DNSSEC vulnerabilities - Githubissues

MaoriPanda commented 9 months ago

The security cases which refer to this are CVE-2023-50387 and CVE-2023-50868. Both vulnerabilities are remote exploitable and rated “high” severity. But Ubound 1.19.1 fixes these

ZSamuels28 commented 9 months ago

@aleksanderbl29 please update Unbound and PiHole. Looks like there is a new version of Unbound and PiHole FTL v5.25

aleksanderbl29 commented 9 months ago

Thank you for bringing this to my attention. A new release is on the way - will be on dockerhub shortly

aleksanderbl29 commented 9 months ago

A new release is on the way - will be on dockerhub shortly

Please let me know if you experience any issues

ZSamuels28 commented 9 months ago

Thanks! Upgraded and so far so good.

MaoriPanda commented 9 months ago

Unbound is still on 1.17.1

On Wed, Feb 14, 2024, 10:32 PM Aleksander Bang-Larsen < @.***> wrote:

A new release is on the way - will be on dockerhub shortly

Please let me know if you experience any issues

— Reply to this email directly, view it on GitHub https://github.com/aleksanderbl29/docker-pihole-unbound/issues/40#issuecomment-1945449685, or unsubscribe https://github.com/notifications/unsubscribe-auth/AN4VVNFCMPY6H5SSRQRITOLYTWTYFAVCNFSM6AAAAABDHR5CRGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSNBVGQ2DSNRYGU . You are receiving this because you authored the thread.Message ID: @.***>

vwfast commented 9 months ago

Unbound is still on 1.17.1 … On Wed, Feb 14, 2024, 10:32 PM Aleksander Bang-Larsen < @.> wrote: A new release is on the way - will be on dockerhub shortly Please let me know if you experience any issues — Reply to this email directly, view it on GitHub <#40 (comment)>, or unsubscribe https://github.com/notifications/unsubscribe-auth/AN4VVNFCMPY6H5SSRQRITOLYTWTYFAVCNFSM6AAAAABDHR5CRGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSNBVGQ2DSNRYGU . You are receiving this because you authored the thread.Message ID: @.>

The Dockerfile is installing Unbound using the command below: RUN apt-get update && apt-get -t bullseye-backports install -y unbound

And the unbound Debian bullseye-backport package hasn't been updated yet. https://packages.debian.org/bullseye-backports/unbound

Here's the tracking page for unbound https://tracker.debian.org/pkg/unbound

aleksanderbl29 commented 9 months ago

And the unbound Debian bullseye-backport package hasn't been updated yet.

I will change the install method so that the image uses the bookworm-repo and then I will update this image when 1.19.1 is pushed to this tag. It seems to currently be in the unstable sid channel which I will not base the image on

aleksanderbl29 commented 9 months ago

I have now published dev-pr-45-2024-02-18 that has unbound version 1.19.1 installed. You are all free to use it until it ships with the latest version of the image

MaoriPanda commented 9 months ago

Awesome, thanks for the update!

On Sun, Feb 18, 2024, 2:10 PM Aleksander Bang-Larsen < @.***> wrote:

I have now published dev-pr-45-2024-02-18 https://hub.docker.com/layers/aleksanderbl/pihole-unbound/dev-pr-45-2024-02-18/images/sha256-a1dffb4cc7208d2868f7efc6afa36dcca4bfa93daf277a673f517549775f2b37?context=explore that has unbound version 1.19.1 installed. You are all free to use it until it ships with the latest version of the image

— Reply to this email directly, view it on GitHub https://github.com/aleksanderbl29/docker-pihole-unbound/issues/40#issuecomment-1951460671, or unsubscribe https://github.com/notifications/unsubscribe-auth/AN4VVNEB2CPNHB23JZQV2ODYUJ34PAVCNFSM6AAAAABDHR5CRGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSNJRGQ3DANRXGE . You are receiving this because you authored the thread.Message ID: @.***>

aleksanderbl29 commented 8 months ago

I have now updated the underlying image to pihole:2024.02.2. The appropriate image is now dev-45-2024-02-28. A tag called dev-45 is also now available and will contain all further image updates with the sid repository (and therefore also the 1.19.1 version of unbound for the time being)

vwfast commented 8 months ago

Thanks for all of your efforts! I deployed dev-45 shortly after you posted it yesterday. No issues to report.

aleksanderbl29 commented 7 months ago

I have now updated the base image to 2024.03.02. You can pull the new version of tag dev-45 or use tag dev-45-2024-04-04

rbnet commented 7 months ago

Got an error with version dev-45-2024-04-04:

