In-depth manual
Available interfaces¶
Pi-hole stats can be accessed via a standard Unix socket (var/run/pihole/FTL.sock
), a telnet-like connection (TCP socket on port 4711
) as well as indirectly via the Web API (admin/api.php
), and the command line (pihole -c -j
). You can out find more details below.
Command-line arguments¶
debug
- Don't go into daemon mode (stay in foreground) + more verbose loggingtest
- StartFTL
and process everything, but shut down immediately afterwardversion
- Don't startFTL
, only show the versiontag
- Don't startFTL
, show only git tagbranch
- Don't startFTL
, show only git branchFTL
was compiled fromno-daemon
or-f
- Don't go into background (daemon mode)help
or-h
- Don't startFTL
, show helpdnsmasq-test
- Test resolver config file syntax--
everything behind--
will be passed as options to the internal resolver
Command-line arguments can be arbitrarily combined, e.g. pihole-FTL debug test
File locations¶
/var/log/pihole-FTL.log
log file/var/run/pihole-FTL.pid
PID file/var/run/pihole-FTL.port
file containing port on whichFTL
is listening/var/run/pihole/FTL.sock
Unix socket
Domain lists format¶
Since Pi-hole v4.0, we use a simpler domain list format for the two important blocklist files gravity.list
and black.list
. In contrast to the traditional HOSTS format (which caused a lot of overhead), the domain list format is the minimal possible solution for saving memory while still using plain text lists for your convenience. When FTLDNS imports these two files, they are walked by our improved list parser speeding up the loading of blocklists significantly. Regardless of which blocking mode (IP
or NXDOMAIN
) is selected, FTLDNS will always load the lists into its internal hashed cache to be able to determine the blocking status within a few milliseconds, even when you're using huge blocking lists on low-end devices. With everything we do, we design FTLDNS for maximum efficiency also on low-performance devices.
Linux capabilities¶
Capabilities (POSIX 1003.1e, capabilities(7)) provide fine-grained control over superuser permissions, allowing the use of the root
user to be avoided.
To perform permission checks, traditional UNIX implementations distinguish two categories of processes: privileged processes (superuser or root
), and unprivileged processes. Privileged processes bypass all kernel permission checks, while unprivileged processes are subject to full permission checking based on the process's credentials (user and group permissions and supplementary process capabilities). Capabilities are implemented on Linux using extended attributes (xattr(7)) in the security
namespace. Extended attributes are supported by all major Linux file systems, including Ext2, Ext3, Ext4, Btrfs, JFS, XFS, and ReiserFS.
For your safety and comfort, pihole-FTL
is run by the entirely unprivileged user pihole
.
Whereas dnsmasq
is running as root
process, we designed pihole-FTL
to be run by the entirely unprivileged user pihole
. As a consequence, pihole-FTL
will not be able to access the files of any other user on this system or mess around with your system's configuration.
However, this also implies that FTLDNS cannot bind to ports 53 (DNS) among some other necessary capabilities related to DHCP services. To establish a strong security model, we explicitly grant the pihole-FTL
process additional capabilities so that pihole-FTL
(but no other processes which may be started by pihole
) can bind to port 53, etc., without giving any additional permissions to the pihole
user.
We specifically add the following capabilities to pihole-FTL
:
CAP_NET_BIND_SERVICE
: Allows FTLDNS binding to TCP/UDP sockets below 1024 (specifically DNS service on port 53)CAP_NET_RAW
: use raw and packet sockets (we need a RAW socket for handling DHCPv6 requests)CAP_NET_ADMIN
: modify routing tables and other network-related operations (to allow for handling DHCP requests)
Users that cannot use Linux capabilities for various reasons (lacking kernel or file system support) can modify the startup scripts of pihole-FTL
to ensure the daemon is started as root
. However, be aware that you do so on your own risk (although we don't expect problems to arise).