CVE-2020-36517: DNS server settings ignored for resolving lan hosts. · Issue #6 · home-assistant/plugin-dns
An information leak in Nabu Casa Home Assistant Operating System and Home Assistant Supervised 2022.03 allows a DNS operator to gain knowledge about internal network resources via the hardcoded DNS resolver configuration.
HassOS release with the issue:
Frontend -> Configuration -> Info
arch: x86_64
chassis: vm
dev: false
docker: true
docker_version: 19.03.11
hassio: true
host_os: HassOS 4.13
installation_type: Home Assistant OS
os_name: Linux
os_version: 5.4.63
python_version: 3.8.5
supervisor: 247
timezone: Europe/Brussels
version: 0.115.6
virtualenv: false
Or use this command: hass --version
➜ ~ hass --version
zsh: command not found: hass
Journal logs:
Oct 09 08:11:07 homeassistant 85843c26f66f[386]: [INFO] 127.0.0.1:35481 - 43627 "A IN influx.local. udp 30 false 512" NXDOMAIN qr,rd,ra 105 0.090119317s
Oct 09 08:11:07 homeassistant 85843c26f66f[386]: [INFO] 172.30.32.1:48509 - 43627 "A IN influx.local. udp 30 false 512" NXDOMAIN qr,rd,ra 105 0.091012247s
Oct 09 08:11:08 homeassistant 85843c26f66f[386]: [INFO] 127.0.0.1:36749 - 57069 "A IN syncthingx.local. udp 34 false 512" NXDOMAIN qr,rd,ra 109 0.024540873s
Oct 09 08:11:08 homeassistant 85843c26f66f[386]: [INFO] 172.30.32.1:38087 - 57069 "A IN syncthingx.local. udp 34 false 512" NXDOMAIN qr,rd,ra 109 0.025081218s
Oct 09 08:11:08 homeassistant 85843c26f66f[386]: [INFO] 127.0.0.1:35481 - 57327 "AAAA IN syncthingx.local. udp 34 false 512" NXDOMAIN qr,rd,ra 109 0.096807474s
Oct 09 08:11:08 homeassistant 85843c26f66f[386]: [INFO] 172.30.32.1:38087 - 57327 "AAAA IN syncthingx.local. udp 34 false 512" NXDOMAIN qr,rd,ra 109 0.097437652s
Description of problem:
TL;DR: After some time (X hours), HA stops using the user-defined DNS server, thus no longer being able to resolve hosts on the LAN.
HA is configured to use a local DNS server:
➜ ~ ha dns info
host: 172.30.32.3
locals:
- dns://192.168.11.2
servers:
- dns://192.168.11.2
version: "9"
version_latest: "9"
➜ ~
Trying to resolve a local host fails:
➜ ~ nslookup influx.local
Server: 172.30.32.3
Address: 172.30.32.3#53
** server can't find influx.local: NXDOMAIN
On the DNS server side, the logs show no request arriving for that lookup.
Forcing the lookup to use the specific DNS server works:
➜ ~ nslookup influx.local 192.168.11.2
Server: 192.168.11.2
Address: 192.168.11.2#53
Name: influx.local
Address: 192.168.11.134
And in this case, the DNS logging indeed confirms name resolution:
Oct 9 08:21:20 dnsmasq[344]: query[A] influx.local from 192.168.11.5
Oct 9 08:21:20 dnsmasq[344]: query[AAAA] influx.local from 192.168.11.5
Doing the same on the HassOS host works without any kind of issue:
# nslookup influx.local
Server: 192.168.11.2
Address: 192.168.11.2:53
Name: influx.local
Address: 192.168.11.134
Non-authoritative answer:
#
Additional info:
- Doing a ha dns restart solves the issue, for a while (X hours), but it always returns to being broken.
- I migrated to HassOS a month or 2 ago, having previously run Hassio for a few years.
- In a Hassio setup, this issue never happened.
- HassOS based setup has had this from my first install.
- Pleading for help on Discord yielded very little response, no useful response at all.
- Others are having the same issue, and are also being ignored: https://community.home-assistant.io/t/local-dns/178108
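
The check used in the report (the plugin answers NXDOMAIN for a LAN name while the configured resolver's log shows no matching request) can be automated by correlating the two logs. This is an added example, not part of the original issue or of the project's code; the function names, the 5-second window, the assumed year and the nas.local lines are assumptions or constructed samples, and it assumes both hosts' clocks are in sync and dnsmasq query logging is enabled.

```python
import re
from datetime import datetime, timedelta

ASSUMED_YEAR = 2020  # assumption: syslog timestamps carry no year
TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"
# Query-log line of the DNS plugin, in the format shown in the journal above
COREDNS = re.compile(TS + r' .*?\[INFO\] [\d.]+:\d+ - \d+ '
                     r'"(?P<qtype>\w+) IN (?P<name>\S+) [^"]*" (?P<rcode>\w+) ')
# Query-log line of the LAN resolver (dnsmasq)
DNSMASQ = re.compile(TS + r" dnsmasq\[\d+\]: query\[(?P<qtype>\w+)\] (?P<name>\S+) from ")

def parse(lines, pattern):
    """Yield (time, qtype, name, rcode-or-None) for every line the pattern matches."""
    for line in lines:
        m = pattern.search(line)
        if m:
            d = m.groupdict()
            when = datetime.strptime(f"{ASSUMED_YEAR} {d['ts']}", "%Y %b %d %H:%M:%S")
            yield when, d["qtype"], d["name"].rstrip(".").lower(), d.get("rcode")

def unseen_by_lan_dns(plugin_log, lan_log, suffix=".local", window=timedelta(seconds=5)):
    """(name, qtype) pairs the plugin answered NXDOMAIN with no LAN query within window."""
    lan = list(parse(lan_log, DNSMASQ))
    missing = set()
    for ts, qtype, name, rcode in parse(plugin_log, COREDNS):
        if rcode != "NXDOMAIN" or not name.endswith(suffix):
            continue
        if not any(q == qtype and n == name and abs(t - ts) <= window for t, q, n, _ in lan):
            missing.add((name, qtype))
    return sorted(missing)

PLUGIN_LOG = [  # first three lines copied from the journal above, last one constructed
    'Oct 09 08:11:07 homeassistant 85843c26f66f[386]: [INFO] 127.0.0.1:35481 - 43627 "A IN influx.local. udp 30 false 512" NXDOMAIN qr,rd,ra 105 0.090119317s',
    'Oct 09 08:11:08 homeassistant 85843c26f66f[386]: [INFO] 127.0.0.1:36749 - 57069 "A IN syncthingx.local. udp 34 false 512" NXDOMAIN qr,rd,ra 109 0.024540873s',
    'Oct 09 08:11:08 homeassistant 85843c26f66f[386]: [INFO] 127.0.0.1:35481 - 57327 "AAAA IN syncthingx.local. udp 34 false 512" NXDOMAIN qr,rd,ra 109 0.096807474s',
    'Oct 09 08:11:09 homeassistant 85843c26f66f[386]: [INFO] 172.30.32.1:40000 - 1111 "A IN nas.local. udp 27 false 512" NXDOMAIN qr,rd,ra 102 0.010000000s',
]
LAN_LOG = [  # first two lines copied from the dnsmasq log above, last one constructed
    "Oct 9 08:21:20 dnsmasq[344]: query[A] influx.local from 192.168.11.5",
    "Oct 9 08:21:20 dnsmasq[344]: query[AAAA] influx.local from 192.168.11.5",
    "Oct 9 08:11:09 dnsmasq[344]: query[A] nas.local from 192.168.11.5",
]

if __name__ == "__main__":
    for name, qtype in unseen_by_lan_dns(PLUGIN_LOG, LAN_LOG):
        print(f"{qtype:5} {name}: NXDOMAIN from plugin, never reached the LAN resolver")
```

The constructed nas.local pair is not reported because the LAN resolver logged the query at the same second, so a genuine NXDOMAIN from the configured server is kept apart from one produced without consulting it.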