Messages: ignoring query from non-local network xxx.xxx.xxx.xxx

[hartundweich]

This is a: Bug

Details

I'm running pi-hole in a docker container on my Linux firewall. The firewall is configured to block DNS queries from the outside interface.
I cannot use my pi-hole as DNS server from outside my network - always getting "DNS request timed out" - this is what I'm expecting.
BUT: in my pi-hole diagnostics page I often see messages:
ignoring query from non-local network xxx.xxx.xxx.xxx

The IPs listed are from outside my network - how can they try to use my pi-hole docker container, even if iptables do not allow DNS queries through my outside interface? So as I cannot use pi-hole as DNS server from outside my network (tested multiple times) I have to consider this is a bug?

Related Issues

• [ X] I have searched this repository/Pi-hole forums for existing issues and pull requests that look similar

How to reproduce the issue

1. Environment data

• Operating System: Gentoo Linux with docker
• Hardware: Running on ESXi V8
• Kernel Architecture: amd64
• Docker Install Info and version:
  • Software source: OS provided package built from source code
  • Supplimentary Software: portainer
• Hardware architecture: amd64

2. docker-compose.yml contents, docker run shell command, or paste a screenshot of any UI based configuration of containers here
   Portmapping 53 -->1053
   Local DNS Server (Bind) is forwarding ALL DNS Requests to PI-Hole Docker container. Local DNS Server (bind) only acceppts queries from local netzworks (192.168.144.0/24)

3. any additional info to help reproduce
   Firewall is blocking all DNS traffic from outside interface (official public IP) on TCP/UDP 53 and 1053. From outside we allow only 80 and 443 to pass the firewall. But we acceppt established connections (NAT)
   If we try to reach our server for DNS queries we allways get a "request timed out" - but still having messages

ignoring query from non-local network xxx.xxx.xxx.xxx

xxx..xxx.xxx.xxx is definitely a public existing IP and not a local IP and not a link local IP

These common fixes didn't work for my issue

• [X ] I have tried removing/destroying my container, and re-creating a new container
• [ X] I have tried fresh volume data by backing up and moving/removing the old volume data
• [ X] I have tried running the stock docker run example(s) in the readme (removing any customizations I added)
• [ X] I have tried a newer or older version of Docker Pi-hole (depending what version the issue started in for me)
• [ X] I have tried running without my volume data mounts to eliminate volumes as the cause

If the above debugging / fixes revealed any new information note it here.
Add any other debugging steps you've taken or theories on root cause that may help.

The message have decreased since using image 2025.08.0 in previous versions they appeared much more often.

[rdwebdesign]

Please post a debug token:

• run docker exec -it <Pi-hole container name> pihole -d command.
• when asked to upload the log, answer Y.
• copy only the token and paste here.

[hartundweich]

Here it is: https://tricorder.pi-hole.net/NlcQmfeU/

[PromoFaux]

This is a: Bug

But then:

3. Firewall is blocking all DNS traffic from outside interface (official public IP) on TCP/UDP 53 and 1053. From outside we allow only 80 and 443 to pass the firewall. But we acceppt established connections (NAT)
If we try to reach our server for DNS queries we allways get a "request timed out" - but still having messages

If you're blocking it at the firewall level, then nothing special happening in the code is going to be able to overide that :)

Looking in your debug log, if you are talking about the IP ending in 163, is that your ISP? Just wondering if it is your router making the request.

I see you have Pi-hole set to allow only local requests, this is good.

[hartundweich]

Looking in your debug log, if you are talking about the IP ending in 163, is that your ISP?

No this IP is not belonging to my ISP, usually I see many different IPs in the log. Actually there is only this one - my public IP is a static one, so feel free to test if you can get through our firewall ;-)