Possible DNS-rebind attack detected: is someone trying to attack us?


Recently I have been watching the system log regularly and found that there are always a few lines like this:

Possible DNS-rebind attack detected: se1prdapp01-canary.cloudapp.net

Other domain names are:

I looked around online to learn about DNS-rebind and sort of understood it, but I am not sure if I should do something about it: I didn't understand much of the forum postings on this topic. Is someone trying to attack specifically us, or did someone unintentionally open a malicious webpage somewhere?

I have a lot of users who I don't know; they are on a subnet which has no access to LuCI. But I have a few users (I know them all) who are on the subnet that does have access to LuCI (but they don't have the login data). One of them has Windows 7 and she leaves her laptop on and connected day and night. I wonder if something like that would cause an attack?

I would appreciate your input!

In this case, se1prdapp01-canary.cloudapp.net is providing a very invalid answer.

user@machine:~$ nslookup se1prdapp01-canary.cloudapp.net

Non-authoritative answer:
Name:   se1prdapp01-canary.cloudapp.net
Name:   se1prdapp01-canary.cloudapp.net
Address: ::

But a DNS rebind is simply when a public-facing DNS server provides a Private [or other invalid] IP as an answer.


At least some of those look perfectly legit to me. There are cases where an application does use these kinds of DNS requests for its functionality, e.g. Plex uses the domain plex.direct in a similar manner, i.e. it's one of the mechanisms the apps use to establish communications in a semi-reliable manner. The keyword in that message you see in the log is right there: "possible" -- it might be an attack, but it also might not be.

All those domain names seem to be invalid, or at least my upstream DNS can't find any of them.


Hello! Thanks a lot for your replies!

If someone is trying to do something legitimate, is it being blocked then?

There is a website that seems to be hijacked or so; I wonder if it's also DNS-rebinding.


This is supposed to be a page for children's songs, but it gets redirected to a page that looks like a phishing page. But the OpenWRT system log is not showing anything.

If you have DNS-rebind protection enabled, yes.

A DNS rebind attack, at least when it comes to OpenWRT, is specifically about hijacking a DNS request and returning a result within the private IP-address range or a loopback address. It's not a DNS rebind attack if it points to a public IP address; it's then just a regular DNS hijack.

So, when you attempt to access that domain, does it point to an address within the public IP-address range or not? If yes, then it is not a DNS rebind attack.

That said, at least for me that URL looked perfectly legit at a glance.

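The distinction drawn in the replies above (private or loopback answer, invalid answer such as `::`, or public answer) can be checked mechanically. This is an added example, not code from any poster or from OpenWrt; the log prefix, sample names and answers are constructed, and Python's `ipaddress` ranges are assumed to approximate what the router's rebind protection treats as private.

```python
import ipaddress
import re

# Constructed sample log lines (facility prefix and PIDs are made up).
SAMPLE_LOG = """\
daemon.warn dnsmasq[1234]: possible DNS-rebind attack detected: se1prdapp01-canary.cloudapp.net
daemon.info dnsmasq[1234]: read /etc/hosts - 4 addresses
daemon.warn dnsmasq[1234]: possible DNS-rebind attack detected: se1prdapp01-canary.cloudapp.net
daemon.warn dnsmasq[1234]: possible DNS-rebind attack detected: host.example.test
"""

REBIND_RE = re.compile(r"possible DNS-rebind attack detected:\s*(\S+)", re.I)

def flagged_names(log_text):
    """Return {name: count} for every name the log flagged."""
    counts = {}
    for match in REBIND_RE.finditer(log_text):
        name = match.group(1).rstrip(".").lower()
        counts[name] = counts.get(name, 0) + 1
    return counts

def classify(address):
    """Sort one answer address into invalid / loopback / private / public."""
    ip = ipaddress.ip_address(address)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # ::ffff:10.0.0.5 is really 10.0.0.5
    if ip.is_unspecified:            # 0.0.0.0 or ::, as in the nslookup output
        return "invalid"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private or ip.is_link_local:
        return "private"
    return "public"

def verdict(answers):
    """Apply the thread's definition to all answers returned for one name."""
    kinds = {classify(a) for a in answers}
    if kinds & {"private", "loopback"}:
        return "rebind range"
    if "invalid" in kinds:
        return "invalid answer"
    return "public: not a rebind"

if __name__ == "__main__":
    print(flagged_names(SAMPLE_LOG))
    # Constructed answers; replace with what your resolver returns.
    for name, answers in {"a.example.test": ["::"], "b.example.test": ["192.168.1.1"],
                          "c.example.test": ["8.8.8.8"]}.items():
        print(name, answers, verdict(answers))
```

Counting how often each name is flagged and then resolving it against an upstream server shows whether the entries come from one noisy application or from many unrelated names.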

Thank you for your explanation!

Now it's interesting: the page doesn't get redirected to the suspicious site anymore. I get a message:
Firefox detected a potential security threat and did not continue to fithimstill.xyz......

But I haven't updated Firefox meanwhile. How come they now know that it's malicious?

Now, I opened Chrome to see what happens: this page does arrive at the proper page for children's songs!!

Very strange!! My OpenWRT is set to use Google and (I forgot what that's called) as DNS servers, and my laptop is set to use whatever DNS server is set at the router. Why is Chrome returning the proper page while Firefox doesn't?

As for DNS-rebind protection blocking a legitimate thing, I wonder if I should do something about it. Are there a lot of legitimate things that people normally expect to be able to do that get blocked by DNS-rebind protection?

Chrome is probably using either your system DNS or Google DNS. Firefox may have an override and/or extensions that are causing the issues you are seeing. Update your Firefox install, check to see if you have any extensions and/or DNS/proxy overrides.
