Dns rebind attack - Encrypted DNS?
-
Getting dns rebind attack every 5 seconds from trr.dns.nextdns.io that resolves to 0.0.0.0 & ::. Is this due to encrypted dns being used? What is a remedy besides ignoring an 18k log each day?
-
With no better solution, I blocked the hostname with Dns Forwarder, Custom Options. See who squawks.
-
What is doing the query for that?
-
@johnpoz I wish I knew. Don't seee the .io on the Lan. Given the url I suspect it may be encrypted DNS. I'm not that adept at DNS. On the Wan wireshark reports;
Request
415 5.604824 61.117.205.82 61.117.192.1 51579 53 DNS 78 Standard query 0x5264 A trr.dns.nextdns.io
Reply
417 5.625006 61.117.192.1 61.117.205.82 53 51579 DNS 236 Standard query response 0x5264 A trr.dns.nextdns.io A 0.0.0.0 NS dawn.ns.cloudflare.com NS lee.ns.cloudflare.com A 173.245.59.129 AAAA 2606:4700:58::adf5:3b81 A 173.245.58.106 AAAA 2606:4700:50::adf5:3a6a -
@markn6262 said in Dns rebind attack - Encrypted DNS?:
61.117.205.82
That is your pfsense wan IP? ??
DNS server be it your running unbound, dnsmasq, bind - doesn't go ask for something... Unless a client asked it to...
Set unbound to log queries.. Or sniff on your lan side network(s)..
You can set unbound to log queries with.
server: log-queries: yesIn the custom options box..
How do you have dns setup on pfsense? Encrypted dns would not be to port 53.. Which is where that query was sent to 61.117.192.1
-
@markn6262 said in Dns rebind attack - Encrypted DNS?:
trr.dns.nextdns.io
ReplyI have the same issue in my logs. In my research, I determined that NextDNS is a DoH (DNS over HTTPS) service, used by the latest browsers from Firefox and Google for "privacy" in DNS requests. The "trr" stands for Trusted Recursive Resolver.
-
Ok - still means something has to query for that.. pfsense isn't on its own going to try and resolve that.. So you got something banging away trying to look that up..
And to be honest - from how they want you to set it up.. Makes no sense that anything would be looking for that fqdn..
An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11 -
@johnpoz I don't know about the OP's situation, but I have ~20 people here and almost everyone in my office uses either Chrome or Firefox (I believe one person uses Edge - not the Chromium version). Some of them are streaming internet radio all day, too.
-
@roncbk said in Dns rebind attack - Encrypted DNS?:
Trusted Recursive Resolver
Thanks for the lead. I read Mozilla FF does now have a non-default implementation of DoH. Should PfSense be blocking DoH as a PfSense rebind attack? Curious if there are plans to address it.
-
@johnpoz Got some 500 clients on our PfSense Lan. Not far fetched someone has enabled DoH in FF. I don't use FF so not sure how often it queries Cloudflair.
-
No idea why it would try and query that fqdn.. It doesn't resolve.. not even from the authoritative NS..
Doh the bane of any admins job.. Privacy and security my ass - circumvention of local restrictions is more like it.
-
@johnpoz Always something indeed. I guess the client won't get to use it until it's sorted. Seems to me this is on Cloudflair to resolve. Thanks for the feedback guys.
-
If me I would block of that nonsense... There are lists of the IPs used by the doh providers, and setup your dns to resolve all the different fqdn they use to something specific.. And then log all clients trying to look that shit up - then go smack the user upside the head..
Or just block their IPs from using anything on the internet ;) Or shape it down to like .1mbps - oh your internet is slow, let me look into that ;)
