PSA: Issue With Pi-hole, DoH, and dnsmasq

[UPDATE: 2018-04-18: 05:51]

The latest version of FTLDNS (vDev-3656ba2) now fixes this issue. We have modified it to spawn child processes for handling individual TCP queries. By this, Netflix (or any other application) shouldn’t be able to claim the resolver for itself, thus solving the issue.

If you have been beta testing FTLDNS, and want to get this update you’ll need to run a few commands:

cd /etc/.pihole
git fetch && git pull
pihole -r

Subsequent updates can simply be acquired with pihole -up, which didn’t work until you have the latest code acquired from the previous commands.

[UPDATE: 2018-04-10: 14:39]

We have determined the crash happens when dnsmasq stalls out after receiving an invalid TCP request from Netflix.

In the short term, you can run these iptables commands if you want to prevent the issue from happening:

sudo iptables -A INPUT -i eth0 -p tcp --destination-port 53 -j REJECT 
sudo iptables -A INPUT -i eth0 -p udp --destination-port 53 -j ACCEPT

This will reject TCP requests on port 53 but still allow UDP. It’s a band-aid fix, but can get you up in running for now.

More information on our troubleshooting process can be found in the original thread, starting here.

A user on Discourse reported an issue when using Cloudflare’s new DNS over HTTPS, which Netflix would cause Pi-hole to completely stop working. dnsmasq (and subsequently FTLDNS) locks up under certain conditions.

It’s not clear at this point if the issue is with dnsmasq, Cloudflare, or some combination of the two. We’ve reached out to Simon Kelley for comment and we are still investigating the issue.