"possible DNS-rebind attack detected" - hide for specific domain

Hello.
I have a device, which has blocked internet access but I allow DNS on it, and it keeps resolving i.int.dpool.sina.com.cn domain around 3-4 times per second. My log is therefore spammed with something like that:

Tue Feb  9 12:31:11 2021 daemon.warn dnsmasq[3045]: possible DNS-rebind attack detected: i.int.dpool.sina.com.cn
Tue Feb  9 12:31:11 2021 daemon.warn dnsmasq[3045]: possible DNS-rebind attack detected: i.int.dpool.sina.com.cn
Tue Feb  9 12:31:11 2021 daemon.warn dnsmasq[3045]: possible DNS-rebind attack detected: i.int.dpool.sina.com.cn
Tue Feb  9 12:31:11 2021 daemon.warn dnsmasq[3045]: possible DNS-rebind attack detected: i.int.dpool.sina.com.cn
Tue Feb  9 12:31:12 2021 daemon.warn dnsmasq[3045]: possible DNS-rebind attack detected: i.int.dpool.sina.com.cn
Tue Feb  9 12:31:12 2021 daemon.warn dnsmasq[3045]: possible DNS-rebind attack detected: i.int.dpool.sina.com.cn
Tue Feb  9 12:31:12 2021 daemon.warn dnsmasq[3045]: possible DNS-rebind attack detected: i.int.dpool.sina.com.cn
Tue Feb  9 12:31:12 2021 daemon.warn dnsmasq[3045]: possible DNS-rebind attack detected: i.int.dpool.sina.com.cn
Tue Feb  9 12:31:13 2021 daemon.warn dnsmasq[3045]: possible DNS-rebind attack detected: i.int.dpool.sina.com.cn
Tue Feb  9 12:31:13 2021 daemon.warn dnsmasq[3045]: possible DNS-rebind attack detected: i.int.dpool.sina.com.cn
Tue Feb  9 12:31:13 2021 daemon.warn dnsmasq[3045]: possible DNS-rebind attack detected: i.int.dpool.sina.com.cn
Tue Feb  9 12:31:13 2021 daemon.warn dnsmasq[3045]: possible DNS-rebind attack detected: i.int.dpool.sina.com.cn
Tue Feb  9 12:31:14 2021 daemon.warn dnsmasq[3045]: possible DNS-rebind attack detected: i.int.dpool.sina.com.cn

I tried to workaround it by editing /etc/dnsmasq.conf and adding manual resolve:
address=/i.int.dpool.sina.com.cn/8.8.8.8

This seems to be working as expected:

ping i.int.dpool.sina.com.cn
PING i.int.dpool.sina.com.cn (8.8.8.8) 56(84) bytes of data.

However while it does change the response returned from DNS - my log is still spammed by that warning message.

How do I disable this message for this specific domain? I want to keep this protection, but I want to be able to debug other issues I have with OpenWRT and this is kind of impossible with log full of spam.

1 Like

Disable rebind_protection or add the domain to rebind_domain in /etc/config/dhcp

See https://openwrt.org/docs/guide-user/base-system/dhcp

3 Likes

rebind_domain fixed the problem, thank you

It's weekend, so I thought I will debug that other issue I have and I've opened the logs and ... actually the problem with "possible rebind" is not fixed.

I guess my device disconnected and stopped the DNS queries when I applied the potential fix [?] Or it was working for a while and them magically stopped to work?

Now my logs are spammed as it were.

Anyway, my /etc/config/dhcp looked like that:

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option localservice '1'
        list rebind_domain '/i.int.dpool.sina.com.cn/'

Now I have updated it to include also:

        list rebind_domain 'i.int.dpool.sina.com.cn'

because I'm not actually sure which one is correct (the link you've sent @bmork suggest using slashes at the beginning and end, but I've discovered this domain whitelist is also available via luci gui, but there are no slashes in example, so I put another value there).

Still my log is full of spam. I tried rebooting the device, just to be sure every service is restarted but no luck.

I've also removed my workaround from /etc/dnsmasq.conf but with no effect as well.

In general - this looks like it should work. But it's not.

Any ideas?

You can try to simply block that domain with DNS filtering.

1 Like

Thanks for suggestion, it does not help.

Trying on my local machine:

ping i.int.dpool.sina.com.cn
ping: i.int.dpool.sina.com.cn: Name or service not known

So the blocking works, but the warning is still appended to the log.

Make sure to remove other settings for that domain and restart Dnsmasq.
Verify the logs are related to exactly the same domain.
Otherwise, consider to block the entire parent domain.


If the issue persists, post the output:

/etc/init.d/log restart; /etc/init.d/dnsmasq restart; uci show dhcp; \
grep -v -r -e ^# -e ^$ /etc/dnsmasq.* /var/etc/dnsmasq.*

As well as some fresh log messages collected after restarting the services.

1 Like

Make sure to remove other settings for that domain and restart Dnsmasq.
Verify the logs are related to exactly the same domain.

I did that. No luck.

Otherwise, consider to block the entire parent domain.

