I looked around online to learn about DNS rebind and sort of understood it, but I am not sure if I should do something about it; from the forum postings in this direction I didn't understand much. Is someone trying to attack specifically us, or did someone unintentionally open a malicious webpage somewhere?
I have a lot of users who I don't know; they are on a subnet which has no access to LuCI. But I have a few users (I know them all) who are on the subnet that does have access to LuCI (but they don't have the login data). One of them has Windows 7 and she leaves her laptop on and connected day and night. I wonder if something like that would cause an attack?
At least some of those look perfectly legit to me. There are cases where an application does use these kinds of DNS requests for its functionality; e.g. Plex uses the domain plex.direct in a similar manner, i.e. it's one of the mechanisms the apps use to establish communications in a semi-reliable manner. The keyword in that message you see in the log is right there: "possible" -- it might be an attack, but it also might not be.
This is supposed to be a page for children's songs, but it gets redirected to a page that looks like phishing. But the OpenWrt system log is not showing anything.
A DNS rebind attack, at least when it comes to OpenWrt, is specifically about hijacking a DNS request and returning a result within the private IP address range or a loopback address. It's not a DNS rebind attack if it points to a public IP address; it's then just a regular DNS hijack.
So, when you attempt to access that domain, does it point to an address within the public IP address range or not? If yes, then it is not a DNS rebind attack.
That said, at least for me that URL looked perfectly legit at a glance.
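To make the distinction above concrete, here is an added example (not code from OpenWrt or dnsmasq, and not part of this thread) that re-implements the check rebind protection applies to an upstream answer and tallies the "possible DNS-rebind attack detected" lines from a constructed syslog sample, so one can tell a single app domain repeating (the plex.direct case) from many unrelated names. The `allowed` list mirrors dnsmasq's rebind-domain-ok option, which OpenWrt exposes as `list rebind_domain` in /etc/config/dhcp; the domain names and addresses in the sample are constructed.

```python
import ipaddress
import re
from collections import Counter
from typing import Iterable

# Independent re-implementation of the rule behind OpenWrt's
# "possible DNS-rebind attack detected" warning: an upstream answer
# that points into private, loopback or link-local space is refused.


def is_rebind_address(addr: str) -> bool:
    """True if an A/AAAA answer would be refused by rebind protection."""
    ip = ipaddress.ip_address(addr)
    return ip.is_private or ip.is_loopback or ip.is_link_local


def classify_answer(name: str, addrs: Iterable[str],
                    allowed: Iterable[str] = ()) -> tuple[str, list[str]]:
    """Classify a resolver answer for `name`; returns (verdict, bad_addrs).

    `allowed` lists domains (like plex.direct) whose names may legitimately
    resolve to private addresses, as dnsmasq's rebind-domain-ok list does.
    """
    name = name.rstrip(".").lower()
    bad = [a for a in addrs if is_rebind_address(a)]
    if not bad:
        return "public", []        # a plain DNS hijack at worst, not rebind
    if any(name == d or name.endswith("." + d) for d in allowed):
        return "allowed", bad      # whitelisted: answer is passed through
    return "possible-rebind", bad  # dnsmasq would refuse and log this


# Constructed sample in OpenWrt syslog format, not real log data.
SAMPLE_LOG = """\
Tue Mar  5 10:01:12 2019 daemon.warn dnsmasq[1234]: possible DNS-rebind attack detected: abc123.plex.direct
Tue Mar  5 10:01:40 2019 daemon.warn dnsmasq[1234]: possible DNS-rebind attack detected: abc123.plex.direct
Tue Mar  5 11:22:03 2019 daemon.warn dnsmasq[1234]: possible DNS-rebind attack detected: login-check.example
Tue Mar  5 11:22:05 2019 daemon.info dnsmasq[1234]: query[A] example.org from 192.168.1.20
"""

REBIND_RE = re.compile(r"possible DNS-rebind attack detected: (\S+)")


def rebind_counts(log_text: str) -> dict[str, int]:
    """Count rebind warnings per domain: one app domain repeating is the
    usual benign case; many unrelated domains deserve a closer look."""
    return dict(Counter(m.group(1) for m in REBIND_RE.finditer(log_text)))
```

Feed `classify_answer` the addresses from `nslookup`/`dig` for the domain in question and `rebind_counts` the output of `logread` to answer the "public or not" question for a real case.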
Now it's interesting: the page doesn't get redirected to the suspicious site anymore. I get a message:
Firefox detected a potential security threat and did not continue to fithimstill.xyz......
But I haven't updated Firefox in the meantime. How come they now know that it's malicious?
Now I opened Chrome to see what happens: this page does arrive at the proper page for children's songs!!
Very strange!! My OpenWrt is set to use Google and 208.67.222.123 (I forgot what that's called) as DNS servers, and my laptop is set to use whatever DNS server is set at the router. Why is Chrome returning the proper page while Firefox doesn't?
As for DNS-rebind protection blocking a legitimate thing, I wonder if I should do something about it. Are there a lot of legitimate things that people normally expect to be able to do, that get blocked by DNS-rebind protection?
Chrome is probably using either your system DNS or Google DNS. Firefox may have an override and/or extensions that are causing the issues you are seeing. Update your Firefox install, check to see if you have any extensions and/or DNS/proxy overrides.