Domain whitelist for Rebind Protection not working

Hey guys, I'm trying to exclude my DuckDNS domain from rebind protection, but despite adding it to the whitelist it still throws RFC1918 errors when I try to access my server through my DuckDNS domain while connected to my Wi-Fi network. My OpenWrt version is OpenWrt 19.07.7 r11306-c4a6851c72 and the router I have is an Archer A7 V5. My setup basically involves an Nginx instance on a machine on the network that redirects any traffic coming from my DuckDNS domain to my server, so my server isn't directly exposed to the internet.

# Exempt one domain from dnsmasq's rebind protection (rebind_domain is a list
# option, so add_list appends rather than replaces).
# "example.org" is a placeholder: substitute the hostname that is allowed to
# resolve to an RFC1918 address (here, the DuckDNS name). The real hostname has
# to end up verbatim in /etc/config/dhcp; leaving the placeholder in exempts nothing.
uci add_list dhcp.@dnsmasq[0].rebind_domain="/example.org/"
uci commit dhcp
/etc/init.d/dnsmasq restart

https://openwrt.org/docs/guide-user/base-system/dhcp#all_options


Not working, I had already added it to the exceptions in LuCI.

I also tried running DuckDNS in another Docker container on the machine that's running my server, but that has the same RFC1918 issue too; even with DNS rebinding off I still get the issue. I'm not really sure what it could be at this point <_>

And when I restarted dnsmasq, I get this in the terminal

udhcpc: started, v1.30.1
udhcpc: sending discover
udhcpc: no lease, failing

I tried 'router_ip' but I just get a "Resource not available" error.

What is your runtime network config/status on the client?

I'm not sure how I would check that; all I know is that I can access things like my Plex server directly from within the server via plex.direct, but I can't access my DuckDNS server.

Check on OpenWrt:

# Compare a public resolver's answer with the router's own dnsmasq: if the first
# fails the record is missing publicly (DDNS problem); if only the second fails
# the problem is local (rebind filtering or a local override).
# "your.domain" is a placeholder for the DDNS hostname.
nslookup your.domain 8.8.8.8
nslookup your.domain localhost

It can't find my domain when I run the command with either localhost or 8.8.8.8; it just says `*** Can't find domain: No answer`.

Sounds like a problem with your DDNS configuration.

How do I fix it? I followed the steps on DuckDNS's install page for OpenWrt, and I can access the server when I'm not on the local network; I'm not sure what could be wrong.

I can't figure out why it's not working, do you have any idea on what I can do?

It's weird that Google DNS cannot resolve your domain.
Perhaps you should try other public resolvers:
https://en.wikipedia.org/wiki/Public_recursive_name_server

It doesn't work with any of the other DNS resolvers either when I run the nslookup command. I have no idea why it's not working, as I did have it working a couple of months ago (but I don't remember exactly how I had it set up; it's a pretty similar setup on the router to what I have now).

Perhaps you should start posting configs and maybe someone will notice the problem.

Had to repost to remove sensitive data from one of the lines

DuckDNS

# /etc/config/ddns as posted: two DuckDNS hostnames, each updated with the address
# of the 'wan' interface (ip_source 'network' + ip_network 'wan'), checked every
# 10 minutes and forced every 72 hours.
# NOTE(review): both update_url entries use plain http://, so the DuckDNS token
# ([PASSWORD]) is sent in cleartext on every update; the same endpoint is reachable
# as https://www.duckdns.org/update, so the scheme is worth changing.
# NOTE(review): if the ISP assigns the wan interface a private or CGNAT address,
# that is the address that gets published — confirm with the nslookup against
# 8.8.8.8 quoted above, which currently returns no record at all.
config service 'DuckDNS'
        option enabled '1'
        option domain 'vpnexample.duckdns.org'
        option username 'vpnexample'
        option password 'XXXXXXXXXXX'
        option ip_source 'network'
        option ip_network 'wan'
        option force_interval '72'
        option force_unit 'hours'
        option check_interval '10'
        option check_unit 'minutes'
        option update_url 'http://www.duckdns.org/update?domains=[USERNAME]&token=[PASSWORD]&ip=[IP]'
        # lookup_host is the name the client resolves to decide whether an update is needed
        option lookup_host 'vpnexample.duckdns.org'

config service 'DuckDNS_NC'
        option enabled '1'
        option domain 'ncexample.duckdns.org'
        option username 'ncexample'
        option password 'xxxxxxxx'
        option ip_source 'network'
        option ip_network 'wan'
        option force_interval '72'
        option force_unit 'hours'
        option check_interval '10'
        option check_unit 'minutes'
        option update_url 'http://www.duckdns.org/update?domains=[USERNAME]&token=[PASSWORD]&ip=[IP]'
        option lookup_host 'ncexample.duckdns.org'

