Possible DNS-rebind attack?

Should I be concerned?

I've been using OpenWrt since March this year and never seen this appear in the logs before:

daemon.warn dnsmasq[27408]: possible DNS-rebind attack detected: ucs02.engageya.com

Just running a simple home network, no new devices added.

It is likely a website (or app, whatever) has a link to that domain and your router resolved its IP address and found it to be in the private range:

# dig +short @8.8.8.8 ucs02.engageya.com
172.16.99.99

Thanks for replying...
So a private address, I don't need to be concerned then?

I've tried to find out the IP address for ucs02.engageya.com but not getting anything:

root@c2600-OpenWrt:~# ping ucs02.engageya.com
ping: bad address 'ucs02.engageya.com'
root@c2600-OpenWrt:~# traceroute ucs02.engageya.com
traceroute: bad address 'ucs02.engageya.com'

and

> ucs02.engageya.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

*** No internal type for both IPv4 and IPv6 Addresses (A+AAAA) records available for ucs02.engageya.com

Just strange it's appearing out of nowhere!

You can search on Google to understand what "DNS-rebind attack" means; and that's why DNSmasq is blocking it for good reasons. But the option can also be turned off.

It's a private IP so you can't ping it unless you have a private IP machine within your network using that address. Lastly, it is strange that you can't resolve that hostname. It shows up on the other public DNS servers:

$ dig +short @1.1.1.1 ucs02.engageya.com
172.16.99.99
$ dig +short @9.9.9.9 ucs02.engageya.com
172.16.99.99

That's the behavior when I'm using the 18.06.1 OpenWrt router connected via PrivateInternetAccess VPN.

However, I've managed to resolve ucs02.engageya.com while pinging, when I bypass my OpenWrt VPN, also on another router (not associated or connected to the OpenWrt router).

http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html

--stop-dns-rebind
Reject (and log) addresses from upstream nameservers which are in the private IP ranges. This blocks an attack where a browser behind a firewall is used to probe machines on the local network.

Have I cause for concern?

Isn't this the same when Rebind protection is checked?


I mean there's nothing strange it drops reply for external domain with private IP.
This behavior is exactly in accordance with the manual.
You can disable it, if you need to resolve that domain.

Or you can whitelist the required domain and keep the protection on!

This is because the OpenWrt router has DNS rebind protection on by default. The router was actually keeping you safe.
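As an added illustration of what the manual text and the whitelist suggestion above amount to (example code written for this thread, not code from dnsmasq or OpenWrt): the check below flags an upstream answer that lands in a private range unless the queried name is on an allowlist with the same domain-or-subdomain semantics as `rebind-domain-ok`. The private-range list, the log-line pattern and the sample answers are assumptions based on the manual wording and the log line quoted in the first post.

```python
import ipaddress
import re

# Ranges treated as "private" for the rebind check. This list is an assumption
# modelled on the manual's description, not copied from dnsmasq's source.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",        # loopback, link-local, zero net
    "::1/128", "fe80::/10", "fc00::/7",                  # IPv6 counterparts
)]

# Pattern for the warning seen in the thread's syslog line (assumed format).
LOG_RE = re.compile(r"possible DNS-rebind attack detected: (\S+)")


def parse_rebind_warning(line):
    """Return the domain named in a dnsmasq rebind warning, or None if absent."""
    m = LOG_RE.search(line)
    return m.group(1).rstrip(".").lower() if m else None


def is_private(addr):
    """True if the address falls inside any of the configured private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


def is_allowed(name, allow_domains):
    """Mirror rebind-domain-ok: the listed domain itself or any of its subdomains.
    Entries may be written OpenWrt-style as '/example.com/'."""
    name = name.rstrip(".").lower()
    for dom in allow_domains:
        dom = dom.strip("/").rstrip(".").lower()
        if name == dom or name.endswith("." + dom):
            return True
    return False


def is_rebind_answer(name, answers, allow_domains=()):
    """True when an upstream answer carries a private address for a name that is
    not allowlisted, i.e. the case dnsmasq drops and logs with --stop-dns-rebind."""
    if is_allowed(name, allow_domains):
        return False
    return any(is_private(a) for a in answers)


if __name__ == "__main__":
    # Constructed sample: the answer observed in the thread, with and without an allowlist.
    print(is_rebind_answer("ucs02.engageya.com", ["172.16.99.99"]))                    # True
    print(is_rebind_answer("ucs02.engageya.com", ["172.16.99.99"], ["/engageya.com/"]))  # False
```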

Thanks to all for your advice.

It seems whatever was causing the logs to appear has ceased.

Much to my amazement it's good to know OpenWrt has this protection in place :wink: !
