Hide dnsmasq version

mountainguy · March 13, 2023, 8:04pm

Hello,
I would like hide dnsmasq version visible under the dig version.bind query. Is it possible? Thanks!

admin@SERVER:~$ dig @localhost version.bind txt chaos

;; ANSWER SECTION:
version.bind.           0       CH      TXT     "dnsmasq-pi-hole-v2.89"

yubiuser · March 13, 2023, 8:09pm

Try adding a custom config file in /etc/dnsmasq.d/ with no-ident set.

https://thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html

mountainguy · March 13, 2023, 8:49pm

That works. Thank you!

chrislph · March 14, 2023, 2:54am

Does this also turn off the custom domain version.FTL as another route to get this info?

$ dig @localhost txt chaos version.FTL
;; ANSWER SECTION:
version.FTL.		0	CH	TXT	"v5.21"

Cross-referencing from the FTL 5.21 announcement – "Update embedded dnsmasq to v2.89"

mountainguy · March 14, 2023, 7:51am

Hi,
No - see below. This is a good point, it should be also hidden. Any idea how to do it?

admin@SERVER:~$ dig @localhost txt chaos version.FTL

; <<>> DiG 9.18.1-1ubuntu1.3-Ubuntu <<>> @localhost txt chaos version.FTL
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15124
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;version.FTL.                   CH      TXT

;; ANSWER SECTION:
version.FTL.            0       CH      TXT     "v5.21"

yubiuser · March 14, 2023, 9:45am

Pinging @DL6ER

DL6ER · March 15, 2023, 8:34pm

Pi-hole values privacy as high-value goal. We provided the patch implementing the new config option no-ident only recently to the dnsmasq project to allow removal/suppression of these strings (before this was only possible through recompilation from source).
However, the patch - submitted to dnsmasq also only affected said dnsmasq code and the extra version.ftl was forgotten to be added when importing out patch from the upstream project into ours.

github.com/pi-hole/FTL

Put version.ftl also behind new no-ident config option

pi-hole:development ← pi-hole:tweak/no-ident

opened 08:33PM - 15 Mar 23 UTC

DL6ER

+1 -3

**What does this PR aim to accomplish?:** See title and related Discource top…ic (link below). --- **By submitting this pull request, I confirm the following:** 1. I have read and understood the [contributors guide](https://docs.pi-hole.net/guides/github/contributing/), as well as this entire template. I understand which branch to base my commits and Pull Requests against. 2. I have commented my proposed changes within the code and I have tested my changes. 3. I am willing to help maintain this change if there are issues with it later. 4. It is compatible with the [EUPL 1.2 license](https://opensource.org/licenses/EUPL-1.1) 5. I have squashed any insignificant commits. ([`git rebase`](http://gitready.com/advanced/2009/02/10/squashing-commits-with-rebase.html)) 6. I have checked that another pull request for this purpose does not exist. 7. I have considered, and confirmed that this submission will be valuable to others. 8. I accept that this submission may not be used, and the pull request closed at the will of the maintainer. 9. I give this submission freely, and claim no ownership to its content. --- - [X] I have read the above and my PR is ready for review. *Check this box to confirm*

chrislph · March 15, 2023, 10:17pm

Nice one, thanks, appreciate the flexibility in adding that. It's a handy diagnostic though.

Interestingly I do get the version from version.ftl but I get nothing from version.bind, but I also don't appear to have no-ident set, so I'm not sure why it is suppressed here. For example authors.bind returns "Simon Kelley".

Not sure if it's worth raising as a new topic (can do if there's a rabbit hole to go down) but I am curious.

EDIT – turned out version.bind was blocked in an adlist. Not the default adlist but another one I had added. This means

blacklisting these special domains is another way to prevent them from revealing their info
be mindful of them being blocked by an adlist and mistakenly interpreting the result as DNS interception if using them to test for this