Stop upstream forwarding for local domain

I have set my local LAN domain to something like "foo", and have set my devices to names like "server1.foo", etc. All is good, but...

If I ping something NOT on my LAN, e.g. "asdf.foo", pi-hole logs show the DNS request going to the upstream DNS. How can I prevent upstream requests for "foo"?

My pi-hole is my only dhcp server on my network, and it has domain set to "foo". My DNS upstream servers are set for external servers, e.g. Google. I've enabled the DNS options to never forward non-fqdn and reverse private lookups. I've not enabled the conditional forwarding option since my pi-hole is my only dhcp server.

I've searched these forums and others, but haven't found an answer. I'm not understanding something simple.

Some DNS settings:

Some DHCP settings:

Solution: Be sure to hit the "Save" button when updating the DNS settings on the settings page. Changing options like the very important Never forward non-FQDNs does not save them. The options may appear changed on the settings page even after a reboot, but the changes are not effective until you save them.

You will want to select the first checkbox here - on the admin GUI > Settings > DNS page.

Thanks -- I had already selected that option (I updated my post with a few screenshots). I also verified that when I ping a bogus hostname on my local domain, pi-hole forwards it to my upstream server (Google). Maybe I don't understand "When there is a Pi-hole domain..." I see only the domain setting on the DHCP tab.

You probably do NOT want to use any old, made up domain for your home lan. This article has a nice explanation of why not: What domain name to use for your home network.

Please upload a debug log and post just the token that is generated after the log is uploaded by running the following command from the Pi-hole host terminal:

pihole -d

or do it through the Web interface:

Tools > Generate Debug Log

In addition, please share your dnsmasq configuration details.
These can be retrieved by running the following command on your Pi-hole host machine:

grep -nRv '^#\|^$' /etc/dnsmasq.*

As requested:

https://tricorder.pi-hole.net/74NBOimr/

pi@pihole:~ $ grep -nRv '^#\|^$' /etc/dnsmasq.*
/etc/dnsmasq.conf:1:conf-dir=/etc/dnsmasq.d
/etc/dnsmasq.conf.old:642:conf-dir=/etc/dnsmasq.d
/etc/dnsmasq.d/02-pihole-dhcp.conf:5:dhcp-authoritative
/etc/dnsmasq.d/02-pihole-dhcp.conf:6:dhcp-range=192.168.1.100,192.168.1.200,24h
/etc/dnsmasq.d/02-pihole-dhcp.conf:7:dhcp-option=option:router,192.168.1.1
/etc/dnsmasq.d/02-pihole-dhcp.conf:8:dhcp-leasefile=/etc/pihole/dhcp.leases
/etc/dnsmasq.d/02-pihole-dhcp.conf:11:domain=foo
/etc/dnsmasq.d/02-pihole-dhcp.conf:14:dhcp-option=option6:dns-server,[::]
/etc/dnsmasq.d/02-pihole-dhcp.conf:15:dhcp-range=::100,::1ff,constructor:eth0,ra-names,slaac,24h
/etc/dnsmasq.d/02-pihole-dhcp.conf:16:ra-param=*,0,0
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:1:dhcp-host=b4:..:51,192.168.1.3,unifi-cloudkey-foo
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:2:dhcp-host=ac:..:87,192.168.1.10,alpha-ipmi
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:3:dhcp-host=ac:..:0e,192.168.1.12,alpha
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:4:dhcp-host=4a:..:97,192.168.1.13,alpha-transmission
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:5:dhcp-host=02:..:0c,192.168.1.14,alpha-sonarr
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:6:dhcp-host=9e:..:c3,192.168.1.15,alpha-sabnzbd
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:7:dhcp-host=ba:..:7d,192.168.1.16,alpha-radarr
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:8:dhcp-host=02:..:19,192.168.1.18,media
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:9:dhcp-host=34:..:82,192.168.1.19,hp-printer
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:10:dhcp-host=70:..:16,192.168.1.20,lepton
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:11:dhcp-host=02:..:8c,192.168.1.23,mariadb
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:12:dhcp-host=02:..:27,192.168.1.24,emby
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:13:dhcp-host=24:..:0c,192.168.1.26,tv
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:14:dhcp-host=d4:..:16,192.168.1.27,meferree
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:15:dhcp-host=00:..:8e,192.168.1.28,alpha-docker
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:16:dhcp-host=02:..:f9,192.168.1.29,yt-server
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:17:dhcp-host=02:..:40,192.168.1.30,calibre
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:18:dhcp-host=b6:..:1f,192.168.1.31,mfg-pixel5
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:19:dhcp-host=52:..:14,192.168.1.32,mef-pixel5
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:20:dhcp-host=dc:..:86,192.168.1.33,mgering-lap
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:21:dhcp-host=ac:..:c4,192.168.1.112,mef-pixel
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:22:dhcp-host=30:..:7B,192.168.1.50,brother-printer
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:23:dhcp-host=00:..:4D,192.168.1.60,alphocker
/etc/dnsmasq.d/01-pihole.conf:21:addn-hosts=/etc/pihole/local.list
/etc/dnsmasq.d/01-pihole.conf:22:addn-hosts=/etc/pihole/custom.list
/etc/dnsmasq.d/01-pihole.conf:25:localise-queries
/etc/dnsmasq.d/01-pihole.conf:28:no-resolv
/etc/dnsmasq.d/01-pihole.conf:32:cache-size=10000
/etc/dnsmasq.d/01-pihole.conf:34:log-queries
/etc/dnsmasq.d/01-pihole.conf:35:log-facility=/var/log/pihole.log
/etc/dnsmasq.d/01-pihole.conf:37:local-ttl=2
/etc/dnsmasq.d/01-pihole.conf:39:log-async
/etc/dnsmasq.d/01-pihole.conf:40:server=8.8.8.8
/etc/dnsmasq.d/01-pihole.conf:41:server=8.8.4.4
/etc/dnsmasq.d/01-pihole.conf:42:interface=eth0
/etc/dnsmasq.d/01-pihole.conf:43:server=/use-application-dns.net/
/etc/dnsmasq.d/01-pihole.conf:44:dhcp-name-match=set:hostname-ignore,wpad
/etc/dnsmasq.d/01-pihole.conf:45:dhcp-name-match=set:hostname-ignore,localhost
/etc/dnsmasq.d/01-pihole.conf:46:dhcp-ignore-names=tag:hostname-ignore
/etc/dnsmasq.d/05-pihole-custom-cname.conf:1:cname=foo1.foo,alphocker.foo
/etc/dnsmasq.d/05-pihole-custom-cname.conf:2:cname=foo2.foo,alphocker.foo
/etc/dnsmasq.d/05-pihole-custom-cname.conf:3:cname=foo3.foo,alphocker.foo
/etc/dnsmasq.d/05-pihole-custom-cname.conf:4:cname=foo4.foo,alphocker.foo
/etc/dnsmasq.d/05-pihole-custom-cname.conf:5:cname=foo5.foo,alphocker.foo

Your debug log suggests that Never forward non-FQDNs isn't checked.

This is consistent with your dnsmasq configuration, where a local line like the following is absent:

domain=lan
local=/lan/

Since Pi-hole is your DHCP server, ticking the Never forward non-FQDNs box on Pi-hole's DNS tab and clicking Save should fix your issue.

Oh, now I see the light. I had checked the Never forward... box, and pi-hole remembered it even after rebooting. I looked at /etc/pihole/setupVars.conf and noticed there was nothing about fqdn there until I hit the Save button. Then I see DNS_FQDN_REQUIRED=true is now there.

Even better, the problem is gone; forwarding upstream is stopped for the local domain.
I'll investigate more, but I did check that box (see the embedded capture).

I'm left wondering about the wording of that option. It says, literally, that non-fqdn should not be forwarded. But foobar.dawson is a fqdn for the host foobar in the dawson domain.

The description seems sufficient, but the Never forward non-FQDNs name itself only tells one half of the story. It primarily controls the domain-needed and expand-hosts options in 01-pihole.conf.
Once you enable Pi-hole's DHCP server, the local=/foo/ option will be added to 02-pihole-dhcp.conf, unless Never forward non-FQDNs isn't checked.

I believe this dependency was introduced after FTL 5.3 was released (as a result of a discussion from Private host names not sent to upstream since v5.3.2).

Correct! But I failed to hit the "Save" button. Selecting this checkbox and verifying it is still set after a reboot was not enough; I had to hit the "Save" button.

Good catch. I discovered that it was checked in the UI but not effective in the running config. I noticed that /etc/pihole/setupVars.conf was missing this setting: DNS_FQDN_REQUIRED=true. After I hit the Save button, setupVars had this setting. And life became good again.
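
An added check, not part of the original thread or of Pi-hole's own tooling, for the condition diagnosed above: the checkbox shows as ticked, but neither `DNS_FQDN_REQUIRED=true` nor the `local=/<domain>/` and `domain-needed` lines reached the running configuration, so lookups for the local domain can still go upstream. The function names and the sample files are constructed for illustration; on the host in this thread the arguments would be `/etc/pihole/setupVars.conf` and `/etc/dnsmasq.d`.

```shell
#!/bin/sh
# Usage: audit_local_domain <setupVars.conf> <dnsmasq.d directory>
# Returns 0 = local domain stays local, 1 = it can be forwarded upstream,
#         2 = no domain= line found (nothing to audit).
audit_local_domain() {
    setupvars=$1
    confdir=$2
    # domain=<name> is written when Pi-hole's DHCP server is enabled.
    domain=$(grep -hs '^domain=' "$confdir"/*.conf | head -n 1 | cut -d= -f2)
    if [ -z "$domain" ]; then
        echo "no domain= line found in $confdir"
        return 2
    fi
    status=0
    # The GUI checkbox only takes effect once Save writes this key.
    if ! grep -qsx 'DNS_FQDN_REQUIRED=true' "$setupvars"; then
        echo "MISSING DNS_FQDN_REQUIRED=true in $setupvars"
        status=1
    fi
    # local=/<domain>/ makes dnsmasq answer this domain locally only.
    if ! grep -qsxF "local=/$domain/" "$confdir"/*.conf; then
        echo "MISSING local=/$domain/ in $confdir"
        status=1
    fi
    # domain-needed keeps plain names (no dot) from being forwarded.
    if ! grep -qsx 'domain-needed' "$confdir"/*.conf; then
        echo "MISSING domain-needed in $confdir"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: queries for $domain stay local"
    return "$status"
}

# Constructed sample files: the thread's state before and after pressing Save.
demo() {
    d=$(mktemp -d)
    mkdir "$d/dnsmasq.d"
    printf 'domain=foo\n' > "$d/dnsmasq.d/02-pihole-dhcp.conf"
    printf 'server=8.8.8.8\n' > "$d/dnsmasq.d/01-pihole.conf"
    : > "$d/setupVars.conf"
    before=0; audit_local_domain "$d/setupVars.conf" "$d/dnsmasq.d" || before=$?
    printf 'domain=foo\nlocal=/foo/\n' > "$d/dnsmasq.d/02-pihole-dhcp.conf"
    printf 'domain-needed\nexpand-hosts\n' > "$d/dnsmasq.d/01-pihole.conf"
    printf 'DNS_FQDN_REQUIRED=true\n' > "$d/setupVars.conf"
    after=0; audit_local_domain "$d/setupVars.conf" "$d/dnsmasq.d" || after=$?
    rm -rf "$d"
    echo "before=$before after=$after"
}
demo
```
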
