What's new

[Beta] Asuswrt-Merlin 384.14 Beta is now available

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Status
Not open for further replies.
Dirty upgrade from 3814.14_alpha2 to beta1 on RT-AX88U AIMesh'd with two RT-AC86's. All three units converted and running without issues. LED user interface and unit button on the AX88U, work the same. Really appreciate the great work here, Thanks @RMerlin.
 
Dirty from .13 to .14beta1. Disable LED works flawlessly on the 86U. I'm sure that this is not a bug, but the 88U mesh router LED's remain on. I did flash .14B1 on the 88U as well via the Webui.
 
I'm sure that this is not a bug, but the 88U mesh router LED's remain on.

LED disabling is an Asuswrt-Merlin feature, so it does not get synced with mesh nodes.
 
Did a dirty flash over 384.13 yesterday evening CET. This morning the DHCP was not working, the router indicated internet was down and the CPU usage was constantly high. Did a reboot and everything was working again. Now it's evening again and had the same issue. Reverted back to 384.13. Log did not indicate crashes while there was a high CPU usage. Router model is RT-AC86U.
I now did a factory reset and manually configured everything again. After something like 8 hours I run into the same issue again as quoted above. Reverted back to 384.13 again.
 
Getting similar issues. 86u flashed to 14 beta and after about 4 to 8 hours the internet drops and then restarts. No indications in the log files.
 
I've been running beta for a few days on my RT-AC86U without any issues. All working as intended.
 
Beta 1 has been running for a few days on my RT-AC86U with no issues detected. Simple config with basic NAT routing, some inbound port forwarding, both 2.4 and 5.0 Wireless enabled with multiple devices associated to each. Dynamic DNS client enabled.
 
Since my upgrade to the Beta, I'm seeing a bunch of these in my system log:

Nov 10 20:08:22 dnsmasq[322]: possible DNS-rebind attack detected: wwwdrt.gtest.fedex.com
Nov 10 20:12:53 dnsmasq[322]: possible DNS-rebind attack detected: wwwdrt.gtest.fedex.com
Nov 10 20:16:29 dnsmasq[322]: possible DNS-rebind attack detected: wwwdrt.gtest.fedex.com
Nov 10 20:18:22 dnsmasq[322]: possible DNS-rebind attack detected: wwwdrt.gtest.fedex.com
Nov 10 20:19:36 dnsmasq[322]: possible DNS-rebind attack detected: wwwdrt.gtest.fedex.com
Nov 10 20:22:49 dnsmasq[322]: possible DNS-rebind attack detected: wwwdrt.gtest.fedex.com
Nov 10 20:24:36 dnsmasq[322]: possible DNS-rebind attack detected: wwwdrt.gtest.fedex.com
Nov 11 07:56:12 dnsmasq[322]: possible DNS-rebind attack detected: wwwdrt.gtest.fedex.com
Nov 11 08:12:26 dnsmasq[322]: possible DNS-rebind attack detected: wwwdrt.gtest.fedex.com
Nov 11 09:06:50 dnsmasq[322]: possible DNS-rebind attack detected: wwwdrt.gtest.fedex.com
Nov 11 09:17:20 dnsmasq[322]: possible DNS-rebind attack detected: wwwdrt.gtest.fedex.com
Nov 11 16:24:12 dnsmasq[322]: possible DNS-rebind attack detected: wwwdrt.gtest.fedex.com
Nov 11 16:25:33 dnsmasq[322]: possible DNS-rebind attack detected: wwwdrt.gtest.fedex.com
Nov 11 16:29:23 dnsmasq[322]: possible DNS-rebind attack detected: wwwdrt.gtest.fedex.com
Nov 11 16:37:58 dnsmasq[322]: possible DNS-rebind attack detected: wwwdrt.gtest.fedex.com
Nov 11 16:45:08 dnsmasq[322]: possible DNS-rebind attack detected: wwwdrt.gtest.fedex.com
Nov 11 17:13:43 dnsmasq[322]: possible DNS-rebind attack detected: wwwdrt.gtest.fedex.com
Nov 11 17:15:40 dnsmasq[322]: possible DNS-rebind attack detected: wwwdrt.gtest.fedex.com
Nov 11 17:17:04 dnsmasq[322]: possible DNS-rebind attack detected: wwwdrt.gtest.fedex.com

Anything to be concerned about?
 
