Pi-hole v4.2 Available With Shared Memory, New Blocking Modes, And More


#1

Originally published at: https://pi-hole.net/2019/02/03/pi-hole-v4-2-available-with-shared-memory-new-blocking-modes-and-more/

We’re always happy when we can release a new version of Pi-hole, so today we’re announcing v4.2 of Pi-hole. Thank you to to our patrons and everyone else who continue to support us. Along with many other things, we’ve merged in the upstream code from dnsmasq v2.80. For anyone who doesn’t know, FTLDNS (pihole-FTL) is our fork of dnsmasq.

Highlights

New Blocking Mode

We’ve added a new blocking mode (NODATA), where blocked requested are replied with a status code of NOERROR and A / AAAA records are empty. It’s unclear if there are advantages to this mode over others, but you’re welcome to experiment with it.

Shared Memory

In preparation of the new API we are working on, FTLDNS will now store its data in a shared-memory space, so that the API can come in and read from that memory to fulfill requests. In short, this means FTLDNS will be even lighter as it doesn’t have to care about sending the statistics to some requester. Instead, it will concentrate on generating the statistics and the API can read FTL’s data directly, resulting in reduced delays in the API.

wpad Vulnerability Fix

We previously mentioned how you could work around a vulnerability regarding wpad entries. This fix is now in place as suggested by dnsmaq.conf.example.

Fixes And Tweaks

  • We updated SQLite to 3.26.0
  • We fixed the query status if a forwarded query was partially replied to from the cache
  • We now prevent multiple static DHCP entries with same IP
  • And more…

Docker Version Also Updated

We heard your feedback and we made sure to coordinate better to release our traditional install and our Docker install at the same time.


pinned #2

made this a banner . It will appear at the top of every page until it is dismissed by the user. #3

#4

Thanks for the new version and I will try it soon.

I am looking at the new blocking option for IPv4 by returning NODATA. I have good results with Null blocking and you just throw a bone to the requester and tell have much fun with it.

NODATA is more specific which (subdomain.)domain.tld is no existent. NXDOMAIN is telling that the domain.tld is not existing.

However, as indicated, it is how the requester is dealing with this negative answer.
I don’t expect a better reaction then with NXDOMAIN which made me to be a fanboy of Null blocking.

Then, NODATA is much much better than NXDOMAIN, it is like a scapel cutting out specific replies and not squash the whole domain like NXDOMAIN does.

https://prefetch.net/blog/2016/09/28/the-subtleties-between-the-nxdomain-noerror-and-nodata-dns-response-codes/


#5

“NODATA responses have to be algorithmically determined from the response’s contents as there is no RCODE value to indicate NODATA. In some cases to determine with certainty that NODATA is the correct response it can be necessary to send another query.”


#6

And I think there is some confusion, domain.tld is a domain, sub.domain.tld is also a domain. NXDOMAIN does not stop at the top level, or any level, it is a response that the requested domain does not exist. You can NXDOMAIN my.domain.tld and still have a valid domain.tld query and response.


#7
dschaper@Mariner:/c/Users/DanSchaper$ dig blue.pi-hole.net

; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> blue.pi-hole.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 55207
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;blue.pi-hole.net.              IN      A

;; AUTHORITY SECTION:
pi-hole.net.            3600    IN      SOA     dina.ns.cloudflare.com. dns.cloudflare.com. 2030049905 10000 2400 604800 3600

;; Query time: 22 msec
;; SERVER: 192.168.100.2#53(192.168.100.2)
;; WHEN: Sun Feb 03 13:54:58 STD 2019
;; MSG SIZE  rcvd: 107

dschaper@Mariner:/c/Users/DanSchaper$ dig pi-hole.net

; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> pi-hole.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21280
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pi-hole.net.                   IN      A

;; ANSWER SECTION:
pi-hole.net.            300     IN      A       206.189.252.21

;; Query time: 439 msec
;; SERVER: 192.168.100.2#53(192.168.100.2)
;; WHEN: Sun Feb 03 13:55:02 STD 2019
;; MSG SIZE  rcvd: 56

#8

I interpreted that wrong and both are working like scapels.


#9

I switched to “nodata”, because the Safari browser on my ipad often stuck in reloading pages (i have to close the current browser session or switch the tab). Nodata looks better to me. And the Safari is faster at all.
The current problem with 4.2: The GUI won’t longer log blocked sites correctly…


#10

This is known and will be fixed by FTL v4.2.1 which is about to be released


#11

Updated to 4.2.1 today, without obvious problems so far. Thanks for the new version :+1:

Short side note: the following reported behavior is unchanged. As soon as the “Use DNSSEC” option is enabled the cache doesn’t work anymore.