this post was submitted on 16 Feb 2024
145 points (99.3% liked)

Selfhosted

40633 readers
318 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

Researchers recently found a vulnerability in the way DNS resolvers handle DNSSEC validation that allow attackers to DoS resolvers with a single DNS request

https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/

It is highly recommended to upgrade your resolvers to the following versions:

top 20 comments
sorted by: hot top controversial new old
[–] admin@lemmy.my-box.dev 11 points 10 months ago (1 children)

Wouldn't the attacker have to be on the same network as the resolver for this to work? Or could it be triggered by a "dirty hostname"? Because in the former case, most home networks would not be at much risk.

[–] BlackEco@lemmy.blackeco.com 4 points 10 months ago

It's the latter. Unless you run your own DNS resolver, most people are safe

[–] kindenough@kbin.social 7 points 10 months ago

Thanks for the heads -up.

[–] Nunya@lemdro.id 4 points 10 months ago (2 children)

Sorry if this is a basic question. So if I have a pihole, do I just need to update the Raspberry Pi software, along with updating pihole software to resolve the insecurities? Or do I need to change the DNS settings of the pihole?

[–] BlackEco@lemmy.blackeco.com 8 points 10 months ago* (last edited 10 months ago) (1 children)

If you use a third-party's DNS server (such as Cloudflare, Quad9 or Google) as your upstream DNS server, you only have to update PiHole.

If you have set up your own upstream DNS server using a DNS resolver like unbound or Bind9, update it as well as your PiHole.

[–] Nunya@lemdro.id 2 points 10 months ago

Makes sense, thanks for the response.

[–] EpicVision@monero.town 4 points 10 months ago

You need to update Pihole

[–] Fedegenerate@lemmynsfw.com 3 points 10 months ago (2 children)

My unbound is on v1.13.1 (Raspbian) after update/upgrade. I've read it lags behind the main release by alot, should I trust the process that everything is fine.

[–] 9tr6gyp3@lemmy.world 11 points 10 months ago (2 children)

Its up to your distros package maintainer to make the patched version available. You can find who maintains it and contact them so they are aware.

[–] ARNiM@lemmy.world 4 points 10 months ago

Debian usually backports security fixes to older versions, so you may wanna check to Debian if they have an updated version of the package with the security fix.

This can be done by taking the CVE number related to this vulnerability and look at the package changelog.

[–] Fedegenerate@lemmynsfw.com 1 points 10 months ago
[–] ChaoticEntropy@feddit.uk 1 points 10 months ago* (last edited 10 months ago) (1 children)

I'm on DietPi 9 and the latest version for Debian 12 is 1.17.1, sadly. Though I do see 1.19.1 is in testing as of today, according to Debian's package tracker site. Probably not worth trying to install an unstable version of it.

[–] Rooki@lemmy.world 2 points 10 months ago

I installed it now, it is working fine with my pihole. It wasnt that much of a hussle but a bit of googling.

[–] TCB13@lemmy.world 2 points 10 months ago (1 children)

What's the status of SmartDNS (that is used by OpenWRT and DD-WRT) on this? Anyone knows anything?

[–] BlackEco@lemmy.blackeco.com 1 points 10 months ago

I struggle to find if it uses DNSSEC or even a change log. If it does, contact the maintainer and disable DNSSEC (if you can) until a fix is released.

[–] muntedcrocodile@lemmy.world 1 points 10 months ago (1 children)

What about on mobile? Those of us who use dns filtering on mobile.

[–] BlackEco@lemmy.blackeco.com 1 points 10 months ago* (last edited 10 months ago) (1 children)

I'm not familiar with off-the-shelf DNS filtering on mobile, but since running a DNS resolver on-device would be impractical, I think they must be using a DNS server that they maintain. Which means that unless I'm wrong, the vulnerability lies on their end, you should be fine.

[–] muntedcrocodile@lemmy.world 2 points 10 months ago (1 children)

I been using rethink dns but ik their are other for android at least. Works by making a local vpn magic.

[–] BlackEco@lemmy.blackeco.com 2 points 10 months ago

They maintain their own resolver, so they have to patch it if not done already.

[–] ratzki@discuss.tchncs.de 1 points 10 months ago

Not sure why, but on Synology with docker, the pihole:latest releases are usually a mess and restoring settings and client lists does not work. Unfortunately, only “latest -2” seems to work most of the time.

¯\_(ツ)_/¯