Looks like FedEx is after you. Do you own them any money? Better pay your bills, man. :)

Maybe he works for UPS and this is how they target the competition :)
 
possible DNS-rebind attack detected

Code:
rgnldo@root# unbound-host wwwdrt.gtest.fedex.com
wwwdrt.gtest.fedex.com has address 172.31.30.15
wwwdrt.gtest.fedex.com has address 146.18.140.17

rgnldo@root# unbound-host 172.31.30.15
Host 15.30.31.172.in-addr.arpa not found: 3(NXDOMAIN).

rgnldo@root# unbound-host 146.18.140.17
17.140.18.146.in-addr.arpa is an alias for 17.0-63.140.18.146.in-addr.arpa.
17.0-63.140.18.146.in-addr.arpa domain name pointer wwwdrt-a-vip2.idev.fedex.com.

Code:
rgnldo@root# dig wwwdrt.gtest.fedex.com +dnssec +multi @127.0.0.1 -p 53535

; <<>> DiG 9.14.4 <<>> wwwdrt.gtest.fedex.com +dnssec +multi @127.0.0.1 -p 53535
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48810
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;wwwdrt.gtest.fedex.com.        IN A

;; ANSWER SECTION:
wwwdrt.gtest.fedex.com. 2662 IN A 146.18.140.17

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53535(127.0.0.1)
;; WHEN: Mon Nov 11 21:22:04 BRT 2019
;; MSG SIZE  rcvd: 67

No problem.

"DNS Rebinding lets you send commands to systems behind a victim’s firewall, as long as they’ve somehow come to a domain you own asking for a resource, and you’re able to run JavaScript in their browser.

Here’s how it works.

  1. If you can get someone to make a request to a domain that you own, you can give them a DNS response that maps host.domain to an IP address—say, 1.2.3.4.
  2. If you set the TTL of that response really low—like 10 seconds—you force the system to constantly check again to see what the IP is for host.domain.
  3. If you know (or think) the victim has a given type of system on their internal network—like a router, or an IoT device—that you could control if you were on the same network, you can use a piece of malicious JavaScript running on their browser (because they came to your site) to make requests to that system, e.g., https://host.domain/set-dns-server?server=6.7.8.9.
  4. When this command is first sent, it’ll be sent to IP 1.2.3.4, because that was the initial IP address that you sent the victim for host.domain.
  5. When the client next updates the DNS record (in 10 seconds, because that’s what you set the TTL to), you then respond back with 192.168.1.1, so the victim’s browser then sends https://host.domain/set-dns-server?server=6.7.8.9 to 192.168.1.1!
  6. If the router is vulnerable to what you send (perhaps using default credentials or no credentials at all), it will update the DNS server of that router to point to the bad guy, which is probably you again.
  7. Repeat as desired to find the right IP internally, and/or to send different kinds of commands to different devices internally."
 
Last edited:
Dirty upgraded an ac68 from 384.13. Enabled fq_codel with Adaptive QoS and trend micro stuff.
QoS working just fine [emoji106]


Sent from my Moto Z3 Play using Tapatalk
 
Last edited:
Did a dirty flash over 384.13 yesterday evening CET. This morning the DHCP was not working, the router indicated internet was down and the CPU usage was constantly high. Did a reboot and everything was working again. Now it's evening again and had the same issue. Reverted back to 384.13. Log did not indicate crashes while there was a high CPU usage. Router model is RT-AC86U.
I can confirm the issue.
It's looks like something with dnsmasq. At least on my AX88U.
After short period of time the dnsmasq use the whole 1 core of the router, and going to be fully irresponsible ...
I reverted it back to the alpha2 - and everything is working as usual ...
14beta1_dnsmasq.PNG


And the dnsmasq is changed between alpha2 and beta 1
 
I have no issues like this on my AX88U with Beta 1. CPU is quiet and traffic is going to port 853.
 
