filter-rr=ANY directive not being honoured in FTL v6.5

[heybrodes]

Environment:

Pi-hole FTL version: v6.5
Bundled dnsmasq version: 2.92rc1
OS: Ubuntu/Debian (Linux, amd64)

Description:
The filter-rr=ANY directive placed in /etc/dnsmasq.d/99-public.conf is not being applied. ANY queries are still being forwarded and answered rather than being filtered.
Steps to reproduce:

Add filter-rr=ANY to a custom config file in /etc/dnsmasq.d/
Restart pihole-FTL: systemctl restart pihole-FTL
Confirm syntax check passes: pihole-FTL --test returns dnsmasq: syntax check OK
Confirm config is being read: grep -r "filter-rr" /etc/dnsmasq.d/ returns the correct file and directive
Send an ANY query to the resolver: dig ANY example.com @

Expected behaviour:
ANY queries should be filtered and return an empty or NODATA response per the filter-rr directive, which has been supported since dnsmasq 2.86.
Actual behaviour:
ANY queries are forwarded upstream and full responses are returned to the client. This is visible in /var/log/pihole/pihole.log:
query[ANY] rfmw.com from x.x.x.x
forwarded rfmw.com to 127.0.0.1#5335
reply rfmw.com is
reply rfmw.com is
reply rfmw.com is
Additional notes:

The bundled dnsmasq version (2.92rc1) is well above the 2.86 minimum required for filter-rr support
The issue persists across restarts
Other directives in the same config file (bogus-priv, stop-dns-rebind, domain-needed) appear to work correctly
As a workaround, an iptables hashlimit rule has been applied to rate limit DNS traffic, but this does not address the core issue of ANY queries being answered

[yubiuser]

Did you enable the option to honor config files in /etc/dnsmasq.d/?

[heybrodes]

etc_dnsmasq_d = true (confirmed in /etc/pihole/pihole.toml)

…

On Thu, 26 Feb 2026 at 23:04, yubiuser ***@***.***> wrote: *yubiuser* left a comment (pi-hole/FTL#2789) <#2789 (comment)> Did you enable the option to honor config files in /etc/dnsmasq.d/? — Reply to this email directly, view it on GitHub <#2789 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/APRSDKZBU5ERZEP5P6YEJQD4N3OMFAVCNFSM6AAAAACWAOQ7JKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTSNRWGE4TCMRVHE> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[heybrodes]

/etc/dnsmasq.d# cat 99-public.conf
filter-rr=ANY
bogus-priv
stop-dns-rebind
domain-needed

[DL6ER]

Your expected behavior is a incorrect/a misunderstanding:

Expected behaviour:
ANY queries should be filtered and return an empty or NODATA response per the filter-rr directive, which has been supported since dnsmasq 2.86.

Quoting man dnsmasq page:

--filter-rr=[,...]
Remove records of the specified type(s) from answers. The otherwise-nonsensical --filter-rr=ANY has a special meaning: it filters replies to queries for type ANY. Everything other than A, AAAA, MX and CNAME records are removed. Since ANY queries with forged source addresses can be used in DNS amplification attacks (replies to ANY queries can be large) this defangs such attacks, whilst still supporting the one remaining possible use of ANY queries. See RFC 8482 para 4.3 for details.

This quote does rather clearly say that these queries are not short-circuited as a whole, but only made smaller to reduce the possible attack-vector:

Everything other than A, AAAA, MX and CNAME records are removed.

To get these records (types A, AAAA, MX and CNAME), it obviously needs to forward the original question upstream.

---

By the way: Pi-hole already adds

filter-rr=ANY

by default (and unconditionally) to /etc/pihole/dnsmasq.conf which is the primary source of truth.