DNSSEC vulnerabilities

[MaoriPanda]

The security cases which refer to this are CVE-2023-50387 and CVE-2023-50868. Both vulnerabilities are remote exploitable and rated “high” severity. But Ubound 1.19.1 fixes these

[ZSamuels28]

@aleksanderbl29 please update Unbound and PiHole. Looks like there is a new version of Unbound and PiHole FTL v5.25

[aleksanderbl29]

Thank you for bringing this to my attention. A new release is on the way - will be on dockerhub shortly

[aleksanderbl29]

A new release is on the way - will be on dockerhub shortly

Please let me know if you experience any issues

[ZSamuels28]

Thanks! Upgraded and so far so good.

[MaoriPanda]

Unbound is still on 1.17.1

…

On Wed, Feb 14, 2024, 10:32 PM Aleksander Bang-Larsen < ***@***.***> wrote: A new release is on the way - will be on dockerhub shortly Please let me know if you experience any issues — Reply to this email directly, view it on GitHub <#40 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AN4VVNFCMPY6H5SSRQRITOLYTWTYFAVCNFSM6AAAAABDHR5CRGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSNBVGQ2DSNRYGU> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[vwfast]

Unbound is still on 1.17.1
…
On Wed, Feb 14, 2024, 10:32 PM Aleksander Bang-Larsen < @.> wrote: A new release is on the way - will be on dockerhub shortly Please let me know if you experience any issues — Reply to this email directly, view it on GitHub <#40 (comment)>, or unsubscribe https://github.com/notifications/unsubscribe-auth/AN4VVNFCMPY6H5SSRQRITOLYTWTYFAVCNFSM6AAAAABDHR5CRGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSNBVGQ2DSNRYGU . You are receiving this because you authored the thread.Message ID: @.>

The Dockerfile is installing Unbound using the command below:
RUN apt-get update && apt-get -t bullseye-backports install -y unbound

And the unbound Debian bullseye-backport package hasn't been updated yet.
https://packages.debian.org/bullseye-backports/unbound

Here's the tracking page for unbound
https://tracker.debian.org/pkg/unbound

[aleksanderbl29]

And the unbound Debian bullseye-backport package hasn't been updated yet.

I will change the install method so that the image uses the bookworm-repo and then I will update this image when 1.19.1 is pushed to this tag. It seems to currently be in the unstable sid channel which I will not base the image on

[aleksanderbl29]

I have now published dev-pr-45-2024-02-18 that has unbound version 1.19.1 installed. You are all free to use it until it ships with the latest version of the image

[MaoriPanda]

Awesome, thanks for the update!

…

On Sun, Feb 18, 2024, 2:10 PM Aleksander Bang-Larsen < ***@***.***> wrote: I have now published dev-pr-45-2024-02-18 <https://hub.docker.com/layers/aleksanderbl/pihole-unbound/dev-pr-45-2024-02-18/images/sha256-a1dffb4cc7208d2868f7efc6afa36dcca4bfa93daf277a673f517549775f2b37?context=explore> that has unbound version 1.19.1 installed. You are all free to use it until it ships with the *latest* version of the image — Reply to this email directly, view it on GitHub <#40 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AN4VVNEB2CPNHB23JZQV2ODYUJ34PAVCNFSM6AAAAABDHR5CRGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSNJRGQ3DANRXGE> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[aleksanderbl29]

I have now updated the underlying image to pihole:2024.02.2. The appropriate image is now dev-45-2024-02-28.
A tag called dev-45 is also now available and will contain all further image updates with the sid repository (and therefore also the 1.19.1 version of unbound for the time being)

[vwfast]

Thanks for all of your efforts! I deployed dev-45 shortly after you posted it yesterday. No issues to report.

