CVE-2020-36517: 
Homebrew vulnerability analysis and mitigation

An information leak in Nabu Casa Home Assistant Operating System and Home Assistant Supervised 2022.03 allows a DNS operator to gain knowledge about internal network resources via the hardcoded DNS resolver configuration. The vulnerability was discovered in March 2022 and assigned CVE-2020-36517. The affected systems include Home Assistant Operating System and Home Assistant Supervised installations (NVD).

The vulnerability stems from the DNS plugin's hardcoded configuration that uses Cloudflare's DNS-over-TLS (DoT) servers (1.1.1.1 and 1.0.0.1) as both forwarding and fallback resolvers. This configuration means that DNS queries for internal network resources may be sent to Cloudflare's public DNS servers, potentially exposing information about the internal network structure. The vulnerability has a CVSS v3.1 Base Score of 7.5 HIGH (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) (NVD).

The vulnerability allows DNS operators to gain knowledge about internal network resources that should typically remain private. When DNS queries for local hostnames are forwarded to Cloudflare's DNS servers, it can lead to information disclosure about the internal network structure and naming conventions (GitHub Issue).

Users can mitigate the issue by blocking access to Cloudflare's DNS servers (1.1.1.1 and 1.0.0.1) at the firewall level. However, this may cause the DNS resolver to flood the firewall logs with multiple connection attempts per second. The issue has been addressed in subsequent releases of Home Assistant (GitHub Issue).

The vulnerability sparked significant discussion in the Home Assistant community, with users expressing concerns about privacy implications and the design decision to hardcode external DNS resolvers. Several community members and security researchers advocated for making the DNS fallback behavior configurable or removing it entirely (GitHub Issue).