Pi-hole FTL v6.3, Web v6.3 and Core v6.2 Released!

As always, please read through the changelogs before updating with pihole -up

Don’t forget, you can use Teleporter to export your configuration. It can be found under the settings menu of the web interface or on the command line with pihole-FTL --teleporter

This release has also been tagged on Docker as 2025.10.0

Highlights

Security & TLS Enhancements

Shorter validity for self-signed TLS certificate (#2463) – The default validity period for self-signed TLS certificates has been reduced, aligning with modern security best practices and ensuring compatibility with Apple devices. To compensate for the shorter validity, automatic renewal has been implemented. Certificates now default to a 47-day validity period (configurable via webserver.tls.validity) and automatically renew when nearing expiration.

Improved Content Security Policy (#2575) – Improved default CSP headers provide better protection against XSS attacks while maintaining functionality.

Security Advisories:

Thank you to the folks who responsibly disclosed potential vulnerabilities since our last realease. Details of which can be read at the following links:

• https://github.com/pi-hole/web/security/advisories/GHSA-5v79-p56f-x7c4
• https://github.com/pi-hole/web/security/advisories/GHSA-7w6h-3gwc-qhq5
• https://github.com/pi-hole/web/security/advisories/GHSA-8hr3-47jh-25vr
• https://github.com/pi-hole/web/security/advisories/GHSA-w8f8-92rx-4f6w

Network & DNS Improvements

Smart Interface Detection (#2456, #2607) – FTL now automatically detects the appropriate DNS interface when dns.interface is empty in pihole.toml, eliminating manual configuration in most scenarios.

Netlink ARP Cache Handling (#2600) – Replaced external ip neigh show calls with internal netlink-based communication, dramatically improving performance and reducing resource usage. This addresses “database locked” issues seen in some environments.

Special Domain Handling (#2474) – Added support for .internal domain blocking (following RFC draft-davies-internal-tld-03), preventing these queries from being sent to upstream DNS servers while still allowing local resolution.

DNS Localization (#2524) – New dns.localise configuration option provides better control over DNS query handling.

IPv6 DHCP Support (#2554) – Enhanced the DHCP API to properly support IPv6 addresses and configurations.

Platform & Installation

Alpine Linux Support (pi-hole/pi-hole#6275) – Full native support for Alpine Linux has been added, including proper package management with apk, OpenRC init system support, and comprehensive testing. This expands Pi-hole’s reach to lightweight container environments and minimal installations.

User Interface & Experience

CLI Autocomplete (#2593, pi-hole/pi-hole#6376) – Added bash-style completion support for pihole-FTL commands, making configuration much more user-friendly. Tab completion works for the entire --config path and suggests appropriate values.

Web Interface Improvements (web#3530, web#3551, web#3533, web#3592, FTL#2645, FTL#2647, FTL#2644, web#3622) – Many small improvements: better visualization of DNS metrics, improved query log handling, enhanced gravity output with colors, refined button styling for blocked/allowed domain actions, improved load average detection and better system information gathering.

Configuration & Management

Advanced Web Server Options (#2635) – New webserver.advancedOpts configuration for fine-tuning web server behavior.

Enhanced API Endpoints (#2530, #2632, #2466) – Multiple API improvements including better error handling, optional restart parameters, and enhanced response formatting.

Web documentation for the config file – https://docs.pi-hole.net/ftldns/configfile/ – we have added some automation and a Python script to parse the latest pihole-FTL config file and to keep the documentation up to date on the web

Performance & Reliability

Updated Core Components (#2544, #2576, #2592, #2570, #2587, #2603, #2614, #2621, #2579):

• SQLite3 updated to 3.50.4 for better database performance
• dnsmasq updated to v2.92test21 with latest fixes
• CivetWeb updated for improved web server functionality
• Migrate TOML library to tomlc17 (tomlc99 has been marked as deprecated)

Memory Management (#2617) – Improved memory handling throughout the codebase to reduce resource usage and improve stability.

Database Resilience (#2605, #2602, #2646) – Enhanced gravity database handling with custom SQLite busy callbacks and better error recovery.