Will try later.

root@netgear:~# /etc/init.d/log restart; /etc/init.d/dnsmasq restart; uci show dhcp; \
nsmasq.*> grep -v -r -e ^# -e ^$ /etc/dnsmasq.* /var/etc/dnsmasq.*
udhcpc: started, v1.30.1
udhcpc: sending discover
udhcpc: no lease, failing
udhcpc: started, v1.30.1
udhcpc: sending discover
udhcpc: no lease, failing
udhcpc: started, v1.30.1
udhcpc: sending discover
udhcpc: no lease, failing
udhcpc: started, v1.30.1
udhcpc: sending discover
udhcpc: no lease, failing
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.auto'
dhcp.@dnsmasq[0].localservice='1'
dhcp.@dnsmasq[0].server='/i.int.dpool.sina.com.cn/'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='100'
dhcp.lan.limit='150'
dhcp.lan.leasetime='12h'
dhcp.lan.dhcpv6='server'
dhcp.lan.ra='server'
dhcp.lan.ra_management='1'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.odhcpd.loglevel='4'
dhcp.guest=dhcp
dhcp.guest.start='100'
dhcp.guest.leasetime='12h'
dhcp.guest.limit='150'
dhcp.guest.interface='guest'
dhcp.iot=dhcp
dhcp.iot.start='100'
dhcp.iot.leasetime='12h'
dhcp.iot.limit='150'
dhcp.iot.interface='iot'
dhcp.@host[0]=host
dhcp.@host[0].mac='XX:XX:XX:XX:XX:XX'
dhcp.@host[0].name='dzek-pc'
dhcp.@host[0].dns='1'
dhcp.@host[0].ip='192.168.30.51'
dhcp.wirediot=dhcp
dhcp.wirediot.start='100'
dhcp.wirediot.leasetime='12h'
dhcp.wirediot.limit='150'
dhcp.wirediot.interface='wirediot'

/var/etc/dnsmasq.conf.cfg01411c:conf-file=/etc/dnsmasq.conf
/var/etc/dnsmasq.conf.cfg01411c:dhcp-authoritative
/var/etc/dnsmasq.conf.cfg01411c:domain-needed
/var/etc/dnsmasq.conf.cfg01411c:localise-queries
/var/etc/dnsmasq.conf.cfg01411c:read-ethers
/var/etc/dnsmasq.conf.cfg01411c:enable-ubus
/var/etc/dnsmasq.conf.cfg01411c:expand-hosts
/var/etc/dnsmasq.conf.cfg01411c:bind-dynamic
/var/etc/dnsmasq.conf.cfg01411c:local-service
/var/etc/dnsmasq.conf.cfg01411c:domain=lan
/var/etc/dnsmasq.conf.cfg01411c:server=/lan/
/var/etc/dnsmasq.conf.cfg01411c:server=/i.int.dpool.sina.com.cn/
/var/etc/dnsmasq.conf.cfg01411c:dhcp-leasefile=/tmp/dhcp.leases
/var/etc/dnsmasq.conf.cfg01411c:resolv-file=/tmp/resolv.conf.auto
/var/etc/dnsmasq.conf.cfg01411c:stop-dns-rebind
/var/etc/dnsmasq.conf.cfg01411c:rebind-localhost-ok
/var/etc/dnsmasq.conf.cfg01411c:dhcp-broadcast=tag:needs-broadcast
/var/etc/dnsmasq.conf.cfg01411c:addn-hosts=/tmp/hosts
/var/etc/dnsmasq.conf.cfg01411c:conf-dir=/tmp/dnsmasq.d
/var/etc/dnsmasq.conf.cfg01411c:user=dnsmasq
/var/etc/dnsmasq.conf.cfg01411c:group=dnsmasq
/var/etc/dnsmasq.conf.cfg01411c:dhcp-host=XX:XX:XX:XX:XX:XX,192.168.30.51,dzek-pc
/var/etc/dnsmasq.conf.cfg01411c:dhcp-ignore-names=tag:dhcp_bogus_hostname
/var/etc/dnsmasq.conf.cfg01411c:conf-file=/usr/share/dnsmasq/dhcpbogushostname.conf
/var/etc/dnsmasq.conf.cfg01411c:bogus-priv
/var/etc/dnsmasq.conf.cfg01411c:conf-file=/usr/share/dnsmasq/rfc6761.conf
/var/etc/dnsmasq.conf.cfg01411c:dhcp-range=set:lan,192.168.30.100,192.168.30.249,255.255.255.0,12h
/var/etc/dnsmasq.conf.cfg01411c:no-dhcp-interface=pppoe-wan
/var/etc/dnsmasq.conf.cfg01411c:dhcp-range=set:guest,192.168.50.100,192.168.50.249,255.255.255.0,12h
/var/etc/dnsmasq.conf.cfg01411c:dhcp-range=set:iot,192.168.100.100,192.168.100.249,255.255.255.0,12h
/var/etc/dnsmasq.conf.cfg01411c:dhcp-range=set:wirediot,192.168.101.100,192.168.101.249,255.255.255.0,12h
root@netgear:~#

Notice: I have removed almost almost-all the static hosts config and masked MAC address. Everything else is untouched.

And the log:

