Pi-hole, COVID-19 and a special Easter gift

2020-04-12

Like you, we’ve been thinking a lot about the current global COVID-19 pandemic. During the Beta testing period, many of us were unaffected by this outbreak, but as the effects have intensified around the world, it has become a bit tougher for us to work on some things, both because of the restrictions we now face and because we have had to adapt to changes in our work environments. Many of us were asked to work from home, to practice social distancing, or even to remain under quarantine. This has unfortunately slowed down the release process, even though one would assume that this might mean more time for open source contributions. In fact, it often means additional stress as we have to care for others. These days, there are a lot of uncertainties that keep us busy.

However, we are pleased to announce a special Easter gift for you all: we’re making the just-released version of dnsmasq available to Pi-hole users now. This new version brings a lot of new features, tweaks and a substantial number of bug fixes, many related to DNSSEC issues you’ve reported over the last couple of months. To get it now, you must be participating in our public Pi-hole v5.0 beta testing. For all others, it will be shipped when Pi-hole v5.0 lands. We’re currently squashing the last few remaining bugs and hope to ship the new version soon™.

In addition to some new DHCP options and improvements, it features a lot of internal tweaks, such as:

  • Improved cache behavior for TCP connections
    For ease of implementation, we always forked a new process to handle each incoming TCP connection. A side effect of this is that any DNS queries answered from TCP connections are not cached. When TCP connections were rare, this was not a problem. With the coming of DNSSEC, some DNSSEC queries now have answers which spill to TCP, and if, for instance, this applies to the keys for the root, then those never get cached and performance is very bad. This fix passes cache entries back from the TCP child process to the main server process, which fixes the problem
  • Support TCP-fastopen (RFC-7413) on both incoming and outgoing TCP connections, if supported and enabled in the OS
  • Improve kernel-capability manipulation code under Linux. Dnsmasq now fails early if a required capability is not available, and tries not to request capabilities not required by its configuration. This supplements capability checks which were already available in pihole-FTL before
  • Add shared-network config. This enables allocation of addresses by the DHCP server in subnets where the server (or relay) does not have an interface on the network in that subnet
  • Add dhcp-ignore-clid. This disables reading of DHCP client identifier option (option 61), so clients are only identified by MAC addresses
  • Add caching of SRV records
  • Pruning of DHCP leases as soon as they have expired (an often requested feature on our platforms)
  • Support prefixed ranges of IPv6 addresses in dhcp-host. This eases problems with chain-netbooting, where each link in the chain requests an address using a different UID. With a single address, only one gets the “static” address, but with this fix, enough addresses can be reserved for all the stages of the boot
  • Add filtering by tag of dhcp-host directives
  • Many bug fixes and improvements for DNSSEC handling such as fixing spurious DNSSEC validation failures and support for the most recent version of the nettle crypto library
  • And many more!
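
The TCP cache item in the list above, sketched as an added example (this is not code from dnsmasq or Pi-hole): a per-connection fork whose cache insert is lost to the main process unless the entry is passed back. The names `entry` and `handle_tcp_query`, the sample hostnames and the use of a pipe as the transport are assumptions made for illustration.

```c
/* Toy model of the fix, added for illustration; not dnsmasq source code. */
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

struct entry { char name[64]; unsigned ttl; };  /* hypothetical cache record */
static struct entry cache[8];
static int cache_len;

static void cache_insert(const struct entry *e) { if (cache_len < 8) cache[cache_len++] = *e; }
static int cache_has(const char *name) {
    for (int i = 0; i < cache_len; i++)
        if (strcmp(cache[i].name, name) == 0) return 1;
    return 0;
}

/* Answer one query in a forked per-connection child. pass_back == 0 models
   the old behaviour: the entry lands only in the child's copy of the cache.
   pass_back == 1 models the fix: the child also writes the entry to a pipe
   and the main process inserts it. Returns 1 if cached in main, 0 if not. */
int handle_tcp_query(const char *name, int pass_back) {
    int fds[2];
    struct entry e = { .ttl = 300 };       /* constructed TTL, zeroed name */
    if (pipe(fds) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                        /* per-connection child */
        close(fds[0]);
        snprintf(e.name, sizeof e.name, "%s", name);
        cache_insert(&e);                  /* changes only the child's copy */
        int ok = !pass_back || write(fds[1], &e, sizeof e) == (ssize_t)sizeof e;
        _exit(ok ? 0 : 1);
    }
    close(fds[1]);                         /* main server process */
    if (read(fds[0], &e, sizeof e) == (ssize_t)sizeof e) {
        e.name[sizeof e.name - 1] = '\0';  /* keep the string terminated */
        cache_insert(&e);
    }
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return cache_has(name);
}

int main(void) {
    printf("old behaviour cached: %d\n", handle_tcp_query("a.example", 0));
    printf("with pass-back cached: %d\n", handle_tcp_query("b.example", 1));
    return 0;
}
```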

You can read the official dnsmasq change log. For those interested in more technical details, we have compiled a somewhat more verbose change log.

Keep yourself safe and thank you very much for your dedication to Pi-hole.
You are a great community and we want to say thank you to all of you!

One Response

  1. […] Pi-hole have just announced as an Easter gift that they have included dnsmasq 2.81 in their Pi-hole 5.0 beta testing program and it aims to fix many DNSSEC issues that have been reported during the past few months. I didn’t have time to test it and probably will wait for the final release as my wife and I use it while working from home. If you are in the same situation as I am, disabling the DNSSEC setting has been a good workaround. […]
