This is the "stop DNS rebind" option in the dnsmasq options.
This blocks DNS responses in which private or strange IP addresses are returned.
For example, strange IP addresses are returned when you use DNS servers with blackhole filters.
Then, for blocked DNS requests, e.g. 0.0.0.0 is returned as the IP address, and then dnsmasq shows you such log entries.
Android devices and some apps tend to bind a DNS address to the device IP, which results in this. iPhones and iPads also have similar issues, as do other IoT devices. It's negligible and normal for this to appear in syslog. There are workarounds, but it's usually unnecessary unless functionality of something breaks.
but it is a lot...
Code:
Mar 14 19:52:39 DD-WRT daemon.warn dnsmasq[1799]: possible DNS-rebind attack detected: csi.gstatic.com
Mar 14 19:52:39 DD-WRT daemon.warn dnsmasq[1799]: possible DNS-rebind attack detected: csi.gstatic.com
Mar 14 19:52:39 DD-WRT daemon.warn dnsmasq[1799]: possible DNS-rebind attack detected: assets.mintegral.com
Mar 14 19:52:40 DD-WRT daemon.warn dnsmasq[1799]: possible DNS-rebind attack detected: csi.gstatic.com
Mar 14 19:52:40 DD-WRT daemon.warn dnsmasq[1799]: possible DNS-rebind attack detected: csi.gstatic.com
Mar 14 19:52:40 DD-WRT daemon.warn dnsmasq[1799]: possible DNS-rebind attack detected: csi.gstatic.com
Mar 14 19:52:40 DD-WRT daemon.warn dnsmasq[1799]: possible DNS-rebind attack detected: csi.gstatic.com
Mar 14 19:52:42 DD-WRT daemon.warn dnsmasq[1799]: possible DNS-rebind attack detected: assets.mintegral.com
Mar 14 19:52:42 DD-WRT daemon.warn dnsmasq[1799]: possible DNS-rebind attack detected: api16-access-sg.pangle.io
Mar 14 19:52:43 DD-WRT daemon.warn dnsmasq[1799]: possible DNS-rebind attack detected: csi.gstatic.com
Mar 14 19:52:43 DD-WRT daemon.warn dnsmasq[1799]: possible DNS-rebind attack detected: csi.gstatic.com
Mar 14 19:52:43 DD-WRT daemon.warn dnsmasq[1799]: possible DNS-rebind attack detected: csi.gstatic.com
Mar 14 19:52:43 DD-WRT daemon.warn dnsmasq[1799]: possible DNS-rebind attack detected: csi.gstatic.com
Mar 14 19:52:44 DD-WRT daemon.warn dnsmasq[1799]: possible DNS-rebind attack detected: csi.gstatic.com
Mar 14 19:52:44 DD-WRT daemon.warn dnsmasq[1799]: possible DNS-rebind attack detected: csi.gstatic.com
Mar 14 19:52:44 DD-WRT daemon.warn dnsmasq[1799]: possible DNS-rebind attack detected: tpc.googlesyndication.com
Mar 14 19:52:44 DD-WRT daemon.warn dnsmasq[1799]: possible DNS-rebind attack detected: pagead2.googlesyndication.com
Mar 14 19:52:44 DD-WRT daemon.warn dnsmasq[1799]: possible DNS-rebind attack detected: tpc.googlesyndication.com
Mar 14 19:52:44 DD-WRT daemon.warn dnsmasq[1799]: possible DNS-rebind attack detected: pagead2.googlesyndication.com
Mar 14 19:52:44 DD-WRT daemon.warn dnsmasq[1799]: possible DNS-rebind attack detected: tpc.googlesyndication.com
Mar 14 19:52:44 DD-WRT daemon.warn dnsmasq[1799]: possible DNS-rebind attack detected: tpc.googlesyndication.com
Mar 14 19:52:44 DD-WRT daemon.warn dnsmasq[1799]: possible DNS-rebind attack detected: pagead2.googlesyndication.com
Mar 14 19:52:44 DD-WRT daemon.warn dnsmasq[1799]: possible DNS-rebind attack detected: pagead2.googlesyndication.com
Mar 14 19:52:44 DD-WRT daemon.warn dnsmasq[1799]: possible DNS-rebind attack detected: pagead2.googlesyndication.com
Mar 14 19:52:44 DD-WRT daemon.warn dnsmasq[1799]: possible DNS-rebind attack detected: pagead2.googlesyndication.com
Mar 14 19:52:45 DD-WRT daemon.warn dnsmasq[1799]: possible DNS-rebind attack detected: pagead2.googlesyndication.com
Mar 14 19:52:45 DD-WRT daemon.warn dnsmasq[1799]: possible DNS-rebind attack detected: pagead2.googlesyndication.com
Mar 14 19:52:45 DD-WRT daemon.warn dnsmasq[1799]: possible DNS-rebind attack detected: googleads4.g.doubleclick.net
Mar 14 19:52:46 DD-WRT daemon.warn dnsmasq[1799]: possible DNS-rebind attack detected: pagead2.googlesyndication.com
Mar 14 19:52:46 DD-WRT daemon.warn dnsmasq[1799]: possible DNS-rebind attack detected: pagead2.googlesyndication.com
Mar 14 19:52:48 DD-WRT daemon.warn dnsmasq[1799]: possible DNS-rebind attack detected: d.applvn.com
Mar 14 19:52:55 DD-WRT daemon.warn dnsmasq[1799]: possible DNS-rebind attack detected: ade.googlesyndication.com
Mar 14 19:52:55 DD-WRT daemon.warn dnsmasq[1799]: possible DNS-rebind attack detected: ade.googlesyndication.com
Mar 14 19:53:04 DD-WRT daemon.warn dnsmasq[1799]: possible DNS-rebind attack detected: ade.googlesyndication.com
Mar 14 19:53:04 DD-WRT daemon.warn dnsmasq[1799]: possible DNS-rebind attack detected: ade.googlesyndication.com
Mar 14 19:53:34 DD-WRT daemon.warn dnsmasq[1799]: possible DNS-rebind attack detected: ade.googlesyndication.com
Mar 14 19:53:34 DD-WRT daemon.warn dnsmasq[1799]: possible DNS-rebind attack detected: ade.googlesyndication.com
Mar 14 19:53:42 DD-WRT daemon.warn dnsmasq[1799]: possible DNS-rebind attack detected: api16-access-sg.pangle.io
Mar 14 19:53:55 DD-WRT daemon.warn dnsmasq[1799]: possible DNS-rebind attack detected: api16-access-sg.pangle.io
Mar 14 19:53:56 DD-WRT daemon.warn dnsmasq[1799]: possible DNS-rebind attack detected: tpc.googlesyndication.com
Mar 14 19:53:56 DD-WRT daemon.warn dnsmasq[1799]: possible DNS-rebind attack detected: pagead2.googlesyndication.com
Mar 14 19:53:56 DD-WRT daemon.warn dnsmasq[1799]: possible DNS-rebind attack detected: pagead2.googlesyndication.com
Mar 14 19:53:56 DD-WRT daemon.warn dnsmasq[1799]: possible DNS-rebind attack detected: tpc.googlesyndication.com
Mar 14 19:53:56 DD-WRT daemon.warn dnsmasq[1799]: possible DNS-rebind attack detected: tpc.googlesyndication.com
Mar 14 19:53:56 DD-WRT daemon.warn dnsmasq[1799]: possible DNS-rebind attack detected: tpc.googlesyndication.com
Mar 14 19:53:56 DD-WRT daemon.warn dnsmasq[1799]: possible DNS-rebind attack detected: www.googletagservices.com
Mar 14 19:53:56 DD-WRT daemon.warn dnsmasq[1799]: possible DNS-rebind attack detected: www.googletagservices.com
Mar 14 19:53:56 DD-WRT daemon.warn dnsmasq[1799]: possible DNS-rebind attack detected: pagead2.googlesyndication.com
Mar 14 19:53:56 DD-WRT daemon.warn dnsmasq[1799]: possible DNS-rebind attack detected: pagead2.googlesyndication.com
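Added example, not part of any post in this thread: a Python sketch that tallies rebind warnings per name from a log like the one above and checks whether an upstream answer such as 0.0.0.0 falls in a range a rebind filter would refuse. The range list, the function names and the last sample line are assumptions for illustration; the list approximates "private or strange" addresses and is not dnsmasq's own.

```python
import ipaddress
import re
from collections import Counter

# Assumed approximation of "private or strange" answers; not dnsmasq's exact list.
REBIND_RANGES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

WARN_RE = re.compile(
    r"dnsmasq\[\d+\]: possible DNS-rebind attack detected: (?P<name>\S+)\s*$")


def would_be_rejected(answer: str) -> bool:
    """True if an upstream answer falls in a range a rebind filter refuses."""
    addr = ipaddress.ip_address(answer)
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it is judged as IPv4.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return any(addr.version == net.version and addr in net
               for net in REBIND_RANGES)


def summarize(log_lines):
    """Count rebind warnings per queried name, most frequent first."""
    hits = Counter()
    for line in log_lines:
        m = WARN_RE.search(line)
        if m:
            hits[m.group("name").lower().rstrip(".")] += 1
    return hits.most_common()


# Sample in the syslog format shown above; the last line is constructed.
SAMPLE_LOG = """\
Mar 14 19:52:39 DD-WRT daemon.warn dnsmasq[1799]: possible DNS-rebind attack detected: csi.gstatic.com
Mar 14 19:52:39 DD-WRT daemon.warn dnsmasq[1799]: possible DNS-rebind attack detected: csi.gstatic.com
Mar 14 19:52:39 DD-WRT daemon.warn dnsmasq[1799]: possible DNS-rebind attack detected: assets.mintegral.com
Mar 14 19:52:40 DD-WRT daemon.info dnsmasq[1799]: constructed unrelated line
""".splitlines()

if __name__ == "__main__":
    for name, count in summarize(SAMPLE_LOG):
        print(f"{count:4d}  {name}")
    for ans in ("0.0.0.0", "192.168.1.10", "::ffff:10.0.0.5", "8.8.8.8"):
        print(ans, "rejected" if would_be_rejected(ans) else "passed")
```

A tally dominated by ad and tracker names whose filtered answer is 0.0.0.0 points to a blackhole filter upstream rather than a rebinding attempt; a name answering with an RFC 1918 address of a host on your own LAN deserves a closer look.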
It looks like you are visiting websites which do the rebind attack.
Your DNS settings have some conflicting settings,
e.g. all-servers vs strict-order, and using DNS via WG is not compatible with dnscrypt.
Maybe read up on the subject, e.g. the VPN and DNS guide; see the WG documentation, which is a sticky in the Advanced Networking forum.
For secure DNS, using SmartDNS is often the easier/better choice.
OK, I will try SmartDNS, but I don't feel confident with DD-WRT; the log is not clean at all.
Code:
Mar 15 11:06:43 DD-WRT authpriv.info dropbear[2754]: Exit before auth from <218.92.0.92:54158>: No matching algo hostkey
Mar 15 11:06:47 DD-WRT authpriv.info dropbear[2763]: Child connection from 162.142.125.225:47124
Mar 15 11:07:02 DD-WRT authpriv.info dropbear[2763]: Exit before auth from <162.142.125.225:47124>: Exited normally
Mar 15 11:07:38 DD-WRT authpriv.info dropbear[2775]: Child connection from 218.92.0.92:46148
Mar 15 11:07:48 DD-WRT authpriv.info dropbear[2775]: Exit before auth from <218.92.0.92:46148>: No matching algo hostkey
Mar 15 11:08:40 DD-WRT authpriv.info dropbear[2797]: Child connection from 218.92.0.92:28925
Mar 15 11:08:43 DD-WRT authpriv.info dropbear[2797]: Exit before auth from <218.92.0.92:28925>: No matching algo hostkey
Mar 15 11:09:38 DD-WRT authpriv.info dropbear[2875]: Child connection from 218.92.0.92:25891
Mar 15 11:09:39 DD-WRT authpriv.info dropbear[2875]: Exit before auth from <218.92.0.92:25891>: No matching algo hostkey
Joined: 16 Nov 2015 Posts: 6447 Location: UK, London, just across the river..
Posted: Fri Mar 15, 2024 18:39 Post subject:
The log you are showing says that someone on the WAN side is trying your SSH (dropbear), and very likely you misconfigured it, as you left remote SSH enabled (maybe you wanted this, as you are using it)... The good bit is they didn't establish a connection, as the key didn't match, and this is the expected behavior...
To me it's normal, as I do have those reports on my WAN SSH and I don't bother... but it seems you have a lot of things to learn... and the forum has it all: tons of knowledge, details, scenarios, etc.
Nobody will be able to pour all the knowledge in with a funnel in one go; learning takes time, patience, reading and understanding the matter...
Before applying any settings, check what they do and spend some time on research... don't rush, take your time...
The DD-WRT log has a lot of diagnostic data and some normal and expected lines that may make it feel like something is broken... I myself do research too, especially when something new to me comes up... so don't get scared of the log... rather, learn how to set up your device as it should be...
Good Luck!
Joined: 08 May 2018 Posts: 14249 Location: Texas, USA
Posted: Fri Mar 15, 2024 23:50 Post subject:
"Limit **** access" on the firewall page opens up the ports. Of course it's going to show attempts to connect. That's how it works. Also, if you have ssh remote access enabled, there will be connection attempts shown, that's how it works. At least you are using key access and no matching keys are being used. And that is my cue to post and vacate.