PSA Android sending DNS queries flagged as non-recursive

It appears that since my phone took up the June 2023 Android security updates, queries for some Google/Android-related domains are often being sent flagged as non-recursive.

Many upstream providers respond to these queries with REFUSED, as does unbound for those running their own recursive resolver, and pihole naturally forwards this response. (Google 8.8.8.8 and Cloudflare 1.1.1.1 both provide normal responses, but quad9 9.9.9.9 for example responds REFUSED).

For now it doesn't appear to be actively breaking anything, as the phone winds up also querying the domains recursively after a time. It may be causing delays and sluggishness until the other queries complete.

However, it may become more of an issue if the non-recursive fallback is deprioritized or even completely removed in a future android update.

One workaround is to specify upstream servers directly for dnsmasq for these google domains. That way any blocked domains specified via pihole blocklists remain in place and take precedence, but any of these google-related domains not blocked will be passed to google. Meanwhile queries for all other domains will be serviced by pihole and your specified provider as per normal.

Workaround

Create a file with the following content in /etc/dnsmasq.d/09-google-nr.conf, then restart the DNS resolver.

server=/google.com/8.8.8.8
server=/googleapis.com/8.8.8.8
server=/gmail.com/8.8.8.8
server=/googleusercontent.com/8.8.8.8

Example of queries flagged as non-recursive being REFUSED

[image attachment]

pihole.log excerpt

Jul  1 09:44:31 dnsmasq[4996]: query[A] play-fe.googleapis.com from 192.168.1.1
Jul  1 09:44:31 dnsmasq[4996]: forwarded play-fe.googleapis.com to XX.XX.XX.XX
Jul  1 09:44:31 dnsmasq[4996]: reply error is REFUSED
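To spot this pattern in a larger pihole.log without reading it by hand, the following Python script (an added example, not part of the original post) scans dnsmasq log lines in the format shown above, pairs each "reply error is REFUSED" line with the "forwarded" line that preceded it for the same dnsmasq process, and counts how often each name was refused. It then proposes dnsmasq server= lines for the affected parent domains, in the style of the workaround. The log lines are constructed samples; the upstream address 203.0.113.53 and the naive "last two labels" parent-domain rule are assumptions of the example, not anything the post states.

```python
import re
from collections import Counter

# Constructed sample in the same format as the pihole.log excerpt (not real traffic).
SAMPLE_LOG = """\
Jul  1 09:44:31 dnsmasq[4996]: query[A] play-fe.googleapis.com from 192.168.1.1
Jul  1 09:44:31 dnsmasq[4996]: forwarded play-fe.googleapis.com to 203.0.113.53
Jul  1 09:44:31 dnsmasq[4996]: reply error is REFUSED
Jul  1 09:44:32 dnsmasq[4996]: query[A] example.com from 192.168.1.20
Jul  1 09:44:32 dnsmasq[4996]: forwarded example.com to 203.0.113.53
Jul  1 09:44:32 dnsmasq[4996]: reply example.com is 93.184.216.34
Jul  1 09:44:35 dnsmasq[4996]: query[A] play-fe.googleapis.com from 192.168.1.1
Jul  1 09:44:35 dnsmasq[4996]: forwarded play-fe.googleapis.com to 203.0.113.53
Jul  1 09:44:35 dnsmasq[4996]: reply error is REFUSED
Jul  1 09:44:40 dnsmasq[4996]: query[A] play-fe.googleapis.com from 192.168.1.1
Jul  1 09:44:40 dnsmasq[4996]: forwarded play-fe.googleapis.com to 203.0.113.53
Jul  1 09:44:40 dnsmasq[4996]: reply play-fe.googleapis.com is 142.250.0.1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) dnsmasq\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
QUERY_RE = re.compile(r"^query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$")
FORWARD_RE = re.compile(r"^forwarded (?P<name>\S+) to (?P<upstream>\S+)$")
REFUSED_RE = re.compile(r"^reply error is REFUSED$")


def find_refused(log_text):
    """Return (Counter of refused names, list of (ts, name, client, upstream)).

    The "reply error is REFUSED" line carries no name, so it is attributed to the
    most recent "forwarded" line from the same dnsmasq pid. Under heavy concurrent
    load that adjacency can mis-attribute a reply; treat the result as a lead,
    and confirm with a packet capture as the post does.
    """
    last_forward = {}   # pid -> (name, upstream)
    client_of = {}      # pid -> {name: client}
    refused = Counter()
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        q = QUERY_RE.match(msg)
        if q:
            client_of.setdefault(pid, {})[q["name"]] = q["client"]
            continue
        f = FORWARD_RE.match(msg)
        if f:
            last_forward[pid] = (f["name"], f["upstream"])
            continue
        if REFUSED_RE.match(msg) and pid in last_forward:
            name, upstream = last_forward[pid]
            refused[name] += 1
            events.append((m["ts"], name, client_of.get(pid, {}).get(name, "?"), upstream))
    return refused, events


def parent_domain(name, labels=2):
    """Naive registrable-domain guess: keep the last `labels` labels (assumption;
    no public suffix list is consulted, so co.uk-style names would be wrong)."""
    return ".".join(name.rstrip(".").split(".")[-labels:])


def suggest_server_lines(refused, upstream="8.8.8.8"):
    """Produce dnsmasq server=/domain/ip lines for each refused parent domain."""
    parents = sorted({parent_domain(n) for n in refused})
    return [f"server=/{p}/{upstream}" for p in parents]


if __name__ == "__main__":
    counts, evs = find_refused(SAMPLE_LOG)
    for ts, name, client, upstream in evs:
        print(f"{ts} {name} from {client} REFUSED by {upstream}")
    print("\n".join(suggest_server_lines(counts)))
```

Run it against a real log with `find_refused(open("/var/log/pihole/pihole.log").read())`; names that are refused repeatedly and then later answered normally are the signature the post describes.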

Query and response details from wireshark:

QUERY:
Domain Name System (query)
    Transaction ID: 0x6039
    Flags: 0x0010 Standard query
        0... .... .... .... = Response: Message is a query
        .000 0... .... .... = Opcode: Standard query (0)
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... .0.. .... = Z: reserved (0)
        .... .... ...1 .... = Non-authenticated data: Acceptable
    Queries
        safebrowsing.googleapis.com: type A, class IN

RESPONSE:
Domain Name System (response)
    Transaction ID: 0x6039
    Flags: 0x8095 Standard query response, Refused
        1... .... .... .... = Response: Message is a response
        .000 0... .... .... = Opcode: Standard query (0)
        .... .0.. .... .... = Authoritative: Server is not an authority for domain
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... 1... .... = Recursion available: Server can do recursive queries
        .... .... .0.. .... = Z: reserved (0)
        .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
        .... .... ...1 .... = Non-authenticated data: Acceptable
        .... .... .... 0101 = Reply code: Refused (5)
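The flag words Wireshark decodes above (0x0010 on the query, 0x8095 on the response) can be checked programmatically. The Python below is an added example, not code from the original post: it builds minimal DNS messages with the transaction ID, flags and question name from the capture (constructed in memory, no network traffic), decodes the 16-bit flags field according to RFC 1035/4035 bit positions, and reports whether a message is a query with RD cleared or a response carrying RCODE 5 (REFUSED). The `build_message` helper and the zero answer section are assumptions of the example; a real response would also carry answer records.

```python
import struct

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_message(txid, flags, qname, qtype=1, qclass=1):
    """Constructed header + one question, no answer records (example helper)."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, qclass)


def decode_name(data, offset):
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:
            raise ValueError("compression pointers not handled in this example")
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_header(data):
    """Decode the 12-byte header flags into named fields (plus the first QNAME)."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    fields = {
        "id": txid,
        "flags": flags,
        "qr": bool(flags & 0x8000),        # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & 0x0400),
        "tc": bool(flags & 0x0200),
        "rd": bool(flags & 0x0100),        # Recursion Desired
        "ra": bool(flags & 0x0080),        # Recursion Available
        "ad": bool(flags & 0x0020),        # Authenticated Data
        "cd": bool(flags & 0x0010),        # Checking Disabled ("Non-authenticated data: Acceptable")
        "rcode": flags & 0x000F,
        "qdcount": qd,
    }
    fields["rcode_name"] = RCODE_NAMES.get(fields["rcode"], str(fields["rcode"]))
    if qd:
        fields["qname"], _ = decode_name(data, 12)
    return fields


def is_non_recursive_query(data):
    """True for the problematic case: a query (QR=0) with RD cleared."""
    h = parse_header(data)
    return not h["qr"] and not h["rd"]


def is_refused_response(data):
    h = parse_header(data)
    return h["qr"] and h["rcode"] == 5


if __name__ == "__main__":
    # Values taken from the Wireshark decode above.
    query = build_message(0x6039, 0x0010, "safebrowsing.googleapis.com")
    response = build_message(0x6039, 0x8095, "safebrowsing.googleapis.com")
    for label, msg in (("QUERY", query), ("RESPONSE", response)):
        h = parse_header(msg)
        print(f"{label}: id=0x{h['id']:04x} flags=0x{h['flags']:04x} "
              f"rd={h['rd']} ra={h['ra']} cd={h['cd']} rcode={h['rcode_name']} qname={h['qname']}")
    print("non-recursive query:", is_non_recursive_query(query))
    print("refused response:", is_refused_response(response))
```

The same `parse_header` can be pointed at the UDP payload of captured packets; an RD=0 query followed by a REFUSED response with the same transaction ID is the exchange shown in the capture, and an upstream that sets RA but still refuses is behaving as the post describes for Quad9.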
