Possible DNS-rebind attack?

otnert · September 22, 2018, 12:02am

Should I be concerned?

I've been using OpenWrt since March this year and never seen this appear in the logs before:

daemon.warn dnsmasq[27408]: possible DNS-rebind attack detected: ucs02.engageya.com

Just running a simple home network, no new devices added.

phuque991 · September 22, 2018, 12:46am

It is likely a website (or app, whatever) has a link to that domain and your router resolved its IP address and found it to be in the private range:

# dig +short @8.8.8.8 ucs02.engageya.com
172.16.99.99

otnert · September 22, 2018, 2:15am

Thanks for replying...
So a private address, I don't need to be concerned then?

I've tried to find out the IP address for ucs02.engageya.com but not getting anything:

root@c2600-OpenWrt:~# ping ucs02.engageya.com
ping: bad address 'ucs02.engageya.com'
root@c2600-OpenWrt:~# traceroute ucs02.engageya.com
traceroute: bad address 'ucs02.engageya.com'

and

> ucs02.engageya.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

*** No internal type for both IPv4 and IPv6 Addresses (A+AAAA) records available for ucs02.engageya.
com

Just strange it's appearing out of nowhere!

phuque991 · September 22, 2018, 1:40am

You can search on Google to understand what "DNS-rebind attack" means; and that's why DNSmasq is blocking it for good reasons. But the option can also be turned off.

It's a private IP so you can't ping it unless you have a private IP machine within your network using that address. Lastly, it is strange that you can't resolve that hostname. It shows up on the other public DNS servers:

$ dig +short @1.1.1.1 ucs02.engageya.com
172.16.99.99
$ dig +short @9.9.9.9 ucs02.engageya.com
172.16.99.99

otnert · September 22, 2018, 2:43am

That's the behavior when I'm using the 18.06.1 OpenWrt router connected via PrivateInternetAccess VPN.

However I've managed to resolve ucs02.engageya.com while pinging, when I bypass my OpenWrt VPN, also on another router (not associated or connected to the OpenWrt router).

vgaetera · September 22, 2018, 2:33am

http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html

--stop-dns-rebind
Reject (and log) addresses from upstream nameservers which are in the private IP ranges. This blocks an attack where a browser behind a firewall is used to probe machines on the local network.

otnert · September 22, 2018, 2:46am

Have I cause for concern?

Isn't this the same when Rebind protection is checked?

%40rebind

vgaetera · September 22, 2018, 10:35pm

I mean there's nothing strange it drops reply for external domain with private IP.
This behavior is exactly in accordance with the manual.
You can disable it, if you need to resolve that domain.

Bartvz · September 22, 2018, 9:45am

Or you can whitelist the required domain and keep the protection on!

lleachii · September 22, 2018, 10:35pm

This is because the OpenWrt router has DNS rebind protection on by default. The router was actuallly keeping you safe.

otnert · September 22, 2018, 10:35pm

Thanks to all for your advice.

It seems whatever was causing the logs to appear has ceased.

Much to my amazement it's good to know OpenWrt has this protection in place !

system · October 2, 2018, 10:38pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.