Some Fritz!Box modems might have been hijacked

Issue Overview

  • Fritz!Box routers use fritz.box as a local domain and DHCP search suffix.
  • .box recently became a public TLD, and fritz.box was registered externally by a third party.
  • This creates a name-collision: some DNS lookups intended for the local router can leak to the public DNS and hit attacker‑controlled infrastructure.
  • The external domain has reportedly been suspended under URS, but it is still not owned by the router vendor, so risk is seen as unresolved by some.

DNS Behavior and Affected Systems

  • On many systems, the search suffix is only applied to single-label names (e.g., googlegoogle.fritz.box), not to FQDNs with dots (google.com).
  • Multiple comments report that Windows nslookup does append fritz.box even to multi-label names (google.com.fritz.box), but others cannot reproduce this with normal resolution paths (ping, browser).
  • Explanation offered: Windows’ DNS client honors a registry flag that disables suffix-append for multi-label names, while nslookup uses its own behavior. Impact on real apps is therefore unclear and disputed.

Severity and “Hijack” vs. Misconfig Debate

  • One camp: if DNS queries can be sent to an unknown external party and behavior cannot be configured away in the UI, this constitutes a hijack in practice.
  • Another camp: with the built-in Fritz!Box resolver and default behavior on most OSes, only some edge cases are affected; calling it “all modems hijacked” is labeled FUD.
  • Several note that name-collision problems with non-reserved internal domains have been known for years.

Workarounds and Mitigations

  • Use local DNS/DHCP (Pi-hole, AdGuard Home, Unbound) and ensure *.fritz.box never leaves the LAN (conditional forwarding, blocking the external IPs).
  • On Linux/systemd-networkd: disable DNS from DHCP and configure safe resolvers manually.
  • On Synology and some other clients: disable “apply domain from DHCP” to avoid appending fritz.box.
  • Some mention editing Fritz!Box config via third-party tools to change the internal domain, though this reportedly does not change the DHCP suffix in all cases.
  • Ultimate fix suggested: vendor firmware update making the suffix configurable and defaulting to reserved domains like home.arpa.

Router Choice, Open Source, and gTLD Critique

  • Strong interest in open-source router firmware (OpenWrt, OPNsense, custom Linux/BSD) for quicker mitigation and transparency, but lack of open modem/combined devices is noted.
  • Broader criticism of ICANN’s expansion of gTLDs (.box, .zip, .dev, etc.) for enabling confusion and phishing, and failure to fully account for name collisions.