Netgate Discussion Forum

    DNS rebind attack?

    Category: 2.0-RC Snapshot Feedback and Problems - RETIRED
    3 Posts 2 Posters 2.7k Views
    pwnell

      I see this in my log file on the latest pfSense snapshot:

      Dec  4 10:27:41 fw dnsmasq[63284]: possible DNS-rebind attack detected: smtp.rogerswirelessdata.com

      When I try to resolve that particular host from the LAN, I get:

      waldo@waldopc:~$ dig smtp.rogerswirelessdata.com
      
      ; <<>> DiG 9.7.0-P1 <<>> smtp.rogerswirelessdata.com
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50686
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
      
      ;; QUESTION SECTION:
      ;smtp.rogerswirelessdata.com.	IN	A
      
      ;; Query time: 9 msec
      ;; SERVER: 192.168.0.10#53(192.168.0.10)
      ;; WHEN: Sat Dec  4 10:45:36 2010
      ;; MSG SIZE  rcvd: 45

      I have DNS Forwarder turned on with its default settings.

      If I query the ISP DNS server directly, I get:

      waldo@waldopc:~$ dig @64.59.150.132 smtp.rogerswirelessdata.com
      
      ; <<>> DiG 9.7.0-P1 <<>> @64.59.150.132 smtp.rogerswirelessdata.com
      ; (1 server found)
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38810
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
      
      ;; QUESTION SECTION:
      ;smtp.rogerswirelessdata.com.	IN	A
      
      ;; ANSWER SECTION:
      smtp.rogerswirelessdata.com. 10800 IN	A	172.25.0.115
      
      ;; Query time: 16 msec
      ;; SERVER: 64.59.150.132#53(64.59.150.132)
      ;; WHEN: Sat Dec  4 10:46:23 2010
      ;; MSG SIZE  rcvd: 61

      dnsmasq is using this DNS server:

      Dec  4 10:27:28 fw dnsmasq[63284]: reading /etc/resolv.conf
      Dec  4 10:27:28 fw dnsmasq[63284]: using nameserver 64.59.150.132#53
      Dec  4 10:27:28 fw dnsmasq[63284]: using nameserver 64.59.144.17#53
      Dec  4 10:27:28 fw dnsmasq[63284]: using nameserver 64.59.144.16#53
      Dec  4 10:27:28 fw dnsmasq[63284]: read /etc/hosts - 2 addresses

      Why would I not be able to access this specific site? Other sites seem to work fine. I have no other equipment - pfSense sitting behind my cable modem, and an unmanaged switch on the LAN. I cleared all local DNS caches.


    cmb

        Because Internet hostnames shouldn't resolve to private IPs. That's a strong indicator of someone trying to do bad things to you. If Rogers insists on using private IPs inside their network, you'll have to disable the DNS rebinding protection under System>Advanced.


    pwnell

          Thanks. I completely missed that 172.25.x.x is a private subnet - so used to 192.168.0.0/16 and 10.0.0.0/8.

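The two points made in this thread, that the forwarder suppresses an answer when an Internet hostname resolves to a private address, and that 172.25.x.x falls inside a private range that is easy to overlook, can be made concrete with a small model of the check. The following is an added example, not code from pfSense, dnsmasq or the thread. The list of ranges is an assumption modelled on dnsmasq's `private_net()` check, the `ok_domains` allow-list mirrors the effect of dnsmasq's `rebind-domain-ok` option, and the sample answers are constructed (the first reuses the record shown in the dig output above, the second uses a TEST-NET-3 documentation address).

```python
import ipaddress
from typing import Iterable, List, Optional, Sequence, Tuple

# Address ranges the check treats as private. Modelled on dnsmasq's private_net();
# the exact list is an assumption of this example, not something the thread states.
PRIVATE_NETS = {
    "0.0.0.0/8": ipaddress.ip_network("0.0.0.0/8"),            # "this" network, RFC 5735
    "10.0.0.0/8": ipaddress.ip_network("10.0.0.0/8"),          # RFC 1918
    "172.16.0.0/12": ipaddress.ip_network("172.16.0.0/12"),    # RFC 1918: 172.16.x.x .. 172.31.x.x
    "192.168.0.0/16": ipaddress.ip_network("192.168.0.0/16"),  # RFC 1918
    "169.254.0.0/16": ipaddress.ip_network("169.254.0.0/16"),  # link-local / zeroconf
}
LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")

Record = Tuple[str, str]  # (rrtype, rdata), e.g. ("A", "172.25.0.115")


def private_range_of(addr: str, localhost_ok: bool = False) -> Optional[str]:
    """Return the name of the private range containing addr, or None for a public address."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        return None  # this example only mirrors the IPv4 case seen in the thread
    if ip in LOOPBACK_NET:
        return None if localhost_ok else "127.0.0.0/8"
    for name, net in PRIVATE_NETS.items():
        if ip in net:
            return name
    return None


def in_ok_domain(qname: str, ok_domains: Iterable[str]) -> bool:
    """True if qname is, or lies under, one of the allow-listed domains."""
    q = qname.rstrip(".").lower()
    for d in ok_domains:
        d = d.rstrip(".").lower()
        if q == d or q.endswith("." + d):
            return True
    return False


def filter_answer(qname: str, answers: Sequence[Record], ok_domains: Iterable[str] = (),
                  localhost_ok: bool = False) -> Tuple[List[Record], List[str]]:
    """Apply the rebind check to one upstream answer.

    Returns (records handed to the client, log lines). When any A record points into a
    private range and the name is not allow-listed, the whole answer is suppressed, so the
    client sees an empty NOERROR reply, which is what the dig output in the thread shows.
    """
    if in_ok_domain(qname, ok_domains):
        return list(answers), []
    for rrtype, rdata in answers:
        if rrtype == "A" and private_range_of(rdata, localhost_ok) is not None:
            return [], [f"possible DNS-rebind attack detected: {qname}"]
    return list(answers), []


if __name__ == "__main__":
    # Constructed sample answers: the first is the record from the thread, the second a
    # public address taken from the TEST-NET-3 documentation range.
    samples = [
        ("smtp.rogerswirelessdata.com", [("A", "172.25.0.115")]),
        ("www.example.net", [("A", "203.0.113.10")]),
    ]
    for qname, rrs in samples:
        kept, log = filter_answer(qname, rrs)
        print(qname, "->", kept or "(empty answer)", log)
        # show which range tripped the check, the detail pwnell's follow-up was missing
        for _, rdata in rrs:
            print("   ", rdata, "is in", private_range_of(rdata) or "no private range")
    # Allow-listing only the ISP's domain keeps that record without disabling the check globally
    kept, log = filter_answer(samples[0][0], samples[0][1], ok_domains=["rogerswirelessdata.com"])
    print("with allow-list:", kept, log)
```

Running the block shows the thread's record being dropped with the same log line pfSense recorded, while the public address passes untouched. The `ok_domains` path illustrates the narrower alternative to turning the protection off entirely: dnsmasq's `rebind-domain-ok` option exempts named domains from the check, so a provider's hostnames that legitimately resolve to RFC 1918 addresses can be allowed while every other Internet name stays protected.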