Mitigate A New CERT Vulnerability (#598349) With An Entry In /etc/hosts

I don't believe there is any intent to do so. The post was for awareness of the issue.

Pointless for now, you might want to bookmark this for later...

dnsmasq 2.80 will have protection for the wpad vulnerability

from the changelog:

Include in the example config file a formulation which
stops DHCP clients from claiming the DNS name "wpad".
This is a fix for the CERT Vulnerability VU#598349.

from the sample config file:

# Send an empty WPAD option. This may be REQUIRED to get windows 7 to behave.
#dhcp-option=252,"\n"

and

# If a DHCP client claims that its name is "wpad", ignore that.
# This fixes a security hole. see CERT Vulnerability VU#598349
#dhcp-name-match=set:wpad-ignore,wpad
#dhcp-ignore-names=tag:wpad-ignore

Unfortunately, this will require pihole-FTL to adopt the changes from dnsmasq 2.80, which hasn't been released yet (test releases available).


That works with Dnsmasq version 2.80test3, thanks for the hint!
Just added that string to /etc/dnsmasq.conf (that was OpenWRT, not Pi-hole).

After noticing wpad turn up near the top of my 'Permitted Domains' yesterday, I followed the suggestion:

You can mitigate this vulnerability today by adding these two lines to your /etc/hosts file:

0.0.0.0 wpad wpad.example.com
:: wpad wpad.example.com

Now I have wpad.myLocal.isp.... at the top of my 'Blocked Domains' list, but it has gone from reporting something like 130 queries Permitted, to 3200 Blocked. AND the summary at the top now shows near 50% of my requests are blocked.

This seems like a loop got introduced into the system.

I have commented out the additions to the /etc/hosts file AND, following advice below, I have added a regex for ^wpad(\.|$) in the blacklist. I also noticed there was an explicit block for wpad.myLocal.IsP... in that list (I guess I clicked on the BlackList button in the query Log).

So my current config is now: standard /etc/hosts file and 2 entries in the blacklist. Should I remove the explicit entry and rely only on the regex?

This is Pi-hole Version v4.2.1 Web Interface Version v4.2 FTL Version v4.2.2

Thanks for any ideas/comments/help ; -)

@anon55913113,

Arg. Right after I posted the above message, my Odroid went off-line and I'll have to wait until tomorrow to connect with an HDMI to see what is happening. (The Odroid does reply to ping, go figure!)


Do you have an example of a permitted wpad?

I'm not absolutely sure what you mean by "permitted", but I had entries for both wpad and wpad.hsdl.il.comcast.net (or very similar) appear in the 'Permitted Domains' (I'm assuming that is what you mean). When I could last see the pi-hole dashboard, all references to wpad had moved to the 'Blocked Domains'.


As far as the regex, I'm terrible with networking issues, but pretty good with regexes. ; -)
I read the regex you recommend as requiring a trailing . (dot) char, whereas my regex is meant to match either the plain string wpad OR wpad. (with the trailing dot).

As I have seen both plain wpad and wpad.hsdl.... appear in the Permitted list, I think I need both versions. Are the rules for pi-hole's regexes different than standard linux regex?

Thanks for reading and commenting.

Pi-Hole uses POSIX ERE.

Is this fix no longer needed with the latest pihole version?
I have the below in /etc/hosts

# Cert vulnerability 598349
0.0.0.0 wpad
:: wpad

I see there is an entry in /etc/dnsmasq.d/01-pihole.conf

You do not need to have the entries in /etc/hosts anymore, as you have found they are part of the default configuration.

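An added example, not code from the thread or from the Pi-hole project: a small POSIX sh script that exercises the ^wpad(\.|$) blacklist regex discussed above with grep -E (POSIX ERE, the dialect Pi-hole uses), and checks whether a dnsmasq config fragment has the two wpad-ignore directives from the 2.80 sample file active rather than commented out. The hostnames and config strings are constructed samples; the function names are assumptions of this example.

```sh
#!/bin/sh
# Regex recommended in the thread for the Pi-hole regex blacklist (POSIX ERE).
WPAD_RE='^wpad(\.|$)'

# Exit 0 if NAME would be caught by the regex, 1 otherwise.
# grep -E evaluates POSIX ERE, the same dialect Pi-hole's regex blacklist uses.
wpad_matches() {
    printf '%s\n' "$1" | grep -Eq "$WPAD_RE"
}

# Exit 0 if the dnsmasq config text given as $1 has BOTH wpad-ignore directives
# active (at line start, not commented out with '#'), 1 otherwise.
dnsmasq_wpad_protected() {
    printf '%s\n' "$1" | grep -Eq '^dhcp-name-match=set:wpad-ignore,wpad' &&
    printf '%s\n' "$1" | grep -Eq '^dhcp-ignore-names=tag:wpad-ignore'
}

# Constructed sample: directives still commented out, as shipped in the
# dnsmasq 2.80 example config file (no protection yet).
SAMPLE_CONF_COMMENTED='#dhcp-name-match=set:wpad-ignore,wpad
#dhcp-ignore-names=tag:wpad-ignore'

# Constructed sample: directives enabled (what an active mitigation looks like).
SAMPLE_CONF_ACTIVE='dhcp-name-match=set:wpad-ignore,wpad
dhcp-ignore-names=tag:wpad-ignore'

demo() {
    # Plain "wpad", "wpad." and "wpad.<suffix>" match; names that merely
    # contain or start with "wpad" as part of a longer label do not.
    for name in wpad wpad. wpad.example.com wpad.hsdl.il.comcast.net \
                notwpad wpadx.lan www.wpad.lan; do
        if wpad_matches "$name"; then
            echo "blocked  $name"
        else
            echo "allowed  $name"
        fi
    done
    if dnsmasq_wpad_protected "$SAMPLE_CONF_ACTIVE"; then
        echo "active config:    wpad names from DHCP clients are ignored"
    fi
    if ! dnsmasq_wpad_protected "$SAMPLE_CONF_COMMENTED"; then
        echo "commented config: NOT protected (directives still commented out)"
    fi
}

demo
```

To check a real file, pass its contents, e.g. dnsmasq_wpad_protected "$(cat /etc/dnsmasq.d/01-pihole.conf)".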