Fri Feb 12 21:35:20 2021 daemon.info dnsmasq[3126]: exiting on receipt of SIGTERM
Fri Feb 12 21:35:20 2021 user.notice dnsmasq: DNS rebinding protection is active, will discard upstream RFC1918 responses!
Fri Feb 12 21:35:20 2021 user.notice dnsmasq: Allowing 127.0.0.0/8 responses
Fri Feb 12 21:35:33 2021 daemon.info dnsmasq[3598]: started, version 2.80 cachesize 150
Fri Feb 12 21:35:33 2021 daemon.info dnsmasq[3598]: DNS service limited to local subnets
Fri Feb 12 21:35:33 2021 daemon.info dnsmasq[3598]: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-nettlehash no-DNSSEC no-ID loop-detect inotify dumpfile
Fri Feb 12 21:35:33 2021 daemon.info dnsmasq-dhcp[3598]: DHCP, IP range 192.168.101.100 -- 192.168.101.249, lease time 12h
Fri Feb 12 21:35:33 2021 daemon.info dnsmasq-dhcp[3598]: DHCP, IP range 192.168.100.100 -- 192.168.100.249, lease time 12h
Fri Feb 12 21:35:33 2021 daemon.info dnsmasq-dhcp[3598]: DHCP, IP range 192.168.50.100 -- 192.168.50.249, lease time 12h
Fri Feb 12 21:35:33 2021 daemon.info dnsmasq-dhcp[3598]: DHCP, IP range 192.168.30.100 -- 192.168.30.249, lease time 12h
Fri Feb 12 21:35:33 2021 daemon.info dnsmasq[3598]: using local addresses only for domain test
Fri Feb 12 21:35:33 2021 daemon.info dnsmasq[3598]: using local addresses only for domain onion
Fri Feb 12 21:35:33 2021 daemon.info dnsmasq[3598]: using local addresses only for domain localhost
Fri Feb 12 21:35:33 2021 daemon.info dnsmasq[3598]: using local addresses only for domain local
Fri Feb 12 21:35:33 2021 daemon.info dnsmasq[3598]: using local addresses only for domain invalid
Fri Feb 12 21:35:33 2021 daemon.info dnsmasq[3598]: using local addresses only for domain bind
Fri Feb 12 21:35:33 2021 daemon.info dnsmasq[3598]: using local addresses only for domain i.int.dpool.sina.com.cn
Fri Feb 12 21:35:33 2021 daemon.info dnsmasq[3598]: using local addresses only for domain lan
Fri Feb 12 21:35:33 2021 daemon.info dnsmasq[3598]: reading /tmp/resolv.conf.auto
Fri Feb 12 21:35:33 2021 daemon.info dnsmasq[3598]: using local addresses only for domain test
Fri Feb 12 21:35:33 2021 daemon.info dnsmasq[3598]: using local addresses only for domain onion
Fri Feb 12 21:35:33 2021 daemon.info dnsmasq[3598]: using local addresses only for domain localhost
Fri Feb 12 21:35:33 2021 daemon.info dnsmasq[3598]: using local addresses only for domain local
Fri Feb 12 21:35:33 2021 daemon.info dnsmasq[3598]: using local addresses only for domain invalid
Fri Feb 12 21:35:33 2021 daemon.info dnsmasq[3598]: using local addresses only for domain bind
Fri Feb 12 21:35:33 2021 daemon.info dnsmasq[3598]: using local addresses only for domain i.int.dpool.sina.com.cn
Fri Feb 12 21:35:33 2021 daemon.info dnsmasq[3598]: using local addresses only for domain lan
Fri Feb 12 21:35:33 2021 daemon.info dnsmasq[3598]: using nameserver 1.1.1.1#53
Fri Feb 12 21:35:33 2021 daemon.info dnsmasq[3598]: using nameserver 8.8.4.4#53
Fri Feb 12 21:35:33 2021 daemon.info dnsmasq[3598]: using nameserver 8.8.8.8#53
Fri Feb 12 21:35:33 2021 daemon.info dnsmasq[3598]: read /etc/hosts - 4 addresses
Fri Feb 12 21:35:33 2021 daemon.info dnsmasq[3598]: read /tmp/hosts/odhcpd - 1 addresses
Fri Feb 12 21:35:33 2021 daemon.info dnsmasq[3598]: read /tmp/hosts/dhcp.cfg01411c - 32 addresses
Fri Feb 12 21:35:33 2021 daemon.info dnsmasq-dhcp[3598]: read /etc/ethers - 0 addresses
Fri Feb 12 21:36:38 2021 daemon.warn dnsmasq[3598]: possible DNS-rebind attack detected: i.int.dpool.sina.com.cn
Fri Feb 12 21:36:38 2021 daemon.warn dnsmasq[3598]: possible DNS-rebind attack detected: i.int.dpool.sina.com.cn
Fri Feb 12 21:36:39 2021 daemon.warn dnsmasq[3598]: possible DNS-rebind attack detected: i.int.dpool.sina.com.cn
Fri Feb 12 21:36:39 2021 daemon.warn dnsmasq[3598]: possible DNS-rebind attack detected: i.int.dpool.sina.com.cn
Fri Feb 12 21:36:39 2021 daemon.warn dnsmasq[3598]: possible DNS-rebind attack detected: i.int.dpool.sina.com.cn
Fri Feb 12 21:36:39 2021 daemon.warn dnsmasq[3598]: possible DNS-rebind attack detected: i.int.dpool.sina.com.cn
Fri Feb 12 21:36:40 2021 daemon.warn dnsmasq[3598]: possible DNS-rebind attack detected: i.int.dpool.sina.com.cn
Fri Feb 12 21:36:40 2021 daemon.warn dnsmasq[3598]: possible DNS-rebind attack detected: i.int.dpool.sina.com.cn
Fri Feb 12 21:36:41 2021 daemon.warn dnsmasq[3598]: possible DNS-rebind attack detected: i.int.dpool.sina.com.cn
Fri Feb 12 21:36:41 2021 daemon.warn dnsmasq[3598]: possible DNS-rebind attack detected: i.int.dpool.sina.com.cn
1 Like

Bonus:
In the meantime I have disconnected device that were causing troubles. I tried pinging and digging the domain from my computer (including dig i.int.dpool.sina.com.cn @8.8.8.8 just to test it) and it was NOT causing the log entries.

I've connected the troublesome device and the logs appeared back. Like this device is doing SOMETHING that somehow bypasses everything and still actually resolves via local dns. But I cannot repeat this behavior from my PC.

