⚠️ Security Advisory
Date: March 6, 2026 | Severity: High
Affected: Pi-hole v5.18 and earlier | Fixed: v5.19+

🎯 The Vulnerability

DNS Cache Poisoning via Malicious Upstream Response

A crafted response from an upstream DNS server (or from an attacker able to impersonate one) can plant false records in Pi-hole's cache, because of how the dnsmasq embedded in pihole-FTL handles certain edge cases in upstream responses. Once a poisoned record is cached, every client using the Pi-hole receives it until it expires or the cache is flushed.

Impact

  • ❌ Users redirected to phishing sites
  • ❌ Malware downloads from fake update servers
  • ❌ Credential harvesting
  • ❌ Man-in-the-middle attacks

🔍 Check If You're Affected

docker exec pihole pihole version

# Vulnerable: v5.18 or earlier
# Safe: v5.19 or later

✅ Patch Method (Docker)

# 1. Stop the current container; back up its config before removing it
docker stop pihole
cp -a /home/henry/pihole/etc-pihole /home/henry/pihole/etc-pihole.bak-$(date +%F)
docker rm pihole

# 2. Pull the fixed image (pin an explicit tag instead of :latest if you want
#    to control when the next major release lands)
docker pull pihole/pihole:latest

# 3. Recreate with the same config
docker run -d \
  --name pihole \
  -p 53:53/tcp -p 53:53/udp \
  -p 8082:80/tcp \
  -e TZ="Asia/Shanghai" \
  -e DNS1="114.114.114.114" \
  -e DNS2="223.5.5.5" \
  -v /home/henry/pihole/etc-pihole:/etc/pihole \
  -v /home/henry/pihole/etc-dnsmasq.d:/etc/dnsmasq.d \
  --restart=unless-stopped \
  pihole/pihole:latest
# DNS1/DNS2 are the legacy variable names; the v5 image prefers PIHOLE_DNS_="114.114.114.114;223.5.5.5".
# The second -v keeps custom drop-ins under /etc/dnsmasq.d (such as a DNSSEC file) across recreations.

🔧 Additional Hardening

1. Enable DNSSEC

The supported way on v5 is the web UI (Settings > DNS > "Use DNSSEC") or, on the Docker image, `-e DNSSEC=true` on the container; either writes `dnssec` plus the root trust anchor into /etc/dnsmasq.d/01-pihole.conf. A hand-written drop-in works too, but it must carry a trust anchor, otherwise dnsmasq has nothing to validate against. Write it into the container and restart the resolver:

docker exec -i pihole sh -c 'cat > /etc/dnsmasq.d/02-dnssec.conf' <<'EOF'
dnssec
# Root zone KSK-2017 DS record, the same anchor Pi-hole writes itself
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
EOF
docker exec pihole pihole restartdns

Two caveats: the file is lost when the container is recreated unless /etc/dnsmasq.d is bind-mounted, and validation only protects zones that are signed; answers for unsigned zones pass through exactly as before.

2. Rate Limiting

Per-client rate limiting is a pihole-FTL setting, not a dnsmasq option. The default is 1000 queries per 60 seconds per client; a client over the limit gets REFUSED replies until the window resets. Set it in /etc/pihole/pihole-FTL.conf (inside the bind-mounted etc-pihole directory), or as -e FTLCONF_RATE_LIMIT="50/10" on the container, then restart:

# /etc/pihole/pihole-FTL.conf
RATE_LIMIT=50/10

docker exec pihole pihole restartdns

50 queries in 10 seconds is tight for a desktop loading a busy page, so watch /var/log/pihole/FTL.log for rate-limiting messages before leaving it that low. This bounds what your own clients can send; it does nothing against poisoned data arriving from upstream.

3. Update Upstream DNS

Validation depends on the upstreams returning DNSSEC records, so prefer resolvers that do:

DNS1: 1.1.1.1          # Cloudflare
DNS2: 9.9.9.9          # Quad9 (also blocks known-malicious domains)
DNS3: 114.114.114.114  # in-country resolver; see caveat below

On the Docker image the list is one variable: -e PIHOLE_DNS_="1.1.1.1;9.9.9.9". Two caveats: dnsmasq does not treat the list as an ordered fallback (without strict-order it forwards to whichever listed servers have been answering, re-probing them periodically), so a third entry is a full peer rather than a backup; and an upstream that strips RRSIG/DS records makes every signed name SERVFAIL whenever a query lands on it. Test each candidate with `dig @<upstream> cloudflare.com +dnssec` and keep only those that return RRSIGs.

📊 Verification

# Check version
docker exec pihole pihole version

# Test DNSSEC against the Pi-hole (192.168.51.74 here)
dig @192.168.51.74 cloudflare.com +dnssec
# Signed, valid zone: header shows "flags: qr rd ra ad" and RRSIG records appear in the answer

dig @192.168.51.74 dnssec-failed.org +dnssec
# Deliberately broken zone: "status: SERVFAIL" and no ad flag.
# If this returns an address, validation is not happening.

dig @192.168.51.74 dnssec-failed.org +dnssec +cd
# Same name with checking disabled: answers again, proving the SERVFAIL above was validation rather than an outage
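The checks above, wrapped into a script that can be re-run after every config change. This is an added example, not code from the Pi-hole project or the original advisory: it assumes the Pi-hole address 192.168.51.74 used on this page and uses cloudflare.com as the known-good signed zone; the embedded dig headers are constructed samples for checking the classifier offline, not captured output.

```shell
#!/usr/bin/env bash
# Added example, not part of the Pi-hole project or the original advisory.
# Confirms the Pi-hole at $RESOLVER is really validating DNSSEC, using three probes:
#   1. a correctly signed name must come back NOERROR with the AD flag
#   2. dnssec-failed.org (deliberately broken signatures) must come back SERVFAIL
#   3. the same broken name with +cd (checking disabled) must answer again,
#      which proves the SERVFAIL in (2) was validation, not an outage
set -u

RESOLVER=${RESOLVER:-192.168.51.74}   # assumed Pi-hole address, taken from the advisory

# Classify one dig response by its header lines. Prints:
#   VALIDATED  NOERROR with the ad flag set
#   BOGUS      SERVFAIL (validation failed)
#   INSECURE   NOERROR without ad (unsigned zone, or checking disabled)
#   OTHER      anything else, including no response at all
classify_dig() {  # classify_dig "<full dig output>"
  status=$(printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1)
  flags=$(printf '%s\n' "$1" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
  case "$status" in
    SERVFAIL) echo BOGUS ;;
    NOERROR)
      case " $flags " in
        *" ad "*) echo VALIDATED ;;
        *)        echo INSECURE ;;
      esac ;;
    *) echo OTHER ;;
  esac
}

query() {  # query NAME [extra dig options...]
  name=$1; shift
  dig @"$RESOLVER" "$name" A +dnssec +time=3 +tries=1 "$@" 2>/dev/null
}

# Run the three live probes; returns 0 only if all three behave as expected.
run_checks() {
  good=$(classify_dig "$(query cloudflare.com)")
  bad=$(classify_dig "$(query dnssec-failed.org)")
  bypass=$(classify_dig "$(query dnssec-failed.org +cd)")
  printf 'cloudflare.com            %-10s (want VALIDATED)\n' "$good"
  printf 'dnssec-failed.org         %-10s (want BOGUS)\n' "$bad"
  printf 'dnssec-failed.org +cd     %-10s (want INSECURE)\n' "$bypass"
  [ "$good" = VALIDATED ] && [ "$bad" = BOGUS ] && [ "$bypass" = INSECURE ]
}

# Constructed dig headers (not captured from a real server) so the classifier
# can be checked offline before trusting it against the live resolver.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# Usage: RESOLVER=192.168.51.74 ./dnssec-check.sh live
if [ "${1:-}" = live ]; then
  run_checks
fi
```

The third probe matters: a SERVFAIL on its own could be an upstream outage, while SERVFAIL that turns into an answer under +cd can only be the resolver refusing to hand out data it could not validate.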

📈 Performance Impact

Metric        Before    After (DNSSEC)    Change
Query time    ~10 ms    ~15 ms            +5 ms
CPU usage     5%        7%                +2%

Impact: minimal, and acceptable for the protection gained. The extra latency comes from the DNSKEY/DS lookups needed to validate a chain the first time a name is resolved; repeat queries are answered from cache.

🚨 If Compromised

  1. Flush the DNS cache (a full FTL restart drops it): docker exec pihole pihole restartdns
  2. Review the query log: docker exec pihole tail -100 /var/log/pihole/pihole.log
     (older v5 releases wrote to /var/log/pihole.log). Look for reply lines whose addresses
     do not match what the domain owner publishes.
  3. Reset the web password (the command prompts, so it needs a TTY): docker exec -it pihole pihole -a -p
  4. Notify users if phishing is suspected, and have them clear browser and OS DNS caches:
     a poisoned record can survive on clients after Pi-hole itself is flushed.
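A more systematic way to do step 2, added here as an example (not code from the Pi-hole project or the original advisory): ask the Pi-hole and an independent validating resolver for the same names and report any difference. The Pi-hole address 192.168.51.74 is the one used on this page; the reference resolver 9.9.9.9 is an assumption, as are the constructed record sets used for the offline demo.

```shell
#!/usr/bin/env bash
# Added example, not code from the Pi-hole project or this advisory.
# Asks the Pi-hole and an independent validating resolver for the A records of
# a few high-value names and reports any difference. A record set that only the
# Pi-hole returns is what a poisoned cache looks like from the outside.
# CDN geo-steering also produces differences, so treat MISMATCH as "investigate
# (whois the addresses, re-check after `pihole restartdns`)", not as proof.
set -u

PIHOLE=${PIHOLE:-192.168.51.74}      # assumed address of the Pi-hole (from the advisory)
REFERENCE=${REFERENCE:-9.9.9.9}      # assumed independent validating resolver

# A records for NAME from SERVER, one per line, sorted. Empty if no answer.
resolve_a() {  # resolve_a SERVER NAME
  dig @"$1" "$2" A +short +time=3 +tries=1 2>/dev/null \
    | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' | sort
}

# Normalise a newline-separated record list: drop blanks, sort, dedupe.
normalise() {  # normalise "RECORDS"
  printf '%s\n' "$1" | sed '/^$/d' | sort -u
}

# Compare two record lists as sets (order-insensitive).
# Prints NOANSWER if the Pi-hole returned nothing, MATCH or MISMATCH otherwise.
classify() {  # classify "PIHOLE_RECORDS" "REFERENCE_RECORDS"
  if [ -z "$(normalise "$1")" ]; then
    echo NOANSWER
  elif [ "$(normalise "$1")" = "$(normalise "$2")" ]; then
    echo MATCH
  else
    echo MISMATCH
  fi
}

# Live check of every name given on the command line; non-zero if any differ.
check_names() {
  rc=0
  for name in "$@"; do
    pi=$(resolve_a "$PIHOLE" "$name")
    ref=$(resolve_a "$REFERENCE" "$name")
    verdict=$(classify "$pi" "$ref")
    printf '%-30s %-9s pihole=[%s] reference=[%s]\n' "$name" "$verdict" \
      "$(printf '%s' "$pi" | tr '\n' ' ')" "$(printf '%s' "$ref" | tr '\n' ' ')"
    [ "$verdict" = MATCH ] || rc=1
  done
  return $rc
}

# Constructed example data (not real DNS answers) so the comparison logic can
# be exercised offline: the Pi-hole returns an address the reference does not.
DEMO_PIHOLE=$(printf '198.51.100.7\n93.184.216.34')
DEMO_REFERENCE=$(printf '93.184.216.34')
demo() { classify "$DEMO_PIHOLE" "$DEMO_REFERENCE"; }

# Usage: ./check-cache.sh <name> [<name> ...]   (the names your users log in to)
if [ $# -gt 0 ]; then
  check_names "$@"
else
  echo "offline demo verdict: $(demo)"
fi
```

Run it before and after `pihole restartdns`: a MISMATCH that disappears after the flush was in Pi-hole's cache; one that persists is either still being served by an upstream or is ordinary CDN steering, which the address owner lookup will settle.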
