Since enabling DNSSEC and DoT with dnsmasq and stubby I am getting a lot of rebind attack warnings:
Thu Jun 20 12:18:23 2019 daemon.warn dnsmasq[31663]: possible DNS-rebind attack detected: pagead46.l.doubleclick.net
Thu Jun 20 12:18:39 2019 daemon.warn dnsmasq[31663]: possible DNS-rebind attack detected: adservice.google.co.uk
Thu Jun 20 12:18:39 2019 daemon.warn dnsmasq[31663]: possible DNS-rebind attack detected: clarium.global.ssl.fastly.net
Thu Jun 20 12:18:45 2019 daemon.warn dnsmasq[31663]: possible DNS-rebind attack detected: s0.2mdn.net
Thu Jun 20 12:18:45 2019 daemon.warn dnsmasq[31663]: possible DNS-rebind attack detected: googleads4.g.doubleclick.net
Thu Jun 20 12:18:48 2019 daemon.warn dnsmasq[31663]: possible DNS-rebind attack detected: sync.colossusssp.com
Thu Jun 20 12:18:48 2019 daemon.warn dnsmasq[31663]: possible DNS-rebind attack detected: ads.yahoo.com
Thu Jun 20 12:18:48 2019 daemon.warn dnsmasq[31663]: possible DNS-rebind attack detected: a.tribalfusion.com
Thu Jun 20 12:18:50 2019 daemon.warn dnsmasq[31663]: possible DNS-rebind attack detected: ps.eyeota.net
Thu Jun 20 12:19:41 2019 daemon.warn dnsmasq[31663]: possible DNS-rebind attack detected: stats.g.doubleclick.net
Thu Jun 20 12:23:19 2019 daemon.warn dnsmasq[31663]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Thu Jun 20 12:23:59 2019 daemon.warn dnsmasq[31663]: possible DNS-rebind attack detected: adservice.google.com
Thu Jun 20 12:41:30 2019 daemon.warn dnsmasq[31663]: possible DNS-rebind attack detected: app.link
Thu Jun 20 12:43:45 2019 daemon.warn dnsmasq[31663]: possible DNS-rebind attack detected: s0.2mdn.net
Thu Jun 20 12:43:46 2019 daemon.warn dnsmasq[31663]: possible DNS-rebind attack detected: googleads4.g.doubleclick.net
Thu Jun 20 12:43:47 2019 daemon.warn dnsmasq[31663]: possible DNS-rebind attack detected: sync.mathtag.com
Thu Jun 20 12:43:47 2019 daemon.warn dnsmasq[31663]: possible DNS-rebind attack detected: aax-eu.amazon-adsystem.com
Thu Jun 20 12:43:48 2019 daemon.warn dnsmasq[31663]: possible DNS-rebind attack detected: tps20515.doubleverify.com
Thu Jun 20 12:43:49 2019 daemon.warn dnsmasq[31663]: possible DNS-rebind attack detected: cm.adgrx.com
Thu Jun 20 12:46:30 2019 daemon.warn dnsmasq[31663]: possible DNS-rebind attack detected: stats.g.doubleclick.net
Thu Jun 20 12:46:37 2019 daemon.warn dnsmasq[31663]: possible DNS-rebind attack detected: simage2.pubmatic.com
Thu Jun 20 12:46:37 2019 daemon.warn dnsmasq[31663]: possible DNS-rebind attack detected: pixel.advertising.com
Thu Jun 20 12:48:04 2019 daemon.warn dnsmasq[31663]: possible DNS-rebind attack detected: googleads.g.doubleclick.net
Thu Jun 20 12:48:33 2019 daemon.warn dnsmasq[31663]: possible DNS-rebind attack detected: sa.bbc.co.uk
Thu Jun 20 12:50:32 2019 daemon.warn dnsmasq[31663]: possible DNS-rebind attack detected: iphonesubmissions.apple.com
Thu Jun 20 12:52:58 2019 daemon.warn dnsmasq[31663]: possible DNS-rebind attack detected: l3.aaxads.com
Thu Jun 20 12:56:50 2019 daemon.warn dnsmasq[31663]: possible DNS-rebind attack detected: api2.branch.io
Thu Jun 20 12:58:26 2019 daemon.warn dnsmasq[31663]: possible DNS-rebind attack detected: nexus.officeapps.live.com
Thu Jun 20 13:03:16 2019 daemon.warn dnsmasq[31663]: possible DNS-rebind attack detected: a.adtng.com
Thu Jun 20 13:10:40 2019 daemon.warn dnsmasq[31663]: possible DNS-rebind attack detected: prod-w.nexus.live.com.akadns.net
Thu Jun 20 13:10:45 2019 daemon.warn dnsmasq[31663]: possible DNS-rebind attack detected: onecollector.cloudapp.aria.akadns.net
Thu Jun 20 13:13:52 2019 daemon.warn dnsmasq[31663]: possible DNS-rebind attack detected: consent.google.com
Thu Jun 20 13:19:35 2019 daemon.warn dnsmasq[31663]: possible DNS-rebind attack detected: www.googleadservices.com
Thu Jun 20 13:30:45 2019 daemon.warn dnsmasq[31663]: possible DNS-rebind attack detected: pagead46.l.doubleclick.net
Thu Jun 20 13:30:54 2019 daemon.warn dnsmasq[31663]: possible DNS-rebind attack detected: pixel.quantserve.com
Thu Jun 20 13:30:56 2019 daemon.warn dnsmasq[31663]: possible DNS-rebind attack detected: usage.trackjs.com
Thu Jun 20 13:32:31 2019 daemon.warn dnsmasq[31663]: possible DNS-rebind attack detected: api2.branch.io
While these all appear to be web tracking utilities (and probably not a bad thing they are blocked) I don't understand why they are being blocked. A few other threads have suggested that AdBlock must be enabled, but AdBlock is very definitely disabled on my system.
Another thread suggested I should simply disable re-bind protection - but again didn't explain why.
Are these sites actually doing something nefarious? Or are they false positives? If so, what 'rule' are they violating to get classed as rebind attacks?
You definitely should not disable rebinding, none of these hostnames should provide an RFC1918 IP as its reply for an A Record. That is the reason for rebind protection - when you expect such upstream DNS replies.
So, you need to understand why your configured upstream DNS servers are providing RFC1918 or localhost IPs as replies.
You seem to be using dnsmasq to query another DNS on the same router, and they do not play along very well... I would report this to the creator of that guide.
No, I know the origin of them... they came from the guide I linked.
Dangerous? I think you need to chill a little. DNS is all a trust game, unless you happen to run your own network of global high availability DNS servers, you are also blindly trusting someone's DNS servers. Just because you typed the IP in yourself doesn't make them any more private/secure.
Do you have a list of personally researched DNS over TLS supporting servers with the exact criteria you use to decide whether to allow them into your resolver list? That guy does, and lists his sources, so I'm inclined to trust his judgement and recommendations.
If you have other recommendations on the subject, I'd gladly consider them.
Yeah, it's fairly common setup, using dnsmasq to resolve locally and forwarding WAN requests onto Stubby to upstream servers over TLS.
They do play along pretty well, I'm only getting a 'rebind-attack' warning one in about every 10,000 requests and they all seem to be for tracking/advertising type DNS names. It's possible one of the upstream servers is doing some sort of tracking protection/filtering, but I still don't see how that would logically trigger rebind warnings in dnsmasq.
Never trusted random DNS servers (not even my ISP's) - perhaps we differ on that.
Nope, only standard DNS servers using IPv4 and IPv6 - not these "DNS over TLS" ones... I do research mine; how many hops between them; etc. And I know if they block things or not.
This is also why I asked you, since yours don't respond to normal queries, I can't test if they're blocking.
Again, do you know if they block?
One common way to block is to give a rebind reply, such as localhost (127.0.0.1). This is why I'm asking you.
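As an added example (not code from this thread or from dnsmasq), a small Python check of what actually trips the warning: it classifies an upstream's A-record answer the way dnsmasq's stop-dns-rebind does, and tallies the warning lines from a log so you can see whether the flagged names cluster. Only RFC1918 and 127/8 are named in the thread; the other ranges are my reading of dnsmasq's private_net() and are marked as an assumption in the comments, and the sample log lines and answers are constructed.

```python
import ipaddress
import re
from collections import Counter

# Answers in these ranges are what make dnsmasq log "possible DNS-rebind attack
# detected". RFC1918 and 127/8 are the cases named in the thread; the rest are my
# reading of dnsmasq's private_net() (an assumption: check your build's source).
REBIND_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",       # RFC1918
    "0.0.0.0/8",              # "this" network; 0.0.0.0 is a common blocklist answer
    "169.254.0.0/16",         # link-local / zeroconf
    "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24",  # documentation test-nets
    "255.255.255.255/32",
)]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def triggers_rebind(answer, rebind_localhost_ok=False):
    """True if dnsmasq with stop-dns-rebind would reject this IPv4 A-record answer.
    rebind_localhost_ok mirrors the dnsmasq option that exempts 127.0.0.0/8."""
    ip = ipaddress.ip_address(answer)
    if ip.version != 4:
        return False                      # only the IPv4 check is modelled here
    if ip in LOOPBACK:
        return not rebind_localhost_ok
    return any(ip in net for net in REBIND_RANGES)

def suspect_answers(answers, rebind_localhost_ok=False):
    """{name: [A answers from one upstream]} -> {name: [answers that would trip it]}."""
    out = {}
    for name, ips in answers.items():
        bad = [a for a in ips if triggers_rebind(a, rebind_localhost_ok)]
        if bad:
            out[name] = bad
    return out

WARN_RE = re.compile(r"possible DNS-rebind attack detected: (\S+)")
def flagged_names(log_text):
    """Tally which names dnsmasq has flagged, to see if they cluster (ad/tracking)."""
    return Counter(WARN_RE.findall(log_text))
# Constructed sample input, not captured from a live router.
SAMPLE_LOG = """\
Thu Jun 20 12:18:45 2019 daemon.warn dnsmasq[31663]: possible DNS-rebind attack detected: s0.2mdn.net
Thu Jun 20 12:41:30 2019 daemon.warn dnsmasq[31663]: possible DNS-rebind attack detected: app.link
Thu Jun 20 12:43:45 2019 daemon.warn dnsmasq[31663]: possible DNS-rebind attack detected: s0.2mdn.net
"""
SAMPLE_ANSWERS = {"s0.2mdn.net": ["0.0.0.0"],     # what a filtering upstream returns
                  "app.link": ["127.0.0.1"],
                  "ok.example": ["1.2.3.4"]}      # an ordinary public answer
```

To find the filtering upstream, query each server in stubby's list for one flagged name with a DoT-capable client (for example kdig with +tls) and pass the A answers to suspect_answers(); the server whose answers come back flagged is the one returning blocklist addresses.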
I've reviewed in detail the servers in the list. One, 'BlahDNS' was claiming to block 'analytics' services. I have removed this from the list and will see what happens.
Dear supersebbo,
Hello and I hope that you are well. Things change and are dynamic - such as in life - this especially applies to DNS PRIVACY TEST SERVERS. Here are the servers I run currently - I have found that less is more. See file here:
upstream_recursive_servers:
# IPV4 Servers
### DNS Privacy Test Servers ###
#The DNS Warden DNS TLS Primary Server
  - address_data: 116.203.70.156
    tls_auth_name: "dot1.dnswarden.com"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: aPns02lcGrDxnJQcRSHN8Cfx0XG+IXwqy5ishTQtzR0=
## The Surfnet/Sinodun DNS TLS Server
  - address_data: 145.100.185.18
    tls_port: 853
    tls_auth_name: "dnsovertls3.sinodun.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 5SpFz7JEPzF71hditH1v2dBhSErPUMcLPJx1uk2svT8=
#The BlahDNS German DNS TLS Server
  - address_data: 159.69.198.101
    tls_auth_name: "dot-de.blahdns.com"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: GsfF6a28usi59J/pUUtqbyfmmyKE7+7OfzdLXzUt/Aw=
#The Primary appliedprivacy.net DNS TLS Server
  - address_data: 37.252.185.232
    tls_auth_name: "dot1.appliedprivacy.net"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: TvTo5uauOH66/Vnxl2QHwBhN9xdU0Zp1Jeqi+byC1p4=
#The Secure DNS Project by PumpleX DNS TLS Server
  - address_data: 51.38.83.141
    tls_auth_name: "dns.oszx.co"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: yevnTQfRqEOU1W8rUBABZRgToMgAwRn0eH7zJeBcq0s=
### Anycast DNS Privacy Public Resolvers ###
#Quad9 'secure' DNS TLS Secondary Server
  - address_data: 149.112.112.112
    tls_auth_name: "dns.quad9.net"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: /SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg=
These servers all rate A+ on https://www.immuniweb.com/ssl/?id=Su8SeUQ4 - so check this out. I do not know if it will fix your problem because I run UNBOUND in conjunction with Stubby.
Peace
I use simple https-dns-proxy and see similar DNS-rebind attack warnings. I do use ad blocking DNS servers (AdGuard, LibreDNS), so is it normal to see those messages?
This is not suitable for @bw4517 because it partially disables rebinding protection which he doesn’t want to do, and it requires the installation of a different DNS proxy which he also doesn’t want to do.