[aleksanderbl29]

I have now updated the base image to 2024.03.02. You can pull the new version of tag dev-45 or use tag dev-45-2024-04-04

[rbnet]

Got an error with version dev-45-2024-04-04:

...
stdout 05/04/2024 08:54:10  [✗] DNS service is NOT running
stdout 05/04/2024 08:54:10
stderr 05/04/2024 08:54:10 fatal: unable to access 'https://github.com/pi-hole/pi-hole/': Could not resolve host: github.com
stderr 05/04/2024 08:54:10 fatal: unable to access 'https://github.com/pi-hole/web/': Could not resolve host: github.com
stderr 05/04/2024 08:54:10 ./run: line 41:   337 Real-time signal 2      capsh --user=$DNSMASQ_USER --keep=1 -- -c "/usr/bin/pihole-FTL $FTL_CMD >/dev/null 2>&1"
stdout 05/04/2024 08:54:10 Stopping pihole-FTL
stderr 05/04/2024 08:54:10 pihole-FTL: no process found
stdout 05/04/2024 08:54:10 Stopping lighttpd
stderr 05/04/2024 08:54:10 lighttpd: no process found
stderr 05/04/2024 08:54:11 ./run: line 41:   488 Real-time signal 2      capsh --user=$DNSMASQ_USER --keep=1 -- -c "/usr/bin/pihole-FTL $FTL_CMD >/dev/null 2>&1"
stdout 05/04/2024 08:54:11 Stopping pihole-FTL
...

No problems with the previous version dev-45-2024-02-28 or the latest 2024.03.02.

[aleksanderbl29]

I can't seem to reproduce the error.
Do you see any errors prior to the notification that the DNS service is not running?

[rbnet]

Sorry, I was a bit hurried earlier in posting the log. That is the complete log:

s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service legacy-cont-init: starting
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service cron: starting
s6-rc: info: service cron successfully started
s6-rc: info: service _uid-gid-changer: starting
  [i] Changing ID for user: www-data (33 => 999)
configuration error - unknown item 'NONEXISTENT' (notify administrator)
s6-rc: info: service _uid-gid-changer successfully started
s6-rc: info: service _startup: starting
  [i] Starting docker specific checks & setup for docker pihole/pihole
  [i] Setting capabilities on pihole-FTL where possible
  [!] WARNING: Unable to set capabilities for pihole-FTL.
              Please ensure that the container has the required capabilities.
s6-rc: info: service _startup successfully started
s6-rc: info: service pihole-FTL: starting
s6-rc: info: service pihole-FTL successfully started
s6-rc: info: service lighttpd: starting
s6-rc: info: service lighttpd successfully started
s6-rc: info: service _postFTL: starting
s6-rc: info: service _postFTL successfully started
s6-rc: info: service legacy-services: starting
  Checking if custom gravity.db is set in /etc/pihole/pihole-FTL.conf
services-up: info: copying legacy longrun unbound (no readiness notification)
s6-rc: info: service legacy-services successfully started
Starting unbound
  [i] Neutrino emissions detected...
  [✓] Pulling blocklist source list into range

  [✓] Preparing new gravity database
  [✓] Creating new gravity databases
  [i] Using libz compression

  [i] Target: https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
  [✗] Status: Connection Refused
  [✗] List download failed: using previously cached list
Stopping lighttpd
lighttpd: no process found
  [✓] Parsed 131355 exact domains and 0 ABP-style domains (ignored 1 non-domain entries)
      Sample of non-domain entries:
        - "0.0.0.0"

./run: line 41:   165 Real-time signal 2      capsh --user=$DNSMASQ_USER --keep=1 -- -c "/usr/bin/pihole-FTL $FTL_CMD >/dev/null 2>&1"
Stopping pihole-FTL

  [✗] Unable to update status of adlist with ID 1 in database /etc/pihole/gravity.db_temp
  
  [✓] Cleaning up stray matter
  [✗] DNS service is NOT running
./run: line 41:   287 Real-time signal 2      capsh --user=$DNSMASQ_USER --keep=1 -- -c "/usr/bin/pihole-FTL $FTL_CMD >/dev/null 2>&1"
Stopping pihole-FTL
pihole-FTL: no process found
Stopping lighttpd
lighttpd: no process found
./run: line 41:   342 Real-time signal 2      capsh --user=$DNSMASQ_USER --keep=1 -- -c "/usr/bin/pihole-FTL $FTL_CMD >/dev/null 2>&1"
Stopping pihole-FTL
pihole-FTL: no process found
Stopping lighttpd
lighttpd: no process found
...

