Control D DNS and possible DNS-rebind attacks

bbunge

Part of the Furniture
I have recently noticed another pre-loaded DNS service on the Asus firmware. Control D seems to be a "real deal" and has a fancy web site. They have many "free" configuration options.
However, when I select any of the pre-loaded DNS options or manually add one of their other services I immediately begin seeing "possible DNS-rebind attack detected:" in the router system log. Going back to Quad9 or Cloudflare and the suspected attacks stop. These "attacks" also happen with DNSSEC or DoT enabled (I do not use DNSSEC and DoT at the same time).
Is this just me or is there a real problem with Control D DNS?
 
Most likely your router settings, disable rebind protection. It will generate this log message when upstream service filters something.
 
Most likely your router settings, disable rebind protection. It will generate this log message when upstream service filters something.
Makes a lot of sense to disable a protection feature that is giving a warning...

Router settings?

Can you explain why this happens on Control D but not on Quad9, CleanBrowsing, Cloudflare, AdGuard, Google and even my ISP default of Level 3? Also happens on Merlin and Asus firmware...
 
If the filtering server upstream is returning 0.0.0.0 you get the possible rebind attack detected message. I've seen it with Cloudflare and AdGuard, Google and perhaps the ISP have no filtering, don't know about Quad9 and CleanBrowsing. It's a false alarm.
 
I just started using Control D, and also I see the google of 'possible rebind attacks' msgs. (Quad 9 was giving me too many failures, so I'm trying other services.)

Something from 2022 says that Control D free doesn't support rebind attacks ...

Interesting info from Ctrl D, saying to turn off all the options (in the context of a paid account, I believe)
 
I just started using Control D, and also I see the google of 'possible rebind attacks' msgs. (Quad 9 was giving me too many failures, so I'm trying other services.)

Something from 2022 says that Control D free doesn't support rebind attacks ...

Interesting info from Ctrl D, saying to turn off all the options (in the context of a paid account, I believe)
That Asus router guide has some age to it. Lots has changed with the Asus firmware since that was written. Control D is supposed to have an add-on for Merlin firmware but I suspect it is not current.
As for Quad9, I used to have issues with it when my ISP routed the Anycast address for Quad9 to servers over a thousand miles away. Now it is less than 100 miles. Control D has servers in the same area as Quad9 and Cloudflare and connections to all three are great!
 
It shows the configuration you need:

1745190121147.png
 
Steps setting it up look right to me, but I personally don't like the layered filtering approach because identifying false positives becomes harder. I would prefer local filtering with an unfiltered, reliable DNS service upstream that is local to my location. This way I know where the issue is if something doesn't work. Simplicity and reliability are the real deal for me.
 
I've been using Control D almost since they started up a few years ago. They are very customer friendly and offer a ton of great customizable services, some for free. I believe one of the main guys there has posted on here before to help solve issues cropping up between Asus routers and Control D. I don't remember exactly what it was, but they were very helpful in solving an issue I had with DoT and my Asus router in the early days. Highly recommend.
 
Hmmm, I am not seeing any rebind attack warnings in syslog, even with such warnings enabled on the router

Control_D.png
 
Depends on the Block Response configured in the Control-D portal.
I am not a paying customer with an account. I am using one of the free standard profiles which are not configurable. It appears the default blocked query response is NXDOMAIN from /opt/var/log/dnsmasq.log. However, the Control D documentation says that the default response is 0.0.0.0, so I cannot explain. Diversion is configured with NXDOMAIN, so maybe I will see NXDOMAIN when Diversion blocks and 0.0.0.0 when Control D blocks.
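The two explanations above (a filtering upstream answering 0.0.0.0 sets off the warning, while an NXDOMAIN block does not) can be checked against a small model of the rebind check itself. The following is an added example written for this thread, not code from dnsmasq, Asus, Merlin or Control D. The address ranges are an assumption modelled on what dnsmasq's stop-dns-rebind check rejects (verify against the dnsmasq version on your router), the rebind-localhost-ok and rebind-domain-ok behaviour is modelled the same way, and the domain names and syslog lines are constructed for the example.

```python
import ipaddress
import re

# Ranges rejected by rebind protection. ASSUMPTION: modelled on dnsmasq's
# private_net() check behind --stop-dns-rebind; confirm against your version.
_REJECT_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",           # "this" network; 0.0.0.0 is the sentinel many filters answer with
    "10.0.0.0/8",          # RFC 1918
    "172.16.0.0/12",       # RFC 1918
    "192.168.0.0/16",      # RFC 1918
    "169.254.0.0/16",      # link-local / zeroconf
    "255.255.255.255/32",  # broadcast
)]
_REJECT_V6 = [ipaddress.ip_network(n) for n in ("fe80::/10", "fc00::/7")]  # link-local, ULA
_LOOPBACK = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]

WARNING_TEXT = "possible DNS-rebind attack detected"
_LOG_RE = re.compile(re.escape(WARNING_TEXT) + r": (\S+)")


def is_rebind_address(addr, localhost_ok=False):
    """True if a single answer address would be rejected by rebind protection."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                      # ::ffff:a.b.c.d is judged as IPv4
    if any(ip in net for net in _LOOPBACK):
        return not localhost_ok                  # modelled --rebind-localhost-ok exemption
    nets = _REJECT_V4 if ip.version == 4 else _REJECT_V6
    return any(ip in net for net in nets)


def _name_matches(name, domains):
    """Suffix match, the way a domain whitelist is normally applied."""
    name = name.rstrip(".").lower()
    for d in domains:
        d = d.rstrip(".").lower()
        if name == d or name.endswith("." + d):
            return True
    return False


def check_answer(name, addresses, localhost_ok=False, rebind_domain_ok=()):
    """Decide whether an answer passes rebind protection.

    Returns (accepted, warning); warning is the syslog text that would be logged.
    An empty address list stands for NXDOMAIN/NODATA: nothing to reject, no warning,
    which is why a resolver that blocks with NXDOMAIN stays quiet in the log.
    """
    if _name_matches(name, rebind_domain_ok):    # modelled --rebind-domain-ok whitelist
        return True, None
    if any(is_rebind_address(a, localhost_ok) for a in addresses):
        return False, f"{WARNING_TEXT}: {name}"
    return True, None


def classify(name, addresses):
    """Triage label for a rejected answer: filter sentinel vs. genuinely suspicious."""
    sentinel = ipaddress.ip_network("0.0.0.0/8")
    if addresses and all(ipaddress.ip_address(a) in sentinel for a in addresses):
        return "filter-sentinel"    # upstream filter answered 0.0.0.0: the false alarm in this thread
    return "private-address"        # external name pointing into the LAN: what the check exists for


def summarize_log(lines):
    """Count rebind warnings per queried name from syslog lines."""
    counts = {}
    for line in lines:
        m = _LOG_RE.search(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


# Constructed sample syslog lines (not taken from the thread).
SAMPLE_LOG = [
    "Apr 20 12:00:01 router dnsmasq[1234]: possible DNS-rebind attack detected: ads.example.test",
    "Apr 20 12:00:03 router dnsmasq[1234]: possible DNS-rebind attack detected: ads.example.test",
    "Apr 20 12:00:09 router dnsmasq[1234]: reply www.example.test is 203.0.113.10",
    "Apr 20 12:01:15 router dnsmasq[1234]: possible DNS-rebind attack detected: tracker.example.test",
]

if __name__ == "__main__":
    cases = [
        ("ads.example.test", ["0.0.0.0"]),        # filtered with the 0.0.0.0 sentinel
        ("www.example.test", ["203.0.113.10"]),   # ordinary public answer
        ("blocked.example.test", []),             # filtered with NXDOMAIN
        ("login.example.test", ["192.168.1.1"]),  # the shape of a real rebind attempt
    ]
    for name, addrs in cases:
        ok, warn = check_answer(name, addrs)
        print(name, addrs, "accepted" if ok else f"REJECTED ({classify(name, addrs)}): {warn}")
    print(summarize_log(SAMPLE_LOG))
```

Run against the constructed cases, only the 0.0.0.0 answer and the 192.168.1.1 answer are rejected; the NXDOMAIN case produces no warning at all, which matches the observation that a Diversion-style NXDOMAIN block is silent while a 0.0.0.0 block from upstream is not. The classify() label is what makes the log actionable: repeated warnings for names that resolve to 0.0.0.0 are the upstream filter doing its job, whereas a public name resolving into your LAN range is the case rebind protection was written for and deserves a look.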
 
@EmeraldDeer, according to these instructions from Control-D, the DoT servers for their free service are 76.76.2.11 and 76.76.10.11, unlike what is seen in your previous screenshot. Although I suspect that's not the case, I wonder if that may have any impact to the DNS-rebind attack messages.

Code:
3. Under the DNS-over-TLS server list, enter your DoT resolver under the “TLS Hostname” section and point the resolver to 76.76.2.22 and 76.76.10.22 if you’re a paid customer and to 76.76.2.11 and 76.76.10.11 if you are using a free resolver.
 
I've been using Control D almost since they started up a few years ago. They are very customer friendly and offer a ton of great customizable services, some for free. I believe one of the main guys there has posted on here before to help solve issues cropping up between Asus routers and Control D. I don't remember exactly what it was, but they were very helpful in solving an issue I had with DoT and my Asus router in the early days. Highly recommend.
Maybe back then. Now support seems to be AI-driven as the first layer, no way to get direct contact to a human or ticket system. :(
 
@EmeraldDeer, according to these instructions from Control-D, the DoT servers for their free service are 76.76.2.11 and 76.76.10.11, unlike what is seen in your previous screenshot. Although I suspect that's not the case, I wonder if that may have any impact to the DNS-rebind attack messages.

Code:
3. Under the DNS-over-TLS server list, enter your DoT resolver under the “TLS Hostname” section and point the resolver to 76.76.2.22 and 76.76.10.22 if you’re a paid customer and to 76.76.2.11 and 76.76.10.11 if you are using a free resolver.
No difference seen here when using the ‘11’ servers, rather than the ‘2’ servers with DoT.

I find any DNS using the DoT/dnsmasq of the router to have very high latency. A new page load can take up to 10+ seconds easily. (Cloudflare, Control D, Quad9 all alike in this regard.)

Stock or Merlin firmware, no different in this regard.

A stubby issue possibly?

Meanwhile, using an Apple dns profile to use the same servers is blazing fast. (Mostly Apple clients here.)
Added bonus, my ad/malware blocking with a profile is portable, goes with me wherever I go, handy on phone!

I would much prefer to use the router’s facility, but this is where I’m at.
 
A new page load can take up to 10+ seconds easily.

There is an exact match thread here:


...and back then you had a fix for this issue.
 
There is an exact match thread here:


...and back then you had a fix for this issue.
Good catch! I’ve had a sleep or two since then……
Plus, I don’t think I knew about dns profiles then?

Pixelserv of course is no longer with us. Using a single server with DoT is an improvement, but still way sub par compared with a dns profile.

IMHO, it’s not a server problem, or a Merlin problem, because I have the problem regardless of server, or firmware.

Stubby is the only one left?
 