SOA Queries From 'local' Are Spamming Upstream DNS Server


Expected Behaviour:

SOA queries from ‘local’ coming into Pi-hole would not be forwarded to Upstream DNS server.

Actual Behaviour:

According to my log files, a ton of these ‘local’ queries are spamming my upstream DNS servers. Each time one of these queries is forwarded, I’m getting a SERVFAIL error response back from Cloudflare (as I would expect). Here is something that I see over and over again in my pihole.log file:

Feb  9 20:22:23 dnsmasq[541]: query[SOA] local from
Feb  9 20:22:23 dnsmasq[541]: forwarded local to
Feb  9 20:22:23 dnsmasq[541]: forwarded local to
Feb  9 20:22:23 dnsmasq[541]: forwarded local to
Feb  9 20:22:23 dnsmasq[541]: reply error is SERVFAIL
Feb  9 20:22:33 dnsmasq[541]: query[SOA] local from
Feb  9 20:22:33 dnsmasq[541]: forwarded local to
Feb  9 20:22:33 dnsmasq[541]: forwarded local to
Feb  9 20:22:33 dnsmasq[541]: forwarded local to
Feb  9 20:22:33 dnsmasq[541]: reply error is SERVFAIL

My Pi-hole is handling DNS. My Orbi router is handling DHCP. I’m just testing everything now from a Macbook Pro that I’ve configured to point to the Pi-hole DNS server in my Network Preferences. Just trying to make sure everything is working as expected before switching the router to use the Pi-hole for DNS. Let me know if I can provide any other information - I feel like a bad net citizen for unnecessarily spamming the upstream DNS servers.

Debug Token:




Is the MacBook Pro at IP

What is your network domain name as defined on the Orbi?



Hi jfb - thanks for the quick response!

Yes - is the IP address of the Macbook Pro.

RE: the network domain name. I dug all through the Orbi settings, checked everywhere in the router administration UI, and I don’t see a field holding that value (or anything similar) anywhere. I don’t believe the Orbi allows the user to configure that value.

I can enable debug mode, and telnet in the router, though. If you know where I should look in the file system for that value, I can jump into the router, read a file, and grab it. Let me know.




You can enable this setting in Pi-hole to only forward FQDNs (domains with more than a single segment):
DNS -> Never forward non-FQDNs

1 Like


Ah - great, thanks for the pointer. I see that option in Settings -> DNS -> ‘Never forward non-FQDNs’, but the checkbox is already checked. Since it’s checked, pi-hole shouldn’t be forwarding ‘local’ to the upstream DNS provider, correct, because it isn’t a fully-qualified domain name?

Is it just a bug in the version of pi-hole that I’m running ( Pi-hole Version v4.2.1 Web Interface Version v4.2 FTL Version v4.2.1)?

Do you have any other suggestions on how I could stop this from happening?



That option is handled by dnsmasq, and we do not mess with it.
The option in the Pi-hole web interface toggles the domain-needed dnsmasq option. This option only applies to IPv4 (A) and IPv6 (AAAA) queries. The query in your log is an SOA query.

Tells dnsmasq to never forward A or AAAA queries for plain names, without dots or domain parts, to upstream nameservers. If the name is not known from /etc/hosts or DHCP then a “not found” answer is returned.



I had the same problem of constant ‘local’ SOA requests but I’m not on mac… I checked my dnsmasq config and pi-hole DNS settings and everything was as expected (domain-needed was present and 'never … etc." were correctly ticked).

Anyway - I have narrowed down the cause to Chrome.

When I have the pi-hole admin console saved on my chromebook as a shortcut with the URL: http://raspberrypi.local/admin, then I get constant SOA requests from my chromebook.

When I have the actual IP adress (ie. as my shortcut, then I do not get any SOA requests.

Of course I always leave the admin window open when I’m following what’s happening - if I close http://raspberypi.local/admin then the requests seem to stop.

Hope this helps

1 Like

closed #9

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.