Note that my configuration is quite customized, but aside from the workaround to avoid the "attempt to write a readonly database" error that affects every one of my pihole installations on Raspberry Pi 5 and the fact that I use Pi-Hole as a DHCP server for my LAN (so I'm forced to use dhcphelper as a dhcp relay), the rest is pretty standard. The strange thing is that it is only the latest dev-45 version that does not work and returns the error given above.

services:

  pihole:
    image: aleksanderbl/pihole-unbound:dev-45
    container_name: pihole
    hostname: pihole
    ipc: private
    cap_add:
        - NET_ADMIN
    depends_on:
      - dhcphelper
    entrypoint:
      - /bin/bash
      - -c
      - ./s6-init
    environment:
      - FTLCONF_LOCAL_IPV4=${FTLCONF_LOCAL_IPV4}
      - TZ=${TZ:-UTC}
      - DNSSEC="false"
      - DNS1=127.0.0.1#5335
      - DNS2=127.0.0.1#5335
      - PATH=${PATH}
      - PHP_ERROR_LOG=${PHP_ERROR_LOG}
      - IPv6=${IPv6}
      - DNSMASQ_USER=${DNSMASQ_USER}
      - DNSMASQ_LISTENING=all
      - WEBPASSWORD_FILE=/run/secrets/pihole_webpw
      - WEBTHEME=${WEBTHEME}
      # Avoid error "attempt to write a readonly database"
      #- PIHOLE_UID=1000
      #- PIHOLE_GID=1000
      - WEB_UID=999
      #- WEB_GID=1000
    networks:
      pihole_network:
        ipv4_address: 172.31.0.10
    ports:
      - 53:53/tcp
      - 53:53/udp
      - ${PIHOLE_WEBPORT}:80/tcp
    dns: 127.0.0.1 # avoid "DNS resolution is currently unavailable" error
    volumes:
      - ./config/dns:/etc/dnsmasq.d
      - ./config:/etc/pihole
      - ./config/01-memory.ini:/etc/php/7.4/cgi/conf.d/01-memory.ini
    restart: always
    secrets:
      - pihole_webpw
    labels:
      - "diun.enable=true"

  dhcphelper:
    container_name: dhcphelper
    network_mode: "host"
    image: homeall/dhcphelper:latest
    environment:
      - IP=172.31.0.10
      - TZ=${TZ:-UTC}
    labels:
      - "diun.enable=true"
    cap_add:
      - NET_ADMIN
    restart: always

networks:
  pihole_network:
    name: pihole_network
    ipam:
      config:
        - subnet: 172.31.0.0/16

secrets:
  pihole_webpw:
    file: ${SECRETSDIR}/pihole_webpw.txt

[aleksanderbl29]

The strange thing is that it is only the latest dev-45 version that does not work and returns the error given above.

I have tried multiple times with different images and can't get this error to show. Can you try building the image locally from the dockerfile?
I have also rebuilt the image available at dev-45 (can also be found as dev-45-2024-04-06). Please try again with this one

[rbnet]

I think that the problem does not depend on your Unbound implementation, but on something introduced in Sid that clashes with my configuration. I ran a few tests:

Host: Raspberry Pi 5 (arm64) with Raspberry OS Lite (Bookworm).

• the latest dev-45 doesn't work, but since it has changed practically nothing I expected that
• building using repositories from Debian Sid (unbound 1.19.2), same error
• building using Debian testing/Trixie (unbound 1.19.1), works without any problem

No errors are reported during the build other than the ones below, which are present in all versions (eg. from image based on Debian Sid):

...
#7 30.79 Setting up unbound (1.19.2-1) ...
#7 30.86 configuration error - unknown item 'NONEXISTENT' (notify administrator)
#7 30.88 configuration error - unknown item 'NONEXISTENT' (notify administrator)
#7 31.16 invoke-rc.d: could not determine current runlevel
#7 31.17 invoke-rc.d: policy-rc.d denied execution of start.
#7 31.17 Processing triggers for libc-bin (2.37-15.1) ...
#7 DONE 31.4s

