DNS rebind attacks?

daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com

Internet just dropped out for some reason (hoping to diagnose...). In the log I can see this around the time of the disconnect; anything to be worried about?

1 Like

That is a Microsoft official internet connectivity test domain and it is supposed to resolve to a public IP address. When dnsmasq alerts about a rebind attack attempt, that means that instead of returning a public internet IP, your upstream DNS server replied with a private IP address in the 10.x.x.x, 172.16.x.x, 192.168.x.x or 127.x.x.x range. It could be an indication that your upstream provider (usually your ISP) is hijacking DNS requests for filtering or advertising purposes.

Or maybe there’s just a planned or unplanned downtime and your ISP provided modem is answering requests with a wildcard response directing to the IP of a status page or similar.

7 Likes

The IPv6 AAAA response is a ULA address (fd3e:4f5a:5b81::1) which dnsmasq will flag as a rebind attack.

4 Likes

Yep, I started seeing this after switching to a new ISP. Although I never saw this while I was still with my previous ISP, that was because my previous ISP didn't support IPv6 at all (and I also had just about everything IPv6-related disabled under OpenWrt back then).

After looking through the man page for dnsmasq, I found out it's possible to whitelist domains from these rebind checks. So I added rebind-domain-ok=dns.msftncsi.com to my /etc/dnsmasq.conf, then restarted the dnsmasq service, and now things are looking better on my end.

Without that option set in dnsmasq's config, the log spam will only become very annoying with dozens (or perhaps, hundreds) of Windows clients on the same network, as that Microsoft domain is part of how Windows checks for Internet connectivity.

4 Likes
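To make the replies above concrete, here is a small added example (not from the thread or from dnsmasq itself) that models the rebind check: it flags answers in the private IPv4 ranges the first reply lists plus the IPv6 ULA range from the second reply, and shows how a `rebind-domain-ok` allowlist suppresses the flag for `dns.msftncsi.com`. The exact range list and the subdomain matching are assumptions; dnsmasq's man page is authoritative.

```python
# Added example: a model of dnsmasq's DNS-rebind check, not dnsmasq's own code.
import ipaddress

# Ranges treated as "private" in this model. IPv4: RFC 1918 plus loopback,
# as the first reply describes. IPv6: ULA (fc00::/7), as the second reply
# describes. Assumption: dnsmasq's real list may be broader (see its man page).
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "fc00::/7",
)]


def is_private(addr: str) -> bool:
    """True if the answer address falls in one of the modelled private ranges."""
    ip = ipaddress.ip_address(addr)
    # 'in' is False when the address and network are different IP versions.
    return any(ip in net for net in PRIVATE_RANGES)


def in_allowlist(name: str, allow: list) -> bool:
    """Model of rebind-domain-ok: assumed to match the domain and its subdomains."""
    name = name.rstrip(".").lower()
    allowed = [d.rstrip(".").lower() for d in allow]
    return any(name == d or name.endswith("." + d) for d in allowed)


def flagged_answers(name: str, answers: list, allow: list = ()) -> list:
    """Return the answer addresses that would trip the rebind check.

    An empty list means dnsmasq would pass the response through unflagged.
    """
    if in_allowlist(name, list(allow)):
        return []
    return [a for a in answers if is_private(a)]


# Constructed sample: the ULA AAAA answer the second reply mentions next to a
# public A record (the IPv4 value is a documentation address, not Microsoft's).
SAMPLE_NAME = "dns.msftncsi.com"
SAMPLE_ANSWERS = ["203.0.113.10", "fd3e:4f5a:5b81::1"]

if __name__ == "__main__":
    print("without allowlist:", flagged_answers(SAMPLE_NAME, SAMPLE_ANSWERS))
    print("with rebind-domain-ok=dns.msftncsi.com:",
          flagged_answers(SAMPLE_NAME, SAMPLE_ANSWERS, ["dns.msftncsi.com"]))
```

The allowlist only silences the warning for that one domain; a private answer for any other name is still reported, which is the behaviour you want to keep.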