Pi-hole is constantly evolving and trying to make your network even safer. This does not stop at blocking DNS requests but includes security features for all other components as well.
This time, we ensure each DHCP host gets a DNS domain attached to it. This has two effects: firstly, it causes the DHCP server to return the domain to any hosts which request it, and secondly, it sets the domain which it is legal for DHCP-configured hosts to claim.
The intention is to constrain hostnames so that an untrusted host on the LAN cannot advertise its name via DHCP as, e.g., microsoft.com and capture traffic not meant for it: without the constraint, the DHCP server would register whatever name the client claims in local DNS, and every other device on the LAN asking for that name would be pointed at the rogue host.
Why this is important
Check out this NSA paper (WARNING: link to defense.gov) describing how all Windows 7 (and lower) machines can easily be tricked, in HTTPS and in other uses of certificates such as file signing and verification, into accepting a spoofed certificate as fully trusted.
The feasibility of this attack was demonstrated on the very day the vulnerability was disclosed (link), and it is a severe threat to every Windows machine that is not updated. And because Microsoft decided not to provide backports of the fix for consumer Windows 7, Vista, XP, etc. versions, and would rather use this to push you to upgrade (= buy a new license), we decided to include automatic protection against this.
Simply blocking a specific set of Microsoft update servers would not be sufficient, as a malicious device could still register itself as your-bank.com (or similar), get local DNS to resolve that name to its own address, and then use the unpatched Windows bug to present a spoofed certificate the client accepts, playing man-in-the-middle and routing the money you are sending somewhere else.
I'm not using a single Windows machine myself, so I'm surely not an "everyone uses Windows" guy, but still, I acknowledge that many do so and that many also don't know how to defend themselves - most often because they neither know how nor even that they have to.
In our new default configuration, hostnames with a domain part are allowed, provided the domain part matches the suffix. In addition, when a suffix is set, hostnames without a domain part have the suffix added as an optional domain part, so a client calling itself laptop is reachable both as laptop and as laptop followed by the suffix.
An alternative solution with the same effect would be to disallow any DHCP hostname with a domain part (i.e., with a period). However, I think this would break a lot more existing network configurations than the current security measure does.
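To make the rule concrete, here is an added example (not Pi-hole's or dnsmasq's own code) that models the policy described above and the attack it prevents: a constructed set of DHCP hostname claims, including a rogue device calling itself your-bank.com, is run through the new default (a configured suffix), through the stricter alternative (no suffix, every dotted name refused), and through an unconstrained server. The suffix lan, the DHCP_SUFFIX constant, the function names and the sample addresses are assumptions; so are two details the post does not specify: that the domain part is everything after the first dot and must equal the suffix exactly, and that a claim failing the check is dropped entirely.

```python
"""Model of the DHCP hostname policy that a configured DNS suffix enforces.

Added example, not Pi-hole or dnsmasq code. Assumptions: the domain part is
everything after the first dot and must equal the suffix exactly; a claim that
fails the check is dropped entirely (the post does not say whether only the
domain part or the whole name is discarded).
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Hypothetical suffix; Pi-hole hands it to dnsmasq via its domain=<suffix> option.
DHCP_SUFFIX = "lan"


@dataclass(frozen=True)
class Decision:
    accepted: bool
    names: Tuple[str, ...]   # names registered in local DNS (empty when rejected)
    reason: str


def check_dhcp_hostname(claimed: str, suffix: Optional[str],
                        reject_dotted: bool = True) -> Decision:
    """Apply the hostname policy to the name a DHCP client claims.

    suffix set  : bare names get the suffix added as an optional domain part;
                  dotted names pass only if the domain part equals the suffix.
    suffix None : with reject_dotted=True every dotted name is refused (the
                  stricter alternative the post mentions); with
                  reject_dotted=False the server is unconstrained, which is the
                  situation the new default is meant to close.
    """
    name = claimed.strip().rstrip(".").lower()   # normalise case and trailing dot
    if not name:
        return Decision(False, (), "empty hostname")
    if "." not in name:
        names = (name, f"{name}.{suffix}") if suffix else (name,)
        return Decision(True, names, "no domain part")
    if suffix is None:
        if reject_dotted:
            return Decision(False, (), "domain part present but no suffix configured")
        return Decision(True, (name,), "unconstrained server accepts any name")
    host, _, domain = name.partition(".")        # assumption: split at the first dot
    if domain == suffix.lower():
        return Decision(True, (host, name), "domain part matches suffix")
    return Decision(False, (), f"domain part {domain!r} does not match suffix {suffix!r}")


def build_local_dns(requests: Iterable[Tuple[str, str]], suffix: Optional[str],
                    reject_dotted: bool = True) -> Dict[str, str]:
    """Build the name -> IP table the DHCP server would publish to local DNS."""
    table: Dict[str, str] = {}
    for claimed, ip in requests:
        decision = check_dhcp_hostname(claimed, suffix, reject_dotted)
        for n in decision.names:
            table[n] = ip
    return table


# Constructed sample: two honest clients and one rogue device claiming a bank's name.
SAMPLE_REQUESTS: List[Tuple[str, str]] = [
    ("laptop", "192.168.1.20"),
    ("printer.lan", "192.168.1.30"),
    ("your-bank.com", "192.168.1.66"),
]

if __name__ == "__main__":
    for mode, suffix, rd in (("new default", DHCP_SUFFIX, True),
                             ("no suffix, dotted names refused", None, True),
                             ("unconstrained", None, False)):
        print(f"{mode}: {build_local_dns(SAMPLE_REQUESTS, suffix, rd)}")
```

Run it and the first two tables contain only laptop, laptop.lan, printer and printer.lan, while the unconstrained table maps your-bank.com to the rogue address: that is exactly the local DNS answer which, combined with a spoofed certificate, an unpatched client would trust.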
If you still think, even after reading my "Why this is important" chapter, that it should be possible to disable this extra protection, we can discuss this. My opinion is that it gives a lot of extra security "for free". The short .lan (or whatever) suffix doesn't hurt me, but tastes can surely differ and I don't want to enforce my view on others.