
Pi-Hole Mitigates Two Newly Discovered DNSSEC Vulnerabilities

Pi-hole has announced that it is addressing two new DNSSEC vulnerabilities in its upcoming releases. The vulnerabilities are in dnsmasq, the DNS resolver from which Pi-hole FTL is forked. They can be triggered by specially crafted DNSSEC answers, causing degraded performance and denial of service. Note that the vulnerabilities are not specific to Pi-hole: other DNSSEC-validating DNS resolvers can be affected as well.

The author of dnsmasq, Simon Kelley, explains that the vulnerabilities stem from a flaw in the DNSSEC specification itself. The fix in dnsmasq is to impose hard limits on the amount of “work” a single DNSSEC validation may consume. These limits have been set with significant headroom and can be overridden if necessary. The vulnerabilities have been assigned CVE-2023-50387 and CVE-2023-50868 and are rated “high” severity.
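To make the “work limit” idea concrete, here is an added illustration (not Pi-hole’s or dnsmasq’s code) of why a validator that follows the specification literally can be driven into a large amount of signature checking, and how a per-validation budget stops that. The record layout, key tag 12345, algorithm 13 and the HMAC used as a stand-in for real public-key signature verification are all assumptions of this example; dnsmasq’s actual counters and default limits differ.

```python
import hashlib
import hmac
from collections import namedtuple

# Toy records carrying only the fields a validator uses to pair them up.
DNSKEY = namedtuple("DNSKEY", "key_tag algorithm material")  # material stands in for the public key
RRSIG = namedtuple("RRSIG", "key_tag algorithm signature")

class WorkLimitExceeded(Exception):
    """One validation burned more signature checks than the limit allows."""

def toy_verify(key, sig, rrset):
    # Stand-in for the expensive RSA/ECDSA check (assumption: an HMAC over the
    # RRset plays the role of the real public-key signature verification).
    expected = hmac.new(key.material, rrset, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig.signature)

def validate_rrset(rrset, rrsigs, dnskeys, work_limit=None):
    """Return (status, work_units).
    RFC 4035 tells a validator to try every DNSKEY whose key tag and algorithm
    match an RRSIG until one verifies, so the cost can reach
    len(rrsigs) * len(dnskeys) checks. work_limit caps that total (None = unbounded).
    """
    work = 0
    for sig in rrsigs:
        for key in dnskeys:
            if (key.key_tag, key.algorithm) != (sig.key_tag, sig.algorithm):
                continue
            work += 1
            if work_limit is not None and work > work_limit:
                raise WorkLimitExceeded(f"{work} checks exceed the limit of {work_limit}")
            if toy_verify(key, sig, rrset):
                return "SECURE", work
    return "BOGUS", work

RRSET = b"example.com. 300 IN A 192.0.2.1"  # constructed sample RRset

def signed_answer():
    """Normal case: one zone key and one signature that verifies."""
    key = DNSKEY(12345, 13, b"zone-key")
    sig = RRSIG(12345, 13, hmac.new(b"zone-key", RRSET, hashlib.sha256).digest())
    return [sig], [key]

def worst_case_answer(n_keys, n_sigs):
    """Every key pairs with every signature and nothing verifies, so an
    unbounded validator performs n_keys * n_sigs checks before answering BOGUS."""
    keys = [DNSKEY(12345, 13, f"key-{i}".encode()) for i in range(n_keys)]
    sigs = [RRSIG(12345, 13, b"\x00" * 32) for _ in range(n_sigs)]
    return sigs, keys
```

With work_limit=None the worst-case answer costs n_keys * n_sigs checks for a single query, which is the degraded-performance path the fix closes; with a limit the validator gives up early and the answer is simply treated as unvalidated.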

Pi-hole has already shipped fixes for these vulnerabilities in the beta of Pi-hole v6.0 and is preparing to release them in the stable version as well. Disabling DNSSEC validation entirely removes the exposure, but Pi-hole strongly advises upgrading to the fixed version instead: with the fix in place, DNSSEC validation can no longer starve other server workloads.

Users on the stable v5.x releases of Pi-hole should either manually check out the development branch or disable DNSSEC for the time being and rely on the upstream server for DNSSEC validation. In the latter case, make sure the upstream resolver runs a fixed version, for example unbound 1.19.1.

Update: Pi-hole has now released the update. Run pihole -up to apply it.