Under system log I keep seeing this:
daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: device-local-a067d6ba-7983-41a6-9ef4-db83035a8a70.remotewd.com
I don't understand what that is.
Also, I don't have a WD NAS server...
Resolving that name must be returning a private IP. dnsmasq considers that a rebind attack.
Is it possible that someone is remotely, actively causing this? Or is it something in my configuration?
No, it means some DNS query within your network resulted in an RFC1918 IP address as the reply.
That's all, provided your firewall rules have not been altered to expose your dnsmasq to WAN.
Rebind protection is enabled by default. You could disable it (if you knew the domain, of course).
Likely you connected one and your Windows cached the connection and refreshes it every now and then.
Answer is in question - add a DNS zone forward to nowhere - /remotewd.com/ into Luci/Network/DNS/forwards....
Picture (you have to press plus button after entering domain)

I had one in the past, long ago, but it is no longer in use; so you say that it can be caused by Windows settings? But when I set up that NAS server back then, I set it to the local address (192.168...) and not to the remotewd domain...
Not related. Try to locate place where you enter DNS forwarders. Kind of you are given breadcrumb trail already.
I get this when I put the Openwrt router behind my main router...
I placed my OpenWrt behind my ISP's router (which I am forced to have), both in bridge mode (the ISP's router set to bridge mode) and as a cascaded router, but I changed my OpenWrt's DNS servers to Quad9. Could it be Quad9?
If it's in bridge mode it shouldn't be a problem, but you can always disable rebind protection in Openwrt's DNS settings.
No, both Quad9 and Cloudflare return the same private IP.
root@router:~# nslookup device-local-a067d6ba-7983-41a6-9ef4-db83035a8a70.remotewd.com. 9.9.9.9
Server: 9.9.9.9
Address: 9.9.9.9:53
Non-authoritative answer:
Non-authoritative answer:
Name: device-local-a067d6ba-7983-41a6-9ef4-db83035a8a70.remotewd.com
Address: 192.168.2.2
root@router:~# nslookup device-local-a067d6ba-7983-41a6-9ef4-db83035a8a70.remotewd.com. 1.1.1.1
Server: 1.1.1.1
Address: 1.1.1.1:53
Non-authoritative answer:
Name: device-local-a067d6ba-7983-41a6-9ef4-db83035a8a70.remotewd.com
Address: 192.168.2.2
Non-authoritative answer:
If you cannot find any lingering WD software on your local machines, enable query logging in dnsmasq to see who is sending the query.
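The query-logging step suggested above, as an added example that is not part of the original thread: once dnsmasq logs queries, this script reads syslog text and reports which client asked for each name dnsmasq flagged. The function names, client addresses and sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumes dnsmasq query logging is enabled
# (OpenWrt option: uci set dhcp.@dnsmasq[0].logqueries='1').
# Reads syslog text on stdin and prints "<client> <queries> <name>" for
# every name dnsmasq flagged as a possible rebind; "-" means no query
# line for that name was in the log window.
rebind_sources() {
    awk '
    # Query line: "... dnsmasq[1]: query[A] <name> from <client>"
    / query\[[A-Za-z0-9]+\] / {
        for (i = 1; i + 3 <= NF; i++)
            if ($i ~ /^query\[/ && $(i + 2) == "from") {
                name = tolower($(i + 1)); sub(/\.$/, "", name)
                count[name SUBSEP $(i + 3)]++
                seen[name] = 1
            }
        next
    }
    # Warning line: "... possible DNS-rebind attack detected: <name>"
    /possible DNS-rebind attack detected:/ {
        name = tolower($NF); sub(/\.$/, "", name)
        flagged[name] = 1
    }
    END {
        for (key in count) {
            split(key, part, SUBSEP)
            if (part[1] in flagged) print part[2], count[key], part[1]
        }
        for (name in flagged)
            if (!(name in seen)) print "-", 0, name
    }' | sort
}

# Constructed sample log; client addresses and the device name are made up.
sample_log() {
    cat <<'EOF'
Sun Feb 1 07:19:58 2026 daemon.info dnsmasq[1]: query[A] device-local-example.remotewd.com from 192.168.1.23
Sun Feb 1 07:19:58 2026 daemon.info dnsmasq[1]: forwarded device-local-example.remotewd.com to 9.9.9.9
Sun Feb 1 07:19:58 2026 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: device-local-example.remotewd.com
Sun Feb 1 07:20:41 2026 daemon.info dnsmasq[1]: query[AAAA] device-local-example.remotewd.com from 192.168.1.23
Sun Feb 1 07:20:45 2026 daemon.info dnsmasq[1]: query[A] openwrt.org from 192.168.1.40
Sun Feb 1 07:20:46 2026 daemon.info dnsmasq[1]: query[A] pixel.advertising.com from 192.168.1.40
Sun Feb 1 07:20:46 2026 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: pixel.advertising.com
EOF
}

sample_log | rebind_sources
```

On the router, the live log can be piped in the same way with `logread | rebind_sources`; the first column is the LAN host to inspect.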
I have removed the old network drives of WD from windows, hope it will solve it.
Thanks!
That wasn't the solution because I still get this message:
Sun Feb 1 07:19:58 2026 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: device-local-a067d6ba-7983-41a6-9ef4-db83035a8a70.remotewd.com
Sun Feb 1 07:19:58 2026 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: device-local-a067d6ba-7983-41a6-9ef4-db83035a8a70.remotewd.com
Sun Feb 1 07:20:41 2026 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: device-local-a067d6ba-7983-41a6-9ef4-db83035a8a70.remotewd.com
Sun Feb 1 07:20:41 2026 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: device-local-a067d6ba-7983-41a6-9ef4-db83035a8a70.remotewd.com
Sun Feb 1 07:20:46 2026 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: device-local-a067d6ba-7983-41a6-9ef4-db83035a8a70.remotewd.com
Sun Feb 1 07:20:46 2026 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: device-local-a067d6ba-7983-41a6-9ef4-db83035a8a70.remotewd.com
Sun Feb 1 07:20:58 2026 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: device-local-a067d6ba-7983-41a6-9ef4-db83035a8a70.remotewd.com
Sun Feb 1 07:20:58 2026 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: device-local-a067d6ba-7983-41a6-9ef4-db83035a8a70.remotewd.com
And no computer is connected to WD or has this entry, especially no PC that is currently running.
You still have it in some Windows PC.
Either
remotewd.com domain
I guess I'll just ignore it as long as it is not dangerous / a real attack... It's just that I found out that Fortinet is blocking me for "intrusion attack" and I'm afraid that somehow I was exposed to the internet. Now I see that dnsmasq and I can't tell if Fortinet was right and someone did use me to make such an attack or that they're just blocking me for using a user-agent spoofer and fingerprint blocker.
To make those particular messages go away for that domain, you can "whitelist" it by allowing rebind responses. But if you don't want those queries, you can just block it.
# Allow the queries, but silence the rebind messages
uci add_list dhcp.@dnsmasq[0].rebind_domain='remotewd.com'
uci commit dhcp
service dnsmasq restart
# Block the queries
uci add_list dhcp.@dnsmasq[0].server='/remotewd.com/'
uci commit dhcp
service dnsmasq restart
Something is weird.
Now I got new entry:
possible DNS-rebind attack detected: pixel.advertising.com
I don't remember visiting this domain. I blocked its CIDR (141.193.213.0/24).
I don't understand how all these attacks happen. What's causing them?
You are likely correct in assuming that you didn't navigate by manually typing it, but...
This would seem that it's possibly an image or graphic that was inserted into a website you visited.
Perhaps you could use Adblock. The domain fails to resolve with Adblock running on my OpenWrt router.
It was previously explained, there's also other threads on the forum you can review.
Adblockers normally return a local address so you don't reach the adversary server.