jry
October 22, 2017, 5:28am
1
We installed LEDE on a router (with a PPPoE ADSL modem) and found one problem. We are using http://nip.io/ for access to our web server virtualhosts.
Unfortunately, with the LEDE router we cannot resolve addresses on our local network:
$ ping 10.0.0.153.nip.io
ping: 10.0.0.153.nip.io: No address associated with hostname
It works fine for IPs outside of our network:
$ ping 104.244.42.1.nip.io
PING 104.244.42.1.nip.io (104.244.42.1) 56(84) bytes of data.
64 bytes from 104.244.42.1: icmp_seq=1 ttl=53 time=39.0 ms
We tried to change the local network to 192.168.1.x but without luck.
Do you have any idea how to solve this problem? Thanks.
hnyman
October 22, 2017, 5:40am
2
Sounds like DNS rebind protection in dnsmasq, the default DNS server in LEDE. It rejects private IP answers from upstream name servers.
I have not looked into the LEDE uci options, but this is from the dnsmasq help itself. Google for "dnsmasq private ip".
--stop-dns-rebind
Reject (and log) addresses from upstream nameservers which are in the private IP ranges. This blocks an attack where a browser behind a firewall is used to probe machines on the local network.
--rebind-localhost-ok
Exempt 127.0.0.0/8 from rebinding checks. This address range is returned by realtime black hole servers, so blocking it may disable these services.
--rebind-domain-ok=[<domain>]|[[/<domain>/[<domain>/]
Do not detect and block dns-rebind on queries to these domains. The argument may be either a single domain, or multiple domains surrounded by '/', like the --server syntax, eg. --rebind-domain-ok=/domain1/domain2/domain3/
You need to check the OpenWrt/LEDE wikis for info on how that translates into our config file.
slh
October 22, 2017, 5:47am
3
/etc/config/dhcp, as hnyman suggested, boguspriv, rebind_protection, rebind_localhost and (rather or) rebind_domain are relevant.
jry
October 22, 2017, 6:06am
4
Adding nip.io to the RFC1918 responses domain whitelist (/etc/config/dhcp - config dnsmasq - list rebind_domain 'nip.io') solved our problem. Thank you for the fast response!
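A simplified model of the filtering decision discussed in this thread, added here as an illustration (it is not dnsmasq or LEDE code and not from any poster): `filter_answer` and its parameters are hypothetical names modelled on the `/etc/config/dhcp` options mentioned above, and the checked ranges are assumed to be RFC 1918 plus loopback. It shows why the private nip.io name was dropped, and that whitelisting `nip.io` exempts every name under that domain, and only that domain, from the check.

```python
import ipaddress

# Assumption: the rebind check covers the RFC 1918 ranges plus loopback.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def domain_whitelisted(name, rebind_domains):
    """True if name equals, or is a subdomain of, a whitelisted domain."""
    labels = name.rstrip(".").lower().split(".")
    for dom in rebind_domains:
        dom_labels = dom.strip(".").lower().split(".")
        # Compare whole labels so 'notnip.io' does not match 'nip.io'.
        if dom_labels != [""] and labels[-len(dom_labels):] == dom_labels:
            return True
    return False


def filter_answer(name, address, rebind_protection=True,
                  rebind_localhost=False, rebind_domains=()):
    """Return 'forward' or 'reject' for an A record from an upstream server."""
    if not rebind_protection:
        return "forward"            # no filtering at all
    if domain_whitelisted(name, rebind_domains):
        return "forward"            # domain exempted from the check
    ip = ipaddress.ip_address(address)
    if ip in LOOPBACK:
        return "forward" if rebind_localhost else "reject"
    if any(ip in net for net in PRIVATE_NETS):
        return "reject"             # private answer from upstream
    return "forward"


if __name__ == "__main__":
    # Constructed answers based on the two lookups in the first post.
    samples = [("10.0.0.153.nip.io", "10.0.0.153"),
               ("104.244.42.1.nip.io", "104.244.42.1")]
    for whitelist in ([], ["nip.io"]):
        for name, addr in samples:
            verdict = filter_answer(name, addr, rebind_domains=whitelist)
            print(f"whitelist={whitelist} {name} -> {addr}: {verdict}")
```
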