LuLu issue with Catalina, Browsers Firefox, Chrome and Pihole

[tonytruand92]

Hello,

I've just upgrade my macOS to Catalina. I uninstall LuLu 1.2.3 and install 2.0. First I was not able to access internet through firefox. Then it was possible after a reinstall of LuLu and a complete restart. But now internet browsing thhrough Firefox or Chrome is very very slow. It come to normal when a disable LuLu. It seems that this is not the case with Safari. I have a PiHole and when a change my DNS from pihole to my internet provider, no issue, even with LuLu. It is very strange, I can't understand where is the issue : Pihole ? LuLu ? Browsers ? Catalina ? a combination of these 4 items ?

[justauserid]

@objective-see ~~should Catalina users stay on https://github.com/objective-see/LuLu/releases/tag/v1.2.3? Because, lulu website clearly states upgrade to Big Sur before using Lulu. Is that before using "latest Lulu" or even older Lulu?~~

~~I do not see this mentioned anywhere. I had installed 2.1.0 and broke in every possible way, so had to uninstall. Can you please suggest here?~~

Found it and update it here https://github.com/objective-see/LuLu/issues/286#issuecomment-765830231

I am not sure whether it can be added on git repo readme as well.

[tobiasf88]

I have the same problem. Chrome and Firefox is sometimes extremely slow when I have pi-hole enabled. I then sometimes change the DNS to 1.1.1.1, then it gets better (but also not super fast). On the iPhone and on all other devices everything goes fast...all use the pi-hole for DNS resolution (have even switched to AdguardHome for testing --> same problem). I still thought it was always the DNS server. However, in the network analysis of the browser the DNS resolutions are made very quickly. Most of the time the browser spends waiting. Partly several seconds. Have now researched and came across Lulu, that the problem may be the firewall. LULU deactivated and everything in Chrome and Firfox loads extremely fast again.

Have the problem for months. Currently use BigSure 11.2 and LULU 2.1.0.

[didusee]

Same under 11.2.1 with LuLu 2.3. on a MBP 16" Lulu enabled: Websites do load extremly slow LuLu disabled: instantly loading, up and running

[objective-see]

Sorry about this issue ...looking into this!

Few questions that will help!

1. Does this impact Safari as well?
2. Are you using the block list option?
3. Can you run from the terminal: log stream --level debug --predicate="subsystem='com.objective-see.lulu'" ...and then try browse. Is there anything relevant in the log? Anything where LuLu is blocking (look for setting verdict to: BLOCK)
4. Are any core macOS/system processes blocked? (some are required / break all things if blocked).

[didusee]

Hi @objective-see, thanks for getting back! :)

To answer your questions:

• Yes. Safari, too but not exclusively. All Browsers are indeed affected by the described behaviour.
• No, I am not using any blocklist. ("Allow Apple Programs" is checked, "Allow Installed Programs" and "Blocklist" is unchecked, Under "Mode" tab, all of the three checkboxes are unchecked)
• there is nothing from the terminal output that seems to be blocked (verdict: BLOCK), except apps that should be, because of my rules.
• I attached an example where trying to reach the nike website, using Chrome without anything that I would remark "suspicious" in the logs, while their websites’ searchfield remains inactive or broken as long as I switch off LuLu (which, like usually, solves the problem in an instant)