Bug Fixes & Stability

• Fixed PTR query handling for .localhost domains (#2517)
• Resolved DHCP string processing issues (#2519)
• Fixed cache-optimizer query display in logs (#2619)
• Improved NTP IPv6 crash handling (#2569)
• Better foreign fork PR handling in CI (#2543)
• Enhanced debug output and logging throughout (#2594)

Diagnostics

Improved Debug Output (#2600, #2594) – More comprehensive debug information across networking, ARP processing, and system diagnostics.

Full Release Notes can be found below.

FTL v6.3

What’s Changed

• Tests – fix PTR test by @rrobgill in https://github.com/pi-hole/FTL/pull/2516
• Reply to address queries in .localhost domain (RFC6171) by @rrobgill in https://github.com/pi-hole/FTL/pull/2517
• dhcp-discover: Fix string processing by @rrobgill in https://github.com/pi-hole/FTL/pull/2519
• [RFC] Prevent .internal queries from being upstreamed. Draft draft-davies-internal-tld-03 by @Tooa in https://github.com/pi-hole/FTL/pull/2474
• Add dns.localise by @Manakuremati in https://github.com/pi-hole/FTL/pull/2524
• Webserver: Allow webhome to be root by @rrobgill in https://github.com/pi-hole/FTL/pull/2521
• api/network Avoid NULL string comparison logspam by @rrobgill in https://github.com/pi-hole/FTL/pull/2526
• request_info.is_authenticated needs to be initialized explicitly with… by @DL6ER in https://github.com/pi-hole/FTL/pull/2533
• Allow forcing color in CLI output by @DL6ER in https://github.com/pi-hole/FTL/pull/2538
• Simplify CI build by removing the composite action by @yubiuser in https://github.com/pi-hole/FTL/pull/2511
• Rename flushing arp > flushing network by @yubiuser in https://github.com/pi-hole/FTL/pull/2541
• Update embedded SQLite3 engine to 3.50.2 by @DL6ER in https://github.com/pi-hole/FTL/pull/2544
• Add pihole-FTL create-default-config option and use it to upload pihole.toml to ftl.pi-hole.net by @yubiuser in https://github.com/pi-hole/FTL/pull/2540
• Allow low-level header manipulation from Lua pages by @DL6ER in https://github.com/pi-hole/FTL/pull/2535
• Fix foreign fork PRs by @DL6ER in https://github.com/pi-hole/FTL/pull/2543
• Update package-lock.json to fix npm vuln by @XhmikosR in https://github.com/pi-hole/FTL/pull/2555
• Update rapidoc to v9.3.8 by @XhmikosR in https://github.com/pi-hole/FTL/pull/2556
• Add missing ‘took’ fields to API spec response examples by @tsutsu3 in https://github.com/pi-hole/FTL/pull/2466
• Remove domain type from domainNeeded help text by @yubiuser in https://github.com/pi-hole/FTL/pull/2564
• Update embedded dnsmasq to v2.92test16 by @DL6ER in https://github.com/pi-hole/FTL/pull/2570
• Config typo correction by @rrobgill in https://github.com/pi-hole/FTL/pull/2572
• Support IPv6 in the DHCP API by @DL6ER in https://github.com/pi-hole/FTL/pull/2554
• Add sigrtmin option by @jacklul in https://github.com/pi-hole/FTL/pull/2574
• NTP ipv6 crash fix – ntp reply & logging by @rrobgill in https://github.com/pi-hole/FTL/pull/2569
• Add ‘never-stale’ to stale issue exempt lable list by @yubiuser in https://github.com/pi-hole/FTL/pull/2578
• Upgrade TOML library to tomlc17 by @DL6ER in https://github.com/pi-hole/FTL/pull/2579
• Add warning to the config markdown by @yubiuser in https://github.com/pi-hole/FTL/pull/2580
• Automatically detect DNS interface when empty in pihole.toml by @DL6ER in https://github.com/pi-hole/FTL/pull/2456
• Make type a required parameter for PUT and DELETE /lists by @DL6ER in https://github.com/pi-hole/FTL/pull/2530
• Update embedded SQLite3 to 3.50.3 by @DL6ER in https://github.com/pi-hole/FTL/pull/2576
• Remove remaining traces of ARP flush by @yubiuser in https://github.com/pi-hole/FTL/pull/2545
• Improve CNAME behavior of pi.hole by @DL6ER in https://github.com/pi-hole/FTL/pull/2585
• Add colors to the –config output by @DL6ER in https://github.com/pi-hole/FTL/pull/2584
• fix: change type of disk parameter for GET /queries by @ninjack-dev in https://github.com/pi-hole/FTL/pull/2589
• Improve default CSP headers by @DL6ER in https://github.com/pi-hole/FTL/pull/2575
• Improve already running detection by @DL6ER in https://github.com/pi-hole/FTL/pull/2591
• Update embedded SQLite3 to 3.50.4 by @DL6ER in https://github.com/pi-hole/FTL/pull/2592
• Fix debug output association by @DL6ER in https://github.com/pi-hole/FTL/pull/2594
