Netgate Discussion Forum

    DNS_REBIND

    • Wherewolf

      My Logs are being flooded with this:

      2024-10-28 08:30:18.000000-07:00 dnsmasq 76237 possible DNS-rebind attack detected: dns.msftncsi.com
      2024-10-28 08:29:20.000000-07:00 dnsmasq 76237 possible DNS-rebind attack detected: dns.msftncsi.com
      2024-10-28 08:28:43.000000-07:00 dnsmasq 76237 possible DNS-rebind attack detected: dns.msftncsi.com
      2024-10-28 08:28:04.000000-07:00 dnsmasq 76237 possible DNS-rebind attack detected: dns.msftncsi.com
      2024-10-28 08:27:43.000000-07:00 dnsmasq 76237 possible DNS-rebind attack detected: dns.msftncsi.com

      I'm assuming that's clients (Windows, Xboxes, etc.) phoning home for connectivity checks.
      This is a dual-stack network, using DNS forwarding for resolution, and dns.msftncsi.com resolves fine on IPv4 - on IPv6 it resolves to a private address (apparently on purpose), which is why I think I'm seeing the "potential" rebind attack.

      I looked in the docs to add an exception, but I'm not sure the docs are correct?

      To exclude a domain from DNS rebinding protection, use the DNS forwarder Advanced Settings box as follows:

      rebind-domain-ok=/example.com/
      rebind-domain-ok=/dnsbl.example/

      Where exactly is the "Advanced Settings" on the DNS forwarder configuration page? Thanks for any insight

      • kiokoman (LAYER 8) @Wherewolf

        @Wherewolf
        -> Custom Options
        rebind-domain-ok=/dns.msftncsi.com/


        • johnpoz (LAYER 8, Global Moderator) @Wherewolf

          @Wherewolf said in DNS_REBIND:

          IPv6 resolves to a private address (apparently on purpose),

          dns.msftncsi.com. 1818 IN AAAA fd3e:4f5a:5b81::100

          what the hell would be the point of that???

          A quick google shows people complaining and asking MS to fix it from way back.. But a quick search was not able to find a reason why MS would do such a stupid thing..

          If you scroll down to the bottom of the page for dnsmasq you will see it.. You must be one of the few people left still using the actual forwarder.

          (attached screenshot: dnsmasq.jpg)

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          • Wherewolf
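As an added illustration (not dnsmasq's own code and not from the pfSense docs), a small Python model of the rebind check and the rebind-domain-ok allowlist, run against the AAAA answer quoted above. The list of private ranges is a constructed approximation of what dnsmasq rejects, and the 203.0.113.10 A record is a documentation-range placeholder, not the real address.

```python
import ipaddress

# Ranges the toy check treats as private. Constructed approximation of what
# dnsmasq rejects, not its exact list; fc00::/7 (ULA) is the range that the
# fd3e:4f5a:5b81::100 answer falls into.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::/128", "::1/128", "fe80::/10", "fc00::/7",
)]

def parse_rebind_domain_ok(config_text):
    """Collect domains from rebind-domain-ok= lines. dnsmasq accepts a bare
    domain or a /-delimited list such as /example.com/dnsbl.example/."""
    allowed = set()
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith("rebind-domain-ok="):
            for dom in line.split("=", 1)[1].split("/"):
                if dom:
                    allowed.add(dom.lower().rstrip("."))
    return allowed

def domain_allowed(name, allowed):
    """The name itself or any parent domain on the allowlist exempts it."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in allowed for i in range(len(labels)))

def is_private(addr):
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 is judged as 10.0.0.1
    return any(ip in net for net in PRIVATE_NETS)

def check_answer(name, rrtype, rdata, allowed=frozenset()):
    """Return the log line the check would produce for an upstream answer,
    or None when the answer is passed through untouched."""
    if rrtype in ("A", "AAAA") and is_private(rdata) \
            and not domain_allowed(name, allowed):
        return "possible DNS-rebind attack detected: " + name.rstrip(".")
    return None

# Constructed upstream answers: the AAAA quoted in the thread, plus an
# ordinary public A record (203.0.113.10 is a documentation-range placeholder).
SAMPLE_ANSWERS = [
    ("dns.msftncsi.com.", "AAAA", "fd3e:4f5a:5b81::100"),
    ("dns.msftncsi.com.", "A", "203.0.113.10"),
]

def run_samples(config_text=""):
    """Evaluate SAMPLE_ANSWERS under the given dnsmasq custom options."""
    allowed = parse_rebind_domain_ok(config_text)
    return [check_answer(n, t, r, allowed) for n, t, r in SAMPLE_ANSWERS]
```

Calling run_samples() with no options reproduces the flooded log line for the AAAA answer only; passing "rebind-domain-ok=/dns.msftncsi.com/" silences it while leaving other private answers subject to the check.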

            Thanks for the info - apparently the docs need a little updating on this one. I'm not sure why we are still using the forwarders. This was set up long ago, and because it's 24x7 production for ~4k clients, we don't try to "fix" what isn't massively broken. :)
            I'll look at changing it to the DNS Resolver at some point in the next few months.

            • johnpoz (LAYER 8, Global Moderator) @Wherewolf

              @Wherewolf I'm personally not a fan of forwarding to start with, but yeah, if it's working, it's working. And there are a few things you can do in dnsmasq that you can't in unbound in forwarder mode, like query all the forwarders at once, and then there are other things you can do with unbound in forward mode that you can't in dnsmasq.

              but yeah you don't fix what isn't broke ;)
