-hole forwarding queries to your router at .1, which your router then immediately forwards to Pi-hole, and so forth ad infinitum, or until all concurrent threads have been saturated.

What closes the loop in your above case is that you haven't defined AAAA records for heimdall, only A.

You could either provide such AAAA/IPv6 information in either Pi-hole or your router, or create a filtering rule to short-circuit queries for unknown local names from your router.

What would you prefer?
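The loop described above leaves a recognisable signature in the dnsmasq log: a name is "forwarded ... to" an upstream, and the very next query for that name arrives "from" that same upstream address. The following Python script is an added example, not code from this thread or from the Pi-hole project; it scans pihole.log-style lines for that pattern over a constructed sample modelled on the excerpt in the first post (addresses are placeholders).

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the log excerpt in the post (placeholder IPs).
# .1 = router (configured as Pi-hole's upstream AND forwarding back to Pi-hole),
# .3 = an ordinary client, .16 = the local A record target.
SAMPLE_LOG = """\
Jan 24 19:15:00 dnsmasq[28054]: query[A] heimdall.home.com from 192.168.8.1
Jan 24 19:15:00 dnsmasq[28054]: /etc/pihole/custom.list heimdall.home.com is 192.168.8.16
Jan 24 19:15:02 dnsmasq[28054]: query[AAAA] heimdall.home.com from 192.168.8.3
Jan 24 19:15:02 dnsmasq[28054]: forwarded heimdall.home.com to 192.168.8.1
Jan 24 19:15:02 dnsmasq[28054]: query[AAAA] heimdall.home.com from 192.168.8.1
Jan 24 19:15:02 dnsmasq[28054]: forwarded heimdall.home.com to 192.168.8.1
Jan 24 19:15:02 dnsmasq[28054]: query[AAAA] heimdall.home.com from 192.168.8.1
Jan 24 19:15:02 dnsmasq[28054]: Maximum number of concurrent DNS queries reached (max: 150)
Jan 24 19:15:05 dnsmasq[28054]: query[A] example.org from 192.168.8.3
Jan 24 19:15:05 dnsmasq[28054]: forwarded example.org to 192.168.8.1
Jan 24 19:15:05 dnsmasq[28054]: reply example.org is 93.184.216.34
"""

# dnsmasq log line shapes used by Pi-hole's query log
QUERY_RE = re.compile(r"query\[(\w+)\] (\S+) from (\S+)$")
FORWARD_RE = re.compile(r"forwarded (\S+) to (\S+)$")


def find_loops(log_text, threshold=2):
    """Return {(name, qtype): bounces} for names that were forwarded to an
    upstream and then immediately queried again *from* that same upstream.

    A router that resolves names for itself may legitimately query Pi-hole
    once, so only names bouncing at least `threshold` times are reported."""
    last_forwarded_to = {}          # name -> upstream it was most recently sent to
    bounces = defaultdict(int)      # (name, qtype) -> echo count
    for line in log_text.splitlines():
        fwd = FORWARD_RE.search(line)
        if fwd:
            last_forwarded_to[fwd.group(1)] = fwd.group(2)
            continue
        qry = QUERY_RE.search(line)
        if qry:
            qtype, name, src = qry.groups()
            # The loop: the query comes back from the address we forwarded to.
            if last_forwarded_to.get(name) == src:
                bounces[(name, qtype)] += 1
    return {key: n for key, n in bounces.items() if n >= threshold}


if __name__ == "__main__":
    print(find_loops(SAMPLE_LOG))  # only the AAAA lookups loop, as in the thread
```

On a real system, feed it `open('/var/log/pihole.log').read()`; an empty result after the fix confirms the router no longer hands queries back to Pi-hole.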

Thank you so much for your reply.

That sounds really strange because I have checked my settings multiple times after seeing these logs and can't find any reference to .1! The redirection from heimdall should go to .16 (my Nginx Proxy).

I would prefer the cleaner solution if there is one. :slight_smile:

What kind of redirection are you talking of, and where did you configure that?

I have added in PiHole a DNS record for heimdall.home.com to 192.168.8.16.

Pihole is my one and only DNS Server at home. My FritzBox leads all DNS requests to PiHole.

The entry has existed since the initial setup, yet the error still occurs. This suggests that there must be another misconfiguration causing the issue.

That's not a redirection - it is the local A record definition I've mentioned above.

The loop is closed by a query for an AAAA record: As you haven't defined that, Pi-hole forwards the query upstream to your router, and as your router doesn't know an AAAA record either, it forwards the request upstream, which happens to be your Pi-hole.

Do you require your router to use Pi-hole as upstream, instead of just having it distribute Pi-hole as local DNS server?

I just wanted to make sure that all requests go to PiHole.

If I change the upstream DNS to a public one, they would receive the Let's Encrypt entry that is published with the local IP of my Nginx proxy. Is my understanding correct?
Additionally, I'd like to know: Would Pi-hole still maintain its functionality as a local DNS server in this case, because I'm not sure if all devices are sending their requests directly to Pi-hole.

Your guest network wouldn't, but your home network would, provided you've configured its DNS options correctly for both IPv4 as well as IPv6.

You are using a Fritzbox router, which supports distributing an IPv4 address as local DNS server via DHCP (which your debug log confirms you've done), as well as not advertising any IPv6 address for DNS (which you should probably verify).

Your Fritzbox would send any DNS request that it cannot answer itself to one of its configured upstreams (at Internet > Account Information >DNS server).

In your current setup, that would happen within your guest network in general, and within your home network only if a DNS request is sent to your router. You've configured your Pi-hole to do the latter, as you've enabled Conditional Forwarding for home.com to your FB at 192.168.8.1, which is somewhat unusual.

Fritzbox routers hard-code fritz.box as local domain which cannot be changed, so your FB would be unlikely to know any home.com domains (locally shadowed or not), making your current CF quite pointless.
You should consider changing Conditional Forwarding to use fritz.box instead.

home.com seems to be a public domain, possibly under your control, and you've created quite a few A records with private range IPs for Pi-hole.

As home.com would likely be publicly resolvable, that would indicate that your Pi-hole would shadow public DNS records, preventing your network from getting public DNS replies if a local DNS record exists.

Is that what you want to achieve?

My goal was to enable a secure HTTPS connection for Home Assistant. This is necessary to run Assistant in the network. In this process, I installed Nginx PM and created LetsEncrypt certificates for various local services so that I can easily access them via addresses like heimdall.home.com. Home.com is my domain, and I would simply use it to create easily memorable addresses for my family.
If there is a different, simpler, faster, or better way to achieve this, I am open to suggestions.

Pi-hole would not be involved in this, as LetsEncrypt verification would utilise information retrieved by public DNS.

It comes down to whether and how you would want to shadow public DNS records by local DNS records in Pi-hole.

Currently, public DNS servers like 8.8.8.8 would resolve your public DNS records (like heimdall.home.com) to private range IPs:

nslookup heimdall.home.com 8.8.8.8
Server:		8.8.8.8
Address:	8.8.8.8#53

Non-authoritative answer:
Name:	heimdall.home.com
Address: 192.168.8.16

(Note for readers: home.com is not the actual domain here, which is known to me nonetheless, by virtue of debug log information.)
That is unusual and useless, as you won't be able to access private range IP addresses from public networks.

If you've created those A records within your DynDNS/domain administration tool, you should consider either removing them or replacing them with the correct public IPs, for those names that you wish to expose publicly.

Creating local DNS records is the correct approach for this, but you should be aware that you are shadowing public DNS that way.

Your current configuration is missing AAAA record definitions, prompting respective AAAA lookups to be forwarded upstream, which then triggers the DNS loop.

To address this, try the following:

a. remove Pi-hole from your Fritzbox upstream DNS servers ( Internet > Account Information >DNS server ).

b. change your Pi-hole's Conditional Forwarding to use fritz.box as Local domain name.

This would avoid the loop for *.home.com, but it would still have Pi-hole forward DNS requests for AAAA records upstream, where they would be publicly resolved.

If you are absolutely sure that you never want requests for *.home.com to be forwarded upstream, you could create a custom dnsmasq configuration to that effect, e.g. at /etc/dnsmasq.d/42-restrict-home-com.conf:

# never forward requests for home.com
local=/home.com/

Check for potential syntax errors:

pihole-FTL dnsmasq-test

If OK, run pihole restartdns to take those settings into effect.

This would prevent Pi-hole from forwarding anything home.com upstream, but again:
Don't apply this if you want anything *.home.com to resolve via public DNS.


Likely unrelated to your issue, but you want to verify that your Fritzbox is not advertising any IPv6 address for DNS (or only your Pi-hole's ULA, but your Query Log is easier to read with no IPv6 DNS advertisements).

I also noticed that you've created some local DNS records ending in .local.
.local is the TLD reserved for the mDNS protocol, and should not be used with plain DNS.
For mDNS capable devices, any device attached to the same link will be resolvable by its self-assigned .local name, without involving DNS resolution at all.

Hey @Bucking_Horn,
thanks a lot for the effort you put in here!
It took me a while to understand all the information :face_with_spiral_eyes:

I removed PiHole as the DNS upstream in my FritzBox which fixed my problem directly :smiley:
As I have a few pages for my domain online, I don't want to just use my domain locally.

The .local records were just in there for test purposes. I hoped to have a shorter domain to reach my internal services, but I came to the same conclusion as you explained. I will remove them.

Thank you so much.