Posted: Fri Apr 22, 2022 15:35 Post subject: Possible DNS-rebind attack detected
My log is being flooded with the following line:
daemon.warn dnsmasq[10819]: possible DNS-rebind attack detected: dns.msftncsi.com
(always this address)
I have only noticed since upgrading to the recent firmware, but might have been there prior to this aswell (I just didnt notice/check).
I have tried to read up on it and initially thought perhaps it was my pi-hole that caused these rebind messages, but I have turned it off, and the entries are still finding their way in the log.
How can I:
1) correct the "issue"
2) atleast stop them from being logged as I am getting pages and pages with this stuff, making it harder to focus on whats actually going on.
Joined: 08 May 2018 Posts: 14221 Location: Texas, USA
Posted: Fri Apr 22, 2022 17:47 Post subject:
Not knowing your specific setup and configurations, I can only guess there is a misconfiguration somewhere causing this. That host is specific to Windows' internal internet connectivity check; more stupid sh*t M$ added that is completely unnecessary. If you are using a Pi-Hole, then DD-WRT shouldn't be serving your DNS queries.
Joined: 31 Jul 2021 Posts: 2146 Location: All over YOUR webs
Posted: Fri Apr 29, 2022 17:09 Post subject:
dns.msftncsi.com is used by windows to determine if an internet connection exists and set the adapter status accordingly, pi-hole or not it will happen. However pi-hole may make situation worse, no idea, I have max 5 entries in the routers log without pi-hole.
You can script something to grep these lines on the /var/log/messages and run every x minutes via cron and delete all such entries, idk any other way to cleanup the logs otherwise.
