SOA queries from 'local' coming into Pi-hole would not be forwarded to Upstream DNS server.
Actual Behaviour:
According to my log files, a ton of these 'local' queries are spamming my upstream DNS servers. Each time one of these queries is forwarded, I'm getting a SERVFAIL error response back from Cloudflare (as I would expect). Here is something that I see over and over again in my pihole.log file:
Feb 9 20:22:23 dnsmasq[541]: query[SOA] local from 192.168.1.39
Feb 9 20:22:23 dnsmasq[541]: forwarded local to 1.1.1.1
Feb 9 20:22:23 dnsmasq[541]: forwarded local to 1.0.0.1
Feb 9 20:22:23 dnsmasq[541]: forwarded local to 1.1.1.1
Feb 9 20:22:23 dnsmasq[541]: reply error is SERVFAIL
Feb 9 20:22:33 dnsmasq[541]: query[SOA] local from 192.168.1.39
Feb 9 20:22:33 dnsmasq[541]: forwarded local to 1.1.1.1
Feb 9 20:22:33 dnsmasq[541]: forwarded local to 1.0.0.1
Feb 9 20:22:33 dnsmasq[541]: forwarded local to 1.1.1.1
Feb 9 20:22:33 dnsmasq[541]: reply error is SERVFAIL
My Pi-hole is handling DNS. My Orbi router is handling DHCP. I'm just testing everything now from a Macbook Pro that I've configured to point to the Pi-hole DNS server in my Network Preferences. Just trying to make sure everything is working as expected before switching the router to use the Pi-hole for DNS. Let me know if I can provide any other information - I feel like a bad net citizen for unnecessarily spamming the upstream DNS servers.
Yes - 192.168.1.139 is the IP address of the Macbook Pro.
RE: the network domain name. I dug all through the Orbi settings, checked everywhere in the router administration UI, and I don't see a field holding that value (or anything similar) anywhere. I don't believe the Orbi allows the user to configure that value.
I can enable debug mode and telnet into the router, though. If you know where I should look in the file system for that value, I can jump into the router, read a file, and grab it. Let me know.
Ah - great, thanks for the pointer. I see that option in Settings -> DNS -> 'Never forward non-FQDNs', but the checkbox is already checked. Since it's checked, pi-hole shouldn't be forwarding 'local' to the upstream DNS provider, correct, because it isn't a fully-qualified domain name?
Is it just a bug in the version of pi-hole that I'm running (Pi-hole Version v4.2.1, Web Interface Version v4.2, FTL Version v4.2.1)?
Do you have any other suggestions on how I could stop this from happening?
That option is handled by dnsmasq, and we do not mess with it.
The option in the Pi-hole web interface toggles the domain-needed dnsmasq option. This option only applies to IPv4 (A) and IPv6 (AAAA) queries. The query in your log is an SOA query.
Tells dnsmasq to never forward A or AAAA queries for plain names, without dots or domain parts, to upstream nameservers. If the name is not known from /etc/hosts or DHCP then a "not found" answer is returned.
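The gap described in the reply above (domain-needed covers only A and AAAA, so an SOA query for a plain name still goes upstream) can be measured directly from pihole.log. This is an added example, not part of the original thread or Pi-hole's own code; the function names and the example.com lines are constructed, and the log format is the one quoted earlier in the thread.

```python
import re
from collections import Counter

# Constructed sample in the dnsmasq log format quoted in the thread.
SAMPLE_LOG = """\
Feb 9 20:22:23 dnsmasq[541]: query[SOA] local from 192.168.1.39
Feb 9 20:22:23 dnsmasq[541]: forwarded local to 1.1.1.1
Feb 9 20:22:23 dnsmasq[541]: forwarded local to 1.0.0.1
Feb 9 20:22:23 dnsmasq[541]: reply error is SERVFAIL
Feb 9 20:22:25 dnsmasq[541]: query[A] example.com from 192.168.1.39
Feb 9 20:22:25 dnsmasq[541]: forwarded example.com to 1.1.1.1
Feb 9 20:22:33 dnsmasq[541]: query[SOA] local from 192.168.1.39
Feb 9 20:22:33 dnsmasq[541]: forwarded local to 1.1.1.1
"""

QUERY = re.compile(r"dnsmasq\[\d+\]: query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$")
FORWARD = re.compile(r"dnsmasq\[\d+\]: forwarded (?P<name>\S+) to (?P<upstream>\S+)$")

# domain-needed only withholds these two query types for plain names.
COVERED_BY_DOMAIN_NEEDED = {"A", "AAAA"}


def is_plain_name(name):
    """True for a name with no dots or domain part (a trailing root dot is ignored)."""
    return "." not in name.rstrip(".")


def leaked_plain_queries(log_text):
    """Count plain-name queries of types domain-needed ignores that reached an upstream.

    Returns a Counter keyed by (client, qtype, name). Each query is counted once,
    however many upstream servers it was sent to.
    """
    leaks = Counter()
    pending = {}  # name -> (client, qtype) of the latest query not yet seen forwarded
    for line in log_text.splitlines():
        m = QUERY.search(line)
        if m:
            pending[m["name"]] = (m["client"], m["qtype"])
            continue
        m = FORWARD.search(line)
        if m and m["name"] in pending:
            client, qtype = pending.pop(m["name"])
            if is_plain_name(m["name"]) and qtype not in COVERED_BY_DOMAIN_NEEDED:
                leaks[(client, qtype, m["name"])] += 1
    return leaks


if __name__ == "__main__":
    for (client, qtype, name), n in leaked_plain_queries(SAMPLE_LOG).items():
        print(f"{client} sent {n} {qtype} queries for plain name '{name}' upstream")
```

Grouping by client and query type shows which device is generating the plain-name queries and confirms that they are a type the 'Never forward non-FQDNs' checkbox does not filter.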
I had the same problem of constant 'local' SOA requests, but I'm not on a Mac... I checked my dnsmasq config and pi-hole DNS settings and everything was as expected (domain-needed was present and 'never ... etc.' was correctly ticked).
Anyway - I have narrowed down the cause to Chrome.
When I have the pi-hole admin console saved on my chromebook as a shortcut with the URL: http://raspberrypi.local/admin, then I get constant SOA requests from my chromebook.
When I have the actual IP address (i.e. http://192.168.1.101/admin) as my shortcut, then I do not get any SOA requests.
Of course I always leave the admin window open when I'm following what's happening - if I close http://raspberypi.local/admin then the requests seem to stop.