possible DNS-rebind attack detected with WireGuard

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12887
Location: Netherlands

Posted: Tue Dec 07, 2021 13:26
This is indeed really odd.

As you did not change anything it must be caused by something on the provider's side, e.g. switching servers, a temporary glitch etc.

By disabling rebind-attack you also restarted WG and maybe that did the trick?

So just to check, I would enable "No DNS Rebind" and see if the connection is blocked again and if so what is the syslog reporting?

As far as I know enabling Rebind protection is an option in DNSMasq so it is difficult to imagine that it blocks anything other than DNS resolution, but I am not a DNSMasq expert.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14221
Location: Texas, USA

Posted: Tue Dec 07, 2021 16:04
One of these was already mentioned, not sure if now both are required for some reason.

Code:
rebind-domain-ok=/your.domain.here/
rebind-localhost-ok

Without knowing all of your dnsmasq settings, though, we can only take shot in the dark guesses and grasp at straws. This is counter-intuitive.

_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
seanPH
DD-WRT Novice


Joined: 01 Jul 2021
Posts: 24

Posted: Wed Dec 08, 2021 4:37
@egc thank you for your reply.

Quote:
By disabling rebind-attack you also restarted WG and maybe that did the trick?


Yes, that was also my first thought... BUT, that explanation does not work, because, in trying to fix it for a few hours before changing the "DNS rebind" setting, I had already restarted the WG tunnel 2 or 3 times. And those restarts did not make it work.

Quote:
enable "No DNS Rebind" and see if the connection is blocked again


Yes - already did that. And it is running now with "enabled" and the incoming connections are all working (as they did for many weeks before yesterday's outage).

This was the sequence of events:

  1. I contacted the VPN support desk.
  2. There was a 15-minute pause between their replies, and then they said "Just tested your dedicated IP x.x.x.x Port forwarding works. Please check it again."
  3. I tested it and it was still not working.
  4. Then - almost immediately - I changed the DNS rebind - which restarted the WG tunnel and it instantly started to work.
  5. I replied to VPN "seems working now here.... Did something change on your side ??"
  6. VPN support desk replied "No, I didn't change anything on server side."

The other possibility is that the VPN support were not honest about "no changes", and they did actually re-enable port-forwarding, which then just required a tunnel restart on my side (after they had re-enabled it).

Other than all this ... the only difference I see when "DNS rebind" is enabled is lots of yellow messages in the syslog. I like to believe that it is actually preventing something, and dropping inbound connection attempts, i.e. "suspected rebind attacks". But who knows if it is doing anything other than filling up the syslog. BTW - those extra messages in syslog are no problem.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12887
Location: Netherlands

Posted: Wed Dec 08, 2021 8:43
Maybe they were updating some servers or had another temporary glitch?

At least it is working again :)

I also have some rebind attacks in the log, mainly from Microsoft.
It seems to happen at startup and seems some form of network checking.

I just ignore it for the moment.

the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

Posted: Wed Dec 08, 2021 9:01
Forgive me, I did not read every word on all replies to the topic.

DD-WRT has built-in blocklists for telemetry etc... and these should be excluded from the rebind attack protection IMO, since most of these notices are due to that afaik; if that's not true feel free to correct me.

Disabling No DNS rebind as a workaround is a bad idea, so some things should be whitelisted, like the built-in blocklists or any user added by manual configuration.

This is not wireguard related, I have the odd entry on my log like so and I don't use wireguard (yet).

Take care now, alrighty then! :D

_________________
Saving your retinas from the burn!🔥
DD-WRT Inspired themes for routers
DD-WRT Inspired themes for the phpBB Forum
DD-WRT Inspired themes for the SVN Trac & FTP site
Join in for a chat @ #style_it_themes_public:matrix.org or #style_it_themes:discord

DD-WRT UI Themes Bug Reporting and Discussion thread

Router: ANus RT-AC68U E1 (recognized as C1)
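
Added example, not part of any post in this thread: instead of disabling "No DNS Rebind", the warnings in the syslog can be summarised per name so that individual names can be reviewed for `rebind-domain-ok`. The sketch assumes the queried name is the last field after dnsmasq's "possible DNS-rebind attack detected:" message; the sample log lines and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise dnsmasq rebind warnings so that individual names can
# be reviewed for rebind-domain-ok instead of turning the protection off.

# Constructed sample syslog lines (hostname, PID and domains are made up).
sample_log() {
    cat <<'EOF'
Dec  8 09:00:01 DD-WRT daemon.warn dnsmasq[1532]: possible DNS-rebind attack detected: telemetry.example.net
Dec  8 09:00:02 DD-WRT daemon.info dnsmasq[1532]: query[A] www.example.org from 192.168.1.20
Dec  8 09:00:05 DD-WRT daemon.warn dnsmasq[1532]: possible DNS-rebind attack detected: Telemetry.Example.NET
Dec  8 09:01:10 DD-WRT daemon.warn dnsmasq[1532]: possible DNS-rebind attack detected: nas.home.example
Dec  8 09:02:00 DD-WRT daemon.warn dnsmasq[1532]: possible DNS-rebind attack detected: bad/name;x
EOF
}

# Reads syslog on stdin, prints "<count> <name>", most frequent first.
# Names originate from DNS queries (untrusted input), so anything outside
# [a-z0-9._-] is dropped before it can end up in a config line.
rebind_summary() {
    awk '
        /dnsmasq(\[[0-9]+\])?: possible DNS-rebind attack detected: / {
            name = tolower($NF)
            sub(/\.$/, "", name)            # strip a trailing root dot
            if (name ~ /^[a-z0-9._-]+$/) count[name]++
        }
        END { for (n in count) print count[n], n }
    ' | sort -k1,1nr -k2,2
}

# Turns the summary into commented-out dnsmasq lines for manual review;
# only names you recognise and trust should be uncommented.
rebind_candidates() {
    rebind_summary | while read -r n name; do
        printf '# seen %s time(s)\n#rebind-domain-ok=/%s/\n' "$n" "$name"
    done
}

# Stand-alone run on the constructed sample.
# Real use: rebind_candidates < /path/to/your/syslog
sample_log | rebind_candidates
```

Every emitted `rebind-domain-ok` line stays commented out, because a name that legitimately resolves to a private address and one used in an actual rebind attempt look the same in the log.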
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2977
Location: Germany

Posted: Wed Dec 08, 2021 10:16
Yes, it has a telemetry function that is not activated and cannot be activated or deactivated in the menu.
This is a hidden feature ...