Netflix Brought Down My Home Network

(Maybe it has a timeout, maybe it sends keepalives at some point, I never actually investigated.)

If the Pi-Hole DNS server can only handle one request at a time, then as this TCP connection has been held open, maybe it just sits waiting to serve this request and can’t service the rest.

To check if this was what was happening, I attached strace to the pihole-FTL process that does the actual DNS resolution on the Pi-Hole and looked at what was happening.

When everything is working it’s a steady stream of reading in data from the socket, resolving the name and writing it back out to the socket.

And when DNS resolution stops working… we hang on a read syscall on file descriptor 15, which is indeed a socket:

    root@61b30b99d173:/# ls -lah /proc/509/fd/15
    lrwx------ 1 root root 64 Dec 30 00:02 /proc/509/fd/15 -> 'socket:[1131721]'

(As an aside, I tried various methods to map that socket back to information about the connection but none seemed to work, but we know from the packet capture what it is anyway.)

So it does appear that the Pi-Hole gets stuck waiting for the open TCP connection to send it more data and is not servicing any other requests.

With some new words to Google I was finally able to track down other people with this issue and confirm my theory: https://discourse.pi-hole.net/t/cloudflare-doh-netflix-problems-on-smarttv/8677/21

Apparently this happens on smart TVs and Xboxes also!

Interestingly, the thread claims the issue is fixed in what looks like a dev commit, but I’m running the latest version of Pi-Hole and still see the issue. GitHub suggests the commit referenced just updates docs: https://github.com/pi-hole/FTL/commit/3656ba229de502e50dcbd51143329f4652b8d532

I needed a fix to get my network back online, so I removed the mapping of port 53 for TCP connections from the container to the host, and now Netflix works fine on the PS4 without taking down DNS resolution for the entire network!

I haven’t noticed any weird issues from not being able to resolve DNS queries over TCP, which is nice.

If I do start having issues because of this, I’ll probably put Nginx with a bunch of workers in front of the Pi-Hole that can handle the persistent TCP connections and only pass work off to the Pi-Hole when necessary.

Follow me on Twitter @AaronKalair.
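One way to map a socket inode such as the 'socket:[1131721]' above back to its TCP connection is to look it up in the /proc/<pid>/net/tcp table of the process that owns it. This is an added example, not code from the original post; the function names and the sample table (addresses, ports, the second inode) are constructed, and a little-endian host is assumed.

```python
import os
import socket
import struct

STATES = {"01": "ESTABLISHED", "08": "CLOSE_WAIT", "0A": "LISTEN"}

# Constructed sample in /proc/net/tcp layout; only the inode 1131721 is from the post.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1130990 1
   1: 020011AC:0035 3201A8C0:C822 01 00000000:00000000 00:00000000 00000000     0        0 1131721 1
"""

def decode_addr(field):
    """'0100007F:0035' -> ('127.0.0.1', 53); also handles the 32-digit tcp6 form."""
    hex_ip, hex_port = field.split(":")
    # Each 32-bit word is printed in host byte order; little-endian is assumed.
    raw = b"".join(struct.pack("<I", int(hex_ip[i:i + 8], 16))
                   for i in range(0, len(hex_ip), 8))
    family = socket.AF_INET if len(raw) == 4 else socket.AF_INET6
    return socket.inet_ntop(family, raw), int(hex_port, 16)

def find_socket(inode, table_text):
    """Return the TCP entry that owns `inode`, or None if this table lacks it."""
    for line in table_text.splitlines()[1:]:  # first line is the header
        cols = line.split()
        if len(cols) > 9 and cols[9] == str(inode):
            return {"local": decode_addr(cols[1]),
                    "remote": decode_addr(cols[2]),
                    "state": STATES.get(cols[3], cols[3]),
                    "rx_queue": int(cols[4].split(":")[1], 16)}
    return None

def socket_for_fd(pid, fd):
    """Resolve /proc/<pid>/fd/<fd> and search that process's own netns tables."""
    target = os.readlink(f"/proc/{pid}/fd/{fd}")  # e.g. 'socket:[1131721]'
    if not target.startswith("socket:["):
        return None
    inode = int(target[len("socket:["):-1])
    for table in ("tcp", "tcp6"):
        try:
            with open(f"/proc/{pid}/net/{table}") as fh:
                hit = find_socket(inode, fh.read())
        except FileNotFoundError:  # e.g. IPv6 disabled
            continue
        if hit:
            return hit
    return None  # not a TCP socket: could be UDP or a unix socket
```

Run as root where the process is visible, `socket_for_fd(509, 15)` would report the peer holding the connection open; reading /proc/<pid>/net/ rather than /proc/net/ keeps the lookup in that process's network namespace.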