• Fix FTL running behing reverse-proxy with prefix by @DL6ER in https://github.com/pi-hole/FTL/pull/2595
• Update embedded dnsmasq by @DL6ER in https://github.com/pi-hole/FTL/pull/2587
• Implement netlink ARP cache handling by @DL6ER in https://github.com/pi-hole/FTL/pull/2600
• Add autocomplete feature by @DL6ER in https://github.com/pi-hole/FTL/pull/2593
• Update embedded dnsmasq to v2.92test19 by @DL6ER in https://github.com/pi-hole/FTL/pull/2603
• Fix dns.interface comment by @rdwebdesign in https://github.com/pi-hole/FTL/pull/2597
• Fix logic in automatic interface determination (when dns.interface = “”) by @DL6ER in https://github.com/pi-hole/FTL/pull/2607
• Fix default value autocomplete suggestions by @DL6ER in https://github.com/pi-hole/FTL/pull/2609
• Update dnsmasq to v2.92test21 by @DL6ER in https://github.com/pi-hole/FTL/pull/2614
• Fix cache-optimizer queries in Query Log by @DL6ER in https://github.com/pi-hole/FTL/pull/2619
• Update embedded CivetWeb by @DL6ER in https://github.com/pi-hole/FTL/pull/2621
• Do not set domainname when the kernel replies with “(none)” by @DL6ER in https://github.com/pi-hole/FTL/pull/2620
• Fix dns.hosts help text to show multiple hostnames per IP are allowed by @rdwebdesign in https://github.com/pi-hole/FTL/pull/2623
• Improve memory handling by @DL6ER in https://github.com/pi-hole/FTL/pull/2617
• Pin github actions to SHA by @yubiuser in https://github.com/pi-hole/FTL/pull/2615
• Bump the github_action-dependencies group across 1 directory with 6 updates by @dependabot[bot] in https://github.com/pi-hole/FTL/pull/2628
• Be more gracefully when validating dns_hosts by @yubiuser in https://github.com/pi-hole/FTL/pull/2624
• Implement automatic TLS/SSL certificate renewals by @DL6ER in https://github.com/pi-hole/FTL/pull/2463
• Fix HOSTS file rotation test which was hiding in fast runners by @yubiuser in https://github.com/pi-hole/FTL/pull/2630
• Suggest IP addresses instead of names for upstream by @DL6ER in https://github.com/pi-hole/FTL/pull/2444
• Make restarting optional in API config endpoints by @DL6ER in https://github.com/pi-hole/FTL/pull/2632
• Ensure queries with ID 0 are stored to the long-term queries database by @DL6ER in https://github.com/pi-hole/FTL/pull/2633
• Ensure we can log until the very end by @DL6ER in https://github.com/pi-hole/FTL/pull/2634
• Bump github/codeql-action from 3.30.3 to 3.30.5 in the github_action-dependencies group across 1 directory by @dependabot[bot] in https://github.com/pi-hole/FTL/pull/2636
• Fix long-term database insertion by @DL6ER in https://github.com/pi-hole/FTL/pull/2583
• Add webserver.advancedOpts by @DL6ER in https://github.com/pi-hole/FTL/pull/2635
• Add new dns.domain.local and rename dns.domain -> dns.domain.name by @DL6ER in https://github.com/pi-hole/FTL/pull/2531
• Bump the github_action-dependencies group across 1 directory with 3 updates by @dependabot[bot] in https://github.com/pi-hole/FTL/pull/2641
• Allow escaping special single-character wildcard “_” when doing partial matching by @DL6ER in https://github.com/pi-hole/FTL/pull/2550
• Expose both total and enabled for gravity tables by @DL6ER in https://github.com/pi-hole/FTL/pull/2177
• Improve gravity database resilience by @DL6ER in https://github.com/pi-hole/FTL/pull/2605
• Add custom SQLite busy callback by @DL6ER in https://github.com/pi-hole/FTL/pull/2602
• Add %MEM and %CPU of FTL to GET info/system by @DL6ER in https://github.com/pi-hole/FTL/pull/2645
• Try to load system load averages from /proc/loadavg first by @tpjanssen in https://github.com/pi-hole/FTL/pull/2644
• Fix database busy handler initialization by @DL6ER in https://github.com/pi-hole/FTL/pull/2646
• Fix POST /lists example by @DL6ER in https://github.com/pi-hole/FTL/pull/2649
• Improve CPU utilization reporting by @DL6ER in https://github.com/pi-hole/FTL/pull/2647
• Bump the github_action-dependencies group across 1 directory with 2 updates by @dependabot[bot] in https://github.com/pi-hole/FTL/pull/2651
• Implement selection of TLS ciphers for mbedtls by @DL6ER in https://github.com/pi-hole/FTL/pull/2638
• Bump the github_action-dependencies group across 1 directory with 3 updates by @dependabot[bot] in https://github.com/pi-hole/FTL/pull/2654

