Pi-hole 4.3 Now Available

2019-05-18

Today, we’re pleased to announce the release of Pi-hole 4.3! Thank you to our patrons and everyone else who continues to support us.

Highlights

Network Information Table

We have added a new page to the web interface which displays some enhanced information about the devices on your network.

Fixes And Tweaks

  • Improved support for HTTPS on the block page
  • We have removed jQuery Input mask, which prevented correct entry of IP addresses on mobile
  • Fixed a vulnerability in the web interface that could have triggered remote code execution when adding or removing white/blacklist entries.
  • Support for more granular debugging configurations for FTL

More information can be found at https://changes.pi-hole.net

Notable Replies

  1. bgx says:

    On my odroid xu4 running Debian and last pihole the network information table is empty. How can I fix this?

    Here is the debug token:

    https://tricorder.pi-hole.net/9qty6e4d3v!

    On my raspberry pi running pihole it works.

    EDIT:
    Fixed it by deleting /etc/pihole/pihole-FTL.db followed by pihole -r

    Seems that database was malformed.

  2. Works perfectly fine on 2 RPi3B+. I completed apt update with 6 new updates and everything is running smooth.

  3. So far so good with this update. The new network page provides a good summary of devices that have been seen and if they use the pi-hole.

  4. ExIT says:

    Also keep in mind that DoH / DoT is not the holy grail for privacy. Your ISP (and others) will still be able to see where you connect to.

    Think of it like this:

    DNS is like asking someone for directions. After you got them, you go there. So even if you trust the person whom you got the directions from more than your ISP, your ISP can still just follow you walking over there and see who you visit.

    Example: when your laptop gets a DNS reply from somewhere (e.g.: ISP, root server, anything upstream really) for website.com, and receives IP address 1.2.3.4 as a reply… then your browser connects to 1.2.3.4 which is visible to your ISP (and others upstream). Even when the DNS query was done over DoT or DoH.

    It does not matter even if the IP you connect to hosts multiple websites. While TLS (HTTPS) may encrypt the HTTP-protocol host-header which is needed for virtual hosts, it's SNI outside of the encrypted stream that is easily readable for anyone along the way.

    Folks are working on ESNI, which could encrypt this. But this is far from being the standard yet. It also is far from being perfect, as the ESNI proposal still has a flaw in the design itself.

    Even with ESNI or an improved successor, your ISP and others “along the way” will still be able to see which IP you connect to. So it's not hard to figure out what site you visit if “they” wanted to.

    Since it's a rather complex topic, with lots of stuff involved, let me try somewhat to give an overview:

    Browser ad-blocker

    • Versatile in blocking individual ads and objects in content.
    • Not protecting all of your network or device, just 1 browser.

    Pi-hole

    • Protecting all of your network and devices, if configured right.
    • Can only block on a DNS (domain) level, not individual ads and objects in content.

    TLS (HTTPS)

    • Prevents parties from viewing/altering the content you receive and send.
    • Does not hide what sites you connect to.
    • Could be circumvented by ISPs using MitM (for DPI/content-injection).

    DNSSEC

    • Prevents parties from altering DNS responses along the way back to you.
    • Handy to prevent DNS-based ad-injections by ISPs and other foul play.
    • Does not protect against ISP content-injected ads.

    DoH/DoT

    • Prevents parties from viewing DNS queries & responses to some extent.
    • Root servers do not offer encryption, so you will need a third-party (can you trust them?).
    • The “last mile” to the root servers is always unencrypted (thus far).
    • You can host your own DoH script on an external server, as an alternative to Google/CF/Quad9.
    • No true privacy benefits against ISPs, since you connect through them after you received your DNS response anyways.

    VPN

    • More privacy (your ISP can’t see what you visit, unlike just DoH/DoT). But your VPN provider can.
    • Costs money (faster/decent ones do at least).
    • Only as good as you trust them to be (do they really not keep logs or mess with your connection?).
    • Harder to do your own DNS (e.g.: use pi-hole as an (ad-)blocker) out-of-the-box.

    As you can see, filtering out ads and other bad stuff, and also keeping a high level of privacy, is a major undertaking that requires a combination of techniques and a lot of technical know-how. And even then it's never perfect I’m sure.
