
The domain pi.hole should be fully local #2331

Merged (1 commit), Mar 5, 2025

Conversation

@DL6ER (Member) commented Mar 4, 2025

What does this implement/fix?

The domain pi.hole should be fully local. Queries (of whatever type) should never be forwarded upstream.


Related issue or feature (if applicable): Fixes #2330

Pull request in docs with documentation (if applicable): N/A


By submitting this pull request, I confirm the following:

  1. I have read and understood the contributors guide, as well as this entire template. I understand which branch to base my commits and Pull Requests against.
  2. I have commented my proposed changes within the code.
  3. I am willing to help maintain this change if there are issues with it later.
  4. It is compatible with the EUPL 1.2 license
  5. I have squashed any insignificant commits. (git rebase)

Checklist:

  • The code change is tested and works locally.
  • I based my code and PRs against the repository's development branch.
  • I signed off all commits. Pi-hole enforces the DCO for all contributions
  • I signed all my commits. Pi-hole requires signatures to verify authorship
  • I have read the above and my PR is ready for review.

…should never be forwarded upstream.

Signed-off-by: DL6ER <[email protected]>
@DL6ER DL6ER added the Bugfix label Mar 4, 2025
@DL6ER DL6ER requested a review from a team March 4, 2025 16:40
@DL6ER DL6ER mentioned this pull request Mar 4, 2025
@yubiuser (Member) left a comment

As you noted in the linked issue: should we extend this to webserver.domain?


Before and after checking out this branch:

chris@T14Gen5:~$ dig pi.hole -t HTTPS @nanopi.lan

; <<>> DiG 9.18.30-0ubuntu0.24.04.2-Ubuntu <<>> pi.hole -t HTTPS @nanopi.lan
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48914
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;pi.hole.			IN	HTTPS

;; AUTHORITY SECTION:
.			86362	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2025030400 1800 900 604800 86400

;; Query time: 30 msec
;; SERVER: 10.0.1.24#53(nanopi.lan) (UDP)
;; WHEN: Tue Mar 04 18:28:11 CET 2025
;; MSG SIZE  rcvd: 111

chris@T14Gen5:~$ dig pi.hole -t HTTPS @nanopi.lan

; <<>> DiG 9.18.30-0ubuntu0.24.04.2-Ubuntu <<>> pi.hole -t HTTPS @nanopi.lan
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50053
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;pi.hole.			IN	HTTPS

;; Query time: 0 msec
;; SERVER: 10.0.1.24#53(nanopi.lan) (UDP)
;; WHEN: Tue Mar 04 18:29:13 CET 2025
;; MSG SIZE  rcvd: 36

@DL6ER (Member, Author) commented Mar 4, 2025

Should we extend this to webserver.domain?

I am undecided but I actually tend more towards No. They may be specifying real domains here for which they got Let's Encrypt certificates, and if you would make those domains purely local, legit subdomains they may be using for other things would not be forwarded upstream any longer. I do think this has the potential to break more than it will help.

@AliveDevil commented Mar 4, 2025

I'm all for configurability, and for less surprises.

In this case, my suggestion is to introduce dns.domainForwardDeny as a multiline configuration list, which is by default populated with pi.hole.
People are then free to either remove this, or amend their own domains, with the UI hint that Pi-hole will take full control of these zones.

@DL6ER (Member, Author) commented Mar 4, 2025

I'm all for configurability, and for less surprises.

I wholeheartedly agree and 154 configurable options in pihole.toml prove this. However, I am not a fan of adding options for the sake of adding options - and this is what I'm afraid would be happening here. I do think this PR is fine as it is after having thought two or three times about this: Adding this hard-coded pi.hole as local domain and not more.

pi.hole is already a special domain where you cannot configure the A and AAAA records at all, as they are automatically synthesized depending on the interface a query arrives at on your Pi-hole. It doesn't really make sense for users to remove the locality for the domain pi.hole, and they are always free to add local=abc.com as an advanced dnsmasq config line if they want to have this for another domain. That's exactly why we allow setting advanced dnsmasq options.

@yubiuser (Member) left a comment

Mar  5 09:28:01: query[HTTPS] pi.hole from 10.0.1.32
Mar  5 09:28:01: config pi.hole is NODATA
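Two checks a practitioner can use to confirm that a zone such as pi.hole really stays local, written as an added example for this thread (not Pi-hole or FTL project code). The first classifies dig output by whether the AUTHORITY section carries an upstream SOA: the "before" capture above has the root's SOA (the query went upstream), the "after" capture has AUTHORITY: 0 (dnsmasq synthesised the NODATA itself, as the "config pi.hole is NODATA" log line shows). The second scans dnsmasq/FTL query-log lines for names in a must-be-local zone that were nevertheless forwarded, matching the zone and everything below it, which is also the scope of dnsmasq's local= option and the reason the subdomain concern about webserver.domain applies. The helper that prints local=/zone/ uses dnsmasq's documented form of that option (equivalent to server=/zone/ with no upstream). The sample log lines and trimmed dig captures are constructed for the example; the placement of such lines in misc.dnsmasq_lines in pihole.toml is an assumption about Pi-hole v6's advanced dnsmasq settings, not something this PR states.

```shell
#!/bin/sh
# Added example for this thread, not Pi-hole/FTL project code.
# Checks that a DNS zone (pi.hole here) is answered locally and never
# forwarded upstream. Assumes dig text output and dnsmasq-style log lines
# ("query[TYPE] name from ip", "forwarded name to upstream",
# "config name is NODATA").

# dnsmasq's documented syntax for a local-only zone: local=/zone/ (same as
# server=/zone/ with no upstream). Covers the zone and everything below it.
# Assumption: in Pi-hole v6 these lines go into misc.dnsmasq_lines in
# pihole.toml (the "advanced dnsmasq config" mentioned in the thread).
local_zone_lines() {
    for zone in "$@"; do
        printf 'local=/%s/\n' "$zone"
    done
}

# Reads dig output on stdin. Exit 0 when the answer looks locally
# synthesised, 1 when the AUTHORITY section carries an SOA, which is how a
# forwarded negative answer shows up (the "before" capture carries the root
# SOA, the "after" capture has AUTHORITY: 0). Query time is deliberately not
# used: a cached forwarded answer is just as fast as a local one.
dig_answered_locally() {
    awk '
        /^;; AUTHORITY SECTION:/ { in_auth = 1; next }
        /^;;/                    { in_auth = 0 }
        in_auth && $3 == "IN" && $4 == "SOA" { soa = 1 }
        END { exit soa ? 1 : 0 }
    '
}

# Reads log lines on stdin; prints every "forwarded" line whose name is the
# given zone or any name below it. Exit 1 if a leak was found, 0 otherwise.
forwarded_leaks() {
    awk -v zones="$*" '
        BEGIN { n = split(zones, z, " ") }
        / forwarded / {
            name = ""
            for (i = 1; i < NF; i++) if ($i == "forwarded") { name = tolower($(i + 1)); break }
            for (j = 1; j <= n; j++) {
                suffix = "." z[j]
                if (name == z[j] || substr(name, length(name) - length(z[j])) == suffix) {
                    print; leaks++; break
                }
            }
        }
        END { exit leaks ? 1 : 0 }
    '
}

# Live probe against a resolver, e.g.: check_live nanopi.lan pi.hole HTTPS
check_live() {
    dig +tries=1 +time=3 "$2" -t "${3:-HTTPS}" "@$1" | dig_answered_locally
}

# Constructed sample inputs, modelled on the captures in this thread.
SAMPLE_LOG='Mar  5 09:28:01: query[HTTPS] pi.hole from 10.0.1.32
Mar  5 09:28:01: config pi.hole is NODATA
Mar  5 09:28:02: query[A] www.pi.hole from 10.0.1.32
Mar  5 09:28:02: forwarded www.pi.hole to 1.1.1.1
Mar  5 09:28:03: query[A] example.com from 10.0.1.32
Mar  5 09:28:03: forwarded example.com to 1.1.1.1'

DIG_FORWARDED=';; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;pi.hole.			IN	HTTPS

;; AUTHORITY SECTION:
.			86362	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2025030400 1800 900 604800 86400

;; Query time: 30 msec'

DIG_LOCAL=';; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;pi.hole.			IN	HTTPS

;; Query time: 0 msec'

# Demo run over the constructed inputs.
local_zone_lines pi.hole
printf '%s\n' "$DIG_FORWARDED" | dig_answered_locally && echo "capture 1: local" || echo "capture 1: forwarded upstream"
printf '%s\n' "$DIG_LOCAL" | dig_answered_locally && echo "capture 2: local" || echo "capture 2: forwarded upstream"
if printf '%s\n' "$SAMPLE_LOG" | forwarded_leaks pi.hole; then
    echo "log: no leaks for pi.hole"
else
    echo "log: names under pi.hole were forwarded upstream (lines above)"
fi
```

To use it against a real Pi-hole, point check_live at the resolver and name from the captures above, and feed the query log (with query logging enabled) into forwarded_leaks with the zones you expect to be local; any printed line is a query that left the box.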

@DL6ER DL6ER merged commit 8292685 into development Mar 5, 2025
18 checks passed
@DL6ER DL6ER deleted the fix/local_pihole branch March 5, 2025 16:07
3 participants