Version 4.2 contains a fix for CERT vulnerability VU#598349.
The file /etc/dnsmasq.d/01-pihole.conf should contain the following lines:
# If a DHCP client claims that its name is "wpad", ignore that.
# This fixes a security hole. see CERT Vulnerability VU#598349
dhcp-name-match=set:wpad-ignore,wpad
dhcp-ignore-names=tag:wpad-ignore
I've just noticed in my installed v4.2.1 that the two settings disappeared; only the comment lines exist:
# If a DHCP client claims that its name is "wpad", ignore that.
# This fixes a security hole. see CERT Vulnerability VU#598349
Is it by design that disabling DHCP in Pi-hole will change the lines
# If a DHCP client claims that its name is "wpad", ignore that.
# This fixes a security hole. see CERT Vulnerability VU#598349
dhcp-name-match=set:wpad-ignore,wpad
dhcp-ignore-names=tag:wpad-ignore
in 01-pihole.conf to
# If a DHCP client claims that its name is "wpad", ignore that.
# This fixes a security hole. see CERT Vulnerability VU#598349
?
(Pi-hole Version v4.3, Web Interface Version v4.3, FTL Version v4.3.1)
Thanks for your report. These lines are no longer needed when the DHCP service is disabled; however, they could stay there without any harm and should be re-added when enabling the DHCP server. It is unlikely that there are many users lacking this line, as it will always be re-added either by repairing (pihole -r) or updating (pihole -up) the Pi-hole. At least the latter is something users will typically be doing.
In the past weeks the two lines (dhcp-*) disappeared again (2 times) - see my initially reported issue. With enabled DHCP in Pi-hole the lines disappeared after fiddling around with the predefined resolvers and custom ones. I enabled/added some resolvers, disabled some, saved the changes and the lines in 01-pihole.conf have been removed.
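A check for the regression reported in this thread, as an added example that is not part of the original posts or Pi-hole's own code. The function name check_wpad_fix is hypothetical, and it assumes the DHCP server counts as enabled when any file in the config directory has an active dhcp-range= line (a standard dnsmasq option).

```shell
#!/bin/sh
# Added example: verify that the VU#598349 mitigation lines are present
# whenever dnsmasq is acting as a DHCP server.
# Assumption: an uncommented dhcp-range= line in any file of the config
# directory means the DHCP server is enabled.
#
# Return codes: 0 = OK, 1 = DHCP enabled but a WPAD line is missing,
#               2 = config directory not found.
check_wpad_fix() {
    conf_dir="${1:-/etc/dnsmasq.d}"
    [ -d "$conf_dir" ] || return 2

    # DHCP server off: the two lines are not required, so nothing to flag.
    if ! grep -Eqs -- '^[[:space:]]*dhcp-range=' "$conf_dir"/*; then
        return 0
    fi

    # DHCP server on: both directives must exist as active (uncommented) lines.
    for line in 'dhcp-name-match=set:wpad-ignore,wpad' \
                'dhcp-ignore-names=tag:wpad-ignore'; do
        if ! grep -Fxqs -- "$line" "$conf_dir"/*; then
            echo "missing in $conf_dir: $line" >&2
            return 1
        fi
    done
    return 0
}

# Usage (e.g. from cron, after changing settings in the web interface):
#   check_wpad_fix /etc/dnsmasq.d || echo "re-run: pihole -r"
```

A return code of 1 matches the state described in the last post: DHCP enabled, but only the comment lines left in 01-pihole.conf.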