Posts for: #ad-blocker

Pi-hole Mitigates Two Newly Discovered DNSSEC Vulnerabilities

Pi-hole has announced that it is addressing two new DNSSEC vulnerabilities in its upcoming versions. The vulnerabilities are found in dnsmasq, the DNS resolver that Pi-hole FTL is forked from. They can be exploited through specially crafted DNSSEC answers, leading to degraded performance and denial-of-service attacks. The vulnerabilities are not limited to Pi-hole and can affect other DNSSEC-validating DNS resolvers as well.

The author of dnsmasq, Simon Kelley, explains that the vulnerabilities are due to a failure in the DNSSEC specification. The solution for dnsmasq is to impose hard limits on the amount of “work” a DNSSEC validation can take. These limits have been set with significant headroom and can be overridden if necessary. The vulnerabilities have been assigned the CVE numbers CVE-2023-50387 and CVE-2023-50868 and are rated as “high” severity.

Pi-hole has already released fixes for these vulnerabilities in the beta version of Pi-hole v6.0 and is preparing to release them in the stable version as well. Disabling DNSSEC validation entirely can remove the vulnerability, but Pi-hole strongly advises upgrading to the fixed version instead. Upgrading to the fixed version will ensure that DNSSEC validation does not impede other server workloads.

For users still using the stable versions of Pi-hole (v5.x), it is recommended to either manually check out the development branch or disable DNSSEC for the time being and rely on the upstream server for DNSSEC validation. However, it is important to ensure that the upstream server is on a sufficiently recent version, such as unbound version 1.19.1, which has been fixed.
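One way to check the upstream requirement above, as an added example that is not from Pi-hole or the original post: it compares a resolver's reported version against the unbound 1.19.1 release named in the text. The function names and the sample banners are constructed for illustration, and it assumes the banner contains a dotted version such as "Version 1.19.1".

```shell
#!/bin/sh
# Added example: decide whether an upstream resolver's reported version is at
# least the unbound release the post names as fixed (1.19.1).
FIXED_UNBOUND="1.19.1"

# Pull the first dotted version number out of a banner line,
# e.g. "Version 1.19.1" -> "1.19.1". Prints nothing if none is found.
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/p' | head -n 1
}

# Return 0 if dotted version $1 >= $2, comparing components numerically
# (so 1.9.0 < 1.19.1, which a plain string comparison gets wrong).
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        # Drop the component just read (or everything if it was the last).
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0} y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# Classify a banner: prints "ok <v>", "outdated <v>" or "unknown".
check_upstream() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then
        echo "unknown"
    elif version_ge "$v" "$FIXED_UNBOUND"; then
        echo "ok $v"
    else
        echo "outdated $v"
    fi
}

# Constructed sample banners (not captured from real hosts).
for banner in "Version 1.19.1" "Version 1.9.0" "Version 1.20.0" "no version here"; do
    printf '%-18s -> %s\n' "$banner" "$(check_upstream "$banner")"
done
```

Distributions sometimes backport fixes without changing the upstream version number, so an "outdated" result is a prompt to check the package changelog rather than a final verdict.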

Update: Pi-hole has now released the update. Run pihole -up to apply.

Pi-hole FTL and Core Receive Latest Updates

Pi-hole has released updates to its FTL (v5.24) and Core (v5.17.3) components. These updates bring several changes and improvements to enhance the performance and functionality of Pi-hole.

While the development team is primarily focused on the upcoming v6.0 beta, they remain committed to supporting and enhancing v5. They understand that many users still rely on v5 and want to ensure that it remains robust and up-to-date. Consequently, certain improvements and changes developed for v6.0 will be backported to v5, providing the best experience for all users, whether they are part of the public beta or not.

The FTL changes in this release include updating the dependabot.yml file, adding pihole-FTL sqlite3 -ni, fixing a possible crash with high client activity, and implementing special domains whitelisting. These changes aim to improve the stability and performance of Pi-hole FTL.

On the other hand, the Core changes include adding “-ni” to all sqlite3 invocations in v5. This modification ensures the proper functioning of sqlite3 in Pi-hole Core.

Users are advised to read the detailed FTL and Core changelogs before updating to these latest versions.

Source: Pi-hole.

AdGuard Home v0.108.0-b.51 Released, Addressing Go Security Vulnerabilities

AdGuard Home, the popular ad-blocker, has released its latest version, v0.108.0-b.51. This update brings several improvements and fixes compared to the previous beta, v0.108.0-b.50.

In terms of security, the Go version has been updated to address potential vulnerabilities. This update specifically prevents the exploitation of the CVE-2023-39326, CVE-2023-45283, and CVE-2023-45285 Go vulnerabilities. These vulnerabilities have been fixed in Go 1.20.12, ensuring a more secure experience for users.

One notable addition in this release is the ability to set a client’s custom DNS cache. This feature, requested by users, allows for more personalized DNS caching, enhancing the overall performance and customization options of AdGuard Home.

Furthermore, this update also addresses a memory leak issue when using parallel queries. The fix for this problem, identified as issue #6438, ensures better memory management and stability.

For a complete list of changes and updates in AdGuard Home v0.108.0-b.51, please refer to the CHANGELOG.md file.

Pi-hole V6 Beta: Join the Testing Phase for Enhanced Ad Blocking

Pi-hole, the popular network-wide ad blocker, is rolling out its latest version, V6.0, and is inviting users to participate in beta testing and troubleshooting. The Pi-hole team is looking for brave users who are comfortable with digging into any issues that may arise. The beta version introduces several fundamental changes, and updating from Pi-hole 5.x to 6.0 is a one-way operation.

Some of the new features and improvements in Pi-hole V6.0 include:

  • A new REST API and webserver directly embedded into the pihole-FTL binary, eliminating the need for lighttpd and php dependencies. This change reduces the installation size of Pi-hole.
  • Subscribed allowlists, known as Antigravity, which allow users to whitelist specific domains while still blocking entries in subscribed blocklists.
  • Consolidated settings files, with all settings now contained in a single file located at /etc/pihole/pihole.toml. The file is well-commented, making it easier for users to understand and modify settings.
  • Server-side pagination of the query log, improving the performance of the query log page by loading results one page at a time.
  • Redesigned settings menu in the web interface, categorized into Basic, Advanced, and Expert levels, with different settings available based on the selected mode.
  • Built-in HTTPS support in FTL, allowing users to use their own certificates or generate a self-signed certificate.
  • Docker image now based on Alpine, reducing the image size and potentially enabling support for more systems in the future.

The Pi-hole team emphasizes that the beta version is not yet stable for a full release. They are actively working on improving stability and addressing issues as they arise. Users who are interested in participating in the beta testing can visit the Pi-hole Discourse Forum to discuss the beta and report any findings. Contributions and suggestions for improvements are also welcome.

To try out the beta version, users can either install it as a fresh installation or switch to the v6 branches. Detailed instructions are provided for both bare metal and Docker installations.

Pi-hole V6.0 does not have a specific release date yet, but the team is working on it in their free time, aiming to release it when it’s stable and ready for production use.

Source: Pi-hole.