
Conditional Forwarding not always works correctly with new version 6 #1792

Open
@abrbon

Description

@abrbon

This is a: Bug

Details

Been using the docker PiHole version 5 for a long time (as in many years) without any issues.

I am using PiHole in a docker environment behind the Nginx Proxy Manager (NPM) (to use LE SSL certs) and using the dnscrypt-proxy docker within the same NPM proxy network to use as my Upstream DNS server instead of directly using for example the Cloudflare upstream servers within PiHole.

I do not use the DHCP within PiHole because I have an OPNSense router installed for that, so I have set up the Conditional Forwarding settings to forward my LAN subnet (192.168.1.0/24) to my OPNSense router on 192.168.1.1 and also configured my local domain, which is a registered domain, for example mydomain.nl (this is not my actual domain because I don't want to share that here).

Because I use NPM for quite a few internal running services on docker, for example my Home assistant server, it is using the LAN IP for my NPM proxy server so it can resolve that internally within the proxy network to the correct docker service.

Like I said this has been working perfectly for many years with PiHole 5.

I have recently upgraded to PiHole 6, which seemed to work fine, but after a short time (hours) I began to notice that some of my docker services could not be reached anymore. So the Conditional Forwarding didn't seem to work anymore.
When I tried to ping the domain name for the service not working, it would not reply with the IP anymore.
But the strange thing is that if I try that a couple of times (pings) it suddenly seems to be working again.

Related Issues

  • I have searched this repository/Pi-hole forums for existing issues and pull requests that look similar

Could not find anything related to my issues

How to reproduce the issue

  1. Environment data
  • Operating System: Debian 12
  • Hardware: RasPI 4B
  • Kernel Architecture: ArmV8 64bit
  • Docker Install Info and version:
    • Software source: docker.io version 20.10.24+dfsg1
    • Supplementary Software: portainer latest version
  • Hardware architecture: ARMv8
  2. docker-compose.yml contents, docker run shell command, or paste a screenshot of any UI based configuration of containers here

```yaml
---
volumes:
  data:
  data-dnscrypt:
  dnsmasq_data:

services:
  dnscrypt-proxy:
    container_name: dnscrypt-proxy2
    image: melchor9000/dnscrypt-proxy:latest
    hostname: dnscrypt-proxy2
    environment:
      TZ: Europe/Amsterdam
    networks:
      nginx-pm_default:
        ipv4_address: 172.19.0.250
    dns:
      - 127.0.0.1
    volumes:
      - data-dnscrypt:/etc/dnscrypt-proxy
    labels:
      wud.watch: true
    deploy:
      restart_policy:
        condition: any
        delay: 5s
        window: 30s
    # restart: always

  # More info at https://github.com/pi-hole/docker-pi-hole/ and https://docs.pi-hole.net/
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    hostname: pihole
    ports:
      - 53:53/tcp
      - 53:53/udp
      # - 67:67/udp
      - 9080:80/tcp
    deploy:
      restart_policy:
        condition: any
        delay: 5s
        window: 30s
    # restart: always
    networks:
      nginx-pm_default:
    environment:
      TZ: Europe/Amsterdam
      # This is the IP of dnscrypt-proxy container
      # FTLCONF_dns_upstreams: '172.19.0.250#5300'
      # Set a password to access the web interface. Not setting one will result in a random password being assigned
      # - FTLCONF_webserver_api_password: 'correct horse battery staple'
    # Volumes store your data between container upgrades
    volumes:
      - data:/etc/pihole
      - dnsmasq_data:/etc/dnsmasq.d
    labels:
      wud.watch: true
    cap_add:
      # See https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
      # Required if you are using Pi-hole as your DHCP server, else not needed
      # - NET_ADMIN
      # Required if you are using Pi-hole as your NTP client to be able to set the host's system time
      - SYS_TIME
      # Optional, if Pi-hole should get some more processing time
      - SYS_NICE

networks:
  nginx-pm_default:
    external: true
```

  3. any additional info to help reproduce

These common fixes didn't work for my issue

  • I have tried removing/destroying my container, and re-creating a new container
  • I have tried fresh volume data by backing up and moving/removing the old volume data
  • I have tried running the stock docker run example(s) in the readme (removing any customizations I added)
  • I have tried a newer or older version of Docker Pi-hole (depending what version the issue started in for me)
  • I have tried running without my volume data mounts to eliminate volumes as the cause

If the above debugging / fixes revealed any new information note it here.
Add any other debugging steps you've taken or theories on root cause that may help.

I have also tried just a clean fresh docker stack (using Portainer) with only the docker-pihole without my dnscrypt-proxy but that didn't make any difference.

I also noticed that when I log in to the Pihole docker using exec console and I do an nslookup or dig command to any domain like google.com or any of my own internal services, it always takes around 4000ms.

But when I go back to my Pihole version 5 (2024.07.0) it only takes around 10-15ms the first time, and for any retry for the same domain it takes 0ms.
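
One way to quantify the intermittent resolution and the roughly 4000 ms lookups described in this report, as an added example that is not part of the original issue or the Pi-hole project: a small UDP probe that sends repeated A queries and counts failed and slow answers. The server address `127.0.0.1`, the host name `service.mydomain.nl` and the 1000 ms "slow" threshold are assumptions chosen for illustration.

```python
import socket
import struct
import time

def build_query(name, qid=0x1234, qtype=1):
    """Encode a recursive DNS query (qtype 1 = A record) for `name`."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD flag set, one question
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def parse_header(packet):
    """Return (query id, rcode, answer count) from a DNS response header."""
    if len(packet) < 12:
        raise ValueError("short DNS packet")
    qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    return qid, flags & 0x000F, ancount

def probe(server, name, port=53, timeout=5.0):
    """Send one query; return (latency in ms or None on timeout, rcode, answer count)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        start = time.monotonic()
        s.sendto(build_query(name), (server, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None, None, 0
    _, rcode, ancount = parse_header(data)
    return (time.monotonic() - start) * 1000.0, rcode, ancount

def summarize(samples, slow_ms=1000.0):
    """Count failed (timeout, error rcode or empty answer) and slow probes."""
    failed = sum(1 for ms, rcode, n in samples
                 if ms is None or rcode != 0 or n == 0)
    slow = sum(1 for ms, _, _ in samples if ms is not None and ms >= slow_ms)
    return {"total": len(samples), "failed": failed, "slow": slow}

if __name__ == "__main__":
    # Assumed values: Pi-hole answering on 127.0.0.1:53, placeholder host name.
    results = [probe("127.0.0.1", "service.mydomain.nl") for _ in range(10)]
    print(summarize(results))
```

Running the same probe against the Pi-hole container and directly against the router at 192.168.1.1 separates a slow or failing forwarder from a slow or failing upstream.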