New Contributors

• @Tooa made their first contribution in https://github.com/pi-hole/FTL/pull/2474
• @Manakuremati made their first contribution in https://github.com/pi-hole/FTL/pull/2524
• @ninjack-dev made their first contribution in https://github.com/pi-hole/FTL/pull/2589
• @tpjanssen made their first contribution in https://github.com/pi-hole/FTL/pull/2644

Full Changelog: https://github.com/pi-hole/FTL/compare/v6.2.3…v6.3

Core v6.2

What’s Changed

• Remove readonly from list.sh to avoid errors by @rdwebdesign in https://github.com/pi-hole/pi-hole/pull/6349
• Remove netcat from the list of dependencies by @darkexplosiveqwx in https://github.com/pi-hole/pi-hole/pull/6343
• Re-order authentication errors in verbose mode by @yubiuser in https://github.com/pi-hole/pi-hole/pull/6338
• Speed up pihole –query by @rrobgill in https://github.com/pi-hole/pi-hole/pull/6334
• Use RTMIN value provided by FTL when possible by @jacklul in https://github.com/pi-hole/pi-hole/pull/6358
• Speed up pihole api by @rrobgill in https://github.com/pi-hole/pi-hole/pull/6336
• Update man page – remove “reconfigure” option by @rdwebdesign in https://github.com/pi-hole/pi-hole/pull/6361
• Tweak ARP flushing function by @yubiuser in https://github.com/pi-hole/pi-hole/pull/6319
• Fix gravity and error on pihole-FTL –config failures by @yubiuser in https://github.com/pi-hole/pi-hole/pull/6352
• Use ‘true’/’false’ strings instead of 0/1 integers for boolean root user check in pihole command by @yubiuser in https://github.com/pi-hole/pi-hole/pull/6351
• Do not call pihole-FTL –config interactively by @DL6ER in https://github.com/pi-hole/pi-hole/pull/6368
• Explicitly check for the existence of FTL binary before attempting to stop it. Prevents warning message on fresh installs by @PromoFaux in https://github.com/pi-hole/pi-hole/pull/6364
• Add “setpassword” to pihole Bash completion by @deHakkelaar in https://github.com/pi-hole/pi-hole/pull/6369
• Add FTL bash autocomplete by @yubiuser in https://github.com/pi-hole/pi-hole/pull/6376
• Alpine Linux Support and Tests by @mgziminsky in https://github.com/pi-hole/pi-hole/pull/6275
• uninstall refactor and improvement by @rrobgill in https://github.com/pi-hole/pi-hole/pull/6339
• Fix typo found during install by @jbirddog in https://github.com/pi-hole/pi-hole/pull/6406
• Add Debian 13 Trixie to the test suite by @yubiuser in https://github.com/pi-hole/pi-hole/pull/6382
• Adjust .shellcheckrc to 0.11 and enable some optional checks by @yubiuser in https://github.com/pi-hole/pi-hole/pull/6374
• Use SHA to pin github actions by @yubiuser in https://github.com/pi-hole/pi-hole/pull/6392
• Rename views, upgrade gravity database and bump gravity database version by @DL6ER in https://github.com/pi-hole/pi-hole/pull/6386
• Tiny change to make prev2 also a local variable by @casperklein in https://github.com/pi-hole/pi-hole/pull/6420
• Fix gravity indention by @yubiuser in https://github.com/pi-hole/pi-hole/pull/6427

