What's new

Multiple DNS Servers - How does the router decide which one to use?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Oh well, only 10% for now.

Anyway, I guess my plan is a good one then?
DNSSEC only enabled on NextDNS
Rebind protection only enabled on Router
 
The % rate is going to be low because most domains don't support DNSSEC. Maybe it will improve over time, but yeah. Expect it to be low for now.

Yeah that should be fine. Maybe the errors only show up on a more verbose logging level, but I definitely saw a bunch of entries in the log after about a day, complaining about rebinding.
 
Manage to try my spare AX86S with current 388 beta 4 and I do get these when Enable DNS Rebind protection set to enabled. Having the Rebind Protection off on NextDNS webui doesnt change things

Code:
ov 30 22:03:20 dnsmasq[5108]: possible DNS-rebind attack detected: 0mso8yci6lb.rtt-test.dnscheck.tools
Nov 30 22:03:20 dnsmasq[5108]: possible DNS-rebind attack detected: tsbnvxa07hq.rtt-test.dnscheck.tools
Nov 30 22:03:20 dnsmasq[5108]: possible DNS-rebind attack detected: 3z4tkxqwwyv.rtt-test.dnscheck.tools
Nov 30 22:03:20 dnsmasq[5108]: possible DNS-rebind attack detected: giaon9xcu7s.rtt-test.dnscheck.tools
Nov 30 22:03:20 dnsmasq[5108]: possible DNS-rebind attack detected: tfhe7y2hrom.rtt-test.dnscheck.tools
Nov 30 22:03:20 dnsmasq[5108]: possible DNS-rebind attack detected: z7usj7vnb7m.rtt-test.dnscheck.tools
Nov 30 22:03:20 dnsmasq[5108]: possible DNS-rebind attack detected: hclj1zv7m1.rtt-test.dnscheck.tools
Nov 30 22:03:20 dnsmasq[5108]: possible DNS-rebind attack detected: hzodbrst5c6.rtt-test.dnscheck.tools
Nov 30 22:03:20 dnsmasq[5108]: possible DNS-rebind attack detected: dljq2berdy.rtt-test.dnscheck.tools
Nov 30 22:03:20 dnsmasq[5108]: possible DNS-rebind attack detected: ynx93w8alir.rtt-test.dnscheck.tools
Nov 30 22:03:20 dnsmasq[5108]: possible DNS-rebind attack detected: 5yswj3p02j7.rtt-test.dnscheck.tools

Probably selecting blocklist file locally rather than NextDNS lists on their webui will make rebind protection on router better?
 
Manage to try my spare AX86S with current 388 beta 4 and I do get these when Enable DNS Rebind protection set to enabled.
These are exactly the kind of messages I want to see when rebind protection is enabled. This is a Good Thing™. If some malicious or misconfigured device is resolving external domains to private addresses I want to know about it so I can fix it. I don't want it to be silently dropped so that I'm none the wiser.

In this case it happens to be a legitimate part the the dnscheck tool. As this is something I almost never run I can either ignore the fairly obvious messages in the log, or if it's something I run frequently I could add the following line to dnsmasq.conf to suppress it for this specific test.

Untitled.png
 
These are exactly the kind of messages I want to see when rebind protection is enabled. This is a Good Thing™. If some malicious or misconfigured device is resolving external domains to private addresses I want to know about it so I can fix it. I don't want it to be silently dropped so that I'm none the wiser.

In this case it happens to be a legitimate part the the dnscheck tool. As this is something I almost never run I can either ignore the fairly obvious messages in the log, or if it's something I run frequently I could add the following line to dnsmasq.conf to suppress it for this specific test.

View attachment 45863
Cool and good to know but this is also happening with rebind protection enabled in router, disabled in NextDNS webui with blocklist from their webui

Code:
Nov 30 22:35:15 dnsmasq[4446]: possible DNS-rebind attack detected: browser.events.data.msn.com
Nov 30 22:35:16 dnsmasq[4446]: possible DNS-rebind attack detected: c.msn.com
Nov 30 22:35:16 dnsmasq[4446]: possible DNS-rebind attack detected: sb.scorecardresearch.com
Nov 30 22:35:16 dnsmasq[4446]: possible DNS-rebind attack detected: c.bing.com
Nov 30 22:35:20 dnsmasq[4446]: possible DNS-rebind attack detected: browser.events.data.msn.com
Nov 30 22:35:20 dnsmasq[4446]: possible DNS-rebind attack detected: cookie-cdn.cookiepro.com
Nov 30 22:35:20 dnsmasq[4446]: possible DNS-rebind attack detected: sessions.bugsnag.com
Nov 30 22:35:20 dnsmasq[4446]: possible DNS-rebind attack detected: securepubads.g.doubleclick.net

