Is there an option in unbound to do this?
CVE 2023-50868 and CVE 2023-50387 in dnsmasq when DNSSEC is enabled
- Thread starter RMerlin
- Start date
Unbound - Howto Turn Off DNSSEC
If you find yourself having problems while DNSSEC is configured and you have carefully assessed that the problems have to do with the validation, and have assessed you are not under attack, you may want to follow one of the following steps to disable DNSSEC. Please be warned, do not …
shabbs
Very Senior Member
5.25.1 released a couple of days ago to address the "resource limit exceeded" messages...
Release Pi-hole FTL v5.25.1 · pi-hole/FTL
What's Changed Fix spurious "resource limit exceeded" messages (v5 backport) by @DL6ER in #1893 Full Changelog: v5.25...v5.25.1
github.com
sfx2000
Part of the Furniture
Should note that this is not just DNSMASQ, most of the other resolvers that support DNSSEC have the same issue...
Anyways, here's the relevant links to the disclosures/CVE's...
NVD - CVE-2023-50387
nvd.nist.gov
NVD - CVE-2023-50868
nvd.nist.gov
I did option 3 by commenting that line in the config file. Is that the right thing to do?Unbound - Howto Turn Off DNSSEC
If you find yourself having problems while DNSSEC is configured and you have carefully assessed that the problems have to do with the validation, and have assessed you are not under attack, you may want to follow one of the following steps to disable DNSSEC. Please be warned, do not …www.nlnetlabs.nl
#module-config: "respip validator iterator" # v1.08 add 'respip' for rpz feature @juched
5.25.1 released a couple of days ago to address the "resource limit exceeded" messages...
Release Pi-hole FTL v5.25.1 · pi-hole/FTL
What's Changed Fix spurious "resource limit exceeded" messages (v5 backport) by @DL6ER in #1893 Full Changelog: v5.25...v5.25.1
@RMerlin FYI?
shabbs
Very Senior Member
This is a pi-hole specific update... Eric's updated build has this this fix in it.
I'm even ahead of FTL...
History for release/src/router/dnsmasq - RMerl/asuswrt-merlin.ng
Third party firmware for Asus routers (newer codebase) - History for release/src/router/dnsmasq - RMerl/asuswrt-merlin.ng
github.com
sfx2000
Part of the Furniture
OpenWRT has merged in their fixes with an updated dnsmasq to v2.90 to Master - I suspect the next point release should include it.
Code:
commit 838a27f64f56e75aae98a3ab2556856224d48d8b
Author: Nathaniel Wesley Filardo <nwfilardo@gmail.com>
Date: Sun Feb 18 13:12:10 2024 +0000
dnsmasq: version 2.90
Bump to 2.90 to get upstream's fix for DNSSEC KeyTrap (CVE-2023-50387,
CVE-2023-50868) among many other goodies and fixes (notably, upstream
568fb024... fixes a UAF in cache_remove_uid that was routinely crashing
dnsmasq in my deployment).
Catch up our 200-ubus_dns.patch, too.
Signed-off-by: Nathaniel Wesley Filardo <nwfilardo@gmail.com>sfx2000
Part of the Furniture
OpenWRT is important as both Mediatek and Qualcomm base their SDK's on OpenWRT.
The public Master has the fix checked in, and this, as I mentioned should be available on the Release Branch on their next release...
Remember that OpenWRT has to support a panoply of chipsets/SoC's and Architectures, so sometimes things might be delayed due to testing across those architectures...
Similar threads
Similar threads
| Thread starter | Title | Forum | Replies | Date |
|---|---|---|---|---|
| D | CVSS High 8.1 - CVE-2015-8960 with firmware 3004.388.8_2 | Asuswrt-Merlin | 6 | |
| N | Is this a concern for those of us using Merlin firmware? (CVE-2024-3080) | Asuswrt-Merlin | 29 | |
|
"State of the router 2023"? | Asuswrt-Merlin | 2 |
Similar threads
-
CVSS High 8.1 - CVE-2015-8960 with firmware 3004.388.8_2
- Started by datorexpert67
- Replies: 6
-
Is this a concern for those of us using Merlin firmware? (CVE-2024-3080)
- Started by n2ubp
- Replies: 29
-