I have no issues like this on my AX88U with Beta 1. CPU is quiet and traffic is going to port 853.
I did't use the DoT
 
Since my upgrade to the Beta, I'm seeing a bunch of these in my system log:

Nov 10 20:08:22 dnsmasq[322]: possible DNS-rebind attack detected: wwwdrt.gtest.fedex.com
Nov 10 20:12:53 dnsmasq[322]: possible DNS-rebind attack detected: wwwdrt.gtest.fedex.com
Nov 10 20:16:29 dnsmasq[322]: possible DNS-rebind attack detected: wwwdrt.gtest.fedex.com
Nov 10 20:18:22 dnsmasq[322]: possible DNS-rebind attack detected: wwwdrt.gtest.fedex.com
Nov 10 20:19:36 dnsmasq[322]: possible DNS-rebind attack detected: wwwdrt.gtest.fedex.com
Nov 10 20:22:49 dnsmasq[322]: possible DNS-rebind attack detected: wwwdrt.gtest.fedex.com
Nov 10 20:24:36 dnsmasq[322]: possible DNS-rebind attack detected: wwwdrt.gtest.fedex.com
Nov 11 07:56:12 dnsmasq[322]: possible DNS-rebind attack detected: wwwdrt.gtest.fedex.com
Nov 11 08:12:26 dnsmasq[322]: possible DNS-rebind attack detected: wwwdrt.gtest.fedex.com
Nov 11 09:06:50 dnsmasq[322]: possible DNS-rebind attack detected: wwwdrt.gtest.fedex.com
Nov 11 09:17:20 dnsmasq[322]: possible DNS-rebind attack detected: wwwdrt.gtest.fedex.com
Nov 11 16:24:12 dnsmasq[322]: possible DNS-rebind attack detected: wwwdrt.gtest.fedex.com
Nov 11 16:25:33 dnsmasq[322]: possible DNS-rebind attack detected: wwwdrt.gtest.fedex.com
Nov 11 16:29:23 dnsmasq[322]: possible DNS-rebind attack detected: wwwdrt.gtest.fedex.com
Nov 11 16:37:58 dnsmasq[322]: possible DNS-rebind attack detected: wwwdrt.gtest.fedex.com
Nov 11 16:45:08 dnsmasq[322]: possible DNS-rebind attack detected: wwwdrt.gtest.fedex.com
Nov 11 17:13:43 dnsmasq[322]: possible DNS-rebind attack detected: wwwdrt.gtest.fedex.com
Nov 11 17:15:40 dnsmasq[322]: possible DNS-rebind attack detected: wwwdrt.gtest.fedex.com
Nov 11 17:17:04 dnsmasq[322]: possible DNS-rebind attack detected: wwwdrt.gtest.fedex.com

Anything to be concerned about?

Do you or anyone in your house use some sort of FedEx App on your phones or tablets?
 
Do you or anyone in your house use some sort of FedEx App on your phones or tablets?

Good question and, yes, one of us has the iPhone Fedex app. But it's rarely used, so if it's communicating on its own accord, that really bugs me.
 
Do you or anyone in your house use some sort of FedEx App on your phones or tablets?

