Pihole seems to be redirecting all local DNS to the internet

I have a standard Pihole setup that is configured as my only DNS and DHCP server on my network. It all seems to be working with Pihole correctly identifying the IP from the name, except that every request for a resource on my local network seems to be being forwarded to the upstream DNS server (Google). Below is the logfile. Is there something I can do to stop this?

Mar 12 22:46:11: query[A] nas2.home from 192.168.1.246
Mar 12 22:46:11: Pi-hole hostname nas2.home is 192.168.1.2
Mar 12 22:46:11: query[HTTPS] _7878._https.nas2.home from 192.168.1.246
Mar 12 22:46:11: forwarded _7878._https.nas2.home to 8.8.4.4
Mar 12 22:46:11: reply _7878._https.nas2.home is NXDOMAIN

Your output shows that the [A] queries (IPv4) are being answered locally.

Mar 12 22:46:11: query[A] nas2.home from 192.168.1.246
Mar 12 22:46:11: Pi-hole hostname nas2.home is 192.168.1.2

The [HTTPS] queries are being forwarded, as expected, because there is no local answer to this query.

Thank you for your reply but I don't understand what you mean by "no local answer to this query". Would you mind please elaborating on this a bit so I can try to find out how to fix this? Thank you.

An [HTTPS] query is a non-standard query, and isn't yet supported in the RFCs (documents that govern internet protocols). This is discussed in the link I provided. The answer to [HTTPS] queries at this point in time will always be NXDOMAIN (the domain does not exist on the internet).

Your Pi-hole can answer [A] or [AAAA] queries for local domains, if it knows the names of the domains which match particular IP's.

Here is a brief description of the various sources (and the order in which they are used) for Pi-hole to provide a local domain name:

As an example, on my Pi I have all my regular network clients mapped in a hosts file. I can ask Pi-hole for the name or IP of a client, and it will look in the hosts file and provide it.

nanopi-neo:~:# nslookup printer
Server:		127.0.0.1
Address:	127.0.0.1#53

Name:	printer
Address: 192.168.0.4

nanopi-neo:~:# nslookup 192.168.0.4
4.0.168.192.in-addr.arpa	name = Printer.

Thanks. This makes more sense now. I have my name defined in the Local DNS Records section of the web UI and it seems like pihole is recognising this and resolving it correctly, but that doesn't answer the original question about the [HTTPS] queries being sent to the internet. Since Pihole doesn't understand [HTTPS] queries, does this mean that all DNS requests for my local resources from a web browser that uses DNS over HTTPS is sent to the internet and there's no way to stop it?

Please upload a debug log and post just the token URL that is generated after the log is uploaded by running the following command from the Pi-hole host terminal:

pihole -d

or do it through the Web interface:

Tools > Generate Debug Log

I think I understand your confusion.

The HTTPS query type and the https:// protocol are different things, but they use the same name (causing this confusion).

HTTPS is a type of DNS resource record, like: A, AAAA, DNSKEY, SOA, SRV, TXT, etc. (more record types).

In this context, HTTPS queries are not directly related to the use of the https:// protocol in your browser.


Note:

The debug log (asked for by Bucking_Horn) would help us understand why these queries are being sent to upstream servers.

Thank you. Here's the token.

https://tricorder.pi-hole.net/NSsHFS1E/

You can add the following line to your custom configuration /etc/dnsmasq.d/03-dhcp-options.conf:

local=/home/

then run a dnsmasq syntax check:

docker exec <container-name-or-id-here> pihole-FTL dnsmasq-test

If ok, restart your Pi-hole, e.g. via Settings | Restart DNS resolver.

This would configure Pi-hole to answer queries locally from DHCP, /etc/hosts, or its Local DNS record definitions, but to not forward *.home queries upstream.

Pi-hole v6 will include the respective configuration by default.


Unrelated to your observation, I noticed quite a few warnings similar to "no address range available for DHCP request via " in your debug log.

While those are harmless (unless you'd want to have Pi-hole's DHCP server to provide DHCP to those interfaces), you could consider explicitly configuring your Pi-hole container for your host's ovs_eth0 by setting its INTERFACE environment variable accordingly, and setting DNSMASQ_LISTENING to single.
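To make the effect of local=/home/ visible without reading the log by eye, here is an added audit script (my own example, not Pi-hole's code and not from any poster in this thread). It parses the pihole.log style lines quoted above and reports every query under a configured local zone that was forwarded to an upstream resolver. The two log excerpts are the ones posted in the thread; the regexes assume the default dnsmasq line format shown there (timestamp, then "query[TYPE] name from client" and "forwarded name to upstream").

```python
"""Audit Pi-hole / dnsmasq query logs for local-domain queries that were
forwarded to an upstream resolver.

Added example for this thread, not Pi-hole's own code. The log excerpts are
copied from the posts above; the parsing assumes the default pihole.log line
format they show.
"""
import re
from collections import defaultdict

# Log excerpt from before local=/home/ was added (copied from the thread).
LOG_BEFORE = """\
Mar 12 22:46:11: query[A] nas2.home from 192.168.1.246
Mar 12 22:46:11: Pi-hole hostname nas2.home is 192.168.1.2
Mar 12 22:46:11: query[HTTPS] _7878._https.nas2.home from 192.168.1.246
Mar 12 22:46:11: forwarded _7878._https.nas2.home to 8.8.4.4
Mar 12 22:46:11: reply _7878._https.nas2.home is NXDOMAIN
"""

# Log excerpt from after local=/home/ was added (copied from the thread).
LOG_AFTER = """\
Mar 15 09:19:40: query[A] pm.home from 192.168.1.245
Mar 15 09:19:40: /etc/pihole/custom.list pm.home is 192.168.1.4
Mar 15 09:19:40: query[HTTPS] _8006._https.pm.home from 192.168.1.245
Mar 15 09:19:40: config _8006._https.pm.home is NXDOMAIN
"""

# "Mar 12 22:46:11: query[HTTPS] name from client"
QUERY_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+: query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$"
)
# "Mar 12 22:46:11: forwarded name to upstream"
FORWARD_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+: forwarded (?P<name>\S+) to (?P<upstream>\S+)$"
)


def is_local_name(name, local_suffixes):
    """True if name lies inside one of the local zones.

    Suffixes may be given dnsmasq-style ("/home/") or bare ("home");
    matching is on whole labels, so "myhome.net" is not under "home".
    """
    labels = name.rstrip(".").lower().split(".")
    for suffix in local_suffixes:
        zone = suffix.strip("/").lower().split(".")
        if labels[-len(zone):] == zone:
            return True
    return False


def find_leaks(log_text, local_suffixes):
    """Return (name, qtype, client, upstream) for every query under a local
    zone that the log shows being forwarded upstream."""
    last_query = {}  # name -> (qtype, client) from the most recent query line
    leaks = []
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            last_query[m["name"]] = (m["qtype"], m["client"])
            continue
        m = FORWARD_RE.match(line)
        if m and is_local_name(m["name"], local_suffixes):
            qtype, client = last_query.get(m["name"], ("?", "?"))
            leaks.append((m["name"], qtype, client, m["upstream"]))
    return leaks


def summarize(leaks):
    """Count leaked queries per (query type, upstream) so a pattern such as
    "every HTTPS query goes to 8.8.4.4" stands out in a large log."""
    counts = defaultdict(int)
    for _name, qtype, _client, upstream in leaks:
        counts[(qtype, upstream)] += 1
    return dict(counts)


if __name__ == "__main__":
    for label, text in (("before", LOG_BEFORE), ("after", LOG_AFTER)):
        leaks = find_leaks(text, ["home"])
        print(f"{label}: {len(leaks)} local query/queries forwarded upstream")
        for name, qtype, client, upstream in leaks:
            print(f"  {qtype:6} {name} from {client} -> {upstream}")
```

Run against a real pihole.log by reading the file into find_leaks() with your own zone list; on the "before" excerpt it reports the single HTTPS query for _7878._https.nas2.home going to 8.8.4.4, and on the "after" excerpt it reports nothing, because the config line now answers NXDOMAIN locally.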

Thank you for your really helpful response. I've applied the local=/home/ option now and I think it's fixed it. Below is an excerpt of my log file, which no longer shows DNS requests for my local network resources being sent to the upstream DNS. Pihole receives the HTTPS query and responds with an NXDOMAIN reply, which seems like the correct behaviour given what you said previously. Does this now look OK to you?

Mar 15 09:19:40: query[A] pm.home from 192.168.1.245
Mar 15 09:19:40: /etc/pihole/custom.list pm.home is 192.168.1.4
Mar 15 09:19:40: query[HTTPS] _8006._https.pm.home from 192.168.1.245
Mar 15 09:19:40: config _8006._https.pm.home is NXDOMAIN

This "local" setting seems to be really important from a privacy perspective to prevent local DNS requests spilling out onto the internet. It wasn't obvious to me from the documentation that I needed to do this, and others might also have the same problem and not realise it unless they inspect their logs, so perhaps a really prominent paragraph in the documentation would be good, or a step-by-step guide on how to configure DNS and DHCP properly.

Thanks also for your advice regarding the warnings in the log. I'll test that later when nobody is using the network.

Thanks again for your support.

This will be handled better in the future, we already have a pull request awaiting review for the currently running Pi-hole v6 public beta:
