SOA Queries From 'local' Are Spamming Upstream DNS Server


#1

Expected Behaviour:

SOA queries for ‘local’ coming into Pi-hole would not be forwarded to the upstream DNS server.

Actual Behaviour:

According to my log files, a ton of these ‘local’ queries are spamming my upstream DNS servers. Each time one of these queries is forwarded, I’m getting a SERVFAIL error response back from Cloudflare (as I would expect). Here is something that I see over and over again in my pihole.log file:

Feb  9 20:22:23 dnsmasq[541]: query[SOA] local from 192.168.1.39
Feb  9 20:22:23 dnsmasq[541]: forwarded local to 1.1.1.1
Feb  9 20:22:23 dnsmasq[541]: forwarded local to 1.0.0.1
Feb  9 20:22:23 dnsmasq[541]: forwarded local to 1.1.1.1
Feb  9 20:22:23 dnsmasq[541]: reply error is SERVFAIL
Feb  9 20:22:33 dnsmasq[541]: query[SOA] local from 192.168.1.39
Feb  9 20:22:33 dnsmasq[541]: forwarded local to 1.1.1.1
Feb  9 20:22:33 dnsmasq[541]: forwarded local to 1.0.0.1
Feb  9 20:22:33 dnsmasq[541]: forwarded local to 1.1.1.1
Feb  9 20:22:33 dnsmasq[541]: reply error is SERVFAIL

My Pi-hole is handling DNS. My Orbi router is handling DHCP. I’m just testing everything now from a Macbook Pro that I’ve configured to point to the Pi-hole DNS server in my Network Preferences. Just trying to make sure everything is working as expected before switching the router to use the Pi-hole for DNS. Let me know if I can provide any other information - I feel like a bad net citizen for unnecessarily spamming the upstream DNS servers.

Debug Token:

hz722p4goc


#2

Is the MacBook Pro at IP 192.168.1.139?

What is your network domain name as defined on the Orbi?


#4

Hi jfb - thanks for the quick response!

Yes - 192.168.1.139 is the IP address of the Macbook Pro.

RE: the network domain name. I dug all through the Orbi settings, checked everywhere in the router administration UI, and I don’t see a field holding that value (or anything similar) anywhere. I don’t believe the Orbi allows the user to configure that value.

I can enable debug mode and telnet into the router, though. If you know where I should look in the file system for that value, I can jump into the router, read a file, and grab it. Let me know.

Thanks!


#5

You can enable this setting in Pi-hole to only forward FQDNs (domains with more than a single segment):
DNS -> Never forward non-FQDNs


#6

Ah - great, thanks for the pointer. I see that option in Settings -> DNS -> ‘Never forward non-FQDNs’, but the checkbox is already checked. Since it’s checked, pi-hole shouldn’t be forwarding ‘local’ to the upstream DNS provider, correct, because it isn’t a fully-qualified domain name?

Is it just a bug in the version of pi-hole that I’m running (Pi-hole Version v4.2.1, Web Interface Version v4.2, FTL Version v4.2.1)?

Do you have any other suggestions on how I could stop this from happening?


#7

That option is handled by dnsmasq, and we do not mess with it.
The option in the Pi-hole web interface toggles the domain-needed dnsmasq option. This option only applies to IPv4 (A) and IPv6 (AAAA) queries. The query in your log is an SOA query.

Tells dnsmasq to never forward A or AAAA queries for plain names, without dots or domain parts, to upstream nameservers. If the name is not known from /etc/hosts or DHCP then a “not found” answer is returned.

http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html
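As an added example (not code from the thread, from Pi-hole or from dnsmasq), a small Python script that scans pihole.log lines in the format quoted above, lists single-label names that were actually forwarded upstream, and separates out the record types that the domain-needed option does not cover (anything other than A/AAAA). The sample log is constructed from the lines in the thread plus two extra queries for contrast.

```python
import re
from collections import Counter

# Constructed sample in pihole.log (dnsmasq log-queries) format: the SOA lines
# from the thread, one single-label A query that was not forwarded, and one
# normal FQDN query that was.
SAMPLE_LOG = """\
Feb  9 20:22:23 dnsmasq[541]: query[SOA] local from 192.168.1.39
Feb  9 20:22:23 dnsmasq[541]: forwarded local to 1.1.1.1
Feb  9 20:22:23 dnsmasq[541]: forwarded local to 1.0.0.1
Feb  9 20:22:23 dnsmasq[541]: reply error is SERVFAIL
Feb  9 20:22:24 dnsmasq[541]: query[A] printer from 192.168.1.39
Feb  9 20:22:33 dnsmasq[541]: query[SOA] local from 192.168.1.39
Feb  9 20:22:33 dnsmasq[541]: forwarded local to 1.1.1.1
Feb  9 20:22:33 dnsmasq[541]: reply error is SERVFAIL
Feb  9 20:22:40 dnsmasq[541]: query[A] example.com from 192.168.1.39
Feb  9 20:22:40 dnsmasq[541]: forwarded example.com to 1.1.1.1
"""

QUERY_RE = re.compile(r"dnsmasq\[\d+\]: query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)")
FORWARD_RE = re.compile(r"dnsmasq\[\d+\]: forwarded (?P<name>\S+) to (?P<server>\S+)")


def is_fqdn(name):
    """A name with at least one dot; 'local' or 'printer' is a plain single-label name."""
    return "." in name.strip(".")


def find_forwarded_non_fqdn(log_text):
    """Map (qtype, name, client) -> number of 'forwarded' lines for single-label names.

    dnsmasq logs the query line first and the forwarded line(s) afterwards, so each
    forwarded line is attributed to the most recent query seen for that name. Retries
    to a second upstream (1.0.0.1 above) count as separate forwards, which is the
    upstream load the thread is worried about."""
    last_query = {}          # name -> (qtype, client) of the latest query for it
    forwards = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            last_query[m["name"]] = (m["qtype"], m["client"])
            continue
        m = FORWARD_RE.search(line)
        if m and not is_fqdn(m["name"]):
            qtype, client = last_query.get(m["name"], ("?", "?"))
            forwards[(qtype, m["name"], client)] += 1
    return forwards


def not_covered_by_domain_needed(forwards):
    """Entries whose record type domain-needed does not block (everything but A/AAAA)."""
    return {k: v for k, v in forwards.items() if k[0] not in ("A", "AAAA")}


if __name__ == "__main__":
    leaked = find_forwarded_non_fqdn(SAMPLE_LOG)
    for (qtype, name, client), n in sorted(leaked.items()):
        print(f"{client} -> {qtype} {name}: forwarded {n} times")
    print("not covered by domain-needed:", not_covered_by_domain_needed(leaked))
```

Run it against a real file with `find_forwarded_non_fqdn(open("/var/log/pihole.log").read())`; any non-A/AAAA entry in the result is a query type the checkbox in Settings -> DNS will not stop, which is exactly the SOA case in this thread.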