1 Like

https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#logging_dns_queries

1 Like

tcpdump, goes faster than i'd like to :wink: copied some lines, they seem to repeat

tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
22:05:05.910267 ethertype IPv4, IP (tos 0x0, ttl 64, id 12916, offset 0, flags [DF], proto UDP (17), length 70)
    192.168.101.73.57260 > 192.168.101.1.53: 13658+ AAAA? octopus.cloudseetech.com. (42)
22:05:05.910298 IP (tos 0x0, ttl 64, id 12916, offset 0, flags [DF], proto UDP (17), length 70)
    192.168.101.73.57260 > 192.168.101.1.53: 13658+ AAAA? octopus.cloudseetech.com. (42)
22:05:05.910320 IP (tos 0x0, ttl 64, id 12916, offset 0, flags [DF], proto UDP (17), length 70)
    192.168.101.73.57260 > 192.168.101.1.53: 13658+ AAAA? octopus.cloudseetech.com. (42)
22:05:05.926030 IP (tos 0x0, ttl 64, id 8274, offset 0, flags [DF], proto UDP (17), length 137)
    192.168.101.1.53 > 192.168.101.73.57260: 13658 0/1/0 (109)
22:05:05.926070 IP (tos 0x0, ttl 64, id 8274, offset 0, flags [DF], proto UDP (17), length 137)
    192.168.101.1.53 > 192.168.101.73.57260: 13658 0/1/0 (109)
22:05:05.926953 ethertype IPv4, IP (tos 0x0, ttl 64, id 12917, offset 0, flags [DF], proto UDP (17), length 70)
    192.168.101.73.53898 > 192.168.101.1.53: 13659+ A? octopus.cloudseetech.com. (42)
22:05:05.926974 IP (tos 0x0, ttl 64, id 12917, offset 0, flags [DF], proto UDP (17), length 70)
    192.168.101.73.53898 > 192.168.101.1.53: 13659+ A? octopus.cloudseetech.com. (42)
22:05:05.926990 IP (tos 0x0, ttl 64, id 12917, offset 0, flags [DF], proto UDP (17), length 70)
    192.168.101.73.53898 > 192.168.101.1.53: 13659+ A? octopus.cloudseetech.com. (42)
22:05:05.941879 IP (tos 0x0, ttl 64, id 8275, offset 0, flags [DF], proto UDP (17), length 86)
    192.168.101.1.53 > 192.168.101.73.53898: 13659 1/0/0 octopus.cloudseetech.com. A 47.254.93.223 (58)
22:05:05.941917 IP (tos 0x0, ttl 64, id 8275, offset 0, flags [DF], proto UDP (17), length 86)
    192.168.101.1.53 > 192.168.101.73.53898: 13659 1/0/0 octopus.cloudseetech.com. A 47.254.93.223 (58)
22:05:06.049780 ethertype IPv4, IP (tos 0x0, ttl 64, id 12918, offset 0, flags [DF], proto UDP (17), length 70)
    192.168.101.73.32849 > 192.168.101.1.53: 13660+ AAAA? octopus.cloudseetech.com. (42)
22:05:06.049803 IP (tos 0x0, ttl 64, id 12918, offset 0, flags [DF], proto UDP (17), length 70)
    192.168.101.73.32849 > 192.168.101.1.53: 13660+ AAAA? octopus.cloudseetech.com. (42)
22:05:06.049817 IP (tos 0x0, ttl 64, id 12918, offset 0, flags [DF], proto UDP (17), length 70)
    192.168.101.73.32849 > 192.168.101.1.53: 13660+ AAAA? octopus.cloudseetech.com. (42)
22:05:06.050754 IP (tos 0x0, ttl 64, id 8281, offset 0, flags [DF], proto UDP (17), length 70)
    192.168.101.1.53 > 192.168.101.73.32849: 13660 0/0/0 (42)
22:05:06.050788 IP (tos 0x0, ttl 64, id 8281, offset 0, flags [DF], proto UDP (17), length 70)
    192.168.101.1.53 > 192.168.101.73.32849: 13660 0/0/0 (42)
22:05:06.051742 ethertype IPv4, IP (tos 0x0, ttl 64, id 12919, offset 0, flags [DF], proto UDP (17), length 70)
    192.168.101.73.49354 > 192.168.101.1.53: 13661+ A? octopus.cloudseetech.com. (42)
22:05:06.051755 IP (tos 0x0, ttl 64, id 12919, offset 0, flags [DF], proto UDP (17), length 70)
    192.168.101.73.49354 > 192.168.101.1.53: 13661+ A? octopus.cloudseetech.com. (42)
22:05:06.051768 IP (tos 0x0, ttl 64, id 12919, offset 0, flags [DF], proto UDP (17), length 70)
    192.168.101.73.49354 > 192.168.101.1.53: 13661+ A? octopus.cloudseetech.com. (42)
22:05:06.052103 IP (tos 0x0, ttl 64, id 8282, offset 0, flags [DF], proto UDP (17), length 86)
    192.168.101.1.53 > 192.168.101.73.49354: 13661 1/0/0 octopus.cloudseetech.com. A 47.254.93.223 (58)
22:05:06.052120 IP (tos 0x0, ttl 64, id 8282, offset 0, flags [DF], proto UDP (17), length 86)
    192.168.101.1.53 > 192.168.101.73.49354: 13661 1/0/0 octopus.cloudseetech.com. A 47.254.93.223 (58)
22:05:07.529522 ethertype IPv4, IP (tos 0x0, ttl 64, id 12958, offset 0, flags [DF], proto UDP (17), length 67)
    192.168.101.73.49793 > 192.168.101.1.53: 13659+ A? int.dpool.sina.com.cn. (39)
22:05:07.529545 IP (tos 0x0, ttl 64, id 12958, offset 0, flags [DF], proto UDP (17), length 67)
    192.168.101.73.49793 > 192.168.101.1.53: 13659+ A? int.dpool.sina.com.cn. (39)