Then I realized that with the Debian Sid-based image, I had this warning when starting the container:

...
[i] Starting docker specific checks & setup for docker pihole/pihole
[i] Setting capabilities on pihole-FTL where possible
[!] WARNING: Unable to set capabilities for pihole-FTL.
             Please ensure that the container has the required capabilities.
...

while normally it should appear similar to the following:

...
[i] Starting docker specific checks & setup for docker pihole/pihole
[i] Setting capabilities on pihole-FTL where possible
[i] Applying the following caps to pihole-FTL:
      * CAP_CHOWN
      * CAP_NET_BIND_SERVICE
      * CAP_NET_RAW
      * CAP_NET_ADMIN
...

A little search led me to pi-hole/docker-pi-hole#963 and a number of similar comments in the Pi-Hole GitHub repo. I wasn't able to solve it 100%, but I made some progress by playing with the DNSMASQ_USER, PIHOLE_UID/GID and WEB_UID/GID envs values. Waiting to find a final fix I am using the local build with Debian testing.

[aleksanderbl29]

Looks like you're on the right track. Now that unbound 1.19.1 is in the trixie distribution i will let the image use that instead. I figure that it would be marginally more stable than the absolute cutting edge. The new image will be published tonight

[github-actions]

This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!

Please read this blog post to see the reasons why I mark issues as stale.

[aqtoo]

Is there any update to updating to the latest version of unbound? I just tried dev-67 yet it seems to still be on unbuond 1.17.1

[aleksanderbl29]

Hi @aqtoo
Please try dev-45. I haven't cleaned up the dev-releases in a while. I will do that :)

[aqtoo]

Thanks for replying, I'll try when home, is dev-45 running the latest pihole 2024.07.0? or is it running 2024.06.0 due to being last committed 5 months ago?

Lemme know if you can! I'm just double checking.

[aleksanderbl29]

I have just updated the image to use 2024.07.0. The new image should be published as dev-45 later today.

Thanks for noticing

[aqtoo]

No problem, thanks for updating!

[aqtoo]

@aleksanderbl29 any update on the new dev-45 build? or will it take longer than today?

[aleksanderbl29]

@aleksanderbl29 any update on the new dev-45 build? or will it take longer than today?

Oh sorry. Looks like the build with the updated image failed. I will take a look at it tomorrow before lunch.

[aqtoo]

Much thanks, just thought I'd let you know.

[aleksanderbl29]

Quick update.
I get an error that unbound cannot be installed. I can't seem to figure out how to fix it. It's probably something simple I am missing. Thus no new image today :)

Here is the errors if anyone has any ideas.

5.630 Preparing to unpack .../base-files_13.5_arm64.deb ...
5.643
5.643
5.643 ******************************************************************************
5.643 *
5.643 * The base-files package cannot be installed because
5.643 * /bin is a directory, but should be a symbolic link.
5.643 *
5.643 * Please install the usrmerge package to convert this system to merged-/usr.
5.643 *
5.643 * For more information please read https://wiki.debian.org/UsrMerge.
5.643 *
5.643 ******************************************************************************
5.643
5.643
5.643 dpkg: error processing archive /var/cache/apt/archives/base-files_13.5_arm64.deb (--unpack):
5.643  new base-files package pre-installation script subprocess returned error exit status 1
5.659 Errors were encountered while processing:
5.659  /var/cache/apt/archives/base-files_13.5_arm64.deb
5.674 E: Sub-process /usr/bin/dpkg returned an error code (1)

------
Dockerfile:11
--------------------
  10 |     # RUN apt-get upgrade -y
  11 | >>> RUN apt-get -t trixie install -y unbound -V
  13 |
  14 |     COPY lighttpd-external.conf /etc/lighttpd/external.conf
--------------------
ERROR: failed to solve: process "/bin/bash -c apt-get install -y unbound -V" did not complete successfully: exit code: 100