Firewall

# /etc/config/firewall as posted. The defaults are input/output ACCEPT with
# forward REJECT; each zone overrides them, so exposure is decided by the wan
# zone (input REJECT, masq) and by the redirects at the end of this file.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

# NOTE(review): 224.0.0.251 is the mDNS multicast *destination* group; it does not
# occur as a packet's source address, so with it in src_ip this rule is unlikely
# to match anything. Without that src_ip the rule (src '*') would admit UDP/5353
# from every zone, wan included — confirm what it is meant to allow before changing it.
config rule
        option src_port '5353'
        list proto 'udp'
        option name 'Allow mDNS'
        list src_ip '224.0.0.251'
        option target 'ACCEPT'
        option dest_port '5353'
        option src '*'

# Stock OpenWrt wan-input rules (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6, IPsec).
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# /etc/firewall.user is included but its contents are not part of the post.
config include
        option path '/etc/firewall.user'

# IOTZone: input ACCEPT lets IoT devices reach every service on the router, unlike
# GuestZone below (input REJECT plus an explicit 53/67-68 rule). The 'IOT DHCP and
# DNS' rule further down is redundant while input is ACCEPT; switching this zone
# to input REJECT would make that rule the only opening, matching the guest pattern.
config zone
        option output 'ACCEPT'
        option input 'ACCEPT'
        option network 'iot'
        option forward 'REJECT'
        option name 'IOTZone'

config forwarding
        option src 'lan'
        option dest 'IOTZone'

config forwarding
        option dest 'wan'
        option src 'IOTZone'

config zone
        option forward 'REJECT'
        option output 'ACCEPT'
        option input 'REJECT'
        option network 'guest'
        option name 'GuestZone'

config forwarding
        option dest 'wan'
        option src 'GuestZone'

config rule
        option name 'Guest DHCP and DNS'
        option target 'ACCEPT'
        option dest_port '53 67-68'
        option src 'GuestZone'

config rule
        option name 'IOT DHCP and DNS'
        option dest_port '53 67-68'
        option target 'ACCEPT'
        option src 'IOTZone'

config rule 'ovpn'
        option name 'Allow-OpenVPN'
        option dest_port '1194'
        option proto 'udp'
        option target 'ACCEPT'
        option src 'wan'

# VPNZone forwards to IOTZone and wan only; there is no forwarding to 'lan'.
config zone
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option name 'VPNZone'
        option output 'ACCEPT'
        option network 'tun0'

config forwarding
        option src 'VPNZone'
        option dest 'IOTZone'

config forwarding
        option dest 'wan'
        option src 'VPNZone'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

# Port forwards. 'Plex' maps wan:48562 -> 192.168.4.120:32400 only.
config redirect
        option dest_port '32400'
        option src 'wan'
        option name 'Plex'
        option src_dport '48562'
        option target 'DNAT'
        option dest_ip '192.168.4.120'
        option dest 'IOTZone'

# NOTE(review): the two Nginx redirects carry no src_dport/dest_port and
# proto 'all', so as written each DNATs every protocol and port arriving on wan
# to 192.168.4.120 — the whole host is exposed, not just the web ports (and the
# second rule duplicates the first). This catch-all would likely also capture
# udp/1194 ahead of the 'Allow-OpenVPN' input rule above. The names suggest the
# intent was tcp/80 and tcp/443: `option proto 'tcp'`, `option src_dport '80'`,
# `option dest_port '80'` on the first and 443 on the second.
config redirect
        option src 'wan'
        option name 'Nginx Http'
        option target 'DNAT'
        option dest_ip '192.168.4.120'
        option dest 'IOTZone'
        list proto 'all'

config redirect
        option src 'wan'
        option name 'Nginx Https'
        option target 'DNAT'
        option dest_ip '192.168.4.120'
        option dest 'IOTZone'
        list proto 'all'

