• just another dev@lemmy.my-box.dev
    link
    fedilink
    English
    arrow-up
    11
    ·
    10 months ago

    Wouldn’t the attacker have to be on the same network as the resolver for this to work? Or could it be triggered by a “dirty hostname”? Because in the former case, most home networks would not be at much risk.

  • Nunya@lemdro.id
    link
    fedilink
    English
    arrow-up
    4
    ·
    10 months ago

    Sorry if this is a basic question. So if I have a pihole, do I just need to update the Raspberry Pi software, along with updating pihole software to resolve the insecurities? Or do I need to change the DNS settings of the pihole?

    • BlackEco@lemmy.blackeco.comOP
      link
      fedilink
      English
      arrow-up
      8
      ·
      edit-2
      10 months ago

      If you use a third-party’s DNS server (such as Cloudflare, Quad9 or Google) as your upstream DNS server, you only have to update PiHole.

      If you have set up your own upstream DNS server using a DNS resolver like unbound or Bind9, update it as well as your PiHole.

  • Fedegenerate@lemmynsfw.com
    link
    fedilink
    English
    arrow-up
    3
    ·
    10 months ago

    My unbound is on v1.13.1 (Raspbian) after update/upgrade. I’ve read it lags behind the main release by alot, should I trust the process that everything is fine.

    • 9tr6gyp3@lemmy.world
      link
      fedilink
      English
      arrow-up
      11
      ·
      10 months ago

      Its up to your distros package maintainer to make the patched version available. You can find who maintains it and contact them so they are aware.

      • ARNiM@lemmy.world
        link
        fedilink
        English
        arrow-up
        4
        ·
        10 months ago

        Debian usually backports security fixes to older versions, so you may wanna check to Debian if they have an updated version of the package with the security fix.

        This can be done by taking the CVE number related to this vulnerability and look at the package changelog.

    • Chaotic Entropy@feddit.uk
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      10 months ago

      I’m on DietPi 9 and the latest version for Debian 12 is 1.17.1, sadly. Though I do see 1.19.1 is in testing as of today, according to Debian’s package tracker site. Probably not worth trying to install an unstable version of it.

      • Rooki@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        10 months ago

        I installed it now, it is working fine with my pihole. It wasnt that much of a hussle but a bit of googling.

    • BlackEco@lemmy.blackeco.comOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      10 months ago

      I struggle to find if it uses DNSSEC or even a change log. If it does, contact the maintainer and disable DNSSEC (if you can) until a fix is released.

  • ratzki
    link
    fedilink
    English
    arrow-up
    2
    arrow-down
    1
    ·
    10 months ago

    Not sure why, but on Synology with docker, the pihole:latest releases are usually a mess and restoring settings and client lists does not work. Unfortunately, only “latest -2” seems to work most of the time.

    ¯\_(ツ)_/¯

    • BlackEco@lemmy.blackeco.comOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      10 months ago

      I’m not familiar with off-the-shelf DNS filtering on mobile, but since running a DNS resolver on-device would be impractical, I think they must be using a DNS server that they maintain. Which means that unless I’m wrong, the vulnerability lies on their end, you should be fine.