Why one OpenWrt router attacks another OpenWrt router (DNS-rebind attack)

I have two routers, both the same model, and both have OpenWrt on them.
For some reason my head router (my.my) is attacking the other (avg.my) router.
The question is why.

It's merely because the DNS response is a Private IP. This is because your downstream router is in Private IP space and likely seeking local records.

Here's how to fix:

1 Like

Wait, your suggestion is simply to disable rebind protection?
But it sounds like disabling an important protection.
Maybe some firewall setting would do the trick?
Or does disabling rebind protection also disable any answers from avg.my?

  • avg.my looks up A Record for my.my
  • my.my replies with an RFC 1918 IP as response
  • avg.my recognizes this as rebind attack

Solution: disable rebind protection on avg.my - I hope that is clear.

Yep, disable on the avg.my device.

1 Like

Thanks for that clarification, now I understand why.

1 Like

I assume:

  • Your client wants to talk to my.my (e.g. open my.my in your browser)
  • Your client is physically (e.g. Wi-Fi) connected to avg.my
  • So avg.my asks my.my about the IP address of my.my
  • my.my responds with its internal IP address
  • avg.my receives an internal IP address on its WAN interface
  • This situation is usually not meant to happen.

Is there a reason for your network topology to have two routers actually run as routers? Of course there is, but people using OpenWrt in that setting on purpose usually don't ask that type of question. So in case you just want to expand your Wi-Fi coverage, the "dumb AP" configuration would be better than hierarchical routing.

If you need to stick to this topology:
Add the DNS record for my.my pointing to its internal IP address on your avg.my device.
This way, avg.my, when asked for the IP address of my.my, will not ask my.my and receive an internal response but just take the internal IP address from its static configuration.

I'm not sure if rebind protection works differently on different top-level domains, but ".my" is Malaysia. So there's a chance switching from "my" to "local" as personal network name will prevent those messages as well. That's, after all, the very purpose of the rebind thingy. Just imagine your ISP answers questions for google.my with 192.168.254.100. Unless you happen to use 192.168.254.0/24 as your personal IP range, your router will (and should) pass traffic for 192.168.254.100 to your ISP. And suddenly your ISP gets to sniff every request you want to ask Google.

3 Likes

User could have other hostnames with RFC1918 records configured in my.my (e.g. hosts on my.my's LAN) - but yes, adding an A Record to avg.my would work too.

1 Like
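A simplified model of the resolver behaviour discussed in the posts above, added here as an example; it is not code from any poster, from OpenWrt or from dnsmasq. The addresses for my.my and nas.my, the host nas.my and all function names are constructed, and the allow-list stands in for dnsmasq's `--rebind-domain-ok`.

```python
import ipaddress

# Simplified model of a forwarding resolver with rebind protection.
# Constructed for illustration; this is not dnsmasq's code.

def is_non_global(addr):
    """True for addresses a rebind filter treats as internal."""
    ip = ipaddress.ip_address(addr)
    return ip.is_private or ip.is_loopback or ip.is_link_local

def domain_allowed(name, ok_domains):
    """Suffix match against an allow-list (models --rebind-domain-ok)."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in ok_domains)

def resolve(name, upstream, static_hosts=None, rebind_protection=True,
            ok_domains=()):
    """Return (addresses, reason) as the downstream router answers a client."""
    static_hosts = static_hosts or {}
    # Local records are answered directly; the upstream filter never runs.
    if name in static_hosts:
        return [static_hosts[name]], "static"
    answers = upstream.get(name, [])
    if not answers:
        return [], "nxdomain"
    filtered = rebind_protection and not domain_allowed(name, ok_domains)
    if filtered and any(is_non_global(a) for a in answers):
        return [], "rebind-blocked"
    return answers, "forwarded"

# Constructed upstream answers, as seen on the WAN side of avg.my.
UPSTREAM = {
    "my.my": ["192.168.1.1"],          # constructed internal address
    "nas.my": ["192.168.1.20"],        # hypothetical host on my.my's LAN
    "google.my": ["192.168.254.100"],  # the spoofed answer from the thread
    "example.org": ["93.184.216.34"],  # ordinary public answer
}
STATIC = {"my.my": "192.168.1.1"}      # static record added on avg.my

if __name__ == "__main__":
    print(resolve("my.my", UPSTREAM))                        # rebind-blocked
    print(resolve("my.my", UPSTREAM, static_hosts=STATIC))   # static
    print(resolve("nas.my", UPSTREAM, static_hosts=STATIC))  # rebind-blocked
    print(resolve("google.my", UPSTREAM, rebind_protection=False))
    print(resolve("google.my", UPSTREAM, ok_domains=("my",)))
```

Turning the filter off and allow-listing the whole `my` suffix both let the spoofed `google.my` answer through, while the static record covers only the one name it defines.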

it is actually like this


and the head router is just temporarily there, then on avg.my there will be PPPoE internet.
So there won't be a problem: when the internet is up, there won't be any local addresses coming from WAN anymore, so I can enable that option, I guess.
And yes, I should change my home domain name, thanks for that too.

Are you discussing the OpenWrt DNS Rebind protection configuration, or something else?

In OpenWrt - it merely prevents A Records containing non Global IPs as responses to clients.

Yes, I'm not sure about the actual implementation. I simply don't know if "my.local" will run into the very same rebind protection messages as "my.my" does. Just because ".my" is every Malaysian domain, but ".local" is meant to be my personal network. There's a semantic connection between RFC1918 IP ranges and RFC6762 top-level domains. So there's a (small, admittedly) chance that rebind protection purposefully omits ".local" domains.

By personal IP range you mean local IP (br-lan)?
What if the ISP uses an external IP address range? Can the ISP also sniff requests?

I think he's saying if your domain is *.my - that any invalid request (not sure how that would occur) goes to the ISP's DNS server?

Even if it were true, I'm not sure about these IP comments the poster made.

I was actually gonna ask for clarification again on what they're talking about - and if this is regarding this setting:

screen111

He seems to be discussing something unrelated to OpenWrt's rebind setting - perhaps the [not so good] choice of .my as your network's domain name.

The question I tried to ask:
Could your "avg.my" device be replaced with a simple switch?

If that's the case, you could just use it as such. In terms of IPs and routing, avg.my could be configured similar to the "dumb AP" role your "avngcli.my" has. This would eliminate the rebind protection messages as well because my.my could respond to DNS requests directly to your clients.

If you feel confident with changing IP ranges and disabling DHCP, you might give it a try. If you don't: Don't, since that's not "a must" at all.

Or just re-enable Rebind Protection once Zebra removes my.my?

I guess you are discussing something else.

1 Like

Ah, thank you for quoting this. I completely missed that line. I somehow was under the impression those routers were there to stay.

I guess I stop explaining here. My entire idea that RFC 1918 internal IP ranges and RFC 6762 special use domains could be implemented in an accommodating way within the rebind protection feature (which is entirely speculative on my side) completely leads to nowhere after realizing the first router is meant to be put out of service soon.

2 Likes

Gotcha, cool!

I understand the discussion better now. :+1:

1 Like