Increasing number of "Possible DNS Rebind Attacks Detec

DD-WRT Forum Index -> Advanced Networking
Fried Chicken
DD-WRT User


Joined: 12 Jun 2019
Posts: 142

PostPosted: Thu Jan 05, 2023 6:49    Post subject: Increasing number of "Possible DNS Rebind Attacks Detec
Code:
Dec 29 21:22:22 DD-WRT daemon.warn dnsmasq[9123]: possible DNS-rebind attack detected: addresseepaper.com


I'm seeing an increasing number of messages like this in my Syslog. It looks like it's a browser-based exploit, suggesting a security failure on the browser end?

Glad it was caught but worried about what might not be caught.

_________________
Google is Spyware
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6408
Location: UK, London, just across the river..

PostPosted: Thu Jan 05, 2023 14:55    Post subject:
On my R7000 and R7800 I have lots of those... I guess it's something related to the Dnsmasq option strict-order, or to your network having 2 DNS resolvers, like chained routers ahead/behind...
I also tend to believe that those are related to iPhones' (smart devices') DNS requests that try to use their baked-in DNS while you have forced DNS instead...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12835
Location: Netherlands

PostPosted: Thu Jan 05, 2023 15:00    Post subject:
https://www.malwarebytes.com/blog/detections/addresseepaper-com
_________________
Routers: Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3, XR300: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6408
Location: UK, London, just across the river..

PostPosted: Thu Jan 05, 2023 15:11    Post subject:
And the interesting bit to me has always been the actual, clear meaning of this message:

possible DNS-rebind attack detected: addresseepaper.com

So, was the action drop/reject,
or was it OK and this is just an announcement that it happened?

Checking logs and firewall output, nothing like that on those...

ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2927
Location: Germany

PostPosted: Thu Jan 05, 2023 17:39    Post subject:
The message appears when DNS queries return private / non-public IP addresses.

e.g. if you run a network blocker at DNS level...
I have also seen VPN providers with ad blockers doing the same...
I have also seen IoT providers / camera manufacturers using such a technique for their products...
I have also seen Microsoft servers that return private addresses.

A lot of it is false positives; that's why my Pi-hole sticky says to disable "stop DNS rebind" on the router and enable it directly on the Pi-hole, otherwise you will have 1 million log entries.

There are also dubious sites that return private addresses from time to time....
As said, the messages in the log are harmless...
and even if private addresses are returned, it does not mean that you have such a private address in the LAN that the attack could target.

also, the DNS response is filtered when the message appears


for example >>

https://deu.windscribe.com/features/robert

windscribe R.O.B.E.R.T. looks up the in-memory blocklist settings to see if there are rules for this domain. If there is a BLOCK rule, R.O.B.E.R.T. spoofs the response and returns 0.0.0.0
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2927
Location: Germany

PostPosted: Thu Jan 05, 2023 18:23    Post subject:
    dig addresseepaper.com @8.8.8.8

    ; <<>> DiG 9.16.1-Ubuntu <<>> addresseepaper.com @8.8.8.8
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60319
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 512
    ;; QUESTION SECTION:
    ;addresseepaper.com. IN A

    ;; ANSWER SECTION:
    addresseepaper.com. 4094 IN A 127.0.0.1

    ;; Query time: 15 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8)
    ;; WHEN: Thu Jan 05 19:21:50 CET 2023
    ;; MSG SIZE rcvd: 63


Google returns 127.0.0.1, which is the localhost
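To make the behaviour discussed in the two posts above concrete, here is a small Python model of the check (an added example, not code from any poster or from dnsmasq itself): an answer carrying a non-public address is dropped and the familiar warning text is produced, a domain covered by an allow-list (modelled on dnsmasq's rebind-domain-ok) passes through, and warnings are counted per domain from syslog. The private-range list and the sample log lines are this example's own assumptions, not taken from dnsmasq's source.

```python
import ipaddress
import re
from collections import Counter

# Non-public ranges this model refuses in A-record answers (assumption for
# the example; dnsmasq keeps its own list in its source): RFC 1918, loopback,
# link-local and the 0.0.0.0/8 "this network" block that DNS blocklists use.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]

def is_private(addr):
    """True when an answer address falls into one of the refused ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)

def filter_response(domain, answers, rebind_ok=()):
    """Model of stop-dns-rebind: if any A record is private and the domain is
    not covered by the allow-list, the whole answer set is dropped and the
    syslog warning text is returned; otherwise the answers pass unchanged."""
    allowed = any(domain == ok or domain.endswith("." + ok) for ok in rebind_ok)
    if not allowed and any(is_private(a) for a in answers):
        return [], f"possible DNS-rebind attack detected: {domain}"
    return list(answers), None

# Matches the warning exactly as it appears in the DD-WRT syslog line quoted
# at the top of the thread.
WARN_RE = re.compile(r"dnsmasq\[\d+\]: possible DNS-rebind attack detected: (\S+)")

def count_warnings(lines):
    """Count rebind warnings per domain so a noisy blocklisted name stands out."""
    hits = Counter()
    for line in lines:
        m = WARN_RE.search(line)
        if m:
            hits[m.group(1)] += 1
    return hits

# Constructed sample syslog excerpt (not a real capture).
SAMPLE_LOG = """\
Dec 29 21:22:22 DD-WRT daemon.warn dnsmasq[9123]: possible DNS-rebind attack detected: addresseepaper.com
Dec 29 21:22:40 DD-WRT daemon.info dnsmasq[9123]: query[A] example.org from 192.168.1.20
Dec 29 21:23:01 DD-WRT daemon.warn dnsmasq[9123]: possible DNS-rebind attack detected: addresseepaper.com
Dec 29 21:23:05 DD-WRT daemon.warn dnsmasq[9123]: possible DNS-rebind attack detected: ads.example.net
""".splitlines()

if __name__ == "__main__":
    # The dig answer from the post above: a public resolver hands back 127.0.0.1.
    print(filter_response("addresseepaper.com", ["127.0.0.1"]))
    print(filter_response("cam.iot.example", ["192.168.1.50"], rebind_ok=("iot.example",)))
    print(count_warnings(SAMPLE_LOG))
```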
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6408
Location: UK, London, just across the river..

PostPosted: Fri Jan 06, 2023 9:17    Post subject:
ho1Aetoo wrote:
The message appears when dns queries return private / non-public ip addresses.

e.g. if you run a network blocker on DNS level...
i have also seen VPN providers with ad blockers doing the same...
i have also seen IOT providers / camera manufacturers using such a technique for their products...
i have also seen microsoft servers that return private addresses

a lot of it is false positive.....


Yep, correct..
- Yes, I do run an ad-blocker, and I can see those names are even blocked on the Quad9 list too..
- I'm also using a VPN
- I have dns-loop-detect in Dnsmasq, and I'm also using a DNS stub resolver, one more reason I guess...
- "I have also seen Microsoft servers that return private addresses" ... Apple, and some others too
- I'm not bothered, just announcing that those are notable too.. I haven't changed my DNS ever since, and back in the day those were not notable, unless...

Fried Chicken
DD-WRT User


Joined: 12 Jun 2019
Posts: 142

PostPosted: Mon Jan 23, 2023 4:52    Post subject:
ho1Aetoo wrote:
The message appears when dns queries return private / non-public ip addresses.


This makes sense.
