When I try to visit it using Safari or Chrome on macOS, I get the “Not found on any Blacklist” reason for why a website is blocked. This makes absolutely NO sense to me. Why would it block something because it's NOT found on a blacklist? Moreover, as you can see in the screenshot, it’s expressly whitelisted (I did this the first time I got the message), but it still doesn't go through.
I've restarted Safari and run through every macOS DNS cache flush I can think of (sudo killall -HUP mDNSResponder;sudo killall mDNSResponderHelper;sudo dscacheutil -flushcache).
pi.hole is set in the hosts file to be used when that domain is called. pihole.local is handled by mDNS/avahii which has it's own resolvers and does not resolve through pi-hole to the IP address of the pi-hole device. The pi-hole device does not know how to resolve .local domains so you see the page which is actually a 404 page, when it says it's not on any lists it's just returning a 404.
It appears mDNS is converting the pihole.local domain to an IP address but lighttpd has no idea who that domain is so it does not have any page to give you. Instead it does a 404 and gives you the block page.
I understand redirects and 404. I guess I'd argue that the Pi-Hole 404 is very confusing for several reasons, not the least of which is that it says (paraphrasing) "You were blocked because that address is whitelisted and not on any blacklists."
I'd argue that Pi-Hole should probably understand its Avahi name and handle that the same as pi.hole.
At the very least, it should send all unknown traffic to the home page or the admin page, as it does with <ip address>.
And I'd counter that we don't know what the mDNS/Avahi/Bonjour name is going to be. We don't interact with any of those systems. We do DNS and we can set up pi.hole as the local domain name and that's what we have built Pi-hole to use. All of the documentation refers to that URL for administration.
Sending all unknown traffic to the admin page would defeat the use of a block page. Any domain that you are blocking would then show the admin page instead of the block page.
As far as the IP address working every time, that's because there is no DNS name resolution involved if you use the IP address, so we don't send all unknown traffic to the admin page. We send very specific domain names to the admin page and the IP address of the Pi-hole device itself. Those are items we can know without any possible confusion.
Per the argue/countering here, I'd like to throw my hat in the ring real quick. I got linked here by my similar issue Not Found On Any Blacklist
In my case I'm using an AD domain which has its own DNS servers, and I'm using a format of pihole.domain.local rather than pihole.local. Although to @DanSchaper's point I wouldn't expect PiHole to know what to do with any .local address, I did tell PiHole to forward those requests to my AD DC/DNS servers, and they know exactly what to do with .local addresses (so long as they are my AD domain). To @JetForMe's point, I also would expect that any URL linked by an A record to an IP would return the same result in my browser as entering the straight IP. Which means that because when I go to http://###.###.###.###/ I see the PiHole logo and text telling me what I found and the link to the admin page, I would expect that exact same page to pop up when I go to http://pihole.domain.local/, presuming that my AD DNS returns an A record with that IP for pihole in domain.local. I agree that returning a valid page for all unknown addresses is not 'good', but in this case my existing DNS said it's not an unknown address. I don't expect PiHole to know what to do with an address it isn't configured for, but I do expect it to return the same as what it would return for the IP, instead of "this page blocked because it's not configured to be blocked". At the very least, it's an error message which could be improved.
Ultimately, I can also use http://pi.hole/, which is IMO a functional workaround but not optimal in an environment where everything else uses naming conventions like http://web1.domain.local/ and http://mail1.domain.local/, and we'd really prefer to use http://pihole.domain.local/ for consistency's sake. So +1 for passing that request onto the external LAN DNS instead of returning a wonkey error message, but if it's an insurmountable thing to fix, it's not a huge thing to 'suffer' with. Overall PiHole is an amazing tool and I'm glad it exists.
You could add to the lighttpd configuration and set lighttpd to understand what URL you would prefer and have that URL forward to the admin page. See the existing lighttpd configuration on how we do that and how you can replicate that with an external configuration.
The reason for the 404 page is that lighttpd doesn't know how to answer the request since we can't know beforehand what URL you would like to use. We include a URL that should work everywhere but if you would like different we provide for you to be able to customize to that.
Further, to see what is happening and why you are getting this page, tail the lighttpd access log, look for the 404 and you will see why lighttpd has decided to return this page.
Thanks for your responses. You first stated that " The reason for the 404 page is that lighttpd doesn’t know how to answer the request", and then that I could "tail the lighttpd access log" to "see why lighttpd has decided to return this page". Didn't you just answer that, or did I misunderstand?
Ultimately, my goal is to write up a deployment and maintenance document so people who are not me can spin the VM/Docker/PiHole thing up as-needed, and the end-goal is to have as much configuration done in the webui as possible. Extra config modification for things under the hood is just asking for my techs to have issues. http://pihole.domain.local/admin/ works fine, it's http://pihole.domain.local/ that returns a confusing message, and it's probably easier for me to just include in the document "don't go there; go here instead" rather than debate it until it's smooth.
Lighttpd doesn't have a problem serving up the admin page at pihole.domain.local/admin, so it seems to have no problem redirecting that to my AD DNS. And to be clear, I wouldn't want pihole.domain.local to redirect to pihole.domain.local/admin. I would want pihole.domain.local to display the same exact page that I see from the IPv4 ip.ad.dr.ess. The same way that pihole.domain.local/admin displays the same page as ip.ad.dr.ess/admin.
and text telling me what I found and the link to the admin page, I would expect that exact same page to pop up when I go to 