Researchers recently found a vulnerability in the way DNS resolvers handle DNSSEC validation that allows attackers to DoS resolvers with a single DNS request.
https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/
It is highly recommended to upgrade your resolvers to the following versions:
- unbound: 1.91.1
- PiHole: FTL 5.25 or Docker 2024.02.0
- Bind9: 9.19.17
- dnsmasq: 2.90
- and probably any other resolver you use
- Wouldn’t the attacker have to be on the same network as the resolver for this to work? Or could it be triggered by a “dirty hostname”? Because in the former case, most home networks would not be at much risk.
  - It’s the latter. Unless you run your own DNS resolver, most people are safe.
 
- Thanks for the heads-up.
- Sorry if this is a basic question. So if I have a pihole, do I just need to update the Raspberry Pi software, along with updating pihole software to resolve the insecurities? Or do I need to change the DNS settings of the pihole?
  - If you use a third-party’s DNS server (such as Cloudflare, Quad9 or Google) as your upstream DNS server, you only have to update PiHole.
  - If you have set up your own upstream DNS server using a DNS resolver like unbound or Bind9, update it as well as your PiHole.
    - Makes sense, thanks for the response.
 
- You need to update Pihole 
 
- My unbound is on v1.13.1 (Raspbian) after update/upgrade. I’ve read it lags behind the main release by a lot; should I trust the process that everything is fine?
  - It’s up to your distro’s package maintainer to make the patched version available. You can find who maintains it and contact them so they are aware.
    - Debian usually backports security fixes to older versions, so you may want to check with Debian whether they have an updated version of the package with the security fix.
      - This can be done by taking the CVE number related to this vulnerability and looking at the package changelog.
  - Cheers
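The version check and changelog search the replies above describe, written out as a small shell script. This is an added example, not something posted in the thread or shipped by any of the projects named in it: it compares an installed version against the fixed release listed in the post using `sort -V` ordering, extracts the version from `unbound -V` style output, and greps changelog text for a CVE id. The sample `unbound -V` output, the sample changelog entry and the `CVE-YYYY-NNNNN` id are constructed placeholders; substitute the real CVE number for this vulnerability.

```shell
#!/bin/sh
# Added example (not from the thread): is an installed resolver at or above the fixed
# release, and does the distro changelog mention the CVE (a backported fix)?

# version_ge INSTALLED FIXED -> exit 0 when INSTALLED >= FIXED.
# sort -V orders dotted versions component by component, so when FIXED sorts first
# (or both are equal) the installed version is at least the fixed one.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Constructed sample of "unbound -V" output; the first line carries the version.
# Used here so the example runs without unbound installed.
SAMPLE_UNBOUND_V="Version 1.13.1

Configured with: (constructed sample, not real configure flags)"

# parse_unbound_version OUTPUT -> prints the bare version from the "Version x.y.z" line.
parse_unbound_version() {
    printf '%s\n' "$1" | sed -n 's/^Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# check_resolver NAME INSTALLED FIXED -> exit 0 if at/above the fix, 1 if still below it.
check_resolver() {
    if version_ge "$2" "$3"; then
        echo "$1 $2: at or above fixed release $3"
        return 0
    fi
    echo "$1 $2: below fixed release $3; check whether your distro backported the fix"
    return 1
}

# Placeholder CVE id: replace with the CVE number for this vulnerability.
CVE_ID="CVE-YYYY-NNNNN"

# Constructed Debian-style changelog entry (version string and text are made up).
SAMPLE_CHANGELOG="unbound (1.13.1-1+sample1) sample-security; urgency=high

  * Backport upstream fix for $CVE_ID (DNSSEC validation DoS)."

# changelog_mentions_cve CVE_ID -> reads changelog text on stdin, exit 0 if the id appears.
# Debian often backports security fixes without bumping the upstream version, so the
# changelog, not the version number, is where the fix shows up. On a Debian-based host:
#   apt changelog unbound | changelog_mentions_cve "$CVE_ID"
changelog_mentions_cve() {
    grep -q -- "$1"
}

main() {
    # Mirrors the thread: unbound 1.13.1 on Raspbian vs the fixed release from the post.
    installed=$(parse_unbound_version "$SAMPLE_UNBOUND_V")
    check_resolver unbound "$installed" 1.19.1 || true
    check_resolver dnsmasq 2.90 2.90 || true
    if printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_mentions_cve "$CVE_ID"; then
        echo "changelog mentions $CVE_ID: fix was backported despite the old version"
    else
        echo "no mention of $CVE_ID in the changelog"
    fi
}

main
```

The point of the `changelog_mentions_cve` step is the one made in the reply above: a version number below the upstream fix release is not by itself proof that the package is unpatched on Debian, and a version at or above it is the only thing `version_ge` can tell you.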
 
- I’m on DietPi 9 and the latest version for Debian 12 is 1.17.1, sadly. Though I do see 1.19.1 is in testing as of today, according to Debian’s package tracker site. Probably not worth trying to install an unstable version of it.
  - I installed it now; it is working fine with my pihole. It wasn’t that much of a hassle, but it took a bit of googling.
 
 
- What’s the status of SmartDNS (that is used by OpenWRT and DD-WRT) on this? Does anyone know anything?
  - I struggle to find whether it uses DNSSEC, or even a change log. If it does, contact the maintainer and disable DNSSEC (if you can) until a fix is released.
 
- Not sure why, but on Synology with docker, the pihole:latest releases are usually a mess and restoring settings and client lists does not work. Unfortunately, only “latest -2” seems to work most of the time.
  - ¯\_(ツ)_/¯
- What about on mobile? Those of us who use DNS filtering on mobile.
  - I’m not familiar with off-the-shelf DNS filtering on mobile, but since running a DNS resolver on-device would be impractical, I think they must be using a DNS server that they maintain. Which means that, unless I’m wrong, the vulnerability lies on their end; you should be fine.
    - I’ve been using Rethink DNS, but I know there are others for Android at least. It works by local VPN magic.
      - They maintain their own resolver, so they have to patch it if not done already.