DNS rebind attack?



  • I see this in my log file on the latest pfSense snapshot:

    Dec  4 10:27:41 fw dnsmasq[63284]: possible DNS-rebind attack detected: smtp.rogerswirelessdata.com
    
    

    When I try to resolve that particular host from the LAN, I get:

    waldo@waldopc:~$ dig smtp.rogerswirelessdata.com
    
    ; <<>> DiG 9.7.0-P1 <<>> smtp.rogerswirelessdata.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50686
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;smtp.rogerswirelessdata.com.	IN	A
    
    ;; Query time: 9 msec
    ;; SERVER: 192.168.0.10#53(192.168.0.10)
    ;; WHEN: Sat Dec  4 10:45:36 2010
    ;; MSG SIZE  rcvd: 45
    
    

    I have DNS Forwarder turned on with its default settings.

    If I query the ISP DNS server directly, I get:

    waldo@waldopc:~$ dig @64.59.150.132 smtp.rogerswirelessdata.com
    
    ; <<>> DiG 9.7.0-P1 <<>> @64.59.150.132 smtp.rogerswirelessdata.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38810
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;smtp.rogerswirelessdata.com.	IN	A
    
    ;; ANSWER SECTION:
    smtp.rogerswirelessdata.com. 10800 IN	A	172.25.0.115
    
    ;; Query time: 16 msec
    ;; SERVER: 64.59.150.132#53(64.59.150.132)
    ;; WHEN: Sat Dec  4 10:46:23 2010
    ;; MSG SIZE  rcvd: 61
    
    

    dnsmasq is using this DNS server:

    Dec  4 10:27:28 fw dnsmasq[63284]: reading /etc/resolv.conf
    Dec  4 10:27:28 fw dnsmasq[63284]: using nameserver 64.59.150.132#53
    Dec  4 10:27:28 fw dnsmasq[63284]: using nameserver 64.59.144.17#53
    Dec  4 10:27:28 fw dnsmasq[63284]: using nameserver 64.59.144.16#53
    Dec  4 10:27:28 fw dnsmasq[63284]: read /etc/hosts - 2 addresses
    
    

    Why would I not be able to access this specific site? Other sites seem to work fine. I have no other equipment - pfSense sitting behind my cable modem, and an unmanaged switch on the LAN. I cleared all local DNS caches.



  • Because Internet hostnames shouldn't resolve to private IPs. That's a strong indicator of someone trying to do bad things to you. If Rogers insists on using private IPs inside their network, you'll have to disable the DNS rebinding protection under System>Advanced.
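    The check the reply describes, written out as an added example (this is not code from the thread, from pfSense or from dnsmasq): an upstream answer that maps an Internet hostname to a private, loopback or link-local address is dropped and logged, which is why the LAN-side dig above returns NOERROR with an empty ANSWER section while the ISP resolver returns 172.25.0.115. The rejected ranges, the `allowed_domains` escape hatch (modelled loosely on dnsmasq's per-domain exemption) and the log-line parser are assumptions made for illustration; the sample log lines are the ones quoted in the post.

    ```python
    """
    Added example: emulate a DNS-forwarder rebind check and parse its log lines.
    Not dnsmasq's or pfSense's own code; the ranges and behaviour are assumptions.
    """
    import ipaddress
    import re
    from typing import List, Optional, Sequence, Tuple

    # Address ranges an Internet hostname should never resolve to (assumption:
    # RFC 1918, loopback, link-local and the unspecified "this network" block).
    REJECTED_RANGES = [
        ipaddress.ip_network("10.0.0.0/8"),
        ipaddress.ip_network("172.16.0.0/12"),
        ipaddress.ip_network("192.168.0.0/16"),
        ipaddress.ip_network("127.0.0.0/8"),
        ipaddress.ip_network("169.254.0.0/16"),
        ipaddress.ip_network("0.0.0.0/8"),
    ]

    # Matches the forwarder's rebind warning and captures the offending name.
    LOG_RE = re.compile(r"dnsmasq\[\d+\]: possible DNS-rebind attack detected: (\S+)")

    # Constructed sample log, taken from the lines quoted in the thread.
    SAMPLE_LOG = [
        "Dec  4 10:27:28 fw dnsmasq[63284]: using nameserver 64.59.150.132#53",
        "Dec  4 10:27:41 fw dnsmasq[63284]: possible DNS-rebind attack detected: smtp.rogerswirelessdata.com",
    ]


    def is_rebind_address(addr: str) -> bool:
        """True if an A record pointing at this address should be rejected."""
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in REJECTED_RANGES)


    def _in_allowed_domain(name: str, allowed_domains: Sequence[str]) -> bool:
        """Exact or suffix match against a list of exempted domains."""
        for dom in allowed_domains:
            dom = dom.rstrip(".").lower()
            if name == dom or name.endswith("." + dom):
                return True
        return False


    def filter_answer(
        qname: str,
        answers: List[str],
        allowed_domains: Sequence[str] = (),
    ) -> Tuple[List[str], Optional[str]]:
        """
        Apply the rebind check to an upstream answer set.

        Returns (answers_to_pass_on, log_message). If any address is in a
        rejected range and the name is not exempted, the whole answer set is
        dropped (the client sees NOERROR with zero answers) and a warning is
        produced in the same shape as the forwarder's log line.
        """
        name = qname.rstrip(".").lower()
        if _in_allowed_domain(name, allowed_domains):
            return list(answers), None
        if any(is_rebind_address(a) for a in answers):
            return [], f"possible DNS-rebind attack detected: {name}"
        return list(answers), None


    def parse_rebind_log(lines: Sequence[str]) -> List[str]:
        """Extract every hostname the forwarder flagged as a rebind attempt."""
        flagged = []
        for line in lines:
            m = LOG_RE.search(line)
            if m:
                flagged.append(m.group(1))
        return flagged


    if __name__ == "__main__":
        # The thread's case: ISP resolver hands back a 172.16/12 address.
        kept, msg = filter_answer("smtp.rogerswirelessdata.com.", ["172.25.0.115"])
        print(kept, msg)          # [] possible DNS-rebind attack detected: ...
        # Same name once the domain is exempted instead of disabling the check globally.
        kept, msg = filter_answer(
            "smtp.rogerswirelessdata.com.", ["172.25.0.115"],
            allowed_domains=["rogerswirelessdata.com"],
        )
        print(kept, msg)          # ['172.25.0.115'] None
        print(parse_rebind_log(SAMPLE_LOG))
    ```

    Exempting only the one domain keeps the protection in place for every other Internet name, which is the finer-grained alternative to switching the whole check off under System > Advanced.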



  • Thanks. I completely missed that 172.25.x.x is a private subnet - so used to 192.168.0.0/16 and 10.0.0.0/8.

