Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

DNSSEC vulnerabilities #40

Open
MaoriPanda opened this issue Feb 14, 2024 · 28 comments · May be fixed by #45
Open

DNSSEC vulnerabilities #40

MaoriPanda opened this issue Feb 14, 2024 · 28 comments · May be fixed by #45
Labels
enhancement New feature or request

Comments

@MaoriPanda
Copy link

The security cases which refer to this are CVE-2023-50387 and CVE-2023-50868. Both vulnerabilities are remote exploitable and rated “high” severity. But Ubound 1.19.1 fixes these

@ZSamuels28
Copy link

@aleksanderbl29 please update Unbound and PiHole. Looks like there is a new version of Unbound and PiHole FTL v5.25

@aleksanderbl29
Copy link
Owner

Thank you for bringing this to my attention. A new release is on the way - will be on dockerhub shortly

@aleksanderbl29
Copy link
Owner

A new release is on the way - will be on dockerhub shortly

Please let me know if you experience any issues

@ZSamuels28
Copy link

Thanks! Upgraded and so far so good.

@MaoriPanda
Copy link
Author

MaoriPanda commented Feb 15, 2024 via email

@vwfast
Copy link

vwfast commented Feb 15, 2024

Unbound is still on 1.17.1

On Wed, Feb 14, 2024, 10:32 PM Aleksander Bang-Larsen < @.> wrote: A new release is on the way - will be on dockerhub shortly Please let me know if you experience any issues — Reply to this email directly, view it on GitHub <#40 (comment)>, or unsubscribe https://github.com/notifications/unsubscribe-auth/AN4VVNFCMPY6H5SSRQRITOLYTWTYFAVCNFSM6AAAAABDHR5CRGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSNBVGQ2DSNRYGU . You are receiving this because you authored the thread.Message ID: @.>

The Dockerfile is installing Unbound using the command below:
RUN apt-get update && apt-get -t bullseye-backports install -y unbound

And the unbound Debian bullseye-backport package hasn't been updated yet.
https://packages.debian.org/bullseye-backports/unbound

Here's the tracking page for unbound
https://tracker.debian.org/pkg/unbound

@aleksanderbl29
Copy link
Owner

And the unbound Debian bullseye-backport package hasn't been updated yet.

I will change the install method so that the image uses the bookworm-repo and then I will update this image when 1.19.1 is pushed to this tag. It seems to currently be in the unstable sid channel which I will not base the image on

This was referenced Feb 16, 2024
@aleksanderbl29 aleksanderbl29 linked a pull request Feb 18, 2024 that will close this issue
@aleksanderbl29
Copy link
Owner

I have now published dev-pr-45-2024-02-18 that has unbound version 1.19.1 installed. You are all free to use it until it ships with the latest version of the image

@MaoriPanda
Copy link
Author

MaoriPanda commented Feb 18, 2024 via email

@aleksanderbl29
Copy link
Owner

I have now updated the underlying image to pihole:2024.02.2. The appropriate image is now dev-45-2024-02-28.
A tag called dev-45 is also now available and will contain all further image updates with the sid repository (and therefore also the 1.19.1 version of unbound for the time being)

@vwfast
Copy link

vwfast commented Feb 29, 2024

Thanks for all of your efforts! I deployed dev-45 shortly after you posted it yesterday. No issues to report.

@aleksanderbl29 aleksanderbl29 added the enhancement New feature or request label Mar 9, 2024
@aleksanderbl29
Copy link
Owner

I have now updated the base image to 2024.03.02. You can pull the new version of tag dev-45 or use tag dev-45-2024-04-04

@rbnet
Copy link

rbnet commented Apr 5, 2024

Got an error with version dev-45-2024-04-04:

...
stdout 05/04/2024 08:54:10  [✗] DNS service is NOT running
stdout 05/04/2024 08:54:10
stderr 05/04/2024 08:54:10 fatal: unable to access 'https://github.com/pi-hole/pi-hole/': Could not resolve host: github.com
stderr 05/04/2024 08:54:10 fatal: unable to access 'https://github.com/pi-hole/web/': Could not resolve host: github.com
stderr 05/04/2024 08:54:10 ./run: line 41:   337 Real-time signal 2      capsh --user=$DNSMASQ_USER --keep=1 -- -c "/usr/bin/pihole-FTL $FTL_CMD >/dev/null 2>&1"
stdout 05/04/2024 08:54:10 Stopping pihole-FTL
stderr 05/04/2024 08:54:10 pihole-FTL: no process found
stdout 05/04/2024 08:54:10 Stopping lighttpd
stderr 05/04/2024 08:54:10 lighttpd: no process found
stderr 05/04/2024 08:54:11 ./run: line 41:   488 Real-time signal 2      capsh --user=$DNSMASQ_USER --keep=1 -- -c "/usr/bin/pihole-FTL $FTL_CMD >/dev/null 2>&1"
stdout 05/04/2024 08:54:11 Stopping pihole-FTL
...

No problems with the previous version dev-45-2024-02-28 or the latest 2024.03.02.

@aleksanderbl29
Copy link
Owner

I can't seem to reproduce the error.
Do you see any errors prior to the notification that the DNS service is not running?

@rbnet
Copy link

rbnet commented Apr 5, 2024

Sorry, I was a bit hurried earlier in posting the log. That is the complete log:

s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service legacy-cont-init: starting
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service cron: starting
s6-rc: info: service cron successfully started
s6-rc: info: service _uid-gid-changer: starting
  [i] Changing ID for user: www-data (33 => 999)
configuration error - unknown item 'NONEXISTENT' (notify administrator)
s6-rc: info: service _uid-gid-changer successfully started
s6-rc: info: service _startup: starting
  [i] Starting docker specific checks & setup for docker pihole/pihole
  [i] Setting capabilities on pihole-FTL where possible
  [!] WARNING: Unable to set capabilities for pihole-FTL.
              Please ensure that the container has the required capabilities.
s6-rc: info: service _startup successfully started
s6-rc: info: service pihole-FTL: starting
s6-rc: info: service pihole-FTL successfully started
s6-rc: info: service lighttpd: starting
s6-rc: info: service lighttpd successfully started
s6-rc: info: service _postFTL: starting
s6-rc: info: service _postFTL successfully started
s6-rc: info: service legacy-services: starting
  Checking if custom gravity.db is set in /etc/pihole/pihole-FTL.conf
services-up: info: copying legacy longrun unbound (no readiness notification)
s6-rc: info: service legacy-services successfully started
Starting unbound
  [i] Neutrino emissions detected...
  [✓] Pulling blocklist source list into range

  [✓] Preparing new gravity database
  [✓] Creating new gravity databases
  [i] Using libz compression

  [i] Target: https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
  [✗] Status: Connection Refused
  [✗] List download failed: using previously cached list
Stopping lighttpd
lighttpd: no process found
  [✓] Parsed 131355 exact domains and 0 ABP-style domains (ignored 1 non-domain entries)
      Sample of non-domain entries:
        - "0.0.0.0"

./run: line 41:   165 Real-time signal 2      capsh --user=$DNSMASQ_USER --keep=1 -- -c "/usr/bin/pihole-FTL $FTL_CMD >/dev/null 2>&1"
Stopping pihole-FTL

  [✗] Unable to update status of adlist with ID 1 in database /etc/pihole/gravity.db_temp
  
  [✓] Cleaning up stray matter
  [✗] DNS service is NOT running
./run: line 41:   287 Real-time signal 2      capsh --user=$DNSMASQ_USER --keep=1 -- -c "/usr/bin/pihole-FTL $FTL_CMD >/dev/null 2>&1"
Stopping pihole-FTL
pihole-FTL: no process found
Stopping lighttpd
lighttpd: no process found
./run: line 41:   342 Real-time signal 2      capsh --user=$DNSMASQ_USER --keep=1 -- -c "/usr/bin/pihole-FTL $FTL_CMD >/dev/null 2>&1"
Stopping pihole-FTL
pihole-FTL: no process found
Stopping lighttpd
lighttpd: no process found
...