New Contributors

• @mgziminsky made their first contribution in https://github.com/pi-hole/pi-hole/pull/6275
• @jbirddog made their first contribution in https://github.com/pi-hole/pi-hole/pull/6406

Full Changelog: https://github.com/pi-hole/pi-hole/compare/v6.1.4…v6.2

Web v6.3

What’s Changed

• Clarify client description priorities on the groups/client interface by @DL6ER in https://github.com/pi-hole/web/pull/3521
• Remove superfluous settings-level-expert class by @yubiuser in https://github.com/pi-hole/web/pull/3503
• Remove link to rate limit documentation which does not add further etails by @yubiuser in https://github.com/pi-hole/web/pull/3526
• Add some color to gravity output by @yubiuser in https://github.com/pi-hole/web/pull/3530
• settings-system : Avoid division by zero in DNS metrics by @rrobgill in https://github.com/pi-hole/web/pull/3533
• Make the “Add to denied/allowed domains” buttons red and green by @darkexplosiveqwx in https://github.com/pi-hole/web/pull/3551
• Remove query type from domainNeeded option by @yubiuser in https://github.com/pi-hole/web/pull/3557
• Handle pie chart item style conditionally by @yubiuser in https://github.com/pi-hole/web/pull/3532
• Use label-primary for number of enabled list icon on sidebar by @yubiuser in https://github.com/pi-hole/web/pull/3563
• Use innerHTML instead of append to fix gravity color output by @yubiuser in https://github.com/pi-hole/web/pull/3566
• Trim whitespaces before adding custom DNS record by @yubiuser in https://github.com/pi-hole/web/pull/3569
• Bind address to new element instead of raw HTML construction by @DL6ER in https://github.com/pi-hole/web/pull/3567
• Use /flush/network instead of /flush/arp by @yubiuser in https://github.com/pi-hole/web/pull/3553
• Prevents getting stuck loading unlimited query log results by @ablankenship10 in https://github.com/pi-hole/web/pull/3592
• Fix 2FA icon styles #3431 by @idotj in https://github.com/pi-hole/web/pull/3585
• Fix header.lp closing head tag formatting by @h3xcat in https://github.com/pi-hole/web/pull/3607
• Fix the link on the upstream chart legend by @rdwebdesign in https://github.com/pi-hole/web/pull/3606
• Rename config key dns.domain > dns.domain.name by @yubiuser in https://github.com/pi-hole/web/pull/3611
• Improve line graph tooltip by @yubiuser in https://github.com/pi-hole/web/pull/3601
• Make DNSSEC icon conditional in Queries Log (redo of https://github.com/pi-hole/web/pull/3399/) by @yubiuser in https://github.com/pi-hole/web/pull/3535
• Query Log: The underscore is special by @DL6ER in https://github.com/pi-hole/web/pull/3578
• Fix addList function to include type in API request URL by @PromoFaux in https://github.com/pi-hole/web/pull/3620
• Pin github action to SHA by @yubiuser in https://github.com/pi-hole/web/pull/3593
• Adjust domain count according to pi-hole/FTL#2177 by @yubiuser in https://github.com/pi-hole/web/pull/3619
• Also pin editorconfigchecker by sha by @yubiuser in https://github.com/pi-hole/web/pull/3621
• Update FTL %cpu and %mem everytime total CPU stats are updated by @yubiuser in https://github.com/pi-hole/web/pull/3622
• Clarify uptime in container matching the host uptime with a tooltip by @yubiuser in https://github.com/pi-hole/web/pull/3624
• Adjust text BitWarden to Bitwarden by @jprusik in https://github.com/pi-hole/web/pull/3629

New Contributors

• @darkexplosiveqwx made their first contribution in https://github.com/pi-hole/web/pull/3551
• @ablankenship10 made their first contribution in https://github.com/pi-hole/web/pull/3592
• @idotj made their first contribution in https://github.com/pi-hole/web/pull/3585
• @h3xcat made their first contribution in https://github.com/pi-hole/web/pull/3607
• @jprusik made their first contribution in https://github.com/pi-hole/web/pull/3629

Full Changelog: https://github.com/pi-hole/web/compare/v6.2.1…v6.3