Using PiHole on a Raspberry Pi, powered by Raspian, I got to clear only one vulnerability spotted by my security scanner.
This vulnerability was about mDNS / ZeroConf, here the details:
Description
The remote service understands the Bonjour (also known as ZeroConf or mDNS) protocol, which allows anyone to uncover information from the remote host such as its operating system type and exact version, its hostname, and the list of services it is running.
This plugin attempts to discover mDNS used by hosts that are not on the network segment on which Nessus resides.
Risk Information
Risk Factor: MediumCVSS Base Score: 5.0CVSS Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N
Solution
One of them is to filter incoming traffic to UDP port 5353, if desired. As I don’t need that feature, I decided to disable it for good.
Edit avahi-daemon.conf file:
vi /etc/avahi/avahi-daemon.confFind and replace yes by no on the following lines:
[...]
use-ipv4=no
use-ipv6=no
[...]Then, reboot your Pi and launch a remediation scan to confirm the workaround.