Note that my configuration is quite customized, but aside from the workaround to avoid the "attempt to write a readonly database" error that affects every one of my pihole installations on Raspberry Pi 5 and the fact that I use Pi-Hole as a DHCP server for my LAN (so I'm forced to use dhcphelper as a dhcp relay), the rest is pretty standard. The strange thing is that it is only the latest dev-45 version that does not work and returns the error given above.

services:

  pihole:
    image: aleksanderbl/pihole-unbound:dev-45
    container_name: pihole
    hostname: pihole
    ipc: private
    cap_add:
        - NET_ADMIN
    depends_on:
      - dhcphelper
    entrypoint:
      - /bin/bash
      - -c
      - ./s6-init
    environment:
      - FTLCONF_LOCAL_IPV4=${FTLCONF_LOCAL_IPV4}
      - TZ=${TZ:-UTC}
      - DNSSEC="false"
      - DNS1=127.0.0.1#5335
      - DNS2=127.0.0.1#5335
      - PATH=${PATH}
      - PHP_ERROR_LOG=${PHP_ERROR_LOG}
      - IPv6=${IPv6}
      - DNSMASQ_USER=${DNSMASQ_USER}
      - DNSMASQ_LISTENING=all
      - WEBPASSWORD_FILE=/run/secrets/pihole_webpw
      - WEBTHEME=${WEBTHEME}
      # Avoid error "attempt to write a readonly database"
      #- PIHOLE_UID=1000
      #- PIHOLE_GID=1000
      - WEB_UID=999
      #- WEB_GID=1000
    networks:
      pihole_network:
        ipv4_address: 172.31.0.10
    ports:
      - 53:53/tcp
      - 53:53/udp
      - ${PIHOLE_WEBPORT}:80/tcp
    dns: 127.0.0.1 # avoid "DNS resolution is currently unavailable" error
    volumes:
      - ./config/dns:/etc/dnsmasq.d
      - ./config:/etc/pihole
      - ./config/01-memory.ini:/etc/php/7.4/cgi/conf.d/01-memory.ini
    restart: always
    secrets:
      - pihole_webpw
    labels:
      - "diun.enable=true"

  dhcphelper:
    container_name: dhcphelper
    network_mode: "host"
    image: homeall/dhcphelper:latest
    environment:
      - IP=172.31.0.10
      - TZ=${TZ:-UTC}
    labels:
      - "diun.enable=true"
    cap_add:
      - NET_ADMIN
    restart: always

networks:
  pihole_network:
    name: pihole_network
    ipam:
      config:
        - subnet: 172.31.0.0/16

secrets:
  pihole_webpw:
    file: ${SECRETSDIR}/pihole_webpw.txt

@aleksanderbl29
Copy link
Owner

The strange thing is that it is only the latest dev-45 version that does not work and returns the error given above.

I have tried multiple times with different images and can't get this error to show. Can you try building the image locally from the dockerfile?
I have also rebuilt the image available at dev-45 (can also be found as dev-45-2024-04-06). Please try again with this one

@rbnet
Copy link

rbnet commented Apr 7, 2024

I think that the problem does not depend on your Unbound implementation, but on something introduced in Sid that clashes with my configuration. I ran a few tests:

Host: Raspberry Pi 5 (arm64) with Raspberry OS Lite (Bookworm).

  • the latest dev-45 doesn't work, but since it has changed practically nothing I expected that
  • building using repositories from Debian Sid (unbound 1.19.2), same error
  • building using Debian testing/Trixie (unbound 1.19.1), works without any problem

No errors are reported during the build other than the ones below, which are present in all versions (eg. from image based on Debian Sid):

...
#7 30.79 Setting up unbound (1.19.2-1) ...
#7 30.86 configuration error - unknown item 'NONEXISTENT' (notify administrator)
#7 30.88 configuration error - unknown item 'NONEXISTENT' (notify administrator)
#7 31.16 invoke-rc.d: could not determine current runlevel
#7 31.17 invoke-rc.d: policy-rc.d denied execution of start.
#7 31.17 Processing triggers for libc-bin (2.37-15.1) ...
#7 DONE 31.4s

Then I realized that with the Debian Sid-based image, I had this warning when starting the container:

...
[i] Starting docker specific checks & setup for docker pihole/pihole
[i] Setting capabilities on pihole-FTL where possible
[!] WARNING: Unable to set capabilities for pihole-FTL.
             Please ensure that the container has the required capabilities.
...

while normally it should appear similar to the following:

...
[i] Starting docker specific checks & setup for docker pihole/pihole
[i] Setting capabilities on pihole-FTL where possible
[i] Applying the following caps to pihole-FTL:
      * CAP_CHOWN
      * CAP_NET_BIND_SERVICE
      * CAP_NET_RAW
      * CAP_NET_ADMIN
...

