Possible DNS Rebind attack R7000

kendalja
DD-WRT Novice


Joined: 07 Feb 2014
Posts: 45

Posted: Wed Jan 31, 2018 23:51    Post subject: Possible DNS Rebind attack R7000
My syslog on my R7000 is plagued with the following messages:

Jan 31 17:36:08 173.239.240.56 dnsmasq: possible DNS-rebind attack detected: st5-www.test.wabaw.net

Should I be concerned? I have no clue what this is.
kendalja
DD-WRT Novice


Joined: 07 Feb 2014
Posts: 45

Posted: Thu Feb 01, 2018 0:58    Post subject:
The only option I see in the Services tab is "No DNS Rebind", and it's enabled under the DNSMasq section.
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 6290
Location: Texas

Posted: Thu Feb 01, 2018 3:54    Post subject: Re: Possible DNS Rebind attack R7000
kendalja wrote:

Jan 31 17:36:08 173.239.240.56 dnsmasq: possible DNS-rebind attack detected: st5-www.test.wabaw.net

NetRange: 173.239.240.0 - 173.239.247.255
CIDR: 173.239.240.0/21
NetName: LOGICWEB
NetHandle: NET-173-239-240-0-1
Parent: LOGICWEB (NET-173-239-192-0-1)
NetType: Reassigned
OriginAS: AS10464
Customer: North American Cable Television and Internet, LLC (C06277098)
RegDate: 2016-12-14
Updated: 2016-12-14
Ref: https://whois.arin.net/rest/net/NET-173-239-240-0-1

CustName: North American Cable Television and Internet, LLC
Address: 2885 Sanford Ave. SW
Address: Suite 20138
City: Grandville
StateProv: MI
PostalCode: 49418
Country: US
RegDate: 2016-12-14
Updated: 2016-12-14
Ref: https://whois.arin.net/rest/customer/C06277098
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6437
Location: UK, London, just across the river..

Posted: Thu Feb 01, 2018 6:43    Post subject:
To be more precise, it does happen if you have another router chained to your router...
You can take some measures, like a few iptables lines to block certain IPs and a few lines in Additional DNSMasq to block certain domains.

According to this address, 173.239.240.56, it seems like your internet provider or someone in its range...
In general, No DNS Rebind does work well to prevent this.

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
kendalja
DD-WRT Novice


Joined: 07 Feb 2014
Posts: 45

Posted: Thu Feb 08, 2018 17:55    Post subject:
Would I be able to hide these by doing the following in Services->Services->DNSMasq->Additional DNSMasq Options:

address=/st5-www.test.wabaw.net/127.0.0.1
address=/searchlive.vo.msecnd.net/127.0.0.1

These are the only two showing up in logs.

_________________
The opposite of networking is NOT working.
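
Added example, not part of the thread and not DD-WRT or dnsmasq code: a Python script that tallies the dnsmasq rebind warnings per hostname, so the "only two showing up" observation can be checked against the full syslog and any name outside a reviewed list stands out before or after entries are suppressed. The log lines are constructed in the format quoted in the first post; the function names and the optional `[pid]` handling are assumptions.

```python
import re

# Constructed sample in the syslog format quoted in the thread.
SAMPLE_LOG = """\
Jan 31 17:36:08 173.239.240.56 dnsmasq: possible DNS-rebind attack detected: st5-www.test.wabaw.net
Jan 31 17:36:41 173.239.240.56 dnsmasq: possible DNS-rebind attack detected: searchlive.vo.msecnd.net
Jan 31 17:40:02 173.239.240.56 dnsmasq: possible DNS-rebind attack detected: ST5-www.test.wabaw.net.
Jan 31 17:41:15 173.239.240.56 dnsmasq: query[A] example.com from 192.168.1.20
"""

# timestamp, syslog host field, optional "[pid]" (assumed), then the warning text.
REBIND_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\sdnsmasq(?:\[\d+\])?:\s"
    r"possible DNS-rebind attack detected:\s(?P<name>\S+)\s*$"
)


def summarize(log_text):
    """Return {hostname: {count, first, last, hosts}} for rebind warnings only."""
    summary = {}
    for line in log_text.splitlines():
        m = REBIND_RE.match(line)
        if not m:
            continue  # other dnsmasq or syslog traffic
        # DNS names are case-insensitive; a trailing dot is the same name.
        name = m["name"].rstrip(".").lower()
        entry = summary.setdefault(
            name, {"count": 0, "first": m["ts"], "last": m["ts"], "hosts": set()}
        )
        entry["count"] += 1
        entry["last"] = m["ts"]
        entry["hosts"].add(m["host"])
    return summary


def unreviewed(summary, reviewed):
    """Names that triggered the warning but are not in the reviewed set."""
    known = {n.rstrip(".").lower() for n in reviewed}
    return sorted(n for n in summary if n not in known)


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for name, e in sorted(result.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{e['count']:4d}  {name}  {e['first']} .. {e['last']}  via {sorted(e['hosts'])}")
    print("not yet reviewed:", unreviewed(result, {"st5-www.test.wabaw.net"}))
```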