Pi-hole ignores own DNS rebinds.

Your debug log shows that you've created A records for IPv4 records exclusively:

   [dns]
     (…)
     hosts = [
       "192.168.2.1 fritz.box",
       "192.168.2.11 nas.ipmi",
       "192.168.2.15 unim95.ddns.net",
       "192.168.2.6 test-pihole.unim95.ddns.net",
       "192.168.2.2 speedport.ip",
       "192.168.2.5 main-pihole.local"
     ] ### CHANGED, default = []
     (…)
     domain = "lan"

In addition, your Pi-hole is not aware that it should treat fritz.box as your local/search domain, using lan instead.

Consequently, Pi-hole would forward AAAA requests for fritz.box to its configured public upstreams, resulting in the public DNS reply showing in your nslookups.
You should note that this would also happen with any other public DNS records you are shadowing with your Pi-hole's local DNS records.

To address your fritz.box issue, you could either create the missing AAAA records or set dns.domain to fritz.box.

You could also consider removing fritz.box from your local DNS records altogether and enabling Pi-hole's Conditional Forwarding instead.
That way, Pi-hole would pass resolution of requests for anything ending in fritz.box to be answered by your Fritzbox router.

You should probably prefer this latter way of resolving local names, unless you'd want to see a specific name for a client in Pi-hole's UI.
Fritzboxes may keep multiple names for clients, and Pi-hole would then choose an arbitrary one for the client's associated IPs, which may not always be your preferred name.
Creating Local DNS records for those specific clients while using Conditional Forwarding for all other fritz.box domains would allow you to take advantage of Fritzbox's local name knowledge, manually only creating relevant entries.

EDIT:
Unrelated to your issue, you could also consider configuring your router to NOT advertise any DNS server IPv6 address at all, see Unresolved ipv6 adress in my top list - #4 by Bucking_Horn.
This will have your clients send DNS requests to Pi-hole via their IPv4 address exclusively, which would allow you to reliably associate friendly names to client IPs (which isn't possible with every IPv6).
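
The check described in the reply above, as an added example that is not part of the original post and not Pi-hole's own code: it lists the local DNS names whose AAAA queries would still be forwarded to the public upstreams, using the rule the reply gives (no AAAA record and not under `dns.domain`). The function name `aaaa_forwarded` and the `fd00::1` address in the usage note are assumptions made for illustration.

```python
import ipaddress

# Sample input: the dns.hosts entries quoted from the debug log in the post.
HOSTS = [
    "192.168.2.1 fritz.box",
    "192.168.2.11 nas.ipmi",
    "192.168.2.15 unim95.ddns.net",
    "192.168.2.6 test-pihole.unim95.ddns.net",
    "192.168.2.2 speedport.ip",
    "192.168.2.5 main-pihole.local",
]


def aaaa_forwarded(hosts, domain):
    """Return the local names whose AAAA queries would go upstream.

    Models the explanation in the post (an assumption, not Pi-hole code):
    a name is answered locally for AAAA only if it has an IPv6 record
    of its own or falls under the configured local domain.
    """
    families = {}  # name -> set of IP versions it has records for
    for entry in hosts:
        addr, *names = entry.split()
        version = ipaddress.ip_address(addr).version  # 4 or 6
        for name in names:
            families.setdefault(name.lower().rstrip("."), set()).add(version)

    suffix = domain.lower().strip(".")
    forwarded = []
    for name, versions in families.items():
        under_local_domain = bool(suffix) and (
            name == suffix or name.endswith("." + suffix)
        )
        if 6 not in versions and not under_local_domain:
            forwarded.append(name)
    return sorted(forwarded)


if __name__ == "__main__":
    # Compare the configuration from the post with the suggested dns.domain.
    for domain in ("lan", "fritz.box"):
        print(f"dns.domain = {domain!r}")
        for name in aaaa_forwarded(HOSTS, domain):
            print(f"  AAAA for {name} is forwarded upstream")
```

With `dns.domain = "lan"` every listed name is reported; setting it to `fritz.box`, or adding an IPv6 entry such as the constructed `"fd00::1 fritz.box"`, removes `fritz.box` from the result.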