22:05:07.529565 IP (tos 0x0, ttl 64, id 12958, offset 0, flags [DF], proto UDP (17), length 67)
    192.168.101.73.49793 > 192.168.101.1.53: 13659+ A? int.dpool.sina.com.cn. (39)
22:05:07.544834 IP (tos 0x0, ttl 64, id 8360, offset 0, flags [DF], proto UDP (17), length 67)
    192.168.101.1.53 > 192.168.101.73.49793: 13659 0/0/0 (39)
22:05:07.544874 IP (tos 0x0, ttl 64, id 8360, offset 0, flags [DF], proto UDP (17), length 67)
    192.168.101.1.53 > 192.168.101.73.49793: 13659 0/0/0 (39)
22:05:07.546142 ethertype IPv4, IP (tos 0x0, ttl 64, id 12959, offset 0, flags [DF], proto UDP (17), length 67)
    192.168.101.73.47548 > 192.168.101.1.53: 178+ A? int.dpool.sina.com.cn. (39)
22:05:07.546159 IP (tos 0x0, ttl 64, id 12959, offset 0, flags [DF], proto UDP (17), length 67)
    192.168.101.73.47548 > 192.168.101.1.53: 178+ A? int.dpool.sina.com.cn. (39)
22:05:07.546173 IP (tos 0x0, ttl 64, id 12959, offset 0, flags [DF], proto UDP (17), length 67)
    192.168.101.73.47548 > 192.168.101.1.53: 178+ A? int.dpool.sina.com.cn. (39)
22:05:07.560844 IP (tos 0x0, ttl 64, id 8361, offset 0, flags [DF], proto UDP (17), length 67)
    192.168.101.1.53 > 192.168.101.73.47548: 178 0/0/0 (39)
22:05:07.560875 IP (tos 0x0, ttl 64, id 8361, offset 0, flags [DF], proto UDP (17), length 67)
    192.168.101.1.53 > 192.168.101.73.47548: 178 0/0/0 (39)
22:05:07.562088 ethertype IPv4, IP (tos 0x0, ttl 64, id 12960, offset 0, flags [DF], proto UDP (17), length 59)
    192.168.101.73.59365 > 192.168.101.1.53: 13660+ A? www.afdvr.com. (31)
22:05:07.562105 IP (tos 0x0, ttl 64, id 12960, offset 0, flags [DF], proto UDP (17), length 59)
    192.168.101.73.59365 > 192.168.101.1.53: 13660+ A? www.afdvr.com. (31)
22:05:07.562119 IP (tos 0x0, ttl 64, id 12960, offset 0, flags [DF], proto UDP (17), length 59)
    192.168.101.73.59365 > 192.168.101.1.53: 13660+ A? www.afdvr.com. (31)
22:05:07.577819 IP (tos 0x0, ttl 64, id 8362, offset 0, flags [DF], proto UDP (17), length 75)
    192.168.101.1.53 > 192.168.101.73.59365: 13660 1/0/0 www.afdvr.com. A 64.22.110.186 (47)
22:05:07.577859 IP (tos 0x0, ttl 64, id 8362, offset 0, flags [DF], proto UDP (17), length 75)
    192.168.101.1.53 > 192.168.101.73.59365: 13660 1/0/0 www.afdvr.com. A 64.22.110.186 (47)
22:05:08.089778 ethertype IPv4, IP (tos 0x0, ttl 64, id 12982, offset 0, flags [DF], proto UDP (17), length 67)
    192.168.101.73.44617 > 192.168.101.1.53: 13661+ A? int.dpool.sina.com.cn. (39)
22:05:08.089803 IP (tos 0x0, ttl 64, id 12982, offset 0, flags [DF], proto UDP (17), length 67)
    192.168.101.73.44617 > 192.168.101.1.53: 13661+ A? int.dpool.sina.com.cn. (39)
22:05:08.089822 IP (tos 0x0, ttl 64, id 12982, offset 0, flags [DF], proto UDP (17), length 67)
    192.168.101.73.44617 > 192.168.101.1.53: 13661+ A? int.dpool.sina.com.cn. (39)
22:05:08.106283 IP (tos 0x0, ttl 64, id 8401, offset 0, flags [DF], proto UDP (17), length 67)
    192.168.101.1.53 > 192.168.101.73.44617: 13661 0/0/0 (39)
22:05:08.106324 IP (tos 0x0, ttl 64, id 8401, offset 0, flags [DF], proto UDP (17), length 67)
    192.168.101.1.53 > 192.168.101.73.44617: 13661 0/0/0 (39)
22:05:08.108144 ethertype IPv4, IP (tos 0x0, ttl 64, id 12983, offset 0, flags [DF], proto UDP (17), length 67)
    192.168.101.73.56948 > 192.168.101.1.53: 178+ A? int.dpool.sina.com.cn. (39)
22:05:08.108162 IP (tos 0x0, ttl 64, id 12983, offset 0, flags [DF], proto UDP (17), length 67)
    192.168.101.73.56948 > 192.168.101.1.53: 178+ A? int.dpool.sina.com.cn. (39)
22:05:08.108176 IP (tos 0x0, ttl 64, id 12983, offset 0, flags [DF], proto UDP (17), length 67)
    192.168.101.73.56948 > 192.168.101.1.53: 178+ A? int.dpool.sina.com.cn. (39)
22:05:08.123635 IP (tos 0x0, ttl 64, id 8402, offset 0, flags [DF], proto UDP (17), length 67)
    192.168.101.1.53 > 192.168.101.73.56948: 178 0/0/0 (39)
22:05:08.123671 IP (tos 0x0, ttl 64, id 8402, offset 0, flags [DF], proto UDP (17), length 67)
    192.168.101.1.53 > 192.168.101.73.56948: 178 0/0/0 (39)
22:05:08.124867 ethertype IPv4, IP (tos 0x0, ttl 64, id 12985, offset 0, flags [DF], proto UDP (17), length 59)
    192.168.101.73.49554 > 192.168.101.1.53: 13662+ A? www.afdvr.com. (31)
22:05:08.124883 IP (tos 0x0, ttl 64, id 12985, offset 0, flags [DF], proto UDP (17), length 59)
