Disable "nameserver ADDRESS refused to do a recursive query" for conditional forwarders #2836

@JulioQc

Versions

  • Pi-hole: 6.4.1
  • Web: 6.5
  • FTL: 6.6

Platform

  • OS and version: Debian 13

  • Platform: Proxmox

  • Pi-hole (192.168.0.7) → Unbound (recursive resolver)

  • AD DNS (192.168.0.2):

    • Authoritative for localdomain.ca
    • No root hints
    • Forwards unknown domains → Pi-hole
  • Pi-hole:

    • Conditional forwarding enabled for localdomain.ca → 192.168.0.2

Expected behavior

Conditional forwarders should be treated as authoritative-only servers for their domain.

  • Queries for the configured domain (e.g. localdomain.ca) should be forwarded
  • These servers should not be used for recursive queries
  • A REFUSED response for recursion should not mark the server as unreliable

Actual behavior / bug

Pi-hole (FTL/dnsmasq) sends recursive queries to a conditional forwarder (AD DNS).

  • AD DNS correctly responds: REFUSED (no recursion enabled for external domains)
  • Pi-hole logs: nameserver 192.168.0.2 refused to do a recursive query
  • After repeated events, Pi-hole stops forwarding queries to that server

Result:

  • Local domain resolution fails (NXDOMAIN)
  • Restarting pihole-FTL restores functionality temporarily

Steps to reproduce

Configure Pi-hole conditional forwarding:

  • Domain: localdomain.ca
  • Target: 192.168.0.2 (AD DNS)

Ensure AD DNS:

  • Is authoritative for the domain
  • Does NOT perform recursion (disable recursion in DNS server settings)

Generate mixed DNS traffic:

  • Local queries (e.g. host.localdomain.ca)
  • External queries (e.g. google.ca)

Observe Pi-hole logs:

  • refused to do a recursive query

After some time:

  • Local domain stops resolving via Pi-hole
  • Restarting Pi-hole restores it temporarily

Additional context

Conditional forwarders appear to be treated as general upstream resolvers under certain conditions, causing:

  • Incorrect recursive queries
  • Misinterpretation of REFUSED as failure
  • Temporary upstream suppression

Suggested fix / behavior change

  • Do not send recursive queries to conditional forwarders
  • Treat REFUSED as expected for authoritative servers
  • Do not penalize / suppress conditional forwarders based on recursion refusal
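
To check whether a given installation shows the behaviour reported above, the query log can be audited for names forwarded to the conditional forwarder that fall outside its zones. The following is an added example, not code from the issue or from the Pi-hole project; it assumes dnsmasq-style `forwarded NAME to ADDRESS` log lines, a constructed sample log, and a hypothetical zone list that includes the reverse zone for 192.168.0.0/24.

```python
import re
from collections import Counter

# Constructed sample in dnsmasq query-log style (not taken from the issue).
SAMPLE_LOG = """\
Mar 10 12:00:01 dnsmasq[812]: query[A] host.localdomain.ca from 192.168.0.50
Mar 10 12:00:01 dnsmasq[812]: forwarded host.localdomain.ca to 192.168.0.2
Mar 10 12:00:02 dnsmasq[812]: query[A] google.ca from 192.168.0.50
Mar 10 12:00:02 dnsmasq[812]: forwarded google.ca to 192.168.0.2
Mar 10 12:00:02 dnsmasq[812]: nameserver 192.168.0.2 refused to do a recursive query
Mar 10 12:00:03 dnsmasq[812]: query[A] example.org from 192.168.0.50
Mar 10 12:00:03 dnsmasq[812]: forwarded example.org to 127.0.0.1#5335
Mar 10 12:00:04 dnsmasq[812]: forwarded 7.0.168.192.in-addr.arpa to 192.168.0.2
"""

FORWARDED = re.compile(r"forwarded (\S+) to (\S+)")
REFUSED = re.compile(r"nameserver (\S+) refused to do a recursive query")

def in_zone(name, zones):
    # True when name equals a zone or is a subdomain of one (label-aligned match).
    name = name.lower().rstrip(".")
    return any(name == z or name.endswith("." + z) for z in zones)

def audit(log_text, forwarder, zones):
    """Return (Counter of out-of-zone names sent to forwarder, REFUSED count)."""
    leaked, refused = Counter(), 0
    for line in log_text.splitlines():
        m = FORWARDED.search(line)
        if m and m.group(2).split("#")[0] == forwarder:
            if not in_zone(m.group(1), zones):
                leaked[m.group(1)] += 1
            continue
        m = REFUSED.search(line)
        if m and m.group(1).split("#")[0] == forwarder:
            refused += 1
    return leaked, refused

if __name__ == "__main__":
    # Assumed zones for the conditional forwarder: the domain plus its reverse zone.
    zones = ["localdomain.ca", "0.168.192.in-addr.arpa"]
    leaked, refused = audit(SAMPLE_LOG, "192.168.0.2", zones)
    print("out-of-zone names sent to forwarder:", dict(leaked))
    print("REFUSED warnings from forwarder:", refused)
```

A non-empty first result alongside a non-zero REFUSED count matches the pattern described in the report: external names reaching the authoritative-only server.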
