• just another dev@lemmy.my-box.dev
    link
    fedilink
    English
    arrow-up
    11
    ·
    9 months ago

    Wouldn’t the attacker have to be on the same network as the resolver for this to work? Or could it be triggered by a “dirty hostname”? Because in the former case, most home networks would not be at much risk.

  • Nunya@lemdro.id
    link
    fedilink
    English
    arrow-up
    4
    ·
    9 months ago

    Sorry if this is a basic question. So if I have a pihole, do I just need to update the Raspberry Pi software, along with updating pihole software to resolve the insecurities? Or do I need to change the DNS settings of the pihole?

    • BlackEco@lemmy.blackeco.comOP
      link
      fedilink
      English
      arrow-up
      8
      ·
      edit-2
      9 months ago

      If you use a third-party’s DNS server (such as Cloudflare, Quad9 or Google) as your upstream DNS server, you only have to update PiHole.

      If you have set up your own upstream DNS server using a DNS resolver like unbound or Bind9, update it as well as your PiHole.

    • BlackEco@lemmy.blackeco.comOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      9 months ago

      I struggle to find if it uses DNSSEC or even a change log. If it does, contact the maintainer and disable DNSSEC (if you can) until a fix is released.

  • ratzki@discuss.tchncs.de
    link
    fedilink
    English
    arrow-up
    2
    arrow-down
    1
    ·
    9 months ago

    Not sure why, but on Synology with docker, the pihole:latest releases are usually a mess and restoring settings and client lists does not work. Unfortunately, only “latest -2” seems to work most of the time.

    ¯\_(ツ)_/¯

    • BlackEco@lemmy.blackeco.comOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      9 months ago

      I’m not familiar with off-the-shelf DNS filtering on mobile, but since running a DNS resolver on-device would be impractical, I think they must be using a DNS server that they maintain. Which means that unless I’m wrong, the vulnerability lies on their end, you should be fine.