Pi-hole v4.0 Released With FTLDNS, Improved Blocking Modes, Regex, Docker, and More

Originally published at: https://pi-hole.net/2018/08/06/pi-hole-v4-0-released-with-ftldns-improved-blocking-modes-regex-docker-and-more/

We're very pleased to release Pi-hole v4.0 today, which includes fixes, tweaks, and lots of new stuff, including FTLDNS (special thanks to our beta testers!) In a sentence, FTLDNS is dnsmasq with Pi-hole's special sauce baked in.

FTLDNS does everything dnsmasq does because it is dnsmasq--just our fork of it. So all of your existing config files will still work with it. We intentionally modified the original dnsmasq source code as little as possible so that we can easily integrate any upstream changes as they are released.

Read on to find out everything included in this release or read the technical details in the changelogs.

How Do I Update To This Version?

Running the pihole -up command will update your Pi-hole installation.

What If I Was A Beta Tester Or I'm On A Different Branch?

You should pihole checkout master, which should get you there, but you may need to run pihole -up.

What If I Have Problems After Updating?

Please contact us via our Discourse forums first (we're still available on other social platforms but Discourse is our official support forum). Issues can be tagged with v4-0.

Special Thanks

Thanks to everyone who has continued to support over the past few months during our beta test of 4.0. We'd also like to especially thanks our patrons and those of you who have donated to our fundraiser. Your support helps keep us motivated and keep Pi-hole free.

Official Docker Image

We're pleased to announce an official Pi-hole Docker image. @diginc is our Docker master and many of you have been using his image for some time now. We've always worked closely with him, but now he's part of the team and in our GitHub organization and we're all working together.

@diginc's image will still be around if you want to use it, but we'll be using pihole/pihole as the "official" image going forward.

New Documentation Site

We've loaded up https://docs.pi-hole.net with all sorts of good technical documentation, guides, and more. We still have our Discourse FAQs, but they are not always easy to find and you might just stumble upon them via Google. The new docs site is a more centralized way to browse and easily find what you are looking for.

If you find old or outdated information in Discourse, please message one of the developers, so we can get it updated (or link to the new docs site). There is a lot of documentation out there and we do our best to keep it up-to-date, so any help keeping it relevant is appreciated.

In addition to the online documentation, we have also added man pages for pihole, pihole-FTL, and pihole-FTL.conf.

Regex Blocking

We have introduced regex blocking. More details on that can be found on our documentation site. With this feature, you are able to specify an arbitrary amount of arbitrarily complex blocking filters.

The wildcard button is a compatibility wrapper function, which outputs a regex that acts like the old wildcard blocking.

New Privacy Levels

We introduced several different privacy levels, which can be used to fine tune the level of detail displayed in your Pi-hole statistics.

New Blocking Modes

Default Block Mode Is Different (And The Block Page Is Disabled)

Pi-hole has used IP-based blocking since it's inception. With 4.0, we introduce several different choices of blocking methods. And after much discussion internally, we decided to change the default blocking mode to NULL blocking.

The main reason for this is that it eliminates the need for iptables rules currently needed for slow-loading pages. Having to make these adjustments post-install is a hassle for new and experienced users alike, plus NULL blocking provides the same end result without the negative side effects. A result of this change is that the block page will no longer work (unless you choose to use an IP blocking mode).

NULL blocking is just the new default, and there are several different blocking modes you can choose from, so use the one that fits your needs the best.

Important Notes About This Release

Existing Installs Of dnsmasq Will Be Disabled (What?!)

Since we're distributing our fork of dnsmasq and you shouldn't have two different DNS servers trying to bind to the same port, our installer will disable existing installations of dnsmasq if we detect it is already installed and it will be replaced with pihole-FTL (FTLDNS). The good news is, if you have things that require dnsmasq you won't notice a difference in functionality because as we mentioned, FTLDNS is dnsmasq.

So why did we do this? One reason is that distributing our own fork lets us control what version of dnsmasq is installed as opposed to trying to account for all the different versions out there.

Bundling the resolver with FTL also allows us closer access to the software, so much so that we don't even need the log file anymore to get statistics. It also allows us to do things like increase the cache limit and gather stats about how many domains are receiving cached responses. There are many benefits to this decision, and hopefully you'll see them all when you finish reading what else is included in this release.

What's Fixed?

We have fixed several bugs in this release, including the infamous bug of the clients over time graph getting cut off.

