Author: DL6ER

Fixing two new DNSSEC vulnerabilities

Today, we were informed of two DNSSEC vulnerabilities in dnsmasq, which Pi-hole FTL is forked from. Through specially crafted DNSSEC answers, both vulnerabilities can lead DNSSEC validators down a very CPU-intensive and time-consuming validation/NSEC3 hash calculation path. This results in degraded performance and denial of service in trivially orchestrated attacks. In…

Understanding DNSSEC validation using Pi-hole’s Query Log

The Domain Name System Security Extensions (DNSSEC) is an Internet standard that adds security mechanisms to the Domain Name System (DNS). It ensures both the authenticity and integrity of the DNS data. From FTL v5.9 on, Pi-hole shows and analyzes the internally generated DNSSEC queries needed to build the chain of trust. This feature is enabled by…

Pi-hole FTL v5.10.1, Web v5.7 and Core v5.5 released

As always, please read through the changelog before updating with pihole -up. A new tag for the Docker image will arrive shortly. Highlights: Changes in the embedded dnsmasq-v2.87rc1: Fix crash if server=/domain/# is combined with address=/domain/1.2.3.4 (issue reported by Pi-hole). Add all defined RR types to the table of type names used for query logging (Pi-hole…

Pi-hole FTL v5.9, Web v5.6 and Core v5.4 released

As always, please read through the changelog before updating with pihole -up. After a successful beta round, we are excited to announce that the next version(s) of Pi-hole are now available in the main branches! A great big “Thank You” to all those who not only tested the beta, but actively reported back with any…

Join us beta-testing Pi-hole FTL v5.9, Web v5.6 and Core v5.4

As always, please read through the changelog before updating to the beta versions. Read first: Please do not run this if you are not comfortable with digging into any issues that may arise. That said, we would like to have some support in making sure we have every imaginable configuration covered before release. Pi-hole can…

Pi-hole FTL v5.8, Web v5.5 and Core v5.3 released

As always, please read through the changelog before updating with pihole -up. Highlights: More details for your adlists. The web dashboard now provides health status and statistics about downloaded and processed adlists. You can see when they were last downloaded, when they were last changed, and if they work at all or contain invalid domains.…

Help us test FTL v5.8 / dnsmasq v2.85

Pi-hole embeds the DNS server dnsmasq, which is currently in release-candidate state for version 2.85. Please join us in the final testing of this version of dnsmasq, to help us ensure there are no major bugs before the final release. You may be receiving a few updates on this branch. To get the release candidate…

Pi-hole FTL v5.7 and Web v5.4 released

Today, we release Pi-hole FTL v5.7 and Web v5.4. This release improves the security and reliability of your Pi-hole. The most important enhancements are summarized below: Fix security flaws on the web interface. Thanks to Veno Eivazian, who pointed us to three security flaws in the web interface. They could have been used to run…

Pi-hole FTL v5.6 released

Another release so soon after v5.5(.1) was released? Yes! FTL v5.5(.1) brought you the bleeding-edge dnsmasq v2.83 and our attentive users have quickly reported an issue with queries for the same domain coming from different network sockets. The updated dnsmasq has a new feature to group queries that need to be forwarded so only one…

Pi-hole FTL v5.5 released – UPDATE TODAY

In September 2020, the JSOF Research Lab discovered seven security vulnerabilities in dnsmasq. They named the set of vulnerabilities DNSpooq. We’ve been in contact with them and, over the last couple of weeks, we’ve partnered and worked closely with Cisco, Red Hat, and Simon Kelley (the maintainer of dnsmasq) [the order of mentioning does not…