And now this in my System Log:

Nov 12 13:15:11 dnsmasq[322]: possible DNS-rebind attack detected: dp-gw-na.amazon.com
Nov 12 13:15:11 dnsmasq[322]: possible DNS-rebind attack detected: dp-gw-na.amazon.com
Nov 12 13:15:21 dnsmasq[322]: possible DNS-rebind attack detected: dp-gw-na.amazon.com
Nov 12 13:15:22 dnsmasq[322]: possible DNS-rebind attack detected: dp-gw-na.amazon.com
Nov 12 13:17:39 dnsmasq[322]: possible DNS-rebind attack detected: dp-gw-na.amazon.com
Nov 12 13:17:39 dnsmasq[322]: possible DNS-rebind attack detected: dp-gw-na.amazon.com
Nov 12 13:22:00 dnsmasq[322]: possible DNS-rebind attack detected: dp-gw-na.amazon.com
Nov 12 13:22:00 dnsmasq[322]: possible DNS-rebind attack detected: dp-gw-na.amazon.com
Nov 12 13:30:54 dnsmasq[322]: possible DNS-rebind attack detected: dp-gw-na.amazon.com
Nov 12 13:30:54 dnsmasq[322]: possible DNS-rebind attack detected: dp-gw-na.amazon.com
Nov 12 15:15:50 dnsmasq[322]: possible DNS-rebind attack detected: dp-gw-na.amazon.com
Nov 12 15:15:50 dnsmasq[322]: possible DNS-rebind attack detected: dp-gw-na.amazon.com
Nov 12 15:30:46 dnsmasq[322]: possible DNS-rebind attack detected: dp-gw-na.amazon.com
Nov 12 15:30:46 dnsmasq[322]: possible DNS-rebind attack detected: dp-gw-na.amazon.com
Nov 12 16:06:17 dnsmasq[322]: possible DNS-rebind attack detected: dp-gw-na.amazon.com
Nov 12 16:06:17 dnsmasq[322]: possible DNS-rebind attack detected: dp-gw-na.amazon.com

Come on. Yes, there are devices that have the Amazon app on our network. But these rebind warnings never happened before this update. What's up?
 
And now this in my System Log:

Nov 12 13:15:11 dnsmasq[322]: possible DNS-rebind attack detected: dp-gw-na.amazon.com
Nov 12 13:15:11 dnsmasq[322]: possible DNS-rebind attack detected: dp-gw-na.amazon.com
Nov 12 13:15:21 dnsmasq[322]: possible DNS-rebind attack detected: dp-gw-na.amazon.com
Nov 12 13:15:22 dnsmasq[322]: possible DNS-rebind attack detected: dp-gw-na.amazon.com
Nov 12 13:17:39 dnsmasq[322]: possible DNS-rebind attack detected: dp-gw-na.amazon.com
Nov 12 13:17:39 dnsmasq[322]: possible DNS-rebind attack detected: dp-gw-na.amazon.com
Nov 12 13:22:00 dnsmasq[322]: possible DNS-rebind attack detected: dp-gw-na.amazon.com
Nov 12 13:22:00 dnsmasq[322]: possible DNS-rebind attack detected: dp-gw-na.amazon.com
Nov 12 13:30:54 dnsmasq[322]: possible DNS-rebind attack detected: dp-gw-na.amazon.com
Nov 12 13:30:54 dnsmasq[322]: possible DNS-rebind attack detected: dp-gw-na.amazon.com
Nov 12 15:15:50 dnsmasq[322]: possible DNS-rebind attack detected: dp-gw-na.amazon.com
Nov 12 15:15:50 dnsmasq[322]: possible DNS-rebind attack detected: dp-gw-na.amazon.com
Nov 12 15:30:46 dnsmasq[322]: possible DNS-rebind attack detected: dp-gw-na.amazon.com
Nov 12 15:30:46 dnsmasq[322]: possible DNS-rebind attack detected: dp-gw-na.amazon.com
Nov 12 16:06:17 dnsmasq[322]: possible DNS-rebind attack detected: dp-gw-na.amazon.com
Nov 12 16:06:17 dnsmasq[322]: possible DNS-rebind attack detected: dp-gw-na.amazon.com

Come on. Yes, there are devices that have the Amazon app on our network. But these rebind warnings never happened before this update. What's up?

Wow both Amazon and FedEX out to get you, must have done something they really don't like :)
 
Status
Not open for further replies.

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top