...
stdout 05/04/2024 08:54:10  [✗] DNS service is NOT running
stdout 05/04/2024 08:54:10
stderr 05/04/2024 08:54:10 fatal: unable to access 'https://github.com/pi-hole/pi-hole/': Could not resolve host: github.com
stderr 05/04/2024 08:54:10 fatal: unable to access 'https://github.com/pi-hole/web/': Could not resolve host: github.com
stderr 05/04/2024 08:54:10 ./run: line 41:   337 Real-time signal 2      capsh --user=$DNSMASQ_USER --keep=1 -- -c "/usr/bin/pihole-FTL $FTL_CMD >/dev/null 2>&1"
stdout 05/04/2024 08:54:10 Stopping pihole-FTL
stderr 05/04/2024 08:54:10 pihole-FTL: no process found
stdout 05/04/2024 08:54:10 Stopping lighttpd
stderr 05/04/2024 08:54:10 lighttpd: no process found
stderr 05/04/2024 08:54:11 ./run: line 41:   488 Real-time signal 2      capsh --user=$DNSMASQ_USER --keep=1 -- -c "/usr/bin/pihole-FTL $FTL_CMD >/dev/null 2>&1"
stdout 05/04/2024 08:54:11 Stopping pihole-FTL
...

No problems with the previous version dev-45-2024-02-28 or the latest 2024.03.02.

aleksanderbl29 commented 7 months ago

I can't seem to reproduce the error. Do you see any errors prior to the notification that the DNS service is not running?

rbnet commented 7 months ago

Sorry, I was a bit hurried earlier in posting the log. That is the complete log:

s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service legacy-cont-init: starting
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service cron: starting
s6-rc: info: service cron successfully started
s6-rc: info: service _uid-gid-changer: starting
  [i] Changing ID for user: www-data (33 => 999)
configuration error - unknown item 'NONEXISTENT' (notify administrator)
s6-rc: info: service _uid-gid-changer successfully started
s6-rc: info: service _startup: starting
  [i] Starting docker specific checks & setup for docker pihole/pihole
  [i] Setting capabilities on pihole-FTL where possible
  [!] WARNING: Unable to set capabilities for pihole-FTL.
              Please ensure that the container has the required capabilities.
s6-rc: info: service _startup successfully started
s6-rc: info: service pihole-FTL: starting
s6-rc: info: service pihole-FTL successfully started
s6-rc: info: service lighttpd: starting
s6-rc: info: service lighttpd successfully started
s6-rc: info: service _postFTL: starting
s6-rc: info: service _postFTL successfully started
s6-rc: info: service legacy-services: starting
  Checking if custom gravity.db is set in /etc/pihole/pihole-FTL.conf
services-up: info: copying legacy longrun unbound (no readiness notification)
s6-rc: info: service legacy-services successfully started
Starting unbound
  [i] Neutrino emissions detected...
  [✓] Pulling blocklist source list into range

  [✓] Preparing new gravity database
  [✓] Creating new gravity databases
  [i] Using libz compression

  [i] Target: https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
  [✗] Status: Connection Refused
  [✗] List download failed: using previously cached list
Stopping lighttpd
lighttpd: no process found
  [✓] Parsed 131355 exact domains and 0 ABP-style domains (ignored 1 non-domain entries)
      Sample of non-domain entries:
        - "0.0.0.0"

./run: line 41:   165 Real-time signal 2      capsh --user=$DNSMASQ_USER --keep=1 -- -c "/usr/bin/pihole-FTL $FTL_CMD >/dev/null 2>&1"
Stopping pihole-FTL

  [✗] Unable to update status of adlist with ID 1 in database /etc/pihole/gravity.db_temp

  [✓] Cleaning up stray matter
  [✗] DNS service is NOT running
./run: line 41:   287 Real-time signal 2      capsh --user=$DNSMASQ_USER --keep=1 -- -c "/usr/bin/pihole-FTL $FTL_CMD >/dev/null 2>&1"
Stopping pihole-FTL
pihole-FTL: no process found
Stopping lighttpd
lighttpd: no process found
./run: line 41:   342 Real-time signal 2      capsh --user=$DNSMASQ_USER --keep=1 -- -c "/usr/bin/pihole-FTL $FTL_CMD >/dev/null 2>&1"
Stopping pihole-FTL
pihole-FTL: no process found
Stopping lighttpd
lighttpd: no process found
...

