Merge branch 'master' into import_pihole_toml

Author: rdwebdesign

.devcontainer/devcontainer.json

@@ -20,7 +20,7 @@
     "GIT_EDITOR": "nano"
   },
   "mounts": [
-    "type=bind,source=/home/${localEnv:USER}/.ssh,target=/home/node/.ssh,readonly"
+    "type=bind,source=${localEnv:HOME}/.ssh,target=/home/node/.ssh,readonly"
   ],
   "forwardPorts": [8000]
 }

.github/CODEOWNERS

@@ -0,0 +1,5 @@
+# see https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners#codeowners-syntax
+
+# These owners will be the default owners for everything in
+# the repo. Unless a later match takes precedence,
+*       @pi-hole/docs-maintainers

.github/dependabot.yml

@@ -9,8 +9,6 @@ updates:
     target-branch: master
     open-pull-requests-limit: 10
     versioning-strategy: increase
-    reviewers:
-      - "pi-hole/docs-maintainers"
     groups:
       npm-dependencies:
         patterns:
@@ -26,8 +24,6 @@ updates:
     allow:
       - dependency-type: direct
       - dependency-type: indirect
-    reviewers:
-      - "pi-hole/docs-maintainers"
     groups:
       pip-dependencies:
         patterns:
@@ -38,57 +34,8 @@ updates:
       interval: weekly
       day: saturday
       time: "10:00"
-    reviewers:
-      - "pi-hole/docs-maintainers"
     groups:
       github_action-dependencies:
         patterns:
           - "*"
     target-branch: master
-
-# As above, but for development-v6
-  - package-ecosystem: npm
-    directory: "/"
-    schedule:
-      interval: weekly
-      day: saturday
-      time: "10:00"
-    target-branch: release/v6.0
-    open-pull-requests-limit: 10
-    versioning-strategy: increase
-    reviewers:
-      - "pi-hole/docs-maintainers"
-    groups:
-      npm-dependencies:
-        patterns:
-          - "*"
-  - package-ecosystem: pip
-    directory: "/"
-    schedule:
-      interval: weekly
-      day: saturday
-      time: "10:00"
-    target-branch: release/v6.0
-    open-pull-requests-limit: 10
-    allow:
-      - dependency-type: direct
-      - dependency-type: indirect
-    reviewers:
-      - "pi-hole/docs-maintainers"
-    groups:
-      pip-dependencies:
-        patterns:
-          - "*"
-  - package-ecosystem: "github-actions"
-    directory: "/"
-    schedule:
-      interval: weekly
-      day: saturday
-      time: "10:00"
-    reviewers:
-      - "pi-hole/docs-maintainers"
-    groups:
-      github_action-dependencies:
-        patterns:
-          - "*"
-    target-branch: release/v6.0

.github/workflows/calibreapp-image-actions.yml

@@ -3,10 +3,10 @@ name: Compress Images
 on:
   pull_request:
     paths:
-      - '**.jpg'
-      - '**.jpeg'
-      - '**.png'
-      - '**.webp'
+      - "**.jpg"
+      - "**.jpeg"
+      - "**.png"
+      - "**.webp"
 
 jobs:
   build:
@@ -15,8 +15,10 @@ jobs:
     name: calibreapp/image-actions
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout Repo
+      - name: Clone repository
         uses: actions/checkout@v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Compress Images
         uses: calibreapp/image-actions@1.1.0 # TODO: if they start using a tag like v1, switch to that

.github/workflows/ci.yml

@@ -17,19 +17,21 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4.2.2
+      - name: Clone repository
+        uses: actions/checkout@v4.2.2
         with:
+          persist-credentials: false
           fetch-depth: 0
 
       - name: Set up Python
-        uses: actions/setup-python@v5.4.0
+        uses: actions/setup-python@v5.6.0
         with:
           python-version: "${{ env.PYTHON_VERSION }}"
           architecture: "x64"
           cache: pip
 
