Some Fritz!Box modems might have been hijacked

TL;DR: Fritz!Box devices using custom DNS resolution services like Pihole or Adguard might have been compromised by DNS hijacking and using those Fritz!Box devices might be unsafe, especially for Windows users.

Update: I updated the article to downscale the severity of the situation. After posting the article on HN, I came to the conclusion based on comments from other HN commenters that the Fritz!Box will not externally resolve *.fritz.box domain names. This it not the case if you use your own DNS resolution service like Pihole or Adguard however, in which case your DNS resolution could still be hijacked.

Fritz!Box modems are popular modems by the German company AVM. They are tailored to the some-what more experienced users who want to have more control over their network settings and they can often be used to replace the modem from your cable/DSL/fiber ISP. The company has been around for a long time and Fritz!Box devices are generally considered to be reliable and well worth the price.

However, since the beginning of 2024 all of the Fritz!Box devices have been hijacked. In short, the DHCP server on these modems hands out leases with the DNS suffix fritz.box, which means that domains in DNS requests are appended with the suffix. Unfortunately, this setting cannot be modified. Normally this doesn't have to be a problem, but since the beginning of this year the fritz.box DNS suffix is an actual registered domain and the owner of this domain is not AVM or anyone affiliated to them.

This doesn't have to be a problem if you use your Fritz!Box for resolving DNS, which is standard behavior. The Fritz!Box is smart enough to know not to resolve *.fritz.box domains externally. But this isn't the case if you are using Pihole, Adguard or any other DNS resolver.

If you resolve DNS outside your Fritz!Box, DNS requests now get forwarded to an unknown entity, which is a case of DNS hijacking. Not every OS deals with DNS suffices in the same way, but at least Windows applies the suffix for all DNS requests which means every DNS request done by a Windows user will now effectively be hijacked.

The consequences of this are significant: these Fritz!Box users' internet behavior is now sent directly to an unknown party and are now prone to phishing attacks. As far as I know the latter hasn't happened yet, but it's bound to happen at some point if this is not resolved as soon as possible.

Besides the security issues, this also has a negative effect on performance when the registered IP address isn't responding to the DNS requests. I myself have experienced Chrome and Slack to be very slow in resolving network requests after starting up my Windows laptop.

AVM's response so far has been lacking except for a tweet that fritz.box domain is in the process of being sold. To me that is alarming in three ways:

1. "In the process of being sold" means it is not sold yet and there is no guarantee AVM will actually take ownership of the domain.
2. Even if the domain is acquired by AVM, this still means that every DNS request will now go over the internet directly to AVM. I never asked for this.
3. A performance penalty will remain. Your internet will sometimes appear to be really slow when the registered IP address for the DNS suffix domain is not actually responding with a DNS resolution.

The only proper way to resolve this matter in my opinion is to disable the DNS suffix by default. So far there is no indication that AVM is planning to enable this option in the near future.

If you want to do something today without waiting for AVM, the following remedies are available:

• Easiest solution: don't use your own DNS resolution service and keep DNS resolution on the Fritz!Box
• If you want to keep using Adguard, add the following upstream DNS rule: [/fritz.box/]192.168.0.1 in Settings > DNS settings.
• Use a custom DHCP server and don't set the DNS suffix to fritz.box

It is my understanding that using your own DNS resolution without specific measures for now is unsafe and dangerous to use. The lack of a proper response from AVM is even more alarming and I'm not sure they understand the gravity of the situation. I sincerely hope the matter gets resolved soon enough.

PS. I didn't discover this by myself. The article above is a summary of what other people have discovered, and some even warned for this years ago.