FTLDNS locks up updating block list when using Cloudflare

Recently updated to the FTLDNS beta and had issues when updating the block lists using Cloudflare DNS. If I change to Google it updates with no problems.

It seems to be the zeustracker.abuse.ch list that it gets stuck on, and Pi-hole then seems to fail updating any more lists and DNS stops working. Restarting the pihole-FTL service gets DNS running again until the next attempted list update.

Log from the update GUI below:

[i] Neutrino emissions detected...
[✓] Pulling blocklist source list into range

[i] Target: raw.githubusercontent.com (hosts)
[✓] Status: Retrieval successful

[i] Target: mirror1.malwaredomains.com (justdomains)
[✓] Status: No changes detected

[i] Target: sysctl.org (hosts)
[✓] Status: No changes detected

[i] Target: zeustracker.abuse.ch (blocklist.php?download=domainblocklist)
[✗] Status: Connection Refused
[✗] List download failed: using previously cached list

[i] Target: s3.amazonaws.com (simple_tracking.txt)
[✗] Status: Connection Refused
[✗] List download failed: using previously cached list

[i] Target: s3.amazonaws.com (simple_ad.txt)
[✗] Status: Connection Refused
[✗] List download failed: using previously cached list

[i] Target: hosts-file.net (ad_servers.txt)
[✗] Status: Connection Refused
[✗] List download failed: using previously cached list

[✓] Consolidating blocklists
[✓] Extracting domains from blocklists
[i] Number of domains being pulled in by gravity: 144628
[✓] Removing duplicate domains
[i] Number of unique domains trapped in the Event Horizon: 121618
[i] Nothing to whitelist!
[✓] Parsing domains into hosts format
[✓] Cleaning up stray matter

[✗] DNS service is NOT running

Are you able to get to the Zeus list directly (i.e. not using Pi-hole to download the list)?

Nope, it just loads forever. I'm guessing that maybe Cloudflare do some sort of blocking? Perhaps they think the list is malware.

[Update] I now seem to be getting the same issue under other DNS providers too. Not sure if it's my config? Was a fresh Raspbian install, Pi-hole installed and then upgraded to FTL. Static IP set via dhcpcd.conf.

How often did you try updating? Some of the lists have rate limits on them so you may have to wait a period of time before trying again.

Ah - it looks like you could be right there! I'm now getting the same result after switching back to Google DNS.

Either way, it still seems to hit the Zeus list, refuse the connection and then kill the FTL DNS service as per the last line:

'[✗] DNS service is NOT running'

Restarting the server or SSH'ing and restarting the FTLpihole service gets it running again.

I assume it should just continue using the locally cached list and leave the DNS service running.

Do you lose all connectivity or does it resume? Just wondering if it's related to this:

Bingo!
That looks like it's done the trick. I'll monitor for a few days and see how it goes.

What are the downsides to running with TCP blocked, will it have any effect on anything?


Whenever the request is too large to fit into a single UDP packet, applications retry with a TCP request. This commonly happens when you enable DNSSEC, as the key info can be quite extensive. However, they are rarely used without DNSSEC; still, they could, in principle, be used for very large replies, e.g., when a huge number of IP addresses corresponds to a given domain.

TL;DR: Yes, DNS over TCP is part of the standard and disabling it may have a negative effect, but it is unlikely that you experience it without DNSSEC.
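To make the UDP-to-TCP fallback described in the reply above concrete, here is an added example (not code from the thread, Pi-hole or FTLDNS). It builds a minimal DNS query, inspects the TC (truncated) flag in the response header, and, only if that flag is set, repeats the query over TCP with the 2-byte length prefix that DNS over TCP requires. The `resolve()` function assumes a resolver listening on `127.0.0.1:53` (a hypothetical local Pi-hole); the helper functions work offline on a constructed truncated response, which is what a firewall rule dropping TCP/53 would break.

```python
import socket
import struct

# DNS header flag bits (RFC 1035, section 4.1.1)
FLAG_QR = 0x8000  # message is a response
FLAG_TC = 0x0200  # truncated: the answer did not fit in the UDP reply
FLAG_RD = 0x0100  # recursion desired
RCODE_MASK = 0x000F


def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal DNS query (A record by default), RD set, no EDNS."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    qname = b"".join(
        struct.pack("B", len(label)) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # qclass IN


def parse_flags(msg):
    """Return the fields a client needs from the 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags = struct.unpack("!HH", msg[:4])
    return {
        "id": txid,
        "is_response": bool(flags & FLAG_QR),
        "truncated": bool(flags & FLAG_TC),
        "rcode": flags & RCODE_MASK,
    }


def needs_tcp_retry(msg):
    """A response with TC set must be retried over TCP to get the full answer."""
    f = parse_flags(msg)
    return f["is_response"] and f["truncated"]


def tcp_frame(msg):
    """DNS over TCP prefixes each message with a 2-byte big-endian length (RFC 1035, 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TCP peer closed mid-message")
        buf += chunk
    return buf


def resolve(name, server="127.0.0.1", timeout=3.0):
    """Query over UDP first; fall back to TCP only when the reply is truncated.

    Returns (raw_response, transport_used). If TCP/53 is blocked by a firewall,
    the fallback raises instead of silently returning the partial UDP answer.
    """
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(query, (server, 53))
        resp, _ = udp.recvfrom(512)  # classic UDP DNS limit without EDNS
    if not needs_tcp_retry(resp):
        return resp, "udp"
    try:
        with socket.create_connection((server, 53), timeout=timeout) as tcp:
            tcp.sendall(tcp_frame(query))
            (length,) = struct.unpack("!H", recv_exact(tcp, 2))
            return recv_exact(tcp, length), "tcp"
    except (OSError, ConnectionError) as exc:
        raise RuntimeError(
            "reply was truncated but the TCP retry failed; is TCP/53 blocked?"
        ) from exc


def constructed_truncated_response(txid=0x1234):
    """Constructed sample: a resolver's reply header with QR, RD and TC set (no answer data)."""
    header = struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_RD | FLAG_TC, 1, 0, 0, 0)
    return header + build_query("example.com")[12:]  # echo the question section


if __name__ == "__main__":
    sample = constructed_truncated_response()
    print("constructed reply truncated:", needs_tcp_retry(sample))
    try:
        _, transport = resolve("example.com")
        print("live lookup answered over", transport)
    except OSError as exc:
        print("no local resolver reachable:", exc)
```

Running the script against a real resolver normally reports `udp`; the TCP path is only exercised when the server sets TC, which is the situation (large DNSSEC answers, many records) in which a rule dropping TCP/53 turns a working lookup into a failure.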

That article has been updated and the iptables rules are no longer needed if you are running the latest beta of FTLDNS.


This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.