       - name: Set up Node.js
-        uses: actions/setup-node@v4.2.0
+        uses: actions/setup-node@v4.4.0
         with:
           node-version: "${{ env.NODE }}"
           cache: npm
@@ -40,8 +42,5 @@ jobs:
       - name: Install npm dependencies
         run: npm ci
 
-      - name: Build docs
-        run: mkdocs build --strict
-
-      - name: Test
+      - name: Build and test
         run: npm test

.github/workflows/codespell.yml

@@ -8,12 +8,13 @@ jobs:
     if: github.event.pull_request.draft == false
     runs-on: ubuntu-latest
     steps:
-    -
-      name: Checkout repository
-      uses: actions/checkout@v4.2.2
-    -
-      name: Spell-Checking
-      uses: codespell-project/actions-codespell@master
-      with:
-        ignore_words_file: .codespellignore
-        skip: ./docs/routers/fritzbox-de.md,./mkdocs.yml,./package.json,./package-lock.json,./.markdownlint.json,./requirements.txt, ./MathJax-es5/*
+      - name: Clone repository
+        uses: actions/checkout@v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Spell-Checking
+        uses: codespell-project/actions-codespell@master
+        with:
+          ignore_words_file: .codespellignore
+          skip: ./docs/routers/fritzbox-de.md,./mkdocs.yml,./package.json,./package-lock.json,./.markdownlint.json,./requirements.txt, ./MathJax-es5/*

.github/workflows/editorconfig-checker.yml

@@ -9,6 +9,9 @@ jobs:
     name: editorconfig-checker
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4.2.2
+      - name: Clone repository
+        uses: actions/checkout@v4.2.2
+        with:
+          persist-credentials: false
       - uses: editorconfig-checker/action-editorconfig-checker@main
       - run: editorconfig-checker

.github/workflows/stale_pr.yml

@@ -5,12 +5,11 @@ name: Close stale PR
 
 on:
   schedule:
-    - cron: '0 10 * * *'
+    - cron: "0 10 * * *"
   workflow_dispatch:
 
 jobs:
   stale:
-
     runs-on: ubuntu-latest
     permissions:
       issues: write
@@ -27,9 +26,9 @@ jobs:
           # Close PRs immediately, after marking them 'stale'
           days-before-pr-close: 0
           # only run the action on merge conflict PR
-          any-of-labels: 'Merge Conflict'
-          exempt-pr-labels: 'Internal, Never Stale, On Hold, WIP'
+          any-of-labels: "Merge Conflict"
+          exempt-pr-labels: "Internal, Never Stale, On Hold, WIP"
           exempt-all-pr-assignees: true
           operations-per-run: 300
-          stale-pr-message: ''
-          close-pr-message: 'Existing merge conflicts have not been addressed. This PR is considered abandoned.'
+          stale-pr-message: ""
+          close-pr-message: "Existing merge conflicts have not been addressed. This PR is considered abandoned."

README.md

@@ -42,7 +42,7 @@ Please make sure you fork the repo and change the clone URL in the example below
     pip3 install -r requirements.txt
     ```
 
-    - Enter the virtual enviorment (if exited):
+    - Enter the virtual environment (if exited):
 
     ```bash
     source .venv/bin/activate

docs/abbreviations.md

@@ -3,7 +3,7 @@
 *[API]: Application Programming Interface (a set of subroutine definitions, protocols, and tools for building application software)
 *[CSRF]: Cross-site request forgery
 *[DNS]: Domain Name Service (decentralized naming system for computers, services, or other resources connected to the Internet)
-*[DnyDNS]: Dynamic DNS record pointing to a frequently changing IP address
+*[DynDNS]: Dynamic DNS record pointing to a frequently changing IP address
 *[DHCP]: Dynamic Host Configuration Protocol (network management protocol for configuring Internet Protocol version 4 (IPv4) hosts with IP addresses)
 *[DHCPv6]: Dynamic Host Configuration Protocol version 6 (a network protocol for configuring Internet Protocol version 6 (IPv6) hosts with IP addresses)
 *[FTL]: Pi-hole's Faster Than Light daemon

docs/docker/configuration.md

@@ -44,6 +44,10 @@ Set your [timezone](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
 
