PSA: update your DNS resolvers (PiHole, unbound, Bind9, dsnmasq) to patch DNSSEC vulnerability

Selfhosted@lemmy.world – 145 points – 5 months ago

Researchers recently found a vulnerability in the way DNS resolvers handle DNSSEC validation that allow attackers to DoS resolvers with a single DNS request

https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/

It is highly recommended to upgrade your resolvers to the following versions:

unbound: 1.91.1
PiHole: FTL 5.25 or Docker 2024.02.0
Bind9: 9.19.17
dnsmasq: 2.90
and probably any other resolver you use

You are viewing a single comment

View all comments

Sorry if this is a basic question. So if I have a pihole, do I just need to update the Raspberry Pi software, along with updating pihole software to resolve the insecurities? Or do I need to change the DNS settings of the pihole?

If you use a third-party's DNS server (such as Cloudflare, Quad9 or Google) as your upstream DNS server, you only have to update PiHole.

If you have set up your own upstream DNS server using a DNS resolver like unbound or Bind9, update it as well as your PiHole.

Makes sense, thanks for the response.

You need to update Pihole