Pi-hole v3.3 Released: It’s “Extra” Special

Update 2018-02-14: 18:43 (version issues and not working after update)

If you’re running Raspbian Jessie, your version of dnsmasq will not work with this release, so you’ll need to revert to the previous versions:

    cd /etc/.pihole
    sudo git fetch --tags
    sudo git checkout v3.2.1
    cd /var/www/html/admin
    sudo git fetch --tags
    sudo git checkout v3.2.1
    pihole -r
    pihole checkout ftl v2.13.2

The Release

This release takes full advantage of dnsmasq’s extra logging feature, which means you’ll get 100% accurate log analysis. This release also includes full DNSSEC support, Teleporter enhancements, several important security fixes, as well as some other tweaks. This blog post will focus on the main features of this release, but if you want a detailed breakdown, the full changelogs can always be found at changes.pi-hole.net.

100% Accurate Logs

We bumped FTL to v3.0 because it’s even faster and will now interpret dnsmasq’s log files with 100% accuracy. This is a good thing, but if you have custom scripts or anything else dealing with the log file, it’s important you know about this change before updating. We are enabling one of dnsmasq’s additional options, which changes the format of the lines written to the logs.

Under the hood, we are enabling --log-queries=extra, which provides more information in the log files:

-q, --log-queries
Log the results of DNS queries handled by dnsmasq. Enable a full cache dump on receipt of SIGUSR1. 
If the argument "extra" is supplied, ie --log-queries=extra then the log has extra information at the start of each line. 
This consists of a serial number which ties together the log lines associated with an individual query, and the IP address of the requestor.

Why Weren’t The Logs 100% Accurate Before This?

For performance, we have been using (and will continue to use) asynchronous logging (--log-async), which has been the default on Pi-hole for some time.  Since Pi-hole began on low power devices like the Raspberry Pi, this feature prevented the DNS server from locking up if it was trying to process and log a lot of traffic at the same time.

A side effect of this was that the response to a query was not always logged in chronological order. It didn’t happen that often and FTL was still able to decipher it quite well. So if you still want to run an older version of Pi-hole, the FTL engine is still 99.9% accurate.

The extra logging feature was not enabled before because until now many distributions did not have a new enough dnsmasq to support it.

Using the extra logging feature, each log entry has a unique identifier, which lets us match up the logged response and query.  For the average user, it’s not even something they would likely notice.

We’ll still be using asynchronous logging for its performance benefits, and we’ll let FTL handle the parsing of the log since we can keep track of it better now.
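
Added example, not Pi-hole’s or FTL’s own code: a minimal Python parser, of the kind a custom script reading the log would need, that joins query and response lines on the serial number added by --log-queries=extra and sets aside old-style lines that have none. The sample log lines, the list-file path and the status() classifier are constructed for illustration.

```python
import re

# Constructed sample (not real Pi-hole output). Queries 1 and 2 interleave, as
# asynchronous logging allows; the last line is in the old format with no serial.
SAMPLE_LOG = """\
Feb 14 18:43:01 dnsmasq[812]: 1 192.168.1.10/51234 query[A] example.com from 192.168.1.10
Feb 14 18:43:01 dnsmasq[812]: 2 192.168.1.23/40112 query[A] ads.example.net from 192.168.1.23
Feb 14 18:43:01 dnsmasq[812]: 1 192.168.1.10/51234 forwarded example.com to 192.0.2.53
Feb 14 18:43:01 dnsmasq[812]: 2 192.168.1.23/40112 /etc/example/block.list ads.example.net is 192.168.1.2
Feb 14 18:43:01 dnsmasq[812]: 1 192.168.1.10/51234 reply example.com is 198.51.100.7
Feb 14 18:43:02 dnsmasq[812]: query[A] old-style.example from 192.168.1.10
"""

# Prefix added by --log-queries=extra: "<serial> <requestor IP>/<port> "
EXTRA = re.compile(r"^\w{3}\s+\d+ [\d:]{8} dnsmasq\[\d+\]: "
                   r"(?P<serial>\d+) (?P<client>[0-9A-Fa-f.:]+)/\d+ (?P<event>.*)$")
QUERY = re.compile(r"^query\[(?P<qtype>[\w-]+)\] (?P<name>\S+) from \S+$")


def correlate(log_text):
    """Group extra-format lines by serial number; return (queries, skipped)."""
    queries, skipped = {}, []
    for line in log_text.splitlines():
        m = EXTRA.match(line)
        if not m:
            skipped.append(line)  # old-style line: nothing to join on
            continue
        serial, q = int(m["serial"]), QUERY.match(m["event"])
        if q:  # serials restart with dnsmasq, so a new query replaces a stale one
            queries[serial] = {"client": m["client"], "name": q["name"],
                               "qtype": q["qtype"], "events": []}
        elif serial in queries:
            queries[serial]["events"].append(m["event"])
        else:
            skipped.append(line)  # response whose query line is not in this file
    return queries, skipped


def status(entry):
    """Hypothetical classifier over the events collected for one query."""
    if any(e.startswith("/") for e in entry["events"]):
        return "local-list"  # answered from a hosts/list file (path is logged)
    if any(e.startswith(("reply ", "cached ")) for e in entry["events"]):
        return "answered"
    return "pending"


if __name__ == "__main__":
    found, unparsed = correlate(SAMPLE_LOG)
    for serial, entry in found.items():
        print(serial, entry["client"], entry["name"], status(entry))
    print("lines without a usable serial:", len(unparsed))
```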

What Should I Know About The New Logging?

  • After updating, the old-style log files will not be readable by FTL
  • If you have previously disabled the database, you must re-enable it for at least 24 hours of history before updating if you want to see that day’s previous stats (this should only affect a small percentage of users)
  • The last 24 hours of stats are read directly from the database now and not pihole.log.1 (this is where we snagged some extra performance from)

Disable Logging Without Flushing

We have also added a button to disable logging without flushing the log files.

Full DNSSEC Support

If your version of dnsmasq doesn’t support DNSSEC or was compiled without it, this won’t work, but most newer versions of the package should work fine with it enabled.

You will also now see a DNSSEC column in the query log, which will display the status of individual queries (if enabled).

Teleporter Enhancements

Teleporter will now export your Audit Log.

Security Fixes And Other Notes

We’d like to thank Denis Andzakovic for notifying us about some security vulnerabilities, which are now fixed in this release.

The cosmetic version issues on the Web interface should be fixed now.

We were previously using .local as a fallback TLD for DHCP generated domains. We changed this to .lan so as not to conflict with Multicast DNS.


If you’re interested in helping contribute to Pi-hole, there are several ways to help. One roadblock new users faced when trying to submit pull requests was deciphering the space/black hole-themed function names; we have renamed these in the codebase to make it easier to understand.


Many of you have been asking if we have stickers for sale. Not currently, but if you upvote our request here, they will become available for sale on Unixstickers.com (and we’ll get a portion of the sales to help further development of Pi-hole).

Also, if you’re presenting about Pi-hole or attending some other event where Pi-hole will be discussed, contact us and we’d be happy to send you some.

Notable Replies

  1. Thanks, it should be fixed now.

  2. Note that log-queries=extra will not work on all platforms, yes I know it is for the Pi but just FYI.

    # service dnsmasq start
    [....] Starting DNS forwarder and DHCP server: dnsmasq
    dnsmasq: extraneous parameter at line 37 of /etc/dnsmasq.d/01-pihole.conf