 To set a specific password for the web interface, use the environment variable `FTLCONF_webserver_api_password` (per the quick-start example). If this variable is not detected, and you have not already set one previously inside the container via `pihole setpassword` or `pihole-FTL --config webserver.api.password`, then a random password will be assigned on startup, and will be printed to the log. You can find this password with the command `docker logs pihole | grep random password` on your host to find this password. See [Notes On Web Interface Password](#notes-on-web-interface-password) below for usage examples.
 
+!!! note
+    To _explicitly_ set no password, set `FTLCONF_webserver_api_password: ''`<br/><br/>
+    Using `pihole setpassword` for the purpose of setting an empty password will not persist between container restarts
+
 #### `FTLCONF_dns_upstreams` (Default: `8.8.8.8;8.8.4.4`)
 
 - Upstream DNS server(s) for Pi-hole to forward queries to, separated by a semicolon

docs/docker/index.md

@@ -55,7 +55,7 @@ docker run --name pihole -p 53:53/tcp -p 53:53/udp -p 80:80/tcp -p 443:443/tcp -
 
 ## Note On Capabilities
 
-[FTLDNS](https://docs.pi-hole.net/ftldns/in-depth/#linux-capabilities) expects to have the following capabilities available:
+[FTLDNS](https://docs.pi-hole.net/ftldns/) expects to have the following capabilities available:
 
 - `CAP_NET_BIND_SERVICE`: Allows FTLDNS binding to TCP/UDP sockets below 1024 (specifically DNS service on port 53)
 - `CAP_NET_RAW`: use raw and packet sockets (needed for handling DHCPv6 requests, and verifying that an IP is not in use before leasing it)

docs/ftldns/dnsmasq_warn.md

@@ -179,7 +179,7 @@ Warnings commonly seen in `dnsmasq`'s log file (`/var/log/pihole/pihole.log`) an
 
 !!! warning "LOUD WARNING: listening on `ADDRESS` may accept requests via interfaces other than `IFNAME`"
 
-    When using `bind-interfaces`, the only access control is the addresses `dnsmasq` is listening on. There's nothing to avoid a query to the address of an internal interface arriving via an external interface where we don't want to accept queries, except that in the usual case the addresses of internal interfaces are RFC1918. When `bind-interfaces` in use, and we listen on an address that looks like it's probably globally routeable, this warning is printed.
+    When using `bind-interfaces`, the only access control is the addresses `dnsmasq` is listening on. There's nothing to avoid a query to the address of an internal interface arriving via an external interface where we don't want to accept queries, except that in the usual case the addresses of internal interfaces are RFC1918. When `bind-interfaces` in use, and we listen on an address that looks like it's probably globally routable, this warning is printed.
 
 !!! warning "LOUD WARNING: use --bind-dynamic rather than --bind-interfaces to avoid DNS amplification attacks via these interface(s)"
 

docs/ftldns/signals.md

@@ -33,15 +33,13 @@ When FTL receives a `SIGHUP`, it clears the entire DNS cache, and then
 
 While `SIGHUP` updates/flushes almost everything, such a massive operation is often not necessary. Hence, we added several small real-time signals available for fine-grained control of what FTL does. When you see `SIGHUP` as a "big gun", the real-time signals are rather the "scalpel" to serve rather specific needs.
 
