Why is a DHCP suffix enforced from v5.2 on?

I have always used, and still use, Pi-Hole as my DHCP server, but since upgrading to this version (5.3), the client names in the dashboard (web), Top Clients (total) and Top Clients (blocked) are now being tagged/displayed with the Pi-Hole domain name at the end. How do I turn this off and display names as per the local DNS record for each client, without the Pi-Hole domain name?

Even in the Query Log, client names are now also being tagged/displayed with the Pi-Hole domain name.

I can't find an option to disable this type of display/function. Can someone please direct me and/or advise how to disable/turn this off?

Is this really required with a single Domain name in the Pi-Hole settings for DHCP? Not for me.

If people want to tag clients with a domain name, then do that through the local DNS setup for a client. Don't assume everyone wants to see client names tagged that way for display. For me at least (maybe not all), it's just an eyesore and a waste of space.

Pi-hole is constantly evolving and trying to make your network even safer. This does not stop at blocking DNS requests but includes security features for all other components as well.

This time, we ensure each DHCP host gets a DNS domain attached to it. This has two effects; firstly it causes the DHCP server to return the domain to any hosts which request it, and secondly it sets the domain which it is legal for DHCP-configured hosts to claim.

The intention is to constrain hostnames so that an untrusted host on the LAN cannot advertise its name via DHCP as e.g. microsoft.com and capture traffic not meant for it.

Why this is important

Check out this NSA paper (WARNING: Link to defense.gov) describing that all Windows 7 (and lower) machines can easily be tricked in HTTPS and other cryptographic regimes like file signing and verification to trust a spoofed certificate with ultimate trust.

The feasibility of this attack was demonstrated on the very same day as the vulnerability's disclosure (link) and is a severe threat to all Windows machines that are not updated. And because Microsoft decided not to provide backports of the fix for personal Windows 7, Vista, XP, etc. versions and rather uses this to promote upgrading (= buying a new license), we decided to include an automatic protection for this.

Simply blocking a specific set of Microsoft update servers would not be sufficient as a malicious device could still register itself as your-bank.com (or similar) and use the unpatched Windows bug to play MITM and route the money you're sending somewhere else.

I'm not using a single Windows machine myself, so I'm surely not an "everyone uses Windows" guy, but still, I acknowledge that many may do so and that many may also not know how to defend themselves - most often because they neither know how nor even that they have to.


In our new default configuration, hostnames with a domain part are allowed, provided the domain part matches the suffix. In addition, when a suffix is set then hostnames without a domain part have the suffix added as an optional domain part.

An alternative solution with the same effect would be to disallow any DHCP hostname with a domain part (i.e., with a period). However, I think this would break a lot more existing network configurations than the current security measure does.

If you still think, even after reading my "Why this is important" chapter, that it should be possible to disable this extra protection, we can discuss this. My opinion is that it gives a lot of extra security "for free". The short .lan (or whatever) suffix doesn't hurt me, but tastes can surely differ and I don't want to enforce my view on others.
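As an added illustration of the rule described in the reply above (this is example code written for this page, not Pi-hole's or dnsmasq's own implementation), the following Python models how client-supplied DHCP hostnames are qualified or rejected against an assumed suffix of `lan`, using a constructed batch of names:

```python
import re
from typing import Optional

# One DNS label: letters, digits and hyphens, no leading/trailing hyphen, at most 63 chars.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def qualify_dhcp_hostname(client_name: str, suffix: str) -> Optional[str]:
    """Model of the rule from the reply above: return the FQDN to register for a
    DHCP client, or None if the client-supplied name must be rejected.

    - a bare hostname gets the configured suffix appended
    - a hostname with a domain part is accepted only if that domain part
      equals the suffix exactly
    - malformed labels are rejected outright
    """
    name = client_name.strip().rstrip(".").lower()
    suffix = suffix.strip().rstrip(".").lower()
    if not name or not suffix:
        return None
    labels = name.split(".")
    if not all(LABEL_RE.match(label) for label in labels):
        return None
    if len(labels) == 1:
        return f"{name}.{suffix}"
    domain_part = ".".join(labels[1:])
    if domain_part != suffix:
        return None  # e.g. a client claiming to be microsoft.com or your-bank.com
    return name


def filter_dhcp_names(client_names, suffix: str):
    """Split a batch of client-supplied names into accepted FQDNs and rejects."""
    accepted, rejected = {}, []
    for client_name in client_names:
        fqdn = qualify_dhcp_hostname(client_name, suffix)
        if fqdn is None:
            rejected.append(client_name)
        else:
            accepted[client_name] = fqdn
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample of names clients might send in DHCP option 12 (hostname).
    sample = ["laptop", "Printer.lan", "microsoft.com", "your-bank.com", "bad_name", ""]
    ok, bad = filter_dhcp_names(sample, "lan")
    for original, fqdn in ok.items():
        print(f"accept {original!r:18} -> {fqdn}")
    for original in bad:
        print(f"reject {original!r}")
```

A name such as `printer.office.lan` is also rejected by this model, because its domain part `office.lan` is not exactly the configured suffix.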


As long as it's not .local
