Posted: Thu Jan 05, 2023 6:49 Post subject: Increasing number of "Possible DNS Rebind Attacks Detec
Code:
Dec 29 21:22:22 DD-WRT daemon.warn dnsmasq[9123]: possible DNS-rebind attack detected: addresseepaper.com
I'm seeing an increasing number of messages like this in my Syslog. It looks like it's a browser-based exploit, suggesting a security failure on the browser end?
Glad it was caught but worried about what might not be caught. _________________ Google is Spyware
Joined: 16 Nov 2015 Posts: 6410 Location: UK, London, just across the river..
Posted: Thu Jan 05, 2023 14:55 Post subject:
On my R7000 and R7800 I have lots of those... I guess it's something related to the dnsmasq option strict-order, or to your network having 2 DNS resolvers, like chained routers ahead/behind...
I also tend to believe that those are related to iPhone (smart device) DNS requests that try to use their baked-in DNS while you have forced DNS instead... _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
The message appears when DNS queries return private / non-public IP addresses,
e.g. if you run a network blocker at DNS level...
I have also seen VPN providers with ad blockers doing the same...
I have also seen IoT providers / camera manufacturers using such a technique for their products...
I have also seen Microsoft servers that return private addresses.
A lot of it is false positives; that's why my Pi-hole sticky says to disable "stop DNS rebind" on the router and enable it directly on the Pi-hole, otherwise you will have 1 million log entries.
There are also dubious sites that return private addresses from time to time....
As said, the messages in the log are harmless...
and even if private addresses are returned it does not mean that you have such a private address in the LAN that the attack could target.
Also, the DNS response is filtered when the message appears.
Windscribe R.O.B.E.R.T. looks up the in-memory blocklist settings to see if there are rules for this domain. If there is a BLOCK rule, R.O.B.E.R.T. spoofs the response and returns 0.0.0.0.
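To make the mechanism described in this post concrete, here is an added example (my own code, not from the thread, from DD-WRT or from dnsmasq) that models what dnsmasq's stop-dns-rebind option does with an upstream answer and tallies the resulting syslog lines. The rejected address ranges approximate the private_net()/private_net6() checks in dnsmasq's rfc1035.c and may not match a given release exactly; stop-dns-rebind, rebind-localhost-ok and rebind-domain-ok are real dnsmasq options, while the domain names, the answers and all log lines except the one quoted at the top of the thread are constructed for the example.

```python
"""Model of dnsmasq's --stop-dns-rebind filter and a tally of its syslog
warnings.  Added example for this thread; it is not dnsmasq code.  The
rejected ranges approximate private_net()/private_net6() in dnsmasq's
rfc1035.c; the exact list in a given dnsmasq release may differ."""

import ipaddress
import re
from collections import Counter
from typing import Iterable, Optional, Tuple

# Ranges rejected by --stop-dns-rebind (approximation): the 0.0.0.0/8 "this"
# network (which is why ad-blockers answering 0.0.0.0 trigger it), RFC 1918,
# link-local, broadcast, and for IPv6 the unspecified address, fe80::/10 and
# fc00::/7.  IPv4-mapped IPv6 answers are checked as their IPv4 address.
# Loopback is rejected too unless --rebind-localhost-ok is set.
_V4_REJECT = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "255.255.255.255/32")]
_V6_REJECT = [ipaddress.ip_network(n) for n in ("::/128", "fe80::/10", "fc00::/7")]
_V4_LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
_V6_LOOPBACK = ipaddress.ip_network("::1/128")

REBIND_LOG = "possible DNS-rebind attack detected: {}"
REBIND_RE = re.compile(r"dnsmasq\[\d+\]: possible DNS-rebind attack detected: (\S+)")


def is_rebind_address(addr: str, localhost_ok: bool = False) -> bool:
    """True if the rebind filter would reject this A/AAAA answer address."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # e.g. ::ffff:10.1.2.3 is judged as 10.1.2.3
    if ip.version == 4:
        if ip in _V4_LOOPBACK:
            return not localhost_ok
        return any(ip in net for net in _V4_REJECT)
    if ip in _V6_LOOPBACK:
        return not localhost_ok
    return any(ip in net for net in _V6_REJECT)


def check_answer(name: str, answers: Iterable[str], ok_domains: Iterable[str] = (),
                 localhost_ok: bool = False) -> Tuple[bool, Optional[str]]:
    """Decide what --stop-dns-rebind does with an upstream reply for `name`.

    Returns (rejected, syslog_message).  Names under a --rebind-domain-ok
    domain are exempt; otherwise one rejected address is enough for dnsmasq
    to drop the whole reply and log the warning, so the client never sees
    the private address (this is what the post above calls "filtered")."""
    name = name.rstrip(".").lower()
    for ok in ok_domains:
        ok = ok.strip("/").lower()  # accept the /domain/ spelling from dnsmasq.conf
        if name == ok or name.endswith("." + ok):
            return False, None
    if any(is_rebind_address(a, localhost_ok) for a in answers):
        return True, REBIND_LOG.format(name)
    return False, None


def tally_rebind_log(lines: Iterable[str]) -> Counter:
    """Count rebind warnings per queried name, so repeat offenders (an
    ad-block list, a camera vendor's cloud name) stand out from one-offs."""
    counts: Counter = Counter()
    for line in lines:
        m = REBIND_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


# Constructed syslog lines, modelled on the one quoted at the top of the thread.
SAMPLE_SYSLOG = [
    "Dec 29 21:22:22 DD-WRT daemon.warn dnsmasq[9123]: possible DNS-rebind attack detected: addresseepaper.com",
    "Dec 29 21:22:23 DD-WRT daemon.warn dnsmasq[9123]: possible DNS-rebind attack detected: ads.blocklist.test",
    "Dec 29 21:22:25 DD-WRT daemon.warn dnsmasq[9123]: possible DNS-rebind attack detected: ads.blocklist.test",
    "Dec 29 21:22:26 DD-WRT daemon.info dnsmasq[9123]: query[A] www.example.test from 192.168.1.20",
]

# Constructed upstream answers (hypothetical names) covering the cases in the post.
SAMPLE_ANSWERS = [
    ("ads.blocklist.test", ["0.0.0.0"], {}),                       # ad-block sinkhole
    ("cam.iotvendor.test", ["192.168.1.50"], {}),                  # IoT device's LAN address
    ("cam.iotvendor.test", ["192.168.1.50"],
     {"ok_domains": ["/iotvendor.test/"]}),                        # exempted via rebind-domain-ok
    ("localhost.service.test", ["127.0.0.1"], {"localhost_ok": True}),
    ("www.example.test", ["203.0.113.10", "2001:db8::10"], {}),    # ordinary public answer
    ("v4mapped.example.test", ["::ffff:10.1.2.3"], {}),            # mapped private address
]

if __name__ == "__main__":
    for name, answers, kwargs in SAMPLE_ANSWERS:
        rejected, msg = check_answer(name, answers, **kwargs)
        print(f"{name:24} {answers!s:32} -> {'DROP + log' if rejected else 'pass'}")
    for name, n in tally_rebind_log(SAMPLE_SYSLOG).most_common():
        print(f"{n:3}x {name}")
```

Running the script shows the three situations the post lists: a sinkhole answer of 0.0.0.0 is dropped and logged exactly like a real rebind attempt, a vendor name that legitimately resolves to a LAN address is dropped unless it is whitelisted with rebind-domain-ok, and a public answer passes untouched. The tally over the syslog lines is what you would run on the router's log to see whether the "increasing number" of warnings is a handful of names repeating (ad-block or vendor traffic) or many distinct names (worth a closer look).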
Joined: 16 Nov 2015 Posts: 6410 Location: UK, London, just across the river..
Posted: Fri Jan 06, 2023 9:17 Post subject:
ho1Aetoo wrote:
The message appears when DNS queries return private / non-public IP addresses,
e.g. if you run a network blocker at DNS level...
I have also seen VPN providers with ad blockers doing the same...
I have also seen IoT providers / camera manufacturers using such a technique for their products...
I have also seen Microsoft servers that return private addresses.
A lot of it is false positives.....
Yep, correct..
- Yes, I do run an ad-blocker, and I can see those names are even blocked on the Quad9 list too..
- I'm also using a VPN
- I have dns-loop-detect in dnsmasq, and I'm also using a DNS stub resolver, one more reason I guess...
- "I have also seen Microsoft servers that return private addresses" ... Apple, and some others too
- I'm not bothered, just announcing that those are notable too.. I haven't changed my DNS ever since, and back in the day those were not notable, unless...