5. DNS rebind attack?

DNS rebind attack?

  • P

    I see this in my log file on the latest pfSense snapshot:

    Dec  4 10:27:41 fw dnsmasq[63284]: possible DNS-rebind attack detected: smtp.rogerswirelessdata.com

    When I try to resolve that particular host from the LAN, I get:

    waldo@waldopc:~$ dig smtp.rogerswirelessdata.com

; <<>> DiG 9.7.0-P1 <<>> smtp.rogerswirelessdata.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50686
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;smtp.rogerswirelessdata.com.	IN	A

;; Query time: 9 msec
;; SERVER: 192.168.0.10#53(192.168.0.10)
;; WHEN: Sat Dec  4 10:45:36 2010
;; MSG SIZE  rcvd: 45

    I have DNS Forwarder turned on with its default settings.

    If I query the ISP DNS server directly, I get:

    waldo@waldopc:~$ dig @64.59.150.132 smtp.rogerswirelessdata.com

; <<>> DiG 9.7.0-P1 <<>> @64.59.150.132 smtp.rogerswirelessdata.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38810
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;smtp.rogerswirelessdata.com.	IN	A

;; ANSWER SECTION:
smtp.rogerswirelessdata.com. 10800 IN	A	172.25.0.115

;; Query time: 16 msec
;; SERVER: 64.59.150.132#53(64.59.150.132)
;; WHEN: Sat Dec  4 10:46:23 2010
;; MSG SIZE  rcvd: 61

    dnsmasq is using this DNS server:

    Dec  4 10:27:28 fw dnsmasq[63284]: reading /etc/resolv.conf
Dec  4 10:27:28 fw dnsmasq[63284]: using nameserver 64.59.150.132#53
Dec  4 10:27:28 fw dnsmasq[63284]: using nameserver 64.59.144.17#53
Dec  4 10:27:28 fw dnsmasq[63284]: using nameserver 64.59.144.16#53
Dec  4 10:27:28 fw dnsmasq[63284]: read /etc/hosts - 2 addresses

    Why would I not be able to access this specific site? Other sites seem to work fine.  I have no other equipment - pfsense sitting behind my cable modem, and an unmanaged switch on the LAN.  I cleared all local DNS caches.

    0
  • C

    Because Internet hostnames shouldn't resolve to private IPs. That's a strong indicator of someone trying to do bad things to you. If Rogers insists on using private IPs inside their network, you'll have to disable the DNS rebinding protection under System>Advanced.

    0
  • P

    Thanks.  I completely missed that 172.25.x.x is a private subnet - so used to 192.168.0.0/16 and 10.0.0.0/8.

    0
Log in to reply
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy