Pi-hole v4.2 Available With Shared Memory, New Blocking Modes, And More

Pi-hole v4.2 Available With Shared Memory, New Blocking Modes, And More

2019-02-03 Updates 11

We’re always happy when we can release a new version of Pi-hole, so today we’re announcing v4.2 of Pi-hole.  Thank you to to our patrons and everyone else who continue to support us.  Along with many other things, we’ve merged in the upstream code from dnsmasq v2.80.  For anyone who doesn’t know, FTLDNS (pihole-FTL) is just our fork of dnsmasq.

v4.2.1 Hotfix

We have released a small hotfix which addresses possible crashes experienced for users without libcap capabilities (running FTLDNS under root). For most users, this update will not change anything.

Highlights

New Blocking Mode

We’ve added a new blocking mode (NODATA), where blocked requested are replied with a status code of NOERROR and A / AAAA records are empty.  It’s unclear if there are advantages to this mode over others, but you’re welcome to experiment with it.

Shared Memory

In preparation of the new API we are working on, FTLDNS will now store its data in a shared-memory space, so that the API can come in and read from that memory to fulfill requests.  In short, this means FTLDNS will be even lighter as it doesn’t have to care about sending the statistics to some requester.  Instead, it will concentrate on generating the statistics and the API can read FTL’s data directly, resulting in reduced delays in the API.

wpad Vulnerability Fix

We previously mentioned how you could work around a vulnerability regarding wpad entries.  This fix is now in place as suggested by dnsmaq.conf.example.

Fixes And Tweaks

  • We updated SQLite to 3.26.0
  • We fixed the query status if a forwarded query was partially replied to from the cache
  • We now prevent multiple static DHCP entries with same IP
  • And more…

Docker Version Also Updated

We heard your feedback and we made sure to coordinate better to release our traditional install and our Docker install together. The docker image will be released when testing is complete.

Notable Replies

  1. Thanks for the new version and I will try it soon.

    I am looking at the new blocking option for IPv4 by returning NODATA. I have good results with Null blocking and you just throw a bone to the requester and tell have much fun with it.

    NODATA is more specific which (subdomain.)domain.tld is no existent. NXDOMAIN is telling that the domain.tld is not existing.

    However, as indicated, it is how the requester is dealing with this negative answer.
    I don’t expect a better reaction then with NXDOMAIN which made me to be a fanboy of Null blocking.

    Then, NODATA is much much better than NXDOMAIN, it is like a scapel cutting out specific replies and not squash the whole domain like NXDOMAIN does.

    https://prefetch.net/blog/2016/09/28/the-subtleties-between-the-nxdomain-noerror-and-nodata-dns-response-codes/

  2. And I think there is some confusion, domain.tld is a domain, sub.domain.tld is also a domain. NXDOMAIN does not stop at the top level, or any level, it is a response that the requested domain does not exist. You can NXDOMAIN my.domain.tld and still have a valid domain.tld query and response.

  3. dschaper@Mariner:/c/Users/DanSchaper$ dig blue.pi-hole.net
    
    ; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> blue.pi-hole.net
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 55207
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;blue.pi-hole.net.              IN      A
    
    ;; AUTHORITY SECTION:
    pi-hole.net.            3600    IN      SOA     dina.ns.cloudflare.com. dns.cloudflare.com. 2030049905 10000 2400 604800 3600
    
    ;; Query time: 22 msec
    ;; SERVER: 192.168.100.2#53(192.168.100.2)
    ;; WHEN: Sun Feb 03 13:54:58 STD 2019
    ;; MSG SIZE  rcvd: 107
    
    dschaper@Mariner:/c/Users/DanSchaper$ dig pi-hole.net
    
    ; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> pi-hole.net
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21280
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;pi-hole.net.                   IN      A
    
    ;; ANSWER SECTION:
    pi-hole.net.            300     IN      A       206.189.252.21
    
    ;; Query time: 439 msec
    ;; SERVER: 192.168.100.2#53(192.168.100.2)
    ;; WHEN: Sun Feb 03 13:55:02 STD 2019
    ;; MSG SIZE  rcvd: 56
    
  4. Updated to 4.2.1 today, without obvious problems so far. Thanks for the new version :+1:

    Short side note: the following reported behavior is unchanged. As soon as the “Use DNSSEC” option is enabled the cache doesn’t work anymore.

Continue the discussion discourse.pi-hole.net

3 more replies

Participants

11 Responses

  1. Ton van Moll says:

    I have this problem with the last update

    [✓] Checking for php5-cgi
    [✓] Checking for php5-sqlite

    [✓] Enabling lighttpd service to start on reboot…

    [i] FTL Checks…

    [✓] Detected ARM-hf architecture (armv7+)
    [i] Checking for existing FTL binary…
    curl: (6) Could not resolve host: ftl.pi-hole.net
    [i] Checksums do not match, downloading from ftl.pi-hole.net.
    [✗] Downloading and Installing FTL
    Error: Unable to get latest release location from GitHub
    [✗] FTL Engine not installed
    pi@raspberrypi:~ $

  2. Jerry Anderson says:

    I’m seeing that an update is available on the Pi Hole TFTPi display that still shows up after I have run a pihole -up, and rebooted. I thought the last time I did that that the update flag disappeared. When I run pihole -up the command it says I am updated. Keli

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.