Originally published at: https://pi-hole.net/2018/04/08/psa-issue-with-pi-hole-doh-and-dnsmasq/
[UPDATE: 2018-04-18: 05:51]
The latest version of FTLDNS (vDev-3656ba2) now fixes this issue. We have modified it to spawn child processes for handling individual TCP queries. By this, Netflix (or any other application) shouldn’t be able to claim the resolver for itself, thus solving the issue.
If you have been beta testing FTLDNS, and want to get this update you’ll need to run a few commands:
cd /etc/.pihole git fetch && git pull pihole -r
Subsequent updates can simply be acquired with
pihole -up, which didn’t work until you have the latest code acquired from the previous commands.
[UPDATE: 2018-04-10: 14:39]
We have determined the crash happens when
dnsmasq stalls out after receiving an invalid TCP request from Netflix.
In the short term, you can run these
iptables commands if you want to prevent the issue from happening:
sudo iptables -A INPUT -i eth0 -p tcp --destination-port 53 -j REJECT sudo iptables -A INPUT -i eth0 -p udp --destination-port 53 -j ACCEPT
This will reject TCP requests on port 53 but still allow UDP. It’s a band-aid fix, but can get you up in running for now.
More information on our troubleshooting process can be found in the original thread, starting here.
A user on Discourse reported an issue when using Cloudflare’s new DNS over HTTPS, which Netflix would cause Pi-hole to completely stop working.
dnsmasq (and subsequently FTLDNS) locks up under certain conditions.
It’s not clear at this point if the issue is with
dnsmasq, Cloudflare, or some combination of the two. We’ve reached out to Simon Kelley for comment and we are still investigating the issue.