021-02-15 16:10:22.594092+0100 0x5f9fd    Debug       0x0                  247    0    com.objective-see.lulu.extension: [com.objective-see.lulu:extension] method '-[FilterDataProvider handleNewFlow:]' invoked
2021-02-15 16:10:22.594445+0100 0x5f9fd    Debug       0x0                  247    0    com.objective-see.lulu.extension: [com.objective-see.lulu:extension] flow: 
        identifier = D89B5B5D-793C-4940-1C9F-91B7E13F0300
        sourceAppIdentifier = EQHXZ8M8AV.com.google.Chrome.helper
        sourceAppVersion = 88.0.4324.150
        sourceAppUniqueIdentifier = 20:{length = 20, bytes = 0x7a45ac2258c711adc5c028de0f354d45e0835281}
        procPID = 553
        eprocPID = 553
        direction = outbound
        inBytes = 0
        outBytes = 0
        signature = 32:{length = 32, bytes = 0xd098bda4 aaa82e1d 354ca855 44ecbfa1 ... 856a2191 89b02e67 }
        socketID = 33fe1b7919f1c
        localEndpoint = 0.0.0.0:0
        remoteEndpoint = 0.0.0.0:443
        protocol = 6
        family = 2
        type = 1
        procUUID = 6C4BAD99-482F-3133-9125-6F614636C936
        eprocUUID = 6C4BAD99-482F-3133-9125-6F614636C936
2021-02-15 16:10:22.594492+0100 0x5f9fd    Debug       0x0                  247    0    com.objective-see.lulu.extension: [com.objective-see.lulu:extension] remote endpoint: 0.0.0.0:443 / url: (null)
2021-02-15 16:10:22.594738+0100 0x5f9fd    Debug       0x0                  247    0    com.objective-see.lulu.extension: [com.objective-see.lulu:extension] found process object in cache: /Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/88.0.4324.150/Helpers/Google Chrome Helper.app (pid: 553)
2021-02-15 16:10:22.594958+0100 0x5f9fd    Debug       0x0                  247    0    com.objective-see.lulu.extension: [com.objective-see.lulu:extension] looking for rule for com.google.Chrome.helper:Developer ID Application: Google, Inc. (EQHXZ8M8AV) -> /Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/88.0.4324.150/Helpers/Google Chrome Helper.app
2021-02-15 16:10:22.595020+0100 0x5f9fd    Debug       0x0                  247    0    com.objective-see.lulu.extension: [com.objective-see.lulu:extension] rule match: 'any'
2021-02-15 16:10:22.595129+0100 0x5f9fd    Debug       0x0                  247    0    com.objective-see.lulu.extension: [com.objective-see.lulu:extension] found matching rule for 553/Chrome Helper: RULE: pid: all, path: /Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/88.0.4324.150/Helpers/Google Chrome Helper.app, name: Chrome Helper, code signing info: {
    signatureAuthorities =     (
        "Developer ID Application: Google, Inc. (EQHXZ8M8AV)",
        "Developer ID Certification Authority",
        "Apple Root CA"
    );
    signatureIdentifier = "com.google.Chrome.helper";
    signatureSigner = 3;
    signatureStatus = 0;
}, endpoint addr: *, endpoint port: *, action: 1, type: 3
2021-02-15 16:10:22.595163+0100 0x5f9fd    Debug       0x0                  247    0    com.objective-see.lulu.extension: [com.objective-see.lulu:extension] rule says: ALLOW
2021-02-15 16:10:22.595237+0100 0x5f9fd    Debug       0x0                  247    0    com.objective-see.lulu.extension: [com.objective-see.lulu:extension] verdict: 
    drop = NO
    remediate = NO
    needRules = NO
    shouldReport = NO
    pause = NO
    urlAppendString = NO
    filterInbound = NO
    peekInboundBytes = 0
    filterOutbound = NO
    peekOutboundBytes = 0
    statisticsReportFrequency = none
2021-02-15 16:10:23.595063+0100 0x5f9fd    Debug       0x0                  247    0    com.objective-see.lulu.extension: [com.objective-see.lulu:extension] method '-[FilterDataProvider handleNewFlow:]' invoked
2021-02-15 16:10:23.595321+0100 0x5f9fd    Debug       0x0                  247    0    com.objective-see.lulu.extension: [com.objective-see.lulu:extension] flow: 
        identifier = D89B5B5D-793C-4940-F9E5-8C7BE33F0300
        sourceAppIdentifier = EQHXZ8M8AV.com.google.Chrome.helper
        sourceAppVersion = 88.0.4324.150

• to my knowledge, there are no core or system processes blocked. If you have any further hints where to look at, please let me know. Happy to provide you with further information.

Best regards and thank you for your awesome work!

[noelg77]

Hi folks, I have the same issue with pihole and ad guard dns. It seems a bug in the network extension framework:

https://www.reddit.com/r/pihole/comments/kfsv0f/big_sur_slow_web_browsing_with_pihole/

Hope that help Best Regards

[M-D-M]

All, I am having the same problem -- there definitely seems to be a problem with running Lulu and Pihole at the same time. See the following testing:

Speed to load arstechnica.com, pihole on, lulu disabled: 4.4sec Speed to load asrtechnica.com, pihole on, lulu enabled: 44sec Speed to load arstechnica.com, pihole off, lulu enabled: 8sec

Like with the poster above, Safari seems to be immune to this problem.

Could Lulu somehow be configured to ignore any dns entries that are being "blackholed" by pihole?

[Diegus83]

I'm glad to see I'm not alone in this issue! I been having it for a while now and after trying different DNS servers, browsers, etc I finally remember I had Lulu installed, it honestly does such a good job of stating out of the way that I forgot about since I haven't installed that much stuff after a clean install of Catalina.

I'm running macOS 10.15.7, Lulu 2.4.1 and Pihole v5.5.

1. In my system this doesn't seem to affect Safari (15.1) but it does affect Firefox (94.0.1). I do a lot of image searches for work using DuckDuckGo and Safari loads the images in half the time than Firefox when Lulu is enabled. With Lulu disabled the loading time is the same on both browsers.

2. No block lists configured on Lulu

3. No hits when browsing and running log stream --level debug --predicate="subsystem='com.objective-see.lulu'" | grep -i block

4. I have "Allow Apple Programs check", the rest unchecked, deleted the rules.plist file and enabled the apps as I'm prompted when using them.

I can also confirm that disabling Pihole/enabling Lulu makes the issue go away. Also enabling DNS over HTTPS in Firefox makes the issue go away (since it is not using the Pihole for resolution).

Any other helpful information or logs I can provide?

Thanks for your time!

[didusee]

now running 12.0.1 and lulu 2.4.1., at least here everything seems to run fine. can anyoune confirm?