    192.168.101.73.49554 > 192.168.101.1.53: 13662+ A? www.afdvr.com. (31)
22:05:08.124897 IP (tos 0x0, ttl 64, id 12985, offset 0, flags [DF], proto UDP (17), length 59)
    192.168.101.73.49554 > 192.168.101.1.53: 13662+ A? www.afdvr.com. (31)
22:05:08.125721 IP (tos 0x0, ttl 64, id 8403, offset 0, flags [DF], proto UDP (17), length 75)
    192.168.101.1.53 > 192.168.101.73.49554: 13662 1/0/0 www.afdvr.com. A 64.22.110.186 (47)
22:05:08.125755 IP (tos 0x0, ttl 64, id 8403, offset 0, flags [DF], proto UDP (17), length 75)
    192.168.101.1.53 > 192.168.101.73.49554: 13662 1/0/0 www.afdvr.com. A 64.22.110.186 (47)
22:05:08.629903 ethertype IPv4, IP (tos 0x0, ttl 64, id 13035, offset 0, flags [DF], proto UDP (17), length 67)
    192.168.101.73.53534 > 192.168.101.1.53: 13663+ A? int.dpool.sina.com.cn. (39)
22:05:08.629928 IP (tos 0x0, ttl 64, id 13035, offset 0, flags [DF], proto UDP (17), length 67)
    192.168.101.73.53534 > 192.168.101.1.53: 13663+ A? int.dpool.sina.com.cn. (39)
22:05:08.629948 IP (tos 0x0, ttl 64, id 13035, offset 0, flags [DF], proto UDP (17), length 67)
    192.168.101.73.53534 > 192.168.101.1.53: 13663+ A? int.dpool.sina.com.cn. (39)
22:05:08.645610 IP (tos 0x0, ttl 64, id 8436, offset 0, flags [DF], proto UDP (17), length 67)
    192.168.101.1.53 > 192.168.101.73.53534: 13663 0/0/0 (39)
22:05:08.645654 IP (tos 0x0, ttl 64, id 8436, offset 0, flags [DF], proto UDP (17), length 67)
    192.168.101.1.53 > 192.168.101.73.53534: 13663 0/0/0 (39)
22:05:08.646745 ethertype IPv4, IP (tos 0x0, ttl 64, id 13036, offset 0, flags [DF], proto UDP (17), length 67)
    192.168.101.73.44367 > 192.168.101.1.53: 178+ A? int.dpool.sina.com.cn. (39)
22:05:08.646771 IP (tos 0x0, ttl 64, id 13036, offset 0, flags [DF], proto UDP (17), length 67)
    192.168.101.73.44367 > 192.168.101.1.53: 178+ A? int.dpool.sina.com.cn. (39)
22:05:08.646791 IP (tos 0x0, ttl 64, id 13036, offset 0, flags [DF], proto UDP (17), length 67)
    192.168.101.73.44367 > 192.168.101.1.53: 178+ A? int.dpool.sina.com.cn. (39)
22:05:08.662668 IP (tos 0x0, ttl 64, id 8437, offset 0, flags [DF], proto UDP (17), length 67)
    192.168.101.1.53 > 192.168.101.73.44367: 178 0/0/0 (39)
22:05:08.662706 IP (tos 0x0, ttl 64, id 8437, offset 0, flags [DF], proto UDP (17), length 67)
    192.168.101.1.53 > 192.168.101.73.44367: 178 0/0/0 (39)
22:05:08.665750 ethertype IPv4, IP (tos 0x0, ttl 64, id 13038, offset 0, flags [DF], proto UDP (17), length 59)
    192.168.101.73.56649 > 192.168.101.1.53: 13664+ A? www.afdvr.com. (31)
22:05:08.665769 IP (tos 0x0, ttl 64, id 13038, offset 0, flags [DF], proto UDP (17), length 59)
    192.168.101.73.56649 > 192.168.101.1.53: 13664+ A? www.afdvr.com. (31)
22:05:08.665783 IP (tos 0x0, ttl 64, id 13038, offset 0, flags [DF], proto UDP (17), length 59)
    192.168.101.73.56649 > 192.168.101.1.53: 13664+ A? www.afdvr.com. (31)
22:05:08.666668 IP (tos 0x0, ttl 64, id 8438, offset 0, flags [DF], proto UDP (17), length 75)
    192.168.101.1.53 > 192.168.101.73.56649: 13664 1/0/0 www.afdvr.com. A 64.22.110.186 (47)
22:05:08.666707 IP (tos 0x0, ttl 64, id 8438, offset 0, flags [DF], proto UDP (17), length 75)
    192.168.101.1.53 > 192.168.101.73.56649: 13664 1/0/0 www.afdvr.com. A 64.22.110.186 (47)
22:05:09.169805 ethertype IPv4, IP (tos 0x0, ttl 64, id 13049, offset 0, flags [DF], proto UDP (17), length 67)
    192.168.101.73.59677 > 192.168.101.1.53: 13665+ A? int.dpool.sina.com.cn. (39)
22:05:09.169827 IP (tos 0x0, ttl 64, id 13049, offset 0, flags [DF], proto UDP (17), length 67)
    192.168.101.73.59677 > 192.168.101.1.53: 13665+ A? int.dpool.sina.com.cn. (39)
22:05:09.169846 IP (tos 0x0, ttl 64, id 13049, offset 0, flags [DF], proto UDP (17), length 67)
    192.168.101.73.59677 > 192.168.101.1.53: 13665+ A? int.dpool.sina.com.cn. (39)
22:05:09.185928 IP (tos 0x0, ttl 64, id 8447, offset 0, flags [DF], proto UDP (17), length 67)
    192.168.101.1.53 > 192.168.101.73.59677: 13665 0/0/0 (39)
22:05:09.185969 IP (tos 0x0, ttl 64, id 8447, offset 0, flags [DF], proto UDP (17), length 67)
    192.168.101.1.53 > 192.168.101.73.59677: 13665 0/0/0 (39)
22:05:09.187587 ethertype IPv4, IP (tos 0x0, ttl 64, id 13050, offset 0, flags [DF], proto UDP (17), length 67)
    192.168.101.73.58779 > 192.168.101.1.53: 178+ A? int.dpool.sina.com.cn. (39)
