stop-dns-rebind

epaulsen5
DD-WRT Novice


Joined: 25 Nov 2010
Posts: 3

PostPosted: Thu Nov 25, 2010 20:52    Post subject: Additional Information on stop-dns-rebind
I added the commands from above:

sed -i 's/stop-dns-rebind//g' /tmp/dnsmasq.conf
killall dnsmasq
dnsmasq --conf-file=/tmp/dnsmasq.conf

via the Administration > Commands page and clicked Save Startup to add them as a startup item. That did it for me.
epaulsen5
DD-WRT Novice


Joined: 25 Nov 2010
Posts: 3

PostPosted: Thu Nov 25, 2010 20:55    Post subject: Flash Buffalo
I'm sorry. I wasn't very clear on that point. I was able to get it to revert using the Buffalo original firmware (1.72) found on this site. From there, I could do additional flashes, just not from DD-WRT. I always had to go back to the Buffalo firmware.
buddee
DD-WRT Guru


Joined: 06 Feb 2010
Posts: 7401
Location: Little Rock

PostPosted: Thu Nov 25, 2010 21:10    Post subject:
Latest build for your unit is in..

ftp://ftp.dd-wrt.com/others/eko/BrainSlayer-V24-preSP2/11-21-10-r15778/buffalo_wzr-hp-g300nh

_________________
Wireless N Config | Linking Routers | DD-WRT Wiki | DD-WRT Builds | Peacock - Broadcom FAQ

Having problems with port forwarding? Check out Port Forward Troubleshooting for more info.
star
DD-WRT Novice


Joined: 05 Mar 2007
Posts: 34

PostPosted: Thu Dec 02, 2010 1:34    Post subject:
After reading this thread and doing some research, I think the solution to disable the --stop-dns-rebind option is heavy-handed.

From the DNSMasq man pages:

Quote:
--stop-dns-rebind
Reject (and log) addresses from upstream nameservers which are in the private IP ranges. This blocks an attack where a browser behind a firewall is used to probe machines on the local network.

--rebind-localhost-ok
Exempt 127.0.0.0/8 from rebinding checks. This address range is returned by realtime black hole servers, so blocking it may disable these services.

--rebind-domain-ok=[<domain>]|[[/<domain>/[<domain>/]
Do not detect and block dns-rebind on queries to these domains.
The argument may be either a single domain, or multiple domains surrounded by '/', like the --server syntax, eg. --rebind-domain-ok=/domain1/domain2/domain3/

So the reason it is enabled by default in the first place is for security purposes. It appears that exceptions can be made very easily by adding "--rebind-localhost-ok" and "--rebind-domain-ok=<domain>" to the "Additional DNSMasq Options" box in the GUI, while maintaining recommended protection against the exploit described in the man page.

I'll try this myself in a little while.
bskchaos
DD-WRT User


Joined: 07 Feb 2009
Posts: 198

PostPosted: Sat Dec 04, 2010 2:29    Post subject:
It seems dd-wrt cannot use rebind-domain-ok.

If I add this line to Additional DNSMasq Options
Code:
rebind-domain-ok=/remotesite.lcl/

dnsmasq fails.

I'm stuck with the No DNS Rebind=Disable
dd818
DD-WRT Novice


Joined: 17 Aug 2010
Posts: 1

PostPosted: Sat Dec 04, 2010 16:06    Post subject:
bskchaos wrote:
It seems dd-wrt cannot use rebind-domain-ok.

If I add this line to Additional DNSMasq Options
Code:
rebind-domain-ok=/remotesite.lcl/

dnsmasq fails.

I'm stuck with the No DNS Rebind=Disable

rebind-domain-ok did work for me. Using a single domain name, I did not use the slashes, although I don't think it should matter:
Code:
rebind-domain-ok=remotesite.lcl

I'm still not sure stop-dns-rebind is the best solution to DNS rebinding attacks, though.
thenextdon13
DD-WRT User


Joined: 04 Nov 2006
Posts: 89
Location: The Dalles, Oregon USA

PostPosted: Tue Feb 15, 2011 18:42    Post subject:
Does anyone know what version rebind-domain-ok is included in?

Just curious...
phelenius
DD-WRT Novice


Joined: 17 Feb 2011
Posts: 1

PostPosted: Thu Feb 17, 2011 14:52    Post subject:
I am also experiencing this problem. I am running the latest build supported by my wrt54g v2 as listed in the Router Database (14896), and I cannot find a "No DNS Rebind" option.

Is there some other place I'm supposed to look for newer builds?
thenextdon13
DD-WRT User


Joined: 04 Nov 2006
Posts: 89
Location: The Dalles, Oregon USA

PostPosted: Sat Feb 26, 2011 22:57    Post subject:
Sorry, I can't help here. I poked around some looking for a 'vint' version that was newer and didn't see any.

What I've done (since I have jffs) is disable dnsmasq in the GUI and use a startup script to start it with a config file in jffs.

hth
buddee
DD-WRT Guru


Joined: 06 Feb 2010
Posts: 7401
Location: Little Rock

PostPosted: Sun Feb 27, 2011 11:18    Post subject:
If you are using the older builds that don't have it as an on or off option, you can sign up with OpenDNS; they have an option to filter DNS rebind requests.
criminala
DD-WRT Novice


Joined: 22 Jun 2008
Posts: 35

PostPosted: Wed Jun 08, 2011 8:46    Post subject:
After flashing my router to the latest recommended firmware I was facing the same issues.

The following commands fixed it, thanks.

Code:
sed -i 's/stop-dns-rebind//g' /tmp/dnsmasq.conf
killall dnsmasq
dnsmasq --conf-file=/tmp/dnsmasq.conf
kvi
DD-WRT Novice


Joined: 04 May 2010
Posts: 28

PostPosted: Wed Oct 26, 2011 9:06    Post subject:
Sorry for digging up an old thread, but I am experiencing the same difficulties as you are. I need dnsmasq to forward xxx.subdomain.example.com type requests to another DNS server. Those hosts have private-network IP addresses, so just adding the line:

Code:
server=/subdomain.example.com/10.0.0.1


won't do the trick. I've also tried to add the line:

Code:
rebind-domain-ok=/subdomain.example.com/


and the same line without those slashes, but dnsmasq will not start if that line is added. I've also tried to start dnsmasq from the command line with the command:

Code:
# dnsmasq's option is --conf-file (-C); --config-file is not a recognised option
dnsmasq --rebind-domain-ok=/subdomain.example.com/ --conf-file=/tmp/dnsmasq.conf


but it failed to start. I also tried that

Code:
sed -i 's/stop-dns-rebind//g' /tmp/dnsmasq.conf
killall dnsmasq
dnsmasq --conf-file=/tmp/dnsmasq.conf


thing, but it failed to start if the "stop-dns-rebind" line was missing from the conf file. I am going insane with this one. Can somebody tell me what I should try next?
kvi
DD-WRT Novice


Joined: 04 May 2010
Posts: 28

PostPosted: Wed Oct 26, 2011 16:38    Post subject:
Okay, flashed to TomatoUSB with VPN and got things working 100% and I am now happy. Here is my dnsmasq.conf that seems to be working:

Quote:
root@hostname:/tmp/home/root# more /etc/dnsmasq.conf
pid-file=/var/run/dnsmasq.pid
interface=br0
domain=subdomain.domain.tld
resolv-file=/etc/resolv.dnsmasq
addn-hosts=/etc/hosts.dnsmasq
expand-hosts
min-port=4096
stop-dns-rebind
rebind-localhost-ok
dhcp-range=10.0.1.15,10.0.1.29,255.255.255.224,1440m
dhcp-option=3,10.0.1.1
dhcp-lease-max=255
dhcp-authoritative
server=/subdomain.domain.tld/172.17.0.161
rebind-domain-ok=/subdomain.domain.tld/
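As an added illustration of the three options star quotes from the man page and of why kvi's config above works (example code written for this thread, not dnsmasq's own implementation), this Python model decides whether an upstream answer would pass the rebind check. The private ranges used and the suffix-style domain matching are assumptions about dnsmasq's behaviour, as are the sample names and addresses.

```python
import ipaddress

# Ranges the rebind check refuses in upstream answers (assumption: the RFC 1918
# blocks; loopback is handled separately because rebind-localhost-ok exempts it).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")


def parse_domain_ok(value):
    """Turn a rebind-domain-ok value into a list of domains.
    Accepts 'example.com' or '/d1/d2/' (the --server style from the man page)."""
    return [d.lower().rstrip(".") for d in value.strip("/").split("/") if d]


def domain_matches(qname, domain):
    """Assumption: a listed domain covers itself and all of its subdomains."""
    qname = qname.lower().rstrip(".")
    return qname == domain or qname.endswith("." + domain)


def rebind_verdict(qname, answer_ip, *, stop_dns_rebind=True,
                   rebind_localhost_ok=False, rebind_domain_ok=""):
    """Return 'accept' or 'reject' for one upstream A record (qname -> answer_ip),
    mirroring the three dnsmasq options discussed in the thread."""
    if not stop_dns_rebind:
        return "accept"                      # No DNS Rebind = Disable
    ip = ipaddress.ip_address(answer_ip)
    if any(domain_matches(qname, d) for d in parse_domain_ok(rebind_domain_ok)):
        return "accept"                      # exempted zone, e.g. an internal domain
    if ip in LOOPBACK_NET:
        return "accept" if rebind_localhost_ok else "reject"   # RBL-style answers
    if any(ip in net for net in PRIVATE_NETS):
        return "reject"                      # a public name pointing at the LAN
    return "accept"


if __name__ == "__main__":
    # Constructed samples modelled on kvi's config: the internal zone is exempt,
    # a random public name resolving to a LAN address is not.
    opts = dict(rebind_localhost_ok=True, rebind_domain_ok="/subdomain.domain.tld/")
    for q, a in [("host.subdomain.domain.tld", "172.17.0.161"),
                 ("www.example.com", "192.168.1.1"),
                 ("2.0.0.127.rbl.example", "127.0.0.2")]:
        print(f"{q} -> {a}: {rebind_verdict(q, a, **opts)}")
```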
MrFidget
DD-WRT User


Joined: 15 Jul 2010
Posts: 378

PostPosted: Tue Nov 01, 2011 11:14    Post subject:
FYI: I have been using v15962 on WNR3500Ls and E3000. This release has the stop-dns-rebind option in the gui.

Makes life much easier. v15962 is stable enough for me to use in production.

Hope this helps

Cheers
Chris
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6435
Location: UK, London, just across the river..

PostPosted: Sun Dec 13, 2015 19:24    Post subject:
Recently this popped out :)

http://ternarybit.org/harden-dd-wrt-against-dns-rebind-attacks/

Has anyone tried this as a solution? :)

Code:
iptables -I INPUT -s `nvram get lan_ipaddr`/`nvram get lan_netmask` -d `nvram get wan_ipaddr` -j DROP

It seems to work. I haven't tried external access yet, but locally it works.
