PSA: Issue With Pi-hole, DoH, and dnsmasq
[UPDATE: 2018-04-18: 05:51]
The latest version of FTLDNS (vDev-3656ba2) now fixes this issue. We have modified it to spawn child processes for handling individual TCP queries. This way, Netflix (or any other application) should no longer be able to claim the resolver for itself, which solves the issue.
If you have been beta testing FTLDNS, and want to get this update you’ll need to run a few commands:
cd /etc/.pihole
git fetch && git pull
pihole -r
Subsequent updates can simply be acquired with pihole -up, which doesn't work until you have acquired the latest code with the commands above.
[UPDATE: 2018-04-10: 14:39]
We have determined the crash happens when dnsmasq stalls out after receiving an invalid TCP request from Netflix.
In the short term, you can run these iptables commands if you want to prevent the issue from happening:
sudo iptables -A INPUT -i eth0 -p tcp --destination-port 53 -j REJECT
sudo iptables -A INPUT -i eth0 -p udp --destination-port 53 -j ACCEPT
This will reject TCP requests on port 53 but still allow UDP. It's a band-aid fix, but it can get you up and running for now.
More information on our troubleshooting process can be found in the original thread, starting here.
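As an added illustration (not Pi-hole's or dnsmasq's code) of what the per-query child process in the 2018-04-18 fix buys over the iptables band-aid: a toy DNS-over-TCP front end on loopback that gives every connection its own handler thread and a read timeout, so a client that opens a TCP connection and never completes its query is dropped on its own while other clients keep getting answers. The function names, the record table and the 0.5 s timeout are assumptions.

```python
import socket
import socketserver
import struct
import threading
# Added illustration, not Pi-hole or dnsmasq code: each TCP connection gets its own
# handler thread and a read timeout, so one stalled client cannot claim the resolver.
RECORDS = {b"\x07example\x04test\x00": "192.0.2.10"}  # constructed: wire QNAME -> A

def read_exact(conn, n):  # read exactly n bytes; socket.timeout propagates on a stall
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-message")
        buf += chunk
    return buf

def answer(query):  # reply to a single-question A query; NXDOMAIN if unknown
    end = query.index(0, 12) + 1  # QNAME ends at its root label; ValueError if malformed
    ip = RECORDS.get(query[12:end])
    flags, ancount = (0x8180, 1) if ip else (0x8183, 0)  # NOERROR or NXDOMAIN
    reply = query[:2] + struct.pack("!HHHHH", flags, 1, ancount, 0, 0) + query[12:end + 4]
    if ip:  # pointer to QNAME, type A, class IN, TTL 60, RDLENGTH 4, address
        reply += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return reply

class Handler(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.settimeout(0.5)  # a peer silent for 0.5 s is dropped
        try:
            (length,) = struct.unpack("!H", read_exact(self.request, 2))
            reply = answer(read_exact(self.request, length))
            self.request.sendall(struct.pack("!H", len(reply)) + reply)
        except (OSError, ValueError):
            pass  # drop only this client; other handler threads keep serving

def start():  # threaded resolver on a loopback ephemeral port; returns (server, port)
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]

def stalled_client(port):  # opens TCP, sends half a length prefix, then goes silent
    s = socket.create_connection(("127.0.0.1", port))
    s.sendall(b"\x00")
    return s

def query_tcp(port, qname=b"\x07example\x04test\x00"):  # one A query over TCP
    q = b"\x12\x34" + struct.pack("!HHHHH", 0x0100, 1, 0, 0, 0) + qname + b"\x00\x01\x00\x01"
    with socket.create_connection(("127.0.0.1", port), timeout=2) as s:
        s.sendall(struct.pack("!H", len(q)) + q)
        return read_exact(s, struct.unpack("!H", read_exact(s, 2))[0])
```

With a single-threaded handler and no timeout, the stalled client alone would stop every later query from being answered, which is the behaviour the iptables rules work around by refusing TCP/53 entirely.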
A user on Discourse reported an issue when using Cloudflare's new DNS over HTTPS: Netflix traffic would cause Pi-hole to completely stop working. dnsmasq (and subsequently FTLDNS) locks up under certain conditions.
It's not clear at this point if the issue is with dnsmasq, Cloudflare, or some combination of the two. We've reached out to Simon Kelley for comment and we are still investigating the issue.
Can you clarify if a basic Pi-hole installation (including the current beta for FTLDNS) implements DNS over HTTPS (DoH)? From what I see, implementing DoH actually required a few other steps from the user (e.g. installing cloudflared), thus if we didn't do anything like this, are we affected?
If not, should it be OK to continue using Cloudflare's DNS (1.1.1.1 and 1.0.0.1)?
We don't currently implement DoH, so using 1.1.1.1 and 1.0.0.1 as normal will be OK.
No, dnsmasq (the DNS server embedded into FTLDNS and used by FTL in v3.3.1 and below) does not support DNS over HTTPS. This bug is only active if you are using DoH, so it is fine to use Cloudflare's DNS normally.