Note that my configuration is quite customized, but aside from the workaround to avoid the "attempt to write a readonly database" error that affects every one of my pihole installations on Raspberry Pi 5 and the fact that I use Pi-Hole as a DHCP server for my LAN (so I'm forced to use dhcphelper as a dhcp relay), the rest is pretty standard. The strange thing is that it is only the latest dev-45 version that does not work and returns the error given above.

services:

  pihole:
    image: aleksanderbl/pihole-unbound:dev-45
    container_name: pihole
    hostname: pihole
    ipc: private
    cap_add:
        - NET_ADMIN
    depends_on:
      - dhcphelper
    entrypoint:
      - /bin/bash
      - -c
      - ./s6-init
    environment:
      - FTLCONF_LOCAL_IPV4=${FTLCONF_LOCAL_IPV4}
      - TZ=${TZ:-UTC}
      - DNSSEC="false"
      - DNS1=127.0.0.1#5335
      - DNS2=127.0.0.1#5335
      - PATH=${PATH}
      - PHP_ERROR_LOG=${PHP_ERROR_LOG}
      - IPv6=${IPv6}
      - DNSMASQ_USER=${DNSMASQ_USER}
      - DNSMASQ_LISTENING=all
      - WEBPASSWORD_FILE=/run/secrets/pihole_webpw
      - WEBTHEME=${WEBTHEME}
      # Avoid error "attempt to write a readonly database"
      #- PIHOLE_UID=1000
      #- PIHOLE_GID=1000
      - WEB_UID=999
      #- WEB_GID=1000
    networks:
      pihole_network:
        ipv4_address: 172.31.0.10
    ports:
      - 53:53/tcp
      - 53:53/udp
      - ${PIHOLE_WEBPORT}:80/tcp
    dns: 127.0.0.1 # avoid "DNS resolution is currently unavailable" error
    volumes:
      - ./config/dns:/etc/dnsmasq.d
      - ./config:/etc/pihole
      - ./config/01-memory.ini:/etc/php/7.4/cgi/conf.d/01-memory.ini
    restart: always
    secrets:
      - pihole_webpw
    labels:
      - "diun.enable=true"

  dhcphelper:
    container_name: dhcphelper
    network_mode: "host"
    image: homeall/dhcphelper:latest
    environment:
      - IP=172.31.0.10
      - TZ=${TZ:-UTC}
    labels:
      - "diun.enable=true"
    cap_add:
      - NET_ADMIN
    restart: always

networks:
  pihole_network:
    name: pihole_network
    ipam:
      config:
        - subnet: 172.31.0.0/16

secrets:
  pihole_webpw:
    file: ${SECRETSDIR}/pihole_webpw.txt

aleksanderbl29 commented 7 months ago

The strange thing is that it is only the latest dev-45 version that does not work and returns the error given above.

I have tried multiple times with different images and can't get this error to show. Can you try building the image locally from the dockerfile? I have also rebuilt the image available at dev-45 (can also be found as dev-45-2024-04-06). Please try again with this one

rbnet commented 7 months ago

I think that the problem does not depend on your Unbound implementation, but on something introduced in Sid that clashes with my configuration. I ran a few tests:

Host: Raspberry Pi 5 (arm64) with Raspberry OS Lite (Bookworm).

the latest dev-45 doesn't work, but since it has changed practically nothing I expected that
building using repositories from Debian Sid (unbound 1.19.2), same error
building using Debian testing/Trixie (unbound 1.19.1), works without any problem

No errors are reported during the build other than the ones below, which are present in all versions (eg. from image based on Debian Sid):

...
#7 30.79 Setting up unbound (1.19.2-1) ...
#7 30.86 configuration error - unknown item 'NONEXISTENT' (notify administrator)
#7 30.88 configuration error - unknown item 'NONEXISTENT' (notify administrator)
#7 31.16 invoke-rc.d: could not determine current runlevel
#7 31.17 invoke-rc.d: policy-rc.d denied execution of start.
#7 31.17 Processing triggers for libc-bin (2.37-15.1) ...
#7 DONE 31.4s

Then I realized that with the Debian Sid-based image, I had this warning when starting the container:

...
[i] Starting docker specific checks & setup for docker pihole/pihole
[i] Setting capabilities on pihole-FTL where possible
[!] WARNING: Unable to set capabilities for pihole-FTL.
             Please ensure that the container has the required capabilities.
...

while normally it should appear similar to the following:

...
[i] Starting docker specific checks & setup for docker pihole/pihole
[i] Setting capabilities on pihole-FTL where possible
[i] Applying the following caps to pihole-FTL:
      * CAP_CHOWN
      * CAP_NET_BIND_SERVICE
      * CAP_NET_RAW
      * CAP_NET_ADMIN
...

A little search led me to https://github.com/pi-hole/docker-pi-hole/issues/963 and a number of similar comments in the Pi-Hole GitHub repo. I wasn't able to solve it 100%, but I made some progress by playing with the DNSMASQ_USER, PIHOLE_UID/GID and WEB_UID/GID envs values. Waiting to find a final fix I am using the local build with Debian testing.

aleksanderbl29 commented 7 months ago

Looks like you're on the right track. Now that unbound 1.19.1 is in the trixie distribution i will let the image use that instead. I figure that it would be marginally more stable than the absolute cutting edge. The new image will be published tonight

github-actions[bot] commented 2 months ago

This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!

Please read this blog post to see the reasons why I mark issues as stale.