-Real-time signals are not guaranteed to have the same number on all operating systems. FTL will adapt accordingly. For the signals described below, we will always specify them with the real-time signal ID and the *typical* signal number in parentheses.
-
-Real-time signal can always be executed relative to the first (= minimum) real-time signal just like (for real-time signal 0):
+Real-time signals are not guaranteed to have the same number on all operating systems as the value of the constant `SIGRTMIN` may vary. For the signals described below, we recommend using the exact signal number described in the parentheses, e.g., real-time signal 0 (35) can be sent like:
 
 ```bash
-sudo pkill -SIGRTMIN+0 pihole-FTL
+sudo pkill -SIG35 pihole-FTL
 ```
 
-## Real-time signal 0
+## Real-time signal 0 (35)
 
 This signal does:
 
@@ -55,30 +53,30 @@ The most important difference to `SIGHUP` is that the DNS cache itself is **not*
 
 This is the preferred signal to be used after manipulating the `gravity.db` database manually as it reloads only what is needed in this case.
 
-## Real-time signal 1
+## Real-time signal 1 (36)
 
 *Reserved* - Currently ignored
 
-## Real-time signal 2
+## Real-time signal 2 (37)
 
 *Reserved* - Used for internal signaling that a fork or thread crashed and needs to inform the main process to shut down, storing the last (valid) queries still into the long-term database.
 
-## Real-time signal 3
+## Real-time signal 3 (38)
 
 Reimport alias-clients from the database and recompute affected client statistics.
 
-## Real-time signal 4
+## Real-time signal 4 (39)
 
 Re-resolve all clients and forward destination hostnames. This forces refreshing hostnames as in that the usual "resolve only recently active clients" condition is ignored. The re-resolution adheres to the specified `REFRESH_HOSTNAMES` config option meaning that this option may not try to resolve all hostnames.
 
-## Real-time signal 5
+## Real-time signal 5 (40)
 
 Re-parse ARP/neighbour-cache now to update the Network table now
 
-## Real-time signal 6
+## Real-time signal 6 (41)
 
 *reserved* - Signal used internally to terminate the embedded `dnsmasq`. Please do not use this signal to prevent misbehaviour.
 
-## Real-time signal 7
+## Real-time signal 7 (42)
 
 Scan binary search lookup tables for hash collisions and report if any are found. This is a debugging signal and not meaningful production. Scanning the lookup tables is a time-consuming operation and may stall DNS resolution for a while on low-end devices.

docs/guides/dns/unbound.md

@@ -145,6 +145,13 @@ server:
     private-address: 10.0.0.0/8
     private-address: fd00::/8
     private-address: fe80::/10
+
+    # Ensure no reverse queries to non-public IP ranges (RFC6303 4.2)
+    private-address: 192.0.2.0/24
+    private-address: 198.51.100.0/24
+    private-address: 203.0.113.0/24
+    private-address: 255.255.255.255/32
+    private-address: 2001:db8::/32
 ```
 
 Start your local recursive server and test that it's operational:

docs/guides/dns/upstream-dns-providers.md

@@ -1,11 +1,10 @@
-The Pi-hole setup offers 10 options for an upstream DNS provider during the initial setup.
+The Pi-hole setup offers nine options for an upstream DNS provider during the initial setup.
 
 ```text
 Google
 OpenDNS
 Level3
 Comodo
-DNS.WATCH
 Quad9
 Quad9 (unfiltered)
 Quad9 (ECS)
@@ -64,17 +63,6 @@ SecureDNS references a real-time block list (RBL) of harmful websites (i.e. phis
 
 [More information on Comodo Secure DNS](https://www.comodo.com/secure-dns/)
 
-### DNS.WATCH
-
-DNS.WATCH offers Fast, free and uncensored DNS resolution.
-
-- 84.200.69.80
-- 84.200.70.40
-- 2001:1608:10:25::1c04:b12f (IPv6)
-- 2001:1608:10:25::9249:d69b (IPv6)
-
-[More information on DNS.WATCH](https://dns.watch/)
-
 ### Quad9
 
 Quad9 is a free, recursive, anycast DNS platform that provides end users robust security protections, high-performance, and privacy.