Recently I have noticed some strange DNS requests.
Imagine a device has a fqdn like foon.wifi.lan (Android) or pandora.wired.lan (Windows 11).
Meaning that wifi.lan and wired.lan are the domain names for vlans - which are only local.
Pihole shows strange DNS requests like microsoft.com.wired.lan and googleads.g.doubleclick.net.wifi.lan.
A few seconds before, there are requests to microsoft.com and googleads.g.doubleclick.net.
Where the googleads request is blocked (as expected) - the request for microsoft.com is not blocked.
Does anybody have an idea where these strange requests are coming from?
Is there a pihole/dnsmasq setting attached to this?
Since .lan is your local/search domain as distributed by your router, clients may opt to issue additional DNS requests expanding the requested domain by that domain before trying to resolve it as absolute, e.g. Windows nslookup may do so, turning a plain lookup for a domain into up to 5 separate DNS requests (or more, if there are multiple search domains).
Note that commonly, expansion would not happen for fully qualified domains (i.e. for domains ending with a dot), as such domains will be treated as absolute from the start.
On Linux, controlling a client's resolv.conf ndots option may help mitigate expansion, but that is commonly already set to a sane value of 1.
I am unaware whether and how Windows OSs would support something similar.
I guess you could consider configuring your router to not distribute any local/search domains at all, if you are desperate to change it for all clients - provided your router supports that.
Note, however, that doing so may or may not impact how you maintain your local DNS records, as automatic expansion may have helped to resolve plain domains where only the full domain DNS records would have existed.
Perhaps, as you could omit the domain name from Pi-hole's DHCP server configuration, just as I've suggested to do with your router.
However, your router may still advertise DNS search domains via IPv6, so you'd also have to disable that in your router.
And the caveat about local resolution applies regardless.
The behaviour itself is not harmful, so you could just keep your current settings.
As said before, it's completely normal, so you should only need to take action if you observe additional negative impacts.
In case you are worried about those requests for expanded domains being forwarded upstream: They would generally be answered with NXDOMAIN.
If you want those requests to stay in your network, you could configure Pi-hole to keep requests to anything *.lan local, never forwarding to any upstream, via a custom dnsmasq configuration line local=/lan/.
This would be viable if you would not require those requests to be resolved by some other DNS server in your network (if you run Pi-hole as DHCP server, chances are you don't).
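
Added example, not part of the original thread: a small Python check that separates the benign search-domain expansions described above from queries under a search domain that have no matching plain query just before them. The log lines, client addresses, and the 10-second window are constructed assumptions; the line layout follows dnsmasq's query log as Pi-hole writes it.

```python
import re
from datetime import datetime, timedelta

SEARCH_DOMAINS = ("wifi.lan", "wired.lan")  # search domains named in the thread
WINDOW = timedelta(seconds=10)              # assumed; the thread says "a few seconds"
LINE_RE = re.compile(                       # dnsmasq-style "query[...] name from client"
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}) dnsmasq\[\d+\]: "
    r"query\[\w+\] (?P<name>\S+) from (?P<client>\S+)$")

# Constructed sample log, for illustration only.
SAMPLE_LOG = """\
Mar  3 10:15:01 dnsmasq[812]: query[A] microsoft.com from 192.168.20.14
Mar  3 10:15:01 dnsmasq[812]: forwarded microsoft.com to 9.9.9.9
Mar  3 10:15:04 dnsmasq[812]: query[A] microsoft.com.wired.lan from 192.168.20.14
Mar  3 10:15:07 dnsmasq[812]: query[A] googleads.g.doubleclick.net from 192.168.10.23
Mar  3 10:15:09 dnsmasq[812]: query[A] googleads.g.doubleclick.net.wifi.lan from 192.168.10.23
Mar  3 10:15:12 dnsmasq[812]: query[A] pandora.wired.lan from 192.168.20.14
Mar  3 10:16:40 dnsmasq[812]: query[A] example.org.wifi.lan from 192.168.10.23
"""

def classify(log_text, search_domains=SEARCH_DOMAINS, window=WINDOW):
    """Return (expansions, unpaired) lists of (client, base_name, search_domain)."""
    seen = {}                      # (client, name) -> time of most recent query
    expansions, unpaired = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue               # forwarded/reply/blocked lines are not queries
        # The log carries no year; a fixed leap year keeps parsing deterministic.
        ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
        name, client = m["name"].lower().rstrip("."), m["client"]
        for dom in search_domains:
            suffix = "." + dom
            base = name[:-len(suffix)]
            # A base containing a dot is not an ordinary local host
            # such as pandora.wired.lan, so it looks like an expansion.
            if name.endswith(suffix) and "." in base:
                prior = seen.get((client, base))
                paired = prior is not None and ts - prior <= window
                (expansions if paired else unpaired).append((client, base, dom))
        seen[(client, name)] = ts
    return expansions, unpaired

if __name__ == "__main__":
    exp, odd = classify(SAMPLE_LOG)
    print("search-domain expansions:", exp)
    print("no preceding plain query:", odd)
```

Entries in the second list are not necessarily a problem; they are simply the ones that the expansion pattern observed in the thread does not account for.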