AP+STA page guides to disable DNS rebind protection

Late · January 5, 2021, 1:03am

I configured AP+STA for me thanks to this Wiki page https://openwrt.org/docs/guide-user/network/wifi/ap_sta. I actually did it through the web and at the end I kept DNS rebind protection enabled as I couldn't figure out why it should be disabled. Is it really necessary to disable the protection for some reason?

I'm not an expert on the subject but based on the knowledge I have I didn't understand why the protection would be harmful in this situation.

vgaetera · January 5, 2021, 8:08am

Not really, it appears to be unrelated.
I've updated the page.

vernonjvs · January 6, 2021, 9:28pm

Disabling re-bind protection is required if you want to be able to do DNS lookups for devices on the LAN that your OpenWrt router is connected,

Also, please explain how all the changes you have made to this Wiki constitute an improvement.

dibdot · January 6, 2021, 9:44pm

It's relevant whenever you'll try to connect to captive portals ... travelmate automates this process, it adds the respective captive portal domain to the rebind protection whitelist.

vgaetera · January 6, 2021, 11:35pm

This sounds like a huge security implication that should not be performed by default.
It can be mentioned in the extras if a specific use case depends on it.

This can help achieve a reproducible result and minimize error rate by the following means:

Utilize the standard UCI API and perform the modification incrementally and preferably automated.
Use the appropriate code syntax highlighter and consistent naming for the respective config sections.

Looks like a good idea to limit potential risks.

vernonjvs · January 7, 2021, 3:35am

You have taken a configuration that works for everyone and changed it to a configuration that only works for some without any caveats or explanation.

That's fine if you want to add a uci command line method to the wiki. However removing configurations that work for everyone and removing other methods of doing things that are not to your liking does not improve the wiki - it vandalizes it.

vgaetera · January 7, 2021, 9:22am

It appears that the requirement of disabling rebind protection depends on a specific use case.
However, neither the use case was properly explained, nor its importance for the goal of the article.
At the same time, the the modification involves security implications.
Thus, it's not clear why all users need to take unnecessary security risk.

system · February 9, 2021, 11:35pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.