  • several fixes for unattended installations have been implemented
  • hostnames now resolve in Long Term Data
  • we fixed some query log sorting issues
  • we fixed some issues with the uninstaller

What's Else?

  • custom ports can be used for upstream servers (perfect for use with the all around DNS solution)
  • CloudFlare DNS has been added to available upstream servers
  • If you were previously were using -wild it is now --wild
  • the blocklist sources are no longer whitelisted by default
  • several API improvements have been implemented including a versions endpoint and completely removing the PHP-only API
  • DNSSEC information displays in the query log
  • a field for an administrator email address has been added for use with the block page
  • a scroll box is now used when tailing the logs in the Web interface
  • the query log page layout will be remembered now
  • persistent logins are available via cookie

I upgraded my beta version to 4.0, and it works like a charm.:grinning:

Thank you for your excellent work.

Now if you fix your PayPal donation I will be happy to donate to your work. Currently you refuse PayPal donations unless there is a credit card on the PayPal account. :rage:

I updated, it went smoothly and is running like a charm. I love all the changes and bug fixes, really great release. Great job to the entire team!


good job - thank you all


Hate to tell you, but the "clients over time graph" is still getting cut off for me (Chrome). I'll play around and see if it works on other OSs/browsers.

I'm running Chrome (latest) on MacOS High Sierra (latest) and the clients pop-over is not cut off for me.

Upgrade from beta to 4.0 on Rpi 2 with no problems.
(followed instructions).
Thank You, Nice job! :slight_smile:

1 Like

Did you try flushing your browser cache?

Seems to be working as expected in Chrome/Win10. My issue was in Chrome/Android (but that's not always 100% compatible on a good day). I'll continue to troubleshoot.

Following up: Clearing the browser cache solved all of the issues I was seeing in Chrome/Android. Thanks for the help.

Congrats on the release of the new version!

Just a quick question about the changelog:

What prompted this change, can I turn it back on / what is the proper method to prevent your blocklists from blocking each other?

What prompted the change. We didn't want to whitelist domains automatically for users as that could potentially whitelist some ad serving domains if we weren't careful an example of this would be s3.amazonaws.com. We also noticed that in our tests not many of the lists contained other list sources as blocked domains.

No at this time it is not a user adjustable setting. I like this idea though

Best method would be to look at your blocklist domains and whitelist IF they fail to download on a run of pihole -g

There are a few block lists out there that pretty much throw in everything but the kitchen sink for domains to block, and aren't really tailored to work with a DNS-based solution like Pi-Hole.

In my experience, one of the worst offenders is https://adblock.mahakala.is. This blocks a lot of block list sites, as well as many reputable commercial sites like walmart.com (not just the ad-serving subdomains), etc. I deleted it shortly after I started using it.

1 Like

I am trying to make pihole as automatic as I can, using one of WaLLy3K blacklists and anudeepND whitelist, downloading both lists automatically and running pihole -g. This works until one of WaLLy3K's lists starts blocking other lists.

I understand you don't want to add whole domains (like s3.amazonaws.com) to the whitelist, but I have no problem allowing a specific list like https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt from a well curated Blocklist Collection.

In gravity.sh line 220:

httpCode=$(curl -s -L ${cmd_ext} ${heisenbergCompensator} -w "%{http_code}" -A "${agent}" "${url}" -o "${patternBuffer}" 2> /dev/null)

--dns-servers could be added to the curl command to allow the lookup of the entries in the blocklist collection. Unfortunately, the --dns-servers option is not available on Raspbian:

$ curl pi-hole.net --dns-servers
curl: (4) A requested feature, protocol or option was not found built-in in this libcurl due to a build-time decision.

Any other ways you can think of (other then disabling pihole temporarily) to allow the download of the blocklist entries?

If you add a block list, you can whitelist the domain manually.

I am trying to whitelist the entries in the blocklist. Not statically(manually), but dynamically, depending on the content of the blocklist collection.

This works pulling the file, even as hosts-file.net is blacklisted

curl --resolve hosts-file.net:443:`dig @ +short hosts-file.net` https://hosts-file.net/grm.txt

Are you trying to whitelist the list domains though? That seems to be what you are trying to do. The best way to do that is to just whitelist them manually.

In addition to the other comments, having a pre-populated whitelist also confused some users and some thought we were showing favoritism. So those were a couple other reasons we took them out.

No, I'm not trying to whitelist the domains, I'm trying to find a way to download the url's in a blocklist regardless of the current blacklist or whitelist.