loads of syslog warnings possible DNS-rebind attack ...

DD-WRT Forum Index -> Atheros WiSOC based Hardware
ArjenR49
DD-WRT User


Joined: 05 Oct 2008
Posts: 418
Location: Helsinki, Finland

Posted: Wed Jun 24, 2020 7:12    Post subject: loads of syslog warnings possible DNS-rebind attack ...
Recent builds/settings/network architecture produce loads of
'possible DNS-rebind attacks detected' warnings
like the following:

Jun 24 09:27:42 R7800 daemon.warn dnsmasq[2711]: possible DNS-rebind attack detected: secure-drm.imrworldwide.com
Jun 24 09:27:42 R7800 daemon.warn dnsmasq[2711]: possible DNS-rebind attack detected: notify.bugsnag.com
Jun 24 09:27:42 R7800 daemon.warn dnsmasq[2711]: possible DNS-rebind attack detected: ssl-google-analytics.l.google.com
Jun 24 09:27:42 R7800 daemon.warn dnsmasq[2711]: possible DNS-rebind attack detected: app-measurement.com
...
Jun 24 09:32:12 R7800 daemon.warn dnsmasq[2711]: possible DNS-rebind attack detected: ocsp.int-x3.letsencrypt.org
Jun 24 09:32:12 R7800 daemon.warn dnsmasq[2711]: possible DNS-rebind attack detected: ocsp.int-x3.letsencrypt.org
and tens more like the one immediately above.

On the R7800 router only DNSMasq and No DNS rebind are enabled. In additional options the actual DNS server is listed in the server option.

The separate DNS server is a Raspberry Pi4B running PiHole and PiVPN/Wireguard and Unbound, which works fine, AFAIK.
IPv6 and DNSSEC pass tests 100%.

What could be the reason for these warnings, and can I get rid of them?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 7576
Location: Netherlands

Posted: Wed Jun 24, 2020 8:16
A rebind attack is when there is a rogue DNS server on your LAN, and there is: it is your Pi-Hole.

So you have to let DD-WRT know it is OK. In Additional DNSMasq Options add something like:

rebind-domain-ok=/yourdomain.name/

_________________
Routers: Netgear R7800, R6400v1, R6400v2, Linksys EA8500, EA6900 (XvortexCFE), E2000 (converted WRT320N), WRT54GS v1.
WireGuard Documents & Guides: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327397
OpenVPN Documents & Guides: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398
IPSET: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327261
Install guide R6400v2: http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 4298
Location: UK, London, just across the river..

Posted: Wed Jun 24, 2020 8:37
2 options...
1. messy/bad DNS settings
2. you have another DNS on the system and you use forced DNS settings on any of them...

very often, people put their router IP in DNS settings...
or misuse the 'local DNS' option on the 'basic setup page', as it should remain 0.0.0.0...

to diagnose this issue we need much more details about it...


p.s. love those buggers

"ssl-google-analytics.l.google.com"

_________________
Atheros
TP-Link WR740Nv1 -----DD-WRT 46446 BS AP,NAT
TP-Link WR740Nv4 -----DD-WRT 44251 BS WAP/Switch
TP-Link WR1043NDv2 ---DD-WRT 46446 BS AP,NAT,AP Isolation,Ad-Block,Firewall,Local DNS,Forced DNS,DoT,VPN,VLAN
TP-Link WR1043NDv2 ---DD-WRT 46640 BS AP,NAT,AD/Block,Firewall,Local DNS,Forced DNS,DoT,VPN,VLAN
TP-Link WR1043NDv2 ---Gargoyle OS 1.12.0 AP,NAT,QoS,Quotas
Qualcomm/IPQ8065
Netgear R7800 -----DD-WRT 46681 BS AP,NAT,AD-Block,AP&Net Isolation,VLAN's,Firewall,Local DNS,DoT
Broadcom
Netgear R7000 -----DD-WRT 46681 BS AP,Wi-Fi OFF,NAT,AD-Block,Firewall,Local DNS,Forced DNS,VLAN's,DoT,VPN
-----------------------------------------------------------------------------------------------
Stubby for DNS over TLS I DNSCrypt v2 by mac913
ArjenR49
DD-WRT User


Joined: 05 Oct 2008
Posts: 418
Location: Helsinki, Finland

Posted: Wed Jun 24, 2020 9:32
egc wrote:
A rebind attack is when there is a rogue DNS server on your LAN, and there is: it is your Pi-Hole.

So you have to let DD-WRT know it is OK. In Additional DNSMasq Options add something like:

rebind-domain-ok=/yourdomain.name/


Can't boot the router until my better half's telecommuting ends today, but I have saved that option with the appropriate local domain name. We'll have to wait and see how it works out.

Local DNS field has been quad zero since adopting the PiHole DNS server.

Thanks for the info. Every other day my LAN converges more and more towards perfect settings.
ArjenR49
DD-WRT User


Joined: 05 Oct 2008
Posts: 418
Location: Helsinki, Finland

Posted: Wed Jun 24, 2020 9:54
Since I still use DNSMasq on the router for DHCP, I have not dared to disable DNSMasq on the router and possibly end up being locked out hard.

EDIT: Perhaps my memory fails me ... there's no option to choose between DNSMasq for DHCP and some other built-in DHCP, which I thought there was in DD-WRT.
There's just an option to use DNSMasq for DNS in the setup page (enabled) ... should I switch it off since I have the PiHole?

DHCP Type: DHCP Server
DHCP Server: Enabled
Start IP Address: 192.168.5.10
Maximum DHCP Users: 20
Client Lease Expiration: 1440 min
Static DNS 1, Static DNS 2, Static DNS 3, WINS: all quad zero
Use DNSMasq for DNS, DHCP-Authoritative, Recursive DNS Resolving (Unbound): all enabled ....

The PiHole server can do DHCP as well, but that would likely be a totally new game ... or would it be an easy switchover?
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 8630
Location: Texas, USA

Posted: Wed Jun 24, 2020 10:25
There is no alternative DHCP server in DD-WRT anymore, since udhcpd functionality was removed for the 04-10-2019-r39469 release.

https://svn.dd-wrt.com/changeset/39356
https://svn.dd-wrt.com/changeset/39355
https://svn.dd-wrt.com/changeset/39354
https://svn.dd-wrt.com/changeset/39353
https://svn.dd-wrt.com/changeset/39352
https://svn.dd-wrt.com/changeset/39351
https://svn.dd-wrt.com/changeset/39350

I am not sure about switching off the use dnsmasq for dns option, you have to point your LAN to your Pi-hole somehow, if I am not mistaken?

_________________
Official Forum Rules, Guidelines & Helpful Information | Firmware FAQ | Installation Wiki | Where Do I Download Firmware?
DON'T use Chromium-based browsers | RTFM/STFW | TL;DR is NOT an excuse. • Why Should I Care What Color the Bikeshed Is?
Please DO NOT PM me with questions; Ask in the forum. ---------------------- Linux User #377467 counter.li.org / linuxcounter.net
ArjenR49
DD-WRT User


Joined: 05 Oct 2008
Posts: 418
Location: Helsinki, Finland

Posted: Wed Jun 24, 2020 10:34
kernel-panic69 wrote:
There is no alternative DHCP server in DD-WRT anymore, since udhcpd functionality was removed for the 04-10-2019-r39469 release.

https://svn.dd-wrt.com/changeset/39356
https://svn.dd-wrt.com/changeset/39355
https://svn.dd-wrt.com/changeset/39354
https://svn.dd-wrt.com/changeset/39353
https://svn.dd-wrt.com/changeset/39352
https://svn.dd-wrt.com/changeset/39351
https://svn.dd-wrt.com/changeset/39350

I am not sure about switching off the use dnsmasq for dns option, you have to point your LAN to your Pi-hole somehow, if I am not mistaken?


This is where the LAN is pointed to the PiHole:

conf-file=/jffs/dnsmasq.custom

no-resolv

# Other extra options
#expand-hosts
#domain-needed
#bogus-priv

log-async=5

# Prevent DNS rebind attack warnings
rebind-domain-ok=/arnet/

# PiHole DNS server
server=192.168.5.60
dhcp-option=6,192.168.5.60

The rebind-domain-ok option is only saved, not active until after work hours.

If I feel up to it, I could try disabling DNSMasq for DNS and possibly get myself in trouble ...
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 8630
Location: Texas, USA

Posted: Wed Jun 24, 2020 10:56
Somehow, I have a feeling you are overly complicating your configuration by using the dnsmasq.custom file on jffs. Just an observation. Unless you are running a 65535-node LAN with all static leases, I don't think there is any need to put your dnsmasq configs anywhere but the usual places.
ArjenR49
DD-WRT User


Joined: 05 Oct 2008
Posts: 418
Location: Helsinki, Finland

Posted: Wed Jun 24, 2020 11:30
kernel-panic69 wrote:
Somehow, I have a feeling you are overly complicating your configuration by using the dnsmasq.custom file on jffs. Just an observation. Unless you are running a 65535-node LAN with all static leases, I don't think there is any need to put your dnsmasq configs anywhere but the usual places.


I have had Entware on the same memory stick for a long time in its own Optware partition, although I forgot what it is for (probably NANO, per opkg upgrade output).
Nevertheless, the stick is there anyway, and I can edit the table in e.g. Pluma via SMB. It's nice and easy that way.

IMO, the other sensible place to put a list of static IPs is Additional DNSMasq Options. I find the GUI table too quirky for my liking.
An advantage of the GUI table is that you can have DD-WRT append the local domain name in its client table, but I forgo that.
When static leases are defined in any other way, expand-hosts doesn't do anything.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 4298
Location: UK, London, just across the river..

Posted: Wed Jun 24, 2020 12:28
it seems you are not doing it right...
ask ggl
https://duckduckgo.com/?t=ffab&q=pi-hole+DNS+on+ddwrt+router&ia=web

many threads, even on the ddwrt forum, about it... I'm not going into details, you will find your way, I'm sure...

you have to add those lines to permit DNS to come from
another (LAN) router... kind of...

iptables -I INPUT -i br0 -p tcp --dport 53 -j ACCEPT
iptables -I INPUT -i br0 -p udp --dport 53 -j ACCEPT

for DHCP
iptables -I INPUT -i br0 -p udp --dport 67 -j ACCEPT

you can specify source and destination if you want to be more specific...

ArjenR49
DD-WRT User


Joined: 05 Oct 2008
Posts: 418
Location: Helsinki, Finland

Posted: Wed Jun 24, 2020 20:22
Alozaros wrote:
it seems you are not doing it right...
ask ggl
https://duckduckgo.com/?t=ffab&q=pi-hole+DNS+on+ddwrt+router&ia=web

many threads, even on the ddwrt forum, about it... I'm not going into details, you will find your way, I'm sure...

you have to add those lines to permit DNS to come from
another (LAN) router... kind of...

iptables -I INPUT -i br0 -p tcp --dport 53 -j ACCEPT
iptables -I INPUT -i br0 -p udp --dport 53 -j ACCEPT


I wish I could take credit for the rules below, but I actually have them in my firewall script for bridges br1 and br2, which I have set up for two virtual WAPs.

# Delete duplicate rules caused by the Firewall script
# executing more than once during router startup.
iptables -D FORWARD -i br2 -d 192.168.5.60 -p tcp --dport 53 -j ACCEPT >/dev/null 2>&1
iptables -D FORWARD -i br2 -d 192.168.5.60 -p udp --dport 53 -j ACCEPT >/dev/null 2>&1
iptables -D FORWARD -i br1 -d 192.168.5.60 -p tcp --dport 53 -j ACCEPT >/dev/null 2>&1
iptables -D FORWARD -i br1 -d 192.168.5.60 -p udp --dport 53 -j ACCEPT >/dev/null 2>&1
# Allow DNS requests from guest subnets to DNS server on private subnet
iptables -I FORWARD -i br2 -d 192.168.5.60 -p tcp --dport 53 -j ACCEPT
iptables -I FORWARD -i br2 -d 192.168.5.60 -p udp --dport 53 -j ACCEPT
iptables -I FORWARD -i br1 -d 192.168.5.60 -p tcp --dport 53 -j ACCEPT
iptables -I FORWARD -i br1 -d 192.168.5.60 -p udp --dport 53 -j ACCEPT


I have gotten rid of the endless DNS rebind attack warnings in the syslog concerning all sorts of domains which PiHole is actually blocking, by disabling the option No DNS rebind in the GUI.
My reasoning is that they may be just false alarms, as it is PiHole that should deal with rebind attacks, and DNSMasq in the router, apart from doing DHCP, has only a rudimentary role.

Note that except for the firewall rules this is based on hunches, not on expertise.

Next I'll try and see what happens after adding what you suggested:

iptables -I INPUT -i br0 -s 192.168.5.60 -p tcp --dport 53 -j ACCEPT
iptables -I INPUT -i br0 -s 192.168.5.60 -p udp --dport 53 -j ACCEPT


Back to sifting the stuff that google turned up on this subject.
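The two findings above fit together once you look at what the router's dnsmasq actually tests: egc's `rebind-domain-ok=/yourdomain.name/` whitelists a name suffix, while the "No DNS rebind" option (dnsmasq's `--stop-dns-rebind`) rejects any upstream A-record that falls in a private range, and that range set includes 0.0.0.0, which is exactly what a Pi-hole upstream returns for names it blocks. The names in the syslog are therefore blocked trackers, not the local domain, so the `/arnet/` entry cannot silence them. The following Python is an added example written for this thread, not code from the thread, from dnsmasq or from DD-WRT: it models dnsmasq's rebind decision (following the IPv4 ranges tested by `private_net()` in dnsmasq's rfc1035.c and the suffix match of `--rebind-domain-ok`; IPv6 answers are skipped) and tallies the warning lines from a syslog extract. The hostnames, addresses and log lines are constructed for the demo; `localhost_ok` is a parameter of this model standing in for `--rebind-localhost-ok`.

```python
"""Model of the check behind dnsmasq's "possible DNS-rebind attack detected" warning.

Added example for this forum thread; not code from dnsmasq, DD-WRT or the
thread. Re-implements the rule dnsmasq applies with --stop-dns-rebind
(DD-WRT's "No DNS rebind") for IPv4 answers, plus the --rebind-domain-ok
suffix match. All sample names, addresses and log lines are constructed.
"""
import ipaddress
import re
from collections import Counter

# IPv4 ranges dnsmasq refuses in upstream replies when --stop-dns-rebind is on
# (same set as private_net() in dnsmasq's rfc1035.c).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",        # "this" network; covers Pi-hole's 0.0.0.0 blocking answers
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16",   # link-local / zeroconf
)]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")  # refused unless --rebind-localhost-ok

WARN_RE = re.compile(r"dnsmasq\[\d+\]: possible DNS-rebind attack detected: (\S+)$")


def domain_allowed(name, ok_domains):
    """True if name equals, or is a subdomain of, any --rebind-domain-ok entry.

    Entries may be written dnsmasq-style (/arnet/) or bare (arnet).
    """
    name = name.rstrip(".").lower()
    for entry in ok_domains:
        dom = entry.strip("/").rstrip(".").lower()
        if name == dom or name.endswith("." + dom):
            return True
    return False


def would_flag(name, answers, ok_domains=(), localhost_ok=False):
    """Return True if dnsmasq would drop this reply and log the rebind warning.

    name         - queried name
    answers      - A-record addresses in the upstream reply (strings)
    ok_domains   - --rebind-domain-ok entries
    localhost_ok - models --rebind-localhost-ok (hypothetical parameter name)
    """
    if domain_allowed(name, ok_domains):
        return False
    for a in answers:
        ip = ipaddress.ip_address(a)
        if ip.version != 4:
            continue  # IPv6 checks are omitted in this example
        if ip in LOOPBACK:
            if not localhost_ok:
                return True
            continue
        if any(ip in net for net in PRIVATE_NETS):
            return True
    return False


def parse_warnings(log_text):
    """Count rebind warnings per name in a syslog extract (other lines ignored)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = WARN_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


# Constructed syslog extract in the same shape as the lines posted in the thread.
SAMPLE_LOG = """\
Jun 24 09:27:42 R7800 daemon.warn dnsmasq[2711]: possible DNS-rebind attack detected: app-measurement.com
Jun 24 09:27:42 R7800 daemon.warn dnsmasq[2711]: possible DNS-rebind attack detected: ssl-google-analytics.l.google.com
Jun 24 09:27:43 R7800 daemon.info dnsmasq[2711]: using nameserver 192.168.5.60#53
Jun 24 09:32:12 R7800 daemon.warn dnsmasq[2711]: possible DNS-rebind attack detected: app-measurement.com
"""


def scenarios():
    """Constructed upstream replies and whether the router's dnsmasq would flag them."""
    ok = ["/arnet/"]
    return {
        # Pi-hole's NULL blocking mode answers a blocked tracker with 0.0.0.0:
        "blocked tracker, 0.0.0.0": would_flag("app-measurement.com", ["0.0.0.0"], ok),
        # LAN host under the local domain, covered by rebind-domain-ok=/arnet/:
        "nas.arnet, ok-listed": would_flag("nas.arnet", ["192.168.5.60"], ok),
        # Same LAN answer without the rebind-domain-ok entry:
        "nas.arnet, not listed": would_flag("nas.arnet", ["192.168.5.60"]),
        # Ordinary public name with a public address:
        "public name, public IP": would_flag("www.example.com", ["93.184.216.34"], ok),
    }


if __name__ == "__main__":
    for label, flagged in scenarios().items():
        print(f"{label:26s} -> {'WARN' if flagged else 'pass'}")
    for name, n in parse_warnings(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {name}")
```

Running it shows the blocked tracker flagged and the ok-listed LAN host passed, which is why a `rebind-domain-ok` entry for the local domain helps only for local names; for a Pi-hole upstream the remaining choices are the ones the thread ends up with (turn the router's check off, since the Pi-hole is then the resolver that sees the real upstream answers) or keep it on and accept the noise, with `parse_warnings` giving a quick way to see which names are generating it.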
ArjenR49
DD-WRT User


Joined: 05 Oct 2008
Posts: 418
Location: Helsinki, Finland

Posted: Wed Jun 24, 2020 20:41
ArjenR49 wrote:
Alozaros wrote:
it seems you are not doing it right...
ask ggl
https://duckduckgo.com/?t=ffab&q=pi-hole+DNS+on+ddwrt+router&ia=web

many threads, even on the ddwrt forum, about it... I'm not going into details, you will find your way, I'm sure...

you have to add those lines to permit DNS to come from
another (LAN) router... kind of...

iptables -I INPUT -i br0 -p tcp --dport 53 -j ACCEPT
iptables -I INPUT -i br0 -p udp --dport 53 -j ACCEPT


iptables -I INPUT -i br0 -s 192.168.5.60 -p tcp --dport 53 -j ACCEPT
iptables -I INPUT -i br0 -s 192.168.5.60 -p udp --dport 53 -j ACCEPT


Those don't make the rebind attack warnings go away like disabling the No DNS rebind option in the GUI does ...

Back to what others have written on the subject.
johnnyNobody999
DD-WRT User


Joined: 10 Jan 2014
Posts: 433

Posted: Sun Jun 28, 2020 21:01
I just noticed these DNS rebind attack messages in my syslog (messages) also. I don't routinely check my logs, so I don't know how long this has been going on. I'm not sure what to do about it. I don't have any DNS servers running on my network, and the wikis for DNS don't seem to be current. I'm using dnscrypt-proxy2 from Entware, but I'm not sure of its interaction with dnsmasq, etc. I have "no dns rebind" enabled, so I'm assuming that these are attempted attacks and are being stopped. Here's an example from my log:

Jun 28 14:47:04 r7800master daemon.warn dnsmasq[1275]: possible DNS-rebind attack detected: mobile.pipe.aria.microsoft.com
Jun 28 14:47:26 r7800master daemon.warn dnsmasq[1275]: possible DNS-rebind attack detected: 90bfe346d566aa5b7b20eb26a8e26dc0.fp.measure.office.com
Jun 28 14:48:10 r7800master daemon.warn dnsmasq[1275]: possible DNS-rebind attack detected: cooper.logs.roku.com
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 7576
Location: Netherlands

Posted: Mon Jun 29, 2020 5:59
@johnnynobody please do not hijack a thread, start your own.