Researchers recently found a vulnerability in the way DNS resolvers handle DNSSEC validation that allow attackers to DoS resolvers with a single DNS request
https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/
It is highly recommended to upgrade your resolvers to the following versions:
- unbound: 1.91.1
- PiHole: FTL 5.25 or Docker 2024.02.0
- Bind9: 9.19.17
- dnsmasq: 2.90
- and probably any other resolver you use
Sorry if this is a basic question. So if I have a pihole, do I just need to update the Raspberry Pi software, along with updating pihole software to resolve the insecurities? Or do I need to change the DNS settings of the pihole?
If you use a third-party’s DNS server (such as Cloudflare, Quad9 or Google) as your upstream DNS server, you only have to update PiHole.
If you have set up your own upstream DNS server using a DNS resolver like unbound or Bind9, update it as well as your PiHole.
My unbound is on v1.13.1 (Raspbian) after update/upgrade. I’ve read it lags behind the main release by alot, should I trust the process that everything is fine.
Its up to your distros package maintainer to make the patched version available. You can find who maintains it and contact them so they are aware.
Debian usually backports security fixes to older versions, so you may wanna check to Debian if they have an updated version of the package with the security fix.
This can be done by taking the CVE number related to this vulnerability and look at the package changelog.
What’s the status of SmartDNS (that is used by OpenWRT and DD-WRT) on this? Anyone knows anything?