22:05:09.187611 IP (tos 0x0, ttl 64, id 13050, offset 0, flags [DF], proto UDP (17), length 67)
    192.168.101.73.58779 > 192.168.101.1.53: 178+ A? int.dpool.sina.com.cn. (39)
22:05:09.187631 IP (tos 0x0, ttl 64, id 13050, offset 0, flags [DF], proto UDP (17), length 67)
    192.168.101.73.58779 > 192.168.101.1.53: 178+ A? int.dpool.sina.com.cn. (39)
22:05:09.203395 IP (tos 0x0, ttl 64, id 8449, offset 0, flags [DF], proto UDP (17), length 67)
    192.168.101.1.53 > 192.168.101.73.58779: 178 0/0/0 (39)
22:05:09.203435 IP (tos 0x0, ttl 64, id 8449, offset 0, flags [DF], proto UDP (17), length 67)
    192.168.101.1.53 > 192.168.101.73.58779: 178 0/0/0 (39)
22:05:09.204975 ethertype IPv4, IP (tos 0x0, ttl 64, id 13052, offset 0, flags [DF], proto UDP (17), length 59)
    192.168.101.73.47879 > 192.168.101.1.53: 13666+ A? www.afdvr.com. (31)
22:05:09.204998 IP (tos 0x0, ttl 64, id 13052, offset 0, flags [DF], proto UDP (17), length 59)
    192.168.101.73.47879 > 192.168.101.1.53: 13666+ A? www.afdvr.com. (31)
22:05:09.205017 IP (tos 0x0, ttl 64, id 13052, offset 0, flags [DF], proto UDP (17), length 59)
    192.168.101.73.47879 > 192.168.101.1.53: 13666+ A? www.afdvr.com. (31)
22:05:09.205928 IP (tos 0x0, ttl 64, id 8450, offset 0, flags [DF], proto UDP (17), length 75)
    192.168.101.1.53 > 192.168.101.73.47879: 13666 1/0/0 www.afdvr.com. A 64.22.110.186 (47)
22:05:09.205967 IP (tos 0x0, ttl 64, id 8450, offset 0, flags [DF], proto UDP (17), length 75)
    192.168.101.1.53 > 192.168.101.73.47879: 13666 1/0/0 www.afdvr.com. A 64.22.110.186 (47)
22:05:09.719433 ethertype IPv4, IP (tos 0x0, ttl 64, id 13102, offset 0, flags [DF], proto UDP (17), length 67)
    192.168.101.73.54457 > 192.168.101.1.53: 13667+ A? int.dpool.sina.com.cn. (39)
22:05:09.719454 IP (tos 0x0, ttl 64, id 13102, offset 0, flags [DF], proto UDP (17), length 67)
    192.168.101.73.54457 > 192.168.101.1.53: 13667+ A? int.dpool.sina.com.cn. (39)
22:05:09.719471 IP (tos 0x0, ttl 64, id 13102, offset 0, flags [DF], proto UDP (17), length 67)
    192.168.101.73.54457 > 192.168.101.1.53: 13667+ A? int.dpool.sina.com.cn. (39)
22:05:09.735448 IP (tos 0x0, ttl 64, id 8474, offset 0, flags [DF], proto UDP (17), length 67)
    192.168.101.1.53 > 192.168.101.73.54457: 13667 0/0/0 (39)
22:05:09.735489 IP (tos 0x0, ttl 64, id 8474, offset 0, flags [DF], proto UDP (17), length 67)
    192.168.101.1.53 > 192.168.101.73.54457: 13667 0/0/0 (39)
22:05:09.736913 ethertype IPv4, IP (tos 0x0, ttl 64, id 13103, offset 0, flags [DF], proto UDP (17), length 67)
    192.168.101.73.49378 > 192.168.101.1.53: 178+ A? int.dpool.sina.com.cn. (39)
22:05:09.736932 IP (tos 0x0, ttl 64, id 13103, offset 0, flags [DF], proto UDP (17), length 67)
    192.168.101.73.49378 > 192.168.101.1.53: 178+ A? int.dpool.sina.com.cn. (39)
22:05:09.736946 IP (tos 0x0, ttl 64, id 13103, offset 0, flags [DF], proto UDP (17), length 67)
    192.168.101.73.49378 > 192.168.101.1.53: 178+ A? int.dpool.sina.com.cn. (39)
22:05:09.751823 IP (tos 0x0, ttl 64, id 8475, offset 0, flags [DF], proto UDP (17), length 67)
    192.168.101.1.53 > 192.168.101.73.49378: 178 0/0/0 (39)
22:05:09.751859 IP (tos 0x0, ttl 64, id 8475, offset 0, flags [DF], proto UDP (17), length 67)
    192.168.101.1.53 > 192.168.101.73.49378: 178 0/0/0 (39)
22:05:09.752852 ethertype IPv4, IP (tos 0x0, ttl 64, id 13104, offset 0, flags [DF], proto UDP (17), length 59)
    192.168.101.73.38355 > 192.168.101.1.53: 13668+ A? www.afdvr.com. (31)
22:05:09.752870 IP (tos 0x0, ttl 64, id 13104, offset 0, flags [DF], proto UDP (17), length 59)
    192.168.101.73.38355 > 192.168.101.1.53: 13668+ A? www.afdvr.com. (31)
22:05:09.752882 IP (tos 0x0, ttl 64, id 13104, offset 0, flags [DF], proto UDP (17), length 59)
    192.168.101.73.38355 > 192.168.101.1.53: 13668+ A? www.afdvr.com. (31)
22:05:09.753768 IP (tos 0x0, ttl 64, id 8476, offset 0, flags [DF], proto UDP (17), length 75)
    192.168.101.1.53 > 192.168.101.73.38355: 13668 1/0/0 www.afdvr.com. A 64.22.110.186 (47)
22:05:09.753804 IP (tos 0x0, ttl 64, id 8476, offset 0, flags [DF], proto UDP (17), length 75)
    192.168.101.1.53 > 192.168.101.73.38355: 13668 1/0/0 www.afdvr.com. A 64.22.110.186 (47)
22:05:10.259099 ethertype IPv4, IP (tos 0x0, ttl 64, id 13106, offset 0, flags [DF], proto UDP (17), length 67)
1 Like