A little search led me to pi-hole/docker-pi-hole#963 and a number of similar comments in the Pi-Hole GitHub repo. I wasn't able to solve it 100%, but I made some progress by playing with the DNSMASQ_USER, PIHOLE_UID/GID and WEB_UID/GID envs values. Waiting to find a final fix I am using the local build with Debian testing.

@aleksanderbl29
Copy link
Owner

Looks like you're on the right track. Now that unbound 1.19.1 is in the trixie distribution i will let the image use that instead. I figure that it would be marginally more stable than the absolute cutting edge. The new image will be published tonight

Copy link

github-actions bot commented Sep 8, 2024

This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!

Please read this blog post to see the reasons why I mark issues as stale.

@github-actions github-actions bot added the stale label Sep 8, 2024
@aqtoo
Copy link

aqtoo commented Oct 28, 2024

Is there any update to updating to the latest version of unbound? I just tried dev-67 yet it seems to still be on unbuond 1.17.1

@aleksanderbl29
Copy link
Owner

Hi @aqtoo
Please try dev-45. I haven't cleaned up the dev-releases in a while. I will do that :)

@aqtoo
Copy link

aqtoo commented Oct 29, 2024

Thanks for replying, I'll try when home, is dev-45 running the latest pihole 2024.07.0? or is it running 2024.06.0 due to being last committed 5 months ago?

Lemme know if you can! I'm just double checking.

@aleksanderbl29
Copy link
Owner

I have just updated the image to use 2024.07.0. The new image should be published as dev-45 later today.

Thanks for noticing

@aqtoo
Copy link

aqtoo commented Oct 30, 2024

No problem, thanks for updating!

@aqtoo
Copy link

aqtoo commented Oct 30, 2024

@aleksanderbl29 any update on the new dev-45 build? or will it take longer than today?

@aleksanderbl29
Copy link
Owner

@aleksanderbl29 any update on the new dev-45 build? or will it take longer than today?

Oh sorry. Looks like the build with the updated image failed. I will take a look at it tomorrow before lunch.

@aqtoo
Copy link

aqtoo commented Oct 30, 2024

Much thanks, just thought I'd let you know.

@aleksanderbl29
Copy link
Owner

aleksanderbl29 commented Oct 31, 2024

Quick update.
I get an error that unbound cannot be installed. I can't seem to figure out how to fix it. It's probably something simple I am missing. Thus no new image today :)

Here is the errors if anyone has any ideas.

5.630 Preparing to unpack .../base-files_13.5_arm64.deb ...
5.643
5.643
5.643 ******************************************************************************
5.643 *
5.643 * The base-files package cannot be installed because
5.643 * /bin is a directory, but should be a symbolic link.
5.643 *
5.643 * Please install the usrmerge package to convert this system to merged-/usr.
5.643 *
5.643 * For more information please read https://wiki.debian.org/UsrMerge.
5.643 *
5.643 ******************************************************************************
5.643
5.643
5.643 dpkg: error processing archive /var/cache/apt/archives/base-files_13.5_arm64.deb (--unpack):
5.643  new base-files package pre-installation script subprocess returned error exit status 1
5.659 Errors were encountered while processing:
5.659  /var/cache/apt/archives/base-files_13.5_arm64.deb
5.674 E: Sub-process /usr/bin/dpkg returned an error code (1)
------
Dockerfile:11
--------------------
  10 |     # RUN apt-get upgrade -y
  11 | >>> RUN apt-get -t trixie install -y unbound -V
  13 |
  14 |     COPY lighttpd-external.conf /etc/lighttpd/external.conf
--------------------
ERROR: failed to solve: process "/bin/bash -c apt-get install -y unbound -V" did not complete successfully: exit code: 100

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

Successfully merging a pull request may close this issue.

6 participants