docs: add Pi-hole AI blocklist / claude.ai ERR_CONNECTION_REFUSED article

- New: 05-troubleshooting/networking/pihole-blocks-claude-desktop.md
  Covers diagnosis via FTL SQLite query log, gravity DB adlist lookup,
  fix via type-0 domainlist whitelist entry + pihole reloaddns, and
  why NULL blocking mode produces TCP refused instead of NXDOMAIN.
- Updated SUMMARY.md and 05-troubleshooting/index.md with new entry

05-troubleshooting/index.md

@@ -1,6 +1,6 @@
 ---
 created: 2026-03-15T06:37
-updated: 2026-04-19T04:57
+updated: 2026-04-22T18:11
 ---
 # 🔧 General Troubleshooting
 
@@ -15,6 +15,7 @@ Practical fixes for common Linux, networking, and application problems.
 - [firewalld: Mail Ports Wiped After Reload](networking/firewalld-mail-ports-reset.md)
 - [Tailscale SSH: Unexpected Re-Authentication Prompt](networking/tailscale-ssh-reauth-prompt.md)
 - [Windows OpenSSH: WSL Default Shell Breaks Remote Commands](networking/windows-openssh-wsl-default-shell-breaks-remote-commands.md)
+- [Pi-hole AI Blocklist Blocks Claude Desktop (ERR_CONNECTION_REFUSED)](networking/pihole-blocks-claude-desktop.md)
 - [ISP SNI Filtering & Caddy](isp-sni-filtering-caddy.md)
 - [yt-dlp YouTube JS Challenge Fix](yt-dlp-fedora-js-challenge.md)
 - [wget/curl: URLs with Special Characters Fail in Bash](wget-url-special-characters.md)
@@ -23,9 +24,6 @@ Practical fixes for common Linux, networking, and application problems.
 - [SSH Timeout During dnf upgrade on Fedora Hosts](ansible-ssh-timeout-dnf-upgrade.md)
 - [Vault Password File Missing](ansible-vault-password-file-missing.md)
 - [ansible.cfg Ignored on WSL2 Windows Mounts](ansible-wsl2-world-writable-mount-ignores-cfg.md)
-- [Ansible Check Mode False Positives in Verify/Assert Tasks](ansible-check-mode-false-positives.md)
-- [Ansible Fails with Permission Denied While `ssh <alias>` Works (Host Alias Bypass)](ansible-ssh-host-alias-bypass.md)
-- [Fedora usrmerge: ebtables Symlink Blocks Directory Consolidation](fedora-usrmerge-ebtables-blocker.md)
 
 ## 📦 Docker & Systems
 - [Docker & Caddy Recovery After Reboot (Fedora + SELinux)](docker-caddy-selinux-post-reboot-recovery.md)

