I have a standard Pihole setup that is configured as my only DNS and DHCP server on my network. It all seems to be working, with Pihole correctly identifying the IP from the name, except that every request for a resource on my local network seems to be forwarded to the upstream DNS server (Google). Below is the logfile. Is there something I can do to stop this?
Mar 12 22:46:11: query[A] nas2.home from 192.168.1.246
Mar 12 22:46:11: Pi-hole hostname nas2.home is 192.168.1.2
Mar 12 22:46:11: query[HTTPS] _7878._https.nas2.home from 192.168.1.246
Mar 12 22:46:11: forwarded _7878._https.nas2.home to 8.8.4.4
Mar 12 22:46:11: reply _7878._https.nas2.home is NXDOMAIN
Thank you for your reply but I don't understand what you mean by "no local answer to this query". Would you mind please elaborating on this a bit so I can try to find out how to fix this? Thank you.
An [HTTPS] query is a non-standard query, and isn't yet supported in the RFCs (documents that govern internet protocols). This is discussed in the link I provided. The answer to [HTTPS] queries at this point in time will always be NXDOMAIN (the domain does not exist on the internet).
Your Pi-hole can answer [A] or [AAAA] queries for local domains, if it knows the names of the domains which match particular IPs.
Here is a brief description of the various sources (and the order in which they are used) for Pi-hole to provide a local domain name:
As an example, on my Pi I have all my regular network clients mapped in a hosts file. I can ask Pi-hole for the name or IP of a client, and it will look in the hosts file and provide it.
Thanks. This makes more sense now. I have my name defined in the Local DNS Records section of the web UI and it seems like Pihole is recognising this and resolving it correctly, but that doesn't answer the original question about the [HTTPS] queries being sent to the internet. Since Pihole doesn't understand [HTTPS] queries, does this mean that all DNS requests for my local resources from a web browser that uses DNS over HTTPS are sent to the internet and there's no way to stop it?
Please upload a debug log and post just the token URL that is generated after the log is uploaded by running the following command from the Pi-hole host terminal:
If ok, restart your Pi-hole, e.g. via Settings | Restart DNS resolver.
This would configure Pi-hole to answer queries locally from DHCP, /etc/hosts, or its Local DNS record definitions, but to not forward *.home queries upstream.
Pi-hole v6 will include the respective configuration by default.
Unrelated to your observation, I noticed quite a few warnings similar to "no address range available for DHCP request via " in your debug log.
While those are harmless (unless you'd want Pi-hole's DHCP server to provide DHCP to those interfaces), you could consider explicitly configuring your Pi-hole container for your host's ovs_eth0 by setting its INTERFACE environment variable accordingly, and setting DNSMASQ_LISTENING to single.
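As an added illustration (not part of this thread or of Pi-hole itself), the script below runs the check the original poster did by eye over a Pi-hole/dnsmasq query log: it flags any query for a local suffix (here "home", taken from the thread) that shows up in a "forwarded ... to <upstream>" line, and emits the matching dnsmasq local= directive. The sample log lines are constructed from the ones quoted above; the suffix list and the leak-report format are assumptions.

```python
import re

# Pi-hole (dnsmasq) log lines of the two shapes this check cares about, e.g.
#   "Mar 12 22:46:11: query[HTTPS] _7878._https.nas2.home from 192.168.1.246"
#   "Mar 12 22:46:11: forwarded _7878._https.nas2.home to 8.8.4.4"
QUERY_RE = re.compile(r"^\w{3} +\d+ [\d:]+: query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)$")
FORWARDED_RE = re.compile(r"^\w{3} +\d+ [\d:]+: forwarded (?P<name>\S+) to (?P<upstream>\S+)$")


def is_local_name(name, suffixes):
    """True if name is one of the local suffixes or a subdomain of one (case-insensitive)."""
    n = name.lower().rstrip(".")
    return any(n == s or n.endswith("." + s) for s in suffixes)


def find_leaks(lines, local_suffixes=("home",)):
    """Return (name, upstream, qtype) for every local-suffix query forwarded upstream.

    qtype is taken from the most recent query[...] line for that name, or "?" if none was seen.
    """
    last_qtype = {}
    leaks = []
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if m:
            last_qtype[m["name"]] = m["qtype"]
            continue
        m = FORWARDED_RE.match(line.strip())
        if m and is_local_name(m["name"], local_suffixes):
            leaks.append((m["name"], m["upstream"], last_qtype.get(m["name"], "?")))
    return leaks


def dnsmasq_local_lines(local_suffixes):
    """dnsmasq 'local=' directives: answer these suffixes from local sources only, never upstream."""
    return [f"local=/{s}/" for s in local_suffixes]


# Constructed sample: the leaking log from the question and the fixed log from the follow-up.
BEFORE_FIX = [
    "Mar 12 22:46:11: query[A] nas2.home from 192.168.1.246",
    "Mar 12 22:46:11: Pi-hole hostname nas2.home is 192.168.1.2",
    "Mar 12 22:46:11: query[HTTPS] _7878._https.nas2.home from 192.168.1.246",
    "Mar 12 22:46:11: forwarded _7878._https.nas2.home to 8.8.4.4",
    "Mar 12 22:46:11: reply _7878._https.nas2.home is NXDOMAIN",
]
AFTER_FIX = [
    "Mar 15 09:19:40: query[A] pm.home from 192.168.1.245",
    "Mar 15 09:19:40: /etc/pihole/custom.list pm.home is 192.168.1.4",
    "Mar 15 09:19:40: query[HTTPS] _8006._https.pm.home from 192.168.1.245",
    "Mar 15 09:19:40: config _8006._https.pm.home is NXDOMAIN",
]

if __name__ == "__main__":
    for name, upstream, qtype in find_leaks(BEFORE_FIX):
        print(f"LEAK: {qtype} query for {name} forwarded to {upstream}")
    print("suggested dnsmasq config:", *dnsmasq_local_lines(("home",)))
```

Point it at a real export of /var/log/pihole.log (or pihole-FTL.log) with your own local suffixes to confirm nothing local is still being forwarded after applying local=.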
Thank you for your really helpful response. I've applied the local=/home/ option now and I think it's fixed it. Below is an excerpt of my log file, which no longer shows DNS requests for my local network resources being sent to the upstream DNS. Pihole receives the HTTPS query and responds with an NXDOMAIN reply, which seems like the correct behaviour given what you said previously. Does this now look OK to you?
Mar 15 09:19:40: query[A] pm.home from 192.168.1.245
Mar 15 09:19:40: /etc/pihole/custom.list pm.home is 192.168.1.4
Mar 15 09:19:40: query[HTTPS] _8006._https.pm.home from 192.168.1.245
Mar 15 09:19:40: config _8006._https.pm.home is NXDOMAIN
This "local" setting seems to be really important from a privacy perspective to prevent local DNS requests spilling out onto the internet. It wasn't obvious to me from the documentation that I needed to do this, and others might also have the same problem and not realise it unless they inspect their logs, so perhaps a really prominent paragraph in the documentation would be good, or a step-by-step guide on how to configure DNS and DHCP properly.
Thanks also for your advice regarding the warnings in the log. I'll test that later when nobody is using the network.