Block this entire domain as it uses CNAME to redirect to its subdomain.

1 Like

queries log:

Fri Feb 12 22:09:03 2021 daemon.info dnsmasq[4037]: 105 192.168.101.73/39538 query[A] int.dpool.sina.com.cn from 192.168.101.73
Fri Feb 12 22:09:03 2021 daemon.info dnsmasq[4037]: 105 192.168.101.73/39538 forwarded int.dpool.sina.com.cn to 1.1.1.1
Fri Feb 12 22:09:03 2021 daemon.info dnsmasq[4037]: 105 192.168.101.73/39538 reply int.dpool.sina.com.cn is <CNAME>
Fri Feb 12 22:09:03 2021 daemon.warn dnsmasq[4037]: possible DNS-rebind attack detected: i.int.dpool.sina.com.cn
Fri Feb 12 22:09:03 2021 daemon.info dnsmasq[4037]: 106 192.168.101.73/55636 query[A] int.dpool.sina.com.cn from 192.168.101.73
Fri Feb 12 22:09:03 2021 daemon.info dnsmasq[4037]: 106 192.168.101.73/55636 forwarded int.dpool.sina.com.cn to 1.1.1.1
Fri Feb 12 22:09:03 2021 daemon.info dnsmasq[4037]: 106 192.168.101.73/55636 reply int.dpool.sina.com.cn is <CNAME>
Fri Feb 12 22:09:03 2021 daemon.warn dnsmasq[4037]: possible DNS-rebind attack detected: i.int.dpool.sina.com.cn
Fri Feb 12 22:09:03 2021 daemon.info dnsmasq[4037]: 107 192.168.101.73/45650 query[A] www.afdvr.com from 192.168.101.73
Fri Feb 12 22:09:03 2021 daemon.info dnsmasq[4037]: 107 192.168.101.73/45650 cached www.afdvr.com is 64.22.110.186
Fri Feb 12 22:09:03 2021 daemon.info dnsmasq[4037]: 108 192.168.101.73/57504 query[A] int.dpool.sina.com.cn from 192.168.101.73
Fri Feb 12 22:09:03 2021 daemon.info dnsmasq[4037]: 108 192.168.101.73/57504 forwarded int.dpool.sina.com.cn to 1.1.1.1
Fri Feb 12 22:09:03 2021 daemon.info dnsmasq[4037]: 108 192.168.101.73/57504 reply int.dpool.sina.com.cn is <CNAME>
Fri Feb 12 22:09:03 2021 daemon.warn dnsmasq[4037]: possible DNS-rebind attack detected: i.int.dpool.sina.com.cn
Fri Feb 12 22:09:03 2021 daemon.info dnsmasq[4037]: 109 192.168.101.73/41527 query[A] int.dpool.sina.com.cn from 192.168.101.73
Fri Feb 12 22:09:03 2021 daemon.info dnsmasq[4037]: 109 192.168.101.73/41527 forwarded int.dpool.sina.com.cn to 1.1.1.1
Fri Feb 12 22:09:03 2021 daemon.info dnsmasq[4037]: 109 192.168.101.73/41527 reply int.dpool.sina.com.cn is <CNAME>
Fri Feb 12 22:09:03 2021 daemon.warn dnsmasq[4037]: possible DNS-rebind attack detected: i.int.dpool.sina.com.cn

Block this entire domain.

will do

1 Like

Why I haven't thought of that before? Damn. Looks like it works now! I hope it won't happen again and I will be finally able to use the log to debug other stuff!

Thank you very much!

1 Like

You need to add just the domain name sina.com.cn for it to work in whitelist domains.

1 Like

Some of the covered domains may provide valid working services.
So, be careful while extending the blocking scope.

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.