possible DNS-rebind attack detected with WireGuard

kc8tkr
DD-WRT Novice


Joined: 16 Apr 2020
Posts: 17

PostPosted: Fri Jan 15, 2021 20:32    Post subject: possible DNS-rebind attack detected with WireGuard
OK, hopefully some expert tech knows how to fix this problem, as I have searched all over the forum and all of them say to use the no-resolv option and use Google DNS, but I want to use just my VPN's DNS server. I have like 5 pages full of these "possible DNS-rebind attack detected" messages. I'm using a Netgear R7800 router with firmware DD-WRT v3.0-r45454 std (01/15/21).

Also, I just started using WireGuard, but it isn't any faster than OpenVPN for me; I'm still getting about 80 Mbps on the download.

Thank You.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12877
Location: Netherlands

PostPosted: Sun Jan 17, 2021 10:08    Post subject:
A rebind attack could be due to "bad" configuration, i.e. if you are using another DNS server in your domain with a private IP address.
If that is the case, you can allow rebinding for certain domains with something like:
rebind-domain-ok=/mydomain/

Of course it can be real, coming from websites which want to steal your DNS and reroute it.

WireGuard is about 3 times faster than OpenVPN, provided you get sufficient bandwidth from your ISP and VPN provider.

_________________
Routers: Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3, XR300: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2967
Location: Germany

PostPosted: Sun Jan 17, 2021 14:21    Post subject:
Looks to me like a blackhole server that blocks tracking and ads.

It will return something like 0.0.0.0 for the domains mentioned.

I do not see any normal domains there either.

Edit: workaround: disable "No DNS Rebind" in the Services tab.
blkt
DD-WRT Guru


Joined: 20 Jan 2019
Posts: 5690

PostPosted: Sun Jan 17, 2021 21:22    Post subject:
https://svn.dd-wrt.com/changeset/45397

https://svn.dd-wrt.com/changeset/45398

https://svn.dd-wrt.com/changeset/45399
kc8tkr
DD-WRT Novice


Joined: 16 Apr 2020
Posts: 17

PostPosted: Tue Jan 19, 2021 21:58    Post subject:
egc wrote:
A rebind attack could be due to "bad" configuration, i.e. if you are using another DNS server in your domain with a private IP address.
If that is the case, you can allow rebinding for certain domains with something like:
rebind-domain-ok=/mydomain/

Of course it can be real, coming from websites which want to steal your DNS and reroute it.

WireGuard is about 3 times faster than OpenVPN, provided you get sufficient bandwidth from your ISP and VPN provider.

Hey there egc, I am trying out Windscribe VPN and they only have 2 DNS servers to use. I went with them because they offered WireGuard for users with a DD-WRT router. I had Surfshark, but they don't currently support it with routers just yet; only their apps support it at this time. I'm thinking you are right, though, about the bandwidth from Windscribe. I have it working but just don't have the speed I was looking for. I get like 80-ish with WireGuard and less with OpenVPN. I disabled "No DNS Rebind" and all the warnings about rebind attacks are not there anymore.
kc8tkr
DD-WRT Novice


Joined: 16 Apr 2020
Posts: 17

PostPosted: Tue Jan 19, 2021 22:04    Post subject:
ho1Aetoo wrote:
Looks to me like a blackhole server that blocks tracking and ads.

It will return something like 0.0.0.0 for the domains mentioned.

I do not see any normal domains there either.

Edit: workaround: disable "No DNS Rebind" in the Services tab.

Hey there ho1Aetoo. Yes, you are right. I'm using Windscribe VPN and they have this feature they call "ROBERT" (blocks IPs and domains (ads) of your choice on all devices). I did disable "No DNS Rebind" like you said for the workaround and it worked.
kc8tkr
DD-WRT Novice


Joined: 16 Apr 2020
Posts: 17

PostPosted: Tue Jan 19, 2021 22:06    Post subject:
blkt wrote:
https://svn.dd-wrt.com/changeset/45397

https://svn.dd-wrt.com/changeset/45398

https://svn.dd-wrt.com/changeset/45399

Hi blkt, does this mean that it's being worked on by BrainSlayer to fix this issue?
blkt
DD-WRT Guru


Joined: 20 Jan 2019
Posts: 5690

PostPosted: Tue Jan 19, 2021 23:45    Post subject:
No, it's an explanation. Saw a few related changes recently, so try today's build.

https://svn.dd-wrt.com/changeset/45487

https://svn.dd-wrt.com/changeset/45488

New Build - 01/19/2021 - r45493
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2967
Location: Germany

PostPosted: Wed Jan 20, 2021 8:32    Post subject:
Quote:
R.O.B.E.R.T. is a DNS-level blocker

would also be a good explanation

https://blog.windscribe.com/how-r-o-b-e-r-t-works-76d627446083

Quote:
R.O.B.E.R.T. looks up the in-memory blocklist settings to see if there are rules for this domain. If there is a BLOCK rule, R.O.B.E.R.T. spoofs the response and returns 0.0.0.0


ho1Aetoo wrote:
Looks to me like a blackhole server that blocks tracking and ads.

It will return something like 0.0.0.0 for the domains mentioned.

I do not see any normal domains there either.

Edit: workaround: disable "No DNS Rebind" in the Services tab.


kc8tkr wrote:
Hi blkt, does this mean that it's being worked on by BrainSlayer to fix this issue?

Unfortunately no.
So, well, the message is unproblematic:
dnsmasq thinks the blocked domains are a DNS rebind attack and blocks them again,
but it does not change the functionality.
It is only quite annoying because it spams the log full.

Either live with the log spam or disable "No DNS Rebind".
There is no other solution at the moment.
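As an added example (not code from this thread, from DD-WRT or from dnsmasq), the following Python models the decision egc's `rebind-domain-ok` tip and ho1Aetoo's 0.0.0.0 explanation both turn on: an upstream A answer pointing at 0.0.0.0 or a private range is dropped and logged as a possible rebind unless the name falls under an allowed domain, and a small counter over constructed sample log lines shows which names are actually being flagged. The private-range list and the log line format are assumptions modelled on dnsmasq's behaviour, and the sample log is constructed, not taken from anyone's router.

```python
import ipaddress
import re
from collections import Counter

# Ranges the stop-dns-rebind check treats as "private" in an upstream answer
# (assumption: modelled on dnsmasq's private_net() list, incl. 0.0.0.0/8,
# which is why a 0.0.0.0 answer from a DNS-level blocker trips the check).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]

def parse_rebind_domain_ok(option_value):
    """Split a rebind-domain-ok value such as '/mydomain/other/' into domains."""
    return [d for d in option_value.split("/") if d]

def is_rebind_blocked(answer_ip, qname, ok_domains=()):
    """True if the resolver would drop this upstream answer and log
    'possible DNS-rebind attack detected: <qname>'."""
    qname = qname.rstrip(".").lower()
    for ok in ok_domains:
        ok = ok.lower()
        if qname == ok or qname.endswith("." + ok):
            return False  # name is under a rebind-domain-ok domain
    ip = ipaddress.ip_address(answer_ip)
    return any(ip in net for net in PRIVATE_NETS)

# Constructed sample syslog lines in dnsmasq's warning format; the hostnames
# mirror the ad/telemetry names posters in this thread mention.
SAMPLE_LOG = """\
Jan 15 20:10:01 router dnsmasq[1234]: possible DNS-rebind attack detected: app-measurement.com
Jan 15 20:10:02 router dnsmasq[1234]: possible DNS-rebind attack detected: www.googletagmanager.com
Jan 15 20:10:05 router dnsmasq[1234]: possible DNS-rebind attack detected: app-measurement.com
Jan 15 20:10:09 router dnsmasq[1234]: query[A] example.org from 192.168.1.20
"""

REBIND_RE = re.compile(r"possible DNS-rebind attack detected: (\S+)")

def flagged_domains(log_text):
    """Count which names triggered the warning, so blackholed ad/telemetry
    hosts can be told apart from anything unexpected in the log."""
    return Counter(m.group(1) for m in REBIND_RE.finditer(log_text))

if __name__ == "__main__":
    print(flagged_domains(SAMPLE_LOG))
    print(is_rebind_blocked("0.0.0.0", "app-measurement.com"))  # True
    print(is_rebind_blocked("0.0.0.0", "app-measurement.com",
                            parse_rebind_domain_ok("/app-measurement.com/")))  # False
```

Names that show up only because the upstream blocker answers 0.0.0.0 are harmless log noise; a private-range answer for a name you did not expect is the case the check exists for.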
johnnyNobody999
DD-WRT Guru


Joined: 10 Jan 2014
Posts: 504

PostPosted: Fri Feb 05, 2021 21:40    Post subject:
I get a similar issue on an older build (44700). I'm scratching my head about how to eliminate the problem.
PavelVD
DD-WRT User


Joined: 26 Jul 2019
Posts: 109

PostPosted: Sat Feb 06, 2021 7:27    Post subject:
I caught this spam in the log long ago. I don't know if I did the right thing; I did it like this:
Added one more file to "Additional Dnsmasq Options":
Code:
addn-hosts=/jffs/mybadhost

With records like:
Code:
0.0.0.0 tracker.grepler.com

There were fewer than 10 such entries, so this was not a problem. In this case, the option "No DNS Rebind" is set to Enable.

_________________
Linksys WRT1900ACSv2
Automatically adjustable temperature, always within the range of 59-68°C.
seanPH
DD-WRT Novice


Joined: 01 Jul 2021
Posts: 24

PostPosted: Tue Dec 07, 2021 11:39    Post subject: possible rebind attack and wireguard
Hi @egc, I read this post with interest, as I have a similar situation. I hope you can explain some detail.

Background:
I have 2 WireGuard VPN tunnels, and one accepts incoming traffic (port-forwarding). All that was working (e.g. the routes and the port-forwarding etc.) for weeks/months without any intervention required. "No DNS Rebind" was set to "enable".

The "DNS rebind" setting causes many messages in syslog "possible DNS-rebind attack". Those messages are not a problem for me. I do not believe those sites are trying to do a rebind attack. Example sites are:

activity.windows.com
app-measurement.com
collector.githubapp.com
incoming.telemetry.mozilla.org
self.events.data.microsoft.com
cstat.apple.com
telemetry.malwarebytes.com
umwatson.events.data.microsoft.com
www.googletagmanager.com

They seem trustworthy sites: Microsoft, Google, GitHub, Mozilla, etc. Even if trusted, I am still happy that DD-WRT blocks an attempted incoming connection. Everything else works on the LAN, so I did not think there was any problem.

Then this happened:
WireGuard tunnels had been up for many weeks. Web servers were running on some of the forwarded ports. ALL WAS WORKING for weeks. And then this morning the incoming connections to my servers were all DOWN (i.e. non-responsive). Outgoing was still working. I raised a ticket with the VPN provider, who confirmed "port-forwarding" was still enabled from their side.

I tried everything to fix for a few hours. Nothing working.

AND THEN... in a moment of desperation... I changed "No DNS Rebind" to "disable"... and everything immediately connected again... what? how? ?!?!?!??!?!? WTF?? Remember, IT WAS working, with "enable", for many weeks!! So what the hell was happening here???? I am trying to understand it (and also I do want "enable" for the protection), so then I changed it back to "enable"... and... connections STILL work with it back to enable....

So please, why is this so?? With it set to "enable", is it just on a count-down (several weeks) to fail again?? Or did something cause it??

It makes no sense to me. Am I exposed with it set to "disable"? Will the incoming ports stay up, for more than a few weeks, set to "disable"? Why should that setting make any difference?

Right now I have it set to "enable" and all is running.
foz111
DD-WRT Guru


Joined: 01 Oct 2017
Posts: 705
Location: Earth

PostPosted: Tue Dec 07, 2021 11:51    Post subject:
I am far from an expert, but messing around with my Pi-hole led me to conclude that if the DNS is not handled by the router (e.g. from a different IP to the router) I always seem to get rebind attacks in syslog, so disable "No DNS Rebind" in Services, job done.
_________________
Netgear R7800 PPPoE Main Router
Network IPV4 - Isolated Vlan's with IoT Devices. Unifi AC-Pro x 3 AP's, Router Wi-Fi Disabled. OVPN Server With Paid Commercial Wireguard Client's. Gateway Mode, DNSMasq, Static Leases & DHCP, Pi-Hole DNS & Running Unbound.

No one can build you the bridge on which you, and only you, must cross the river of life!
seanPH
DD-WRT Novice


Joined: 01 Jul 2021
Posts: 24

PostPosted: Tue Dec 07, 2021 12:39    Post subject:
@foz111

I agree with you that making it "disable" stops the messages in the syslog. BUT I do not care about the (warning only) messages in syslog. I prefer to have the protection against any rebind attacks...

My concern is: WHY should that setting make incoming traffic on a WireGuard tunnel fail after a few weeks?? Then toggle that setting and the incoming connections resume again... that is the head-spinning question for me 🤷🏻‍♂️
foz111
DD-WRT Guru


Joined: 01 Oct 2017
Posts: 705
Location: Earth

PostPosted: Tue Dec 07, 2021 12:57    Post subject:
I can't see why this would affect your WireGuard tunnel myself.
egc would be a better person to answer this. Just bear in mind that WireGuard tunnels take a few minutes to come up after applying settings. Another thing to check would be your log size; depending on the router, it may be getting very big with the DNS rebind messages.
With the latest WireGuard you can split DNS to pull from the tunnel. I am no expert, so I am clutching at straws; it may be good to grab logs if this happens again to see what the log says, as they may point you in the right direction.