05-troubleshooting/networking/pihole-blocks-claude-desktop.md

@@ -0,0 +1,136 @@
+---
+title: "Pi-hole AI Blocklist Blocks Claude Desktop (ERR_CONNECTION_REFUSED)"
+domain: troubleshooting
+category: networking
+tags: [pihole, dns, claude, adlist, blocklist, ai-blocklist]
+status: published
+created: 2026-04-22
+updated: 2026-04-22
+---
+# Pi-hole AI Blocklist Blocks Claude Desktop (ERR_CONNECTION_REFUSED)
+
+## 🛑 Problem
+
+Claude Desktop throws a `[remoteMarketplaceClient] transport error: net::ERR_CONNECTION_REFUSED` error when attempting to install or load a plugin. The app itself loads fine and API calls work, but the marketplace client silently fails.
+
+---
+
+## 🔍 Diagnosis
+
+### Step 1 — Check the Pi-hole query log for claude.ai
+
+```bash
+sudo pihole-FTL sqlite3 /etc/pihole/pihole-FTL.db \
+  "SELECT datetime(timestamp, 'unixepoch', 'localtime') as time, domain, status \
+   FROM queries \
+   WHERE domain LIKE '%anthropic%' OR domain LIKE '%claude%' \
+   ORDER BY timestamp DESC LIMIT 50;"
+```
+
+Look for `claude.ai` entries with **status `1`** (gravity/adlist block). Status `2` or `3` means it's resolving fine.
+
+**FTL status codes relevant here:**
+
+| Status | Meaning |
+|--------|---------|
+| 1 | Blocked — gravity (adlist) |
+| 2 | Forwarded (allowed) |
+| 3 | Cached (allowed) |
+| 4 | Blocked — regex domainlist |
+| 5 | Blocked — exact domainlist |
+
+### Step 2 — Identify which adlist is blocking it
+
+```bash
+sudo pihole-FTL sqlite3 /etc/pihole/gravity.db \
+  "SELECT a.address, a.comment \
+   FROM gravity g \
+   JOIN adlist a ON g.adlist_id = a.id \
+   WHERE g.domain = 'claude.ai';"
+```
+
+**Root cause:** `claude.ai` appears in AI-focused blocklists because they target AI scraper and training crawlers by domain. Claude Desktop's marketplace client makes outbound requests to `claude.ai`, which Pi-hole resolves to `0.0.0.0` in NULL blocking mode — resulting in `ERR_CONNECTION_REFUSED` at the TCP layer.
+
+Known adlists that include `claude.ai`:
+- **uBlockOrigin HUGE AI Blocklist** (`laylavish/uBlockOrigin-HUGE-AI-Blocklist`)
+- **Super SEO Spam Suppressor** (`NotaInutilis/Super-SEO-Spam-Suppressor`)
+
+---
+
+## ✅ Fix
+
+Add `claude.ai` as an exact whitelist entry (type 0) in Pi-hole's domainlist. This overrides any gravity block.
+
+```bash
+sudo pihole-FTL sqlite3 /etc/pihole/gravity.db \
+  "INSERT OR IGNORE INTO domainlist (type, domain, enabled, comment) \
+   VALUES (0, 'claude.ai', 1, 'Whitelisted — blocked by AI/SEO adlists, needed for Claude Desktop marketplace client');"
+```
+
+Then reload DNS to apply:
+
+```bash
+sudo pihole reloaddns
+```
+
+### Verify the whitelist entry is active
+
+```bash
+sudo pihole-FTL sqlite3 /etc/pihole/gravity.db \
+  "SELECT domain, type, enabled, comment FROM domainlist WHERE domain = 'claude.ai';"
+```
+
+Expected output:
+```
+claude.ai|0|1|Whitelisted — blocked by AI/SEO adlists, needed for Claude Desktop marketplace client
+```
+
+---
+
+## 🔁 Why This Happens
+
+Pi-hole in NULL blocking mode resolves blocked domains to `0.0.0.0`. When Claude Desktop's marketplace client tries to connect to `claude.ai`, the TCP handshake to `0.0.0.0` is immediately refused by the OS — producing `ERR_CONNECTION_REFUSED` rather than a timeout or DNS error. This makes it look like a network or server issue rather than a DNS block.
+
+AI-focused blocklists cast a wide net and include domains like `claude.ai` alongside actual AI scraper hostnames. The fix is a precision whitelist entry rather than removing the adlist.
+
+---
+
+## ⚠️ Note on the Custom Domainlist
+
+`claude.ai` may also appear as an accidental **exact deny** entry in the Pi-hole custom domainlist if it was added via "Block" in the Pi-hole query log UI. This compounds the adlist block. Clean the domainlist if needed:
+
+```bash
+# Check for exact deny entries
+sudo pihole-FTL sqlite3 /etc/pihole/gravity.db \
+  "SELECT id, domain, type, enabled FROM domainlist WHERE domain = 'claude.ai';"
+
+# Remove an unwanted deny entry (type 1 = exact deny)
+sudo pihole-FTL sqlite3 /etc/pihole/gravity.db \
+  "DELETE FROM domainlist WHERE domain = 'claude.ai' AND type = 1;"
+
+sudo pihole reloaddns
+```
+
+---
+
+## 🔎 Quick Reference
+
+```bash
+# Check if claude.ai is blocked
+sudo pihole-FTL sqlite3 /etc/pihole/pihole-FTL.db \
+  "SELECT datetime(timestamp, 'unixepoch', 'localtime'), domain, status \
+   FROM queries WHERE domain = 'claude.ai' ORDER BY timestamp DESC LIMIT 10;"
+
+# Find which adlist is blocking it
+sudo pihole-FTL sqlite3 /etc/pihole/gravity.db \
+  "SELECT a.address FROM gravity g JOIN adlist a ON g.adlist_id = a.id \
+   WHERE g.domain = 'claude.ai';"
+
+# Whitelist it
+sudo pihole-FTL sqlite3 /etc/pihole/gravity.db \
+  "INSERT OR IGNORE INTO domainlist (type, domain, enabled, comment) \
+   VALUES (0, 'claude.ai', 1, 'Claude Desktop marketplace client');"
+
+# Reload
+sudo pihole reloaddns
+```

SUMMARY.md

@@ -1,6 +1,6 @@
 ---
 created: 2026-04-02T16:03
-updated: 2026-04-21T09:17
+updated: 2026-04-22T18:11
 ---
 * [Home](index.md)
 * [Linux & Sysadmin](01-linux/index.md)
@@ -85,6 +85,7 @@ updated: 2026-04-21T09:17
     * [mdadm RAID Recovery After USB Hub Disconnect](05-troubleshooting/storage/mdadm-usb-hub-disconnect-recovery.md)
     * [Windows OpenSSH Server (sshd) Stops After Reboot](05-troubleshooting/networking/windows-sshd-stops-after-reboot.md)
     * [Windows OpenSSH: WSL Default Shell Breaks Remote Commands](05-troubleshooting/networking/windows-openssh-wsl-default-shell-breaks-remote-commands.md)
+    * [Pi-hole AI Blocklist Blocks Claude Desktop (ERR_CONNECTION_REFUSED)](05-troubleshooting/networking/pihole-blocks-claude-desktop.md)
     * [Ollama Drops Off Tailscale When Mac Sleeps](05-troubleshooting/ollama-macos-sleep-tailscale-disconnect.md)
     * [macOS: Repeating Alert Tone from Mirrored iPhone Notification](05-troubleshooting/macos-mirrored-notification-alert-loop.md)
     * [ClamAV CPU Spike: Safe Scheduling with nice/ionice](05-troubleshooting/security/clamscan-cpu-spike-nice-ionice.md)