PSA: Issue With Pi-hole, DoH, and dnsmasq


#1

Originally published at: https://pi-hole.net/2018/04/08/psa-issue-with-pi-hole-doh-and-dnsmasq/

[UPDATE: 2018-04-18: 05:51]

The latest version of FTLDNS (vDev-3656ba2) now fixes this issue. We have modified it to spawn child processes for handling individual TCP queries. By this, Netflix (or any other application) shouldn’t be able to claim the resolver for itself, thus solving the issue.

If you have been beta testing FTLDNS, and want to get this update you’ll need to run a few commands:

cd /etc/.pihole
git fetch && git pull
pihole -r

Subsequent updates can simply be acquired with pihole -up, which won’t work until you have the latest code acquired from the previous commands.

[UPDATE: 2018-04-10: 14:39]

We have determined the crash happens when dnsmasq stalls out after receiving an invalid TCP request from Netflix.

In the short term, you can run these iptables commands if you want to prevent the issue from happening:

sudo iptables -A INPUT -i eth0 -p tcp --destination-port 53 -j REJECT 
sudo iptables -A INPUT -i eth0 -p udp --destination-port 53 -j ACCEPT

This will reject TCP requests on port 53 but still allow UDP. It’s a band-aid fix, but can get you up and running for now.

More information on our troubleshooting process can be found in the original thread, starting here.


A user on Discourse reported an issue when using Cloudflare’s new DNS over HTTPS, in which Netflix would cause Pi-hole to completely stop working. dnsmasq (and subsequently FTLDNS) locks up under certain conditions.

It’s not clear at this point if the issue is with dnsmasq, Cloudflare, or some combination of the two. We’ve reached out to Simon Kelley for comment and we are still investigating the issue.
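The band-aid iptables rules in the update above are appended to the INPUT chain, so they only take effect if no earlier rule already accepts TCP on port 53, and they only cover the named interface. The following script is an added example (not from the Pi-hole post or the Pi-hole project) that checks a listing produced by `iptables -S INPUT` for the TCP/53 REJECT and UDP/53 ACCEPT rules and reports when an earlier ACCEPT shadows the REJECT. The listings embedded below are constructed samples of what `iptables -S INPUT` prints after those commands; the function name `dns53_bandaid_status` is this example's own.

```shell
#!/bin/sh
# Added example: verify the PSA's port-53 band-aid rules from an
# `iptables -S INPUT` listing. Not part of Pi-hole; function name is ours.

# Constructed sample: INPUT chain after the two commands from the post were
# run on a host whose INPUT policy is ACCEPT.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT'

# Constructed sample: an earlier, interface-independent ACCEPT for TCP/53
# sits above the REJECT, so the REJECT is never reached.
SHADOWED_RULES='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT'

# dns53_bandaid_status LISTING
# Prints one of: ok, missing-tcp-reject, tcp-reject-shadowed, missing-udp-accept.
# Returns 0 only for "ok". LISTING is the text of `iptables -S INPUT`.
dns53_bandaid_status() {
    listing=$1

    # First matching rule line numbers (empty when absent). `|| true` keeps
    # grep's "no match" exit status from aborting callers running under set -e.
    reject_line=$(printf '%s\n' "$listing" \
        | grep -n -- '-p tcp .*--dport 53 -j REJECT' | head -n 1 | cut -d: -f1 || true)
    accept_tcp_line=$(printf '%s\n' "$listing" \
        | grep -n -- '-p tcp .*--dport 53 -j ACCEPT' | head -n 1 | cut -d: -f1 || true)
    udp_accept=$(printf '%s\n' "$listing" \
        | grep -c -- '-p udp .*--dport 53 -j ACCEPT' || true)

    if [ -z "$reject_line" ]; then
        echo "missing-tcp-reject"; return 1
    fi
    # iptables evaluates rules top-down; an ACCEPT above the REJECT wins.
    if [ -n "$accept_tcp_line" ] && [ "$accept_tcp_line" -lt "$reject_line" ]; then
        echo "tcp-reject-shadowed"; return 1
    fi
    if [ "$udp_accept" -eq 0 ]; then
        echo "missing-udp-accept"; return 1
    fi
    echo "ok"
}

# Stand-alone demonstration against the constructed listings.
printf 'sample:   %s\n' "$(dns53_bandaid_status "$SAMPLE_RULES")"
printf 'shadowed: %s\n' "$(dns53_bandaid_status "$SHADOWED_RULES")"
```

On a live Pi-hole you would feed it the real chain, e.g. `dns53_bandaid_status "$(sudo iptables -S INPUT)"`; a result other than `ok` means the workaround is not actually in force.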


#2

Can you clarify if a basic pihole installation (including the current beta for the FTLDNS) implements DNS over HTTPS (DoH)? From what I see, implementing DoH actually required a few other steps from the user (eg installing cloudflared) - thus if we didn’t do anything like this, are we affected?

If not, should it be OK to continue using Cloudflare’s DNS (1.1.1.1 and 1.0.0.1)?


#3

We don’t currently implement DoH, so using 1.1.1.1 and 1.0.0.1 as normal will be OK.


#4

No, dnsmasq (the DNS server embedded into FTLDNS and used by FTL in v3.3.1 and below) does not support DNS over HTTPS. This bug is only active if you are using DoH, so it is fine to use Cloudflare’s DNS normally.

