DNS_REBIND
-
My logs are being flooded with this:
2024-10-28 08:30:18.000000-07:00 dnsmasq 76237 possible DNS-rebind attack detected: dns.msftncsi.com
2024-10-28 08:29:20.000000-07:00 dnsmasq 76237 possible DNS-rebind attack detected: dns.msftncsi.com
2024-10-28 08:28:43.000000-07:00 dnsmasq 76237 possible DNS-rebind attack detected: dns.msftncsi.com
2024-10-28 08:28:04.000000-07:00 dnsmasq 76237 possible DNS-rebind attack detected: dns.msftncsi.com
2024-10-28 08:27:43.000000-07:00 dnsmasq 76237 possible DNS-rebind attack detected: dns.msftncsi.com
I'm assuming that's clients, Windows, Xboxes etc., phoning home for connectivity checks.
This is a dual-stack network, using DNS forwarding for resolution, and dns.msftncsi.com resolves fine on IPv4; on IPv6 it resolves to a private address (apparently on purpose), which is why I think I'm seeing the "potential" rebind attack.
I looked in the docs to add an exception, but I'm not sure the docs are correct?
***To exclude a domain from DNS rebinding protection, use the DNS forwarder Advanced Settings box as follows:
rebind-domain-ok=/example.com/
rebind-domain-ok=/dnsbl.example/***
Where exactly is the "Advanced Settings" on the DNS forwarder configuration page? Thanks for any insight
-
@Wherewolf
-> Custom Options
rebind-domain-ok=dns.msftncsi.com/
-
@Wherewolf said in DNS_REBIND:
IPv6 resolves to a private address (apparently on purpose),
dns.msftncsi.com. 1818 IN AAAA fd3e:4f5a:5b81::100
what the hell would be the point of that???
A quick google shows people complaining and asking MS to fix it from way back.. But a quick search was not able to find a reason why MS would do such a stupid thing..
If you scroll down to the bottom of the page for dnsmasq you will see it.. You must be one of the few people left still using the actual forwarder.
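A defender-side triage of the log lines and answers discussed in this thread, added here as an example and not code from the thread or from dnsmasq: it counts the "possible DNS-rebind attack detected" lines per name, checks which answers fall in the ranges the rebind check refuses (the ULA answer quoted above included), and emits the rebind-domain-ok line to add only once the name has been judged trusted. The pid, the printer.example.test entries and the IPv4 answer are constructed, and the private-range list approximates dnsmasq's check rather than reproducing its source.

```python
import ipaddress
import re
from collections import Counter
# Constructed log sample in the format shown in the thread; the pid and the
# printer.example.test / query lines are made up.
LOG_LINES = """\
2024-10-28 08:30:18.000000-07:00 dnsmasq 76237 possible DNS-rebind attack detected: dns.msftncsi.com
2024-10-28 08:29:20.000000-07:00 dnsmasq 76237 possible DNS-rebind attack detected: dns.msftncsi.com
2024-10-28 08:28:43.000000-07:00 dnsmasq 76237 possible DNS-rebind attack detected: printer.example.test
2024-10-28 08:28:04.000000-07:00 dnsmasq 76237 query[A] www.example.com from 192.168.1.20
"""
# Constructed stand-in for dig output per flagged name; only the AAAA for
# dns.msftncsi.com is the one quoted in the thread.
ANSWERS = {
    "dns.msftncsi.com": ["203.0.113.10", "fd3e:4f5a:5b81::100"],
    "printer.example.test": ["192.168.1.40"],
}
REBIND_RE = re.compile(r"possible DNS-rebind attack detected: (\S+)\s*$")
# Ranges --stop-dns-rebind rejects in answers (RFC 1918, loopback, link-local,
# ULA); an approximation of dnsmasq's check, not copied from its source.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

def count_rebind_hits(log_text):
    """Count 'possible DNS-rebind attack detected' lines per domain."""
    hits = Counter()
    for line in log_text.splitlines():
        m = REBIND_RE.search(line)
        if m:
            hits[m.group(1).rstrip(".")] += 1
    return hits

def triggers_rebind(addr):
    """True if the answer is in a rejected range; an IPv4-mapped IPv6 answer
    (::ffff:a.b.c.d) is judged by the embedded IPv4 address."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in PRIVATE_NETS)

def triage(log_text, answers):
    """Per flagged domain: hit count, the answers that tripped the check, and
    the rebind-domain-ok line to add only once the name is judged trusted."""
    report = {}
    for domain, n in count_rebind_hits(log_text).items():
        bad = [a for a in answers.get(domain, []) if triggers_rebind(a)]
        report[domain] = {"hits": n, "private_answers": bad,
                          "exception": f"rebind-domain-ok=/{domain}/"}
    return report
```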
-
Thanks for the info - apparently the docs need a little updating on this one. I'm not sure why we are still using the forwarders. This was set up long ago, and because it's 24x7 production for ~4k clients, we don't try to "fix" what isn't massively broken. :)
I'll look at changing it to the DNS Resolver at some point in the next few months.
-
@Wherewolf I'm personally not a fan of forwarding to start with, but yeah, if it's working, it's working. And there are a few things you can do in dnsmasq that you can't in unbound in forwarder mode, like querying all the forwarders at once, and then there are other things you can do with unbound in forward mode that you can't in dnsmasq.
But yeah, you don't fix what isn't broke ;)