Some Fritz!Box modems might have been hijacked

TL;DR: Fritz!Box devices using custom DNS resolution services like Pihole or Adguard might have been compromised by DNS hijacking and using those Fritz!Box devices might be unsafe, especially for Windows users. Update: I updated the article to downscale the severity of the situation. After posting the article on HN, I came to the conclusion based on comments from other HN commenters that the Fritz!Box will not externally resolve *.fritz.box domain names. This is not the case if you use your own

@unixorn @homelab @homelabs Small clarification on this: you're vulnerable if 1) you are *not* using the Fritz box as your local DNS resolver and 2) you *are* using the Fritz box as your DHCP server, or your DHCP server hands out fritz.box as a domain suffix. If either of those things isn't true, then you're not vulnerable.
@hedders @unixorn I have this setup and my devices aren't adding ".fritz.box" to the domains. As far as I understand DNS suffixes are just added if I do not fill in a complete domain.
This is something I could reproduce. If I type "http://test" in the browser, the domain request in Pi-hole is listed as "test.fritz.box". If the domain is complete "google.com" nothing is added.
I added a wildcard for "fritz.box" in my Pi-hole and everything is working normally.
Am I missing something?
@ottker It's about domain suffixes as well as default search domains. Are you using the Fritz box or your pi-hole as a DHCP server?
@hedders The Fritz box
@ottker Right. Do you have conditional forwarding on your pi-hole to send queries for foo.fritz.box to the Fritz box to resolve?
@hedders Nope, just a wildcard block list entry for fritz.box (but recently added after reading the blog entry)
@ottker Right. So what I would suggest to avoid the vulnerability without breaking local network name resolution is to create a conditional forwarding rule so that queries for anything.fritz.box get forwarded to your Fritz Box for resolution rather than your pi-hole trying to resolve them itself.
@hedders Ok, thank you. 🙂
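As an added illustration of the suffix-append behaviour ottker reproduced and the conditional-forwarding mitigation hedders suggests (example code, not from any poster and not Pi-hole's own code; the Fritz!Box address 192.168.178.1, the public upstream 9.9.9.9 and the search suffix are assumptions):

```python
# Models (1) how a short name typed in a browser is expanded with the
# DHCP-supplied search suffix and (2) where a dnsmasq-style resolver such as
# Pi-hole's FTL sends each candidate query. Addresses are constructed.
FRITZBOX = "192.168.178.1"        # assumed Fritz!Box LAN address
PUBLIC_UPSTREAM = "9.9.9.9"       # assumed Pi-hole upstream resolver

def expand_name(typed, search_list, ndots=1):
    """Candidate FQDNs a stub resolver tries, glibc-style: a name with fewer
    than `ndots` dots is first tried with each search suffix appended."""
    name = typed.rstrip(".")
    if name.count(".") >= ndots:
        return [name]             # 'google.com' is queried as-is
    return [f"{name}.{sfx}" for sfx in search_list] + [name]

def route_query(qname, server_rules, default_upstream):
    """Pick the upstream for qname using dnsmasq 'server=/domain/ip' semantics:
    the longest matching domain suffix wins, otherwise the default upstream."""
    best = None
    for domain, ip in server_rules:
        if qname == domain or qname.endswith("." + domain):
            if best is None or len(domain) > len(best[0]):
                best = (domain, ip)
    return best[1] if best else default_upstream

def where_does_it_go(typed, search_list, server_rules):
    """Map each candidate name to the upstream that would receive it."""
    return {q: route_query(q, server_rules, PUBLIC_UPSTREAM)
            for q in expand_name(typed, search_list)}

# Weak setup: no rule for fritz.box, so 'test.fritz.box' leaves the LAN and
# is resolved by the public upstream, the condition the thread warns about.
NO_RULES = []
# Mitigation from the thread: conditional forwarding, equivalent to the
# dnsmasq directive  server=/fritz.box/192.168.178.1
CONDITIONAL_FORWARDING = [("fritz.box", FRITZBOX)]

if __name__ == "__main__":
    for rules in (NO_RULES, CONDITIONAL_FORWARDING):
        print(where_does_it_go("test", ["fritz.box"], rules))
        print(where_does_it_go("google.com", ["fritz.box"], rules))
```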