From ae563efc9e719189bb03f67292d54fd7c623f856 Mon Sep 17 00:00:00 2001 From: majorlinux Date: Wed, 22 Apr 2026 18:12:08 -0400 Subject: [PATCH] docs: add Pi-hole AI blocklist / claude.ai ERR_CONNECTION_REFUSED article - New: 05-troubleshooting/networking/pihole-blocks-claude-desktop.md Covers diagnosis via FTL SQLite query log, gravity DB adlist lookup, fix via type-0 domainlist whitelist entry + pihole reloaddns, and why NULL blocking mode produces TCP refused instead of NXDOMAIN. - Updated SUMMARY.md and 05-troubleshooting/index.md with new entry --- 05-troubleshooting/index.md | 6 +- .../pihole-blocks-claude-desktop.md | 136 ++++++++++++++++++ SUMMARY.md | 3 +- 3 files changed, 140 insertions(+), 5 deletions(-) create mode 100644 05-troubleshooting/networking/pihole-blocks-claude-desktop.md diff --git a/05-troubleshooting/index.md b/05-troubleshooting/index.md index bc67333..d16d37e 100644 --- a/05-troubleshooting/index.md +++ b/05-troubleshooting/index.md @@ -1,6 +1,6 @@ --- created: 2026-03-15T06:37 -updated: 2026-04-19T04:57 +updated: 2026-04-22T18:11 --- # 🔧 General Troubleshooting @@ -15,6 +15,7 @@ Practical fixes for common Linux, networking, and application problems. - [firewalld: Mail Ports Wiped After Reload](networking/firewalld-mail-ports-reset.md) - [Tailscale SSH: Unexpected Re-Authentication Prompt](networking/tailscale-ssh-reauth-prompt.md) - [Windows OpenSSH: WSL Default Shell Breaks Remote Commands](networking/windows-openssh-wsl-default-shell-breaks-remote-commands.md) +- [Pi-hole AI Blocklist Blocks Claude Desktop (ERR_CONNECTION_REFUSED)](networking/pihole-blocks-claude-desktop.md) - [ISP SNI Filtering & Caddy](isp-sni-filtering-caddy.md) - [yt-dlp YouTube JS Challenge Fix](yt-dlp-fedora-js-challenge.md) - [wget/curl: URLs with Special Characters Fail in Bash](wget-url-special-characters.md) 
@@ -23,9 +24,6 @@ Practical fixes for common Linux, networking, and application problems. - [SSH Timeout During dnf upgrade on Fedora Hosts](ansible-ssh-timeout-dnf-upgrade.md) - [Vault Password File Missing](ansible-vault-password-file-missing.md) - [ansible.cfg Ignored on WSL2 Windows Mounts](ansible-wsl2-world-writable-mount-ignores-cfg.md) -- [Ansible Check Mode False Positives in Verify/Assert Tasks](ansible-check-mode-false-positives.md) -- [Ansible Fails with Permission Denied While `ssh ` Works (Host Alias Bypass)](ansible-ssh-host-alias-bypass.md) -- [Fedora usrmerge: ebtables Symlink Blocks Directory Consolidation](fedora-usrmerge-ebtables-blocker.md) ## 📦 Docker & Systems - [Docker & Caddy Recovery After Reboot (Fedora + SELinux)](docker-caddy-selinux-post-reboot-recovery.md) diff --git a/05-troubleshooting/networking/pihole-blocks-claude-desktop.md b/05-troubleshooting/networking/pihole-blocks-claude-desktop.md new file mode 100644 index 0000000..4dd7809 --- /dev/null +++ b/05-troubleshooting/networking/pihole-blocks-claude-desktop.md 
@@ -0,0 +1,136 @@ +--- +title: "Pi-hole AI Blocklist Blocks Claude Desktop (ERR_CONNECTION_REFUSED)" +domain: troubleshooting +category: networking +tags: [pihole, dns, claude, adlist, blocklist, ai-blocklist] +status: published +created: 2026-04-22 +updated: 2026-04-22 +--- +# Pi-hole AI Blocklist Blocks Claude Desktop (ERR_CONNECTION_REFUSED) + +## 🛑 Problem + +Claude Desktop throws a `[remoteMarketplaceClient] transport error: net::ERR_CONNECTION_REFUSED` error when attempting to install or load a plugin. The app itself loads fine and API calls work, but the marketplace client silently fails. + +--- + +## 🔍 Diagnosis + +### Step 1 — Check the Pi-hole query log for claude.ai + +```bash +sudo pihole-FTL sqlite3 /etc/pihole/pihole-FTL.db \ + "SELECT datetime(timestamp, 'unixepoch', 'localtime') as time, domain, status \ + FROM queries \ + WHERE domain LIKE '%anthropic%' OR domain LIKE '%claude%' \ + ORDER BY timestamp DESC LIMIT 50;" +``` + +Look for `claude.ai` entries with **status `1`** (gravity/adlist block). Status `2` or `3` means it's resolving fine. + +**FTL status codes relevant here:** + +| Status | Meaning | +|--------|---------| +| 1 | Blocked — gravity (adlist) | +| 2 | Forwarded (allowed) | +| 3 | Cached (allowed) | +| 4 | Blocked — regex domainlist | +| 5 | Blocked — exact domainlist | + +### Step 2 — Identify which adlist is blocking it + +```bash +sudo pihole-FTL sqlite3 /etc/pihole/gravity.db \ + "SELECT a.address, a.comment \ + FROM gravity g \ + JOIN adlist a ON g.adlist_id = a.id \ + WHERE g.domain = 'claude.ai';" +``` + +**Root cause:** `claude.ai` appears in AI-focused blocklists because they target AI scraper and training crawlers by domain. Claude Desktop's marketplace client makes outbound requests to `claude.ai`, which Pi-hole resolves to `0.0.0.0` in NULL blocking mode — resulting in `ERR_CONNECTION_REFUSED` at the TCP layer. 
+ +Known adlists that include `claude.ai`: +- **uBlockOrigin HUGE AI Blocklist** (`laylavish/uBlockOrigin-HUGE-AI-Blocklist`) +- **Super SEO Spam Suppressor** (`NotaInutilis/Super-SEO-Spam-Suppressor`) + +--- + +## ✅ Fix + +Add `claude.ai` as an exact whitelist entry (type 0) in Pi-hole's domainlist. This overrides any gravity block. + +```bash +sudo pihole-FTL sqlite3 /etc/pihole/gravity.db \ + "INSERT OR IGNORE INTO domainlist (type, domain, enabled, comment) \ + VALUES (0, 'claude.ai', 1, 'Whitelisted — blocked by AI/SEO adlists, needed for Claude Desktop marketplace client');" +``` + +Then reload DNS to apply: + +```bash +sudo pihole reloaddns +``` + +### Verify the whitelist entry is active + +```bash +sudo pihole-FTL sqlite3 /etc/pihole/gravity.db \ + "SELECT domain, type, enabled, comment FROM domainlist WHERE domain = 'claude.ai';" +``` + +Expected output: +``` +claude.ai|0|1|Whitelisted — blocked by AI/SEO adlists, needed for Claude Desktop marketplace client +``` + +--- + +## 🔁 Why This Happens + +Pi-hole in NULL blocking mode resolves blocked domains to `0.0.0.0`. When Claude Desktop's marketplace client tries to connect to `claude.ai`, the TCP handshake to `0.0.0.0` is immediately refused by the OS — producing `ERR_CONNECTION_REFUSED` rather than a timeout or DNS error. This makes it look like a network or server issue rather than a DNS block. + +AI-focused blocklists cast a wide net and include domains like `claude.ai` alongside actual AI scraper hostnames. The fix is a precision whitelist entry rather than removing the adlist. + +--- + +## ⚠️ Note on the Custom Domainlist + +`claude.ai` may also appear as an accidental **exact deny** entry in the Pi-hole custom domainlist if it was added via "Block" in the Pi-hole query log UI. This compounds the adlist block. 
Clean the domainlist if needed: + +```bash +# Check for exact deny entries +sudo pihole-FTL sqlite3 /etc/pihole/gravity.db \ + "SELECT id, domain, type, enabled FROM domainlist WHERE domain = 'claude.ai';" + +# Remove an unwanted deny entry (type 1 = exact deny) +sudo pihole-FTL sqlite3 /etc/pihole/gravity.db \ + "DELETE FROM domainlist WHERE domain = 'claude.ai' AND type = 1;" + +sudo pihole reloaddns +``` + +--- + +## 🔎 Quick Reference + +```bash +# Check if claude.ai is blocked +sudo pihole-FTL sqlite3 /etc/pihole/pihole-FTL.db \ + "SELECT datetime(timestamp, 'unixepoch', 'localtime'), domain, status \ + FROM queries WHERE domain = 'claude.ai' ORDER BY timestamp DESC LIMIT 10;" + +# Find which adlist is blocking it +sudo pihole-FTL sqlite3 /etc/pihole/gravity.db \ + "SELECT a.address FROM gravity g JOIN adlist a ON g.adlist_id = a.id \ + WHERE g.domain = 'claude.ai';" + +# Whitelist it +sudo pihole-FTL sqlite3 /etc/pihole/gravity.db \ + "INSERT OR IGNORE INTO domainlist (type, domain, enabled, comment) \ + VALUES (0, 'claude.ai', 1, 'Claude Desktop marketplace client');" + +# Reload +sudo pihole reloaddns +``` diff --git a/SUMMARY.md b/SUMMARY.md index f55df4c..75f2fb9 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -1,6 +1,6 @@ --- created: 2026-04-02T16:03 -updated: 2026-04-21T09:17 +updated: 2026-04-22T18:11 --- * [Home](index.md) * [Linux & Sysadmin](01-linux/index.md) 
@@ -85,6 +85,7 @@ updated: 2026-04-21T09:17 * [mdadm RAID Recovery After USB Hub Disconnect](05-troubleshooting/storage/mdadm-usb-hub-disconnect-recovery.md) * [Windows OpenSSH Server (sshd) Stops After Reboot](05-troubleshooting/networking/windows-sshd-stops-after-reboot.md) * [Windows OpenSSH: WSL Default Shell Breaks Remote Commands](05-troubleshooting/networking/windows-openssh-wsl-default-shell-breaks-remote-commands.md) + * [Pi-hole AI Blocklist Blocks Claude Desktop (ERR_CONNECTION_REFUSED)](05-troubleshooting/networking/pihole-blocks-claude-desktop.md) * [Ollama Drops Off Tailscale When Mac Sleeps](05-troubleshooting/ollama-macos-sleep-tailscale-disconnect.md) * [macOS: Repeating Alert Tone from Mirrored iPhone Notification](05-troubleshooting/macos-mirrored-notification-alert-loop.md) * [ClamAV CPU Spike: Safe Scheduling with nice/ionice](05-troubleshooting/security/clamscan-cpu-spike-nice-ionice.md)
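Review bot: the second hunk of `05-troubleshooting/index.md` (`@@ -23,9 +24,6 @@`) deletes three existing index links (`ansible-check-mode-false-positives.md`, `ansible-ssh-host-alias-bypass.md`, `fedora-usrmerge-ebtables-blocker.md`) that the commit message never mentions; it only describes adding the Pi-hole entry. The patch does not remove those articles themselves, so if they exist they silently drop out of the troubleshooting index. If the removal comes from a stale branch or a bad merge, drop this hunk; if it is intentional, move it to its own commit with a stated reason.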
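Review bot: in the new `pihole-blocks-claude-desktop.md`, Step 1 tells the reader to look only for status `1`, yet the "Note on the Custom Domainlist" section near the end describes an exact deny entry, which by the article's own table is logged as status `5`. In that case the Step 2 gravity query returns no rows and nothing points the reader to the deny-entry cleanup, so Step 1 should mention status `5` and link to that section. In the Fix section, `INSERT OR IGNORE` does nothing when a type-0 row for `claude.ai` already exists, including one with `enabled` set to 0, so the fix can silently have no effect; either tell the reader to check the `enabled` column in the verify step or follow the insert with an update that sets `enabled = 1`. The Quick Reference insert also uses a different comment string than the Fix section, so the "Expected output" line will not match for readers who started from the quick reference.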