Okay, thanks. We see that the port where we're sending the dnssec-retry to (#5053) is missing here:
whereas it is included for all other queries, such as:
This is a bug in the embedded dnsmasq code. It affects FTL as well; however, FTL is still able to get the port using other means. Nevertheless, this secondary "reverse-engineering" of the port is what is triggering the message you have reported here.
This can only be solved with a bugfix to the dnsmasq code as well.
Please try:
pihole checkout ftl fix/dnssec-retry
If you are running Pi-hole in a docker container, you have to be using the dev or nightly containers for the checkout command to be supported.
After the checkout, please grep again for dnssec-retry and check whether the port is now appended to the upstream IP address and whether the port mismatch error has disappeared from pihole-FTL.log.