DHCP

# /etc/config/dhcp as posted. logqueries '1' is already on, so `logread` on the
# router shows each query and whether dnsmasq dropped the answer as a rebind hit —
# the quickest way to confirm which name is actually being filtered.
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option confdir '/tmp/dnsmasq.d'
        option logqueries '1'
        option domain 'lan'
        option local '/lan/'
        # Rebind exemptions: only 'plex.direct' and 'example.org' are listed, while the
        # DDNS names used elsewhere in this post are under duckdns.org. If 'example.org'
        # is literally what is stored (it matches the placeholder in the uci add_list
        # command quoted earlier) rather than a redaction, the exemption never covers
        # the DuckDNS hostname, which would explain the RFC1918 rejection for it.
        list rebind_domain 'plex.direct'
        list rebind_domain 'example.org'
        option rebind_protection '1'
        option rebind_localhost '1'
        # localservice: answer DNS only for directly attached subnets
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'iot'
        option start '100'
        option leasetime '12h'
        option limit '150'
        option interface 'iot'

config dhcp 'guest'
        option start '100'
        option limit '150'
        option interface 'guest'
        option leasetime '1h'

# Static lease for the host that receives the port forwards (192.168.4.120 on 'iot').
config host
        option mac 'DC:A6:32:99:DE:DA'
        option dns '1'
        option name 'omvpi'
        option ip '192.168.4.120'

# Local override: dnsmasq should answer ncexample.duckdns.org from this record
# instead of forwarding upstream, so rebind protection is not what would block
# that name. vpnexample.duckdns.org has no such entry and is resolved upstream.
# Since the nslookup reported earlier also failed against 8.8.8.8, the public
# record itself appears to be missing — a DDNS update problem rather than a dnsmasq one.
config domain
        option name 'ncexample.duckdns.org'
        option ip '192.168.4.120'

Network

# /etc/config/network as posted.
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdcf:4989:b220::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config device 'wan_eth0_2_dev'
        option name 'eth0.2'
        option macaddr '98:da:c4:7c:0d:24'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 2 3 4 5'
        option vid '1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 1'
        option vid '2'

# NOTE(review): 10.23.36.0 with a /24 mask is the subnet's network address, not a
# host address; the router side is normally .1 (compare 'iot' below). Neither
# 'guest' nor 'iot' lists an ifname, so each bridge presumably carries only the
# wifi-iface attached to it in the Wireless section.
config interface 'guest'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '10.23.36.0'

config interface 'iot'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.4.1'

# OpenVPN tunnel interface, managed by the VPN daemon (proto none, not auto-started here).
config interface 'tun0'
        option proto 'none'
        option ifname 'tun0'
        option auto '0'

# This VLAN stanza has no 'ports' or 'vid', so it appears incomplete / leftover.
config switch_vlan
        option device 'switch0'
        option vlan '3'

Wireless

# /etc/config/wireless as posted; keys and SSIDs were redacted by the poster.
config wifi-device 'radio0'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'pci0000:00/0000:00:00.0'
        option htmode 'VHT80'

# All four APs use encryption 'psk-mixed' (WPA-PSK and WPA2-PSK), which keeps
# WPA/TKIP negotiable for legacy clients; 'psk2' is the stronger setting wherever
# every client on that SSID supports it.
config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option wpa_disable_eapol_key_retries '1'
        option key 'XXXXX'
        option ssid 'XXXXX'
        option encryption 'psk-mixed'

config wifi-device 'radio1'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'platform/ahb/18100000.wmac'
        option htmode 'HT20'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option wpa_disable_eapol_key_retries '1'
        option key 'XXXXX'
        option ssid 'XXXXX'
        option encryption 'psk-mixed'

# Guest SSID: isolate '1' stops guest clients from talking to each other.
config wifi-iface 'wifinet3'
        option wpa_disable_eapol_key_retries '1'
        option ssid 'XXXXXGUEST'
        option encryption 'psk-mixed'
        option device 'radio1'
        option mode 'ap'
        option isolate '1'
        option key 'XXXXX'
        option network 'guest'

# IoT SSID: no isolate option here, so IoT devices can reach each other directly;
# presumably intended (e.g. for discovery), but worth a conscious decision.
config wifi-iface 'wifinet4'
        option ssid 'XXXXXIOT'
        option encryption 'psk-mixed'
        option device 'radio1'
        option mode 'ap'
        option wpa_disable_eapol_key_retries '1'
        option key 'XXXXX'
        option network 'iot'

@vgaetera Alright... I have no idea why, but it suddenly started working again. I did a complete factory reset of the router, loaded the firewall and DDNS configs first, and it started working! Thanks for helping!