This is why I am kind of interested with locally config blocklist and do all the dns stuff locally, and minimal config too
 
Cool and good to know but this is also happening with rebind protection enabled in router, disabled in NextDNS webui with blocklist from their webui
Ah, I see. I've never used NextDNS' blocking. I guess they're returning 0.0.0.0 for the blocked domains. It looks like you'll have to use NextDNS' rebind protection if you want to continue using their blocking.

I block stuff locally using my own script which is similar to Diversion Lite.
 
Coincidentally there was this bug report over on NextDNS the other day:

Maybe try the solution suggested there.
Code:
bogus-nxdomain=0.0.0.0
Thank you but I'll have to PM you about a mess up :oops:
 
Thank you but I'll have to PM you about a mess up :oops:
For those who use NextDNS with their blocking list and enabling DNS rebind on router instead of Nextdns's

Code:
killall dnsmasq; dnsmasq --log-async --bogus-nxdomain=0.0.0.0

Thanks @ColinTaylor
 
For those who use NextDNS with their blocking list and enabling DNS rebind on router instead of Nextdns's

Code:
killall dnsmasq; dnsmasq --log-async --bogus-nxdomain=0.0.0.0

Thanks @ColinTaylor

How to make that setting stick on reboots/updates?
Also, is there any benefit of using DNS rebind on the router instead of NextDNS?
 
How to make that setting stick on reboots/updates?
Also, is there any benefit of using DNS rebind on the router instead of NextDNS?
Not sure about benefit, but I'd trust it to do locally more than NextDNS I think.

I am very new here and still learning. I have two AX86. AX86U which installed add-ons from amtm that is super easy to use and AX86S I am trying to configure minimally. The --bogus-nxdomain=0.0.0.0 would need to put in services-start or postconf scripts, which I am still figuring out :confused:
 
Create a custom config file /jffs/configs/dnsmasq.conf.add with bogus-nxdomain=0.0.0.0 in it.
is this correct?

Code:
chmod a+rx /jffs/configs/dnsmasq.conf.add

Code:
nano /jffs/configs/dnsmasq.conf.add

And edit inside nano
 
If you're referring to the DNS-over-TLS mode, it round-robins the servers due to how Stubby is configured. So to answer the question, it rotates through the list.
How many should there be on the list then? Currently I have cloud fare ipv4 and ipv6 two of each is that right or should I only have one of each?
 
How many should there be on the list then? Currently I have cloud fare ipv4 and ipv6 two of each is that right or should I only have one of each?
There’s no “should” I don’t think.
Ive read somewhere that it’s good to have both IPv4 & IPv6 servers selected, in case of outages.
I use two of each personally, but that’s just my preference.
 
These are exactly the kind of messages I want to see when rebind protection is enabled. This is a Good Thing™. If some malicious or misconfigured device is resolving external domains to private addresses I want to know about it so I can fix it. I don't want it to be silently dropped so that I'm none the wiser.

In this case it happens to be a legitimate part the the dnscheck tool. As this is something I almost never run I can either ignore the fairly obvious messages in the log, or if it's something I run frequently I could add the following line to dnsmasq.conf to suppress it for this specific test.

View attachment 45863
Friend, I'm still learning to use merlin, little by little I'm starting to configure many things by myself. But where is this dnsmasq.conf file? I don't know where it is in the merlin files. Do I have to create one in /jffs/configs/dnsmasq.conf.add and add this line in it?
 
Do I have to create one in /jffs/configs/dnsmasq.conf.add and add this line in it?
Yes. And enable "JFFS custom scripts and configs" in Administration - System.


Once you've made changes to the config file either reboot the router or restart the DNS server (service restart_dnsmasq).
 
Yes. And enable "JFFS custom scripts and configs" in Administration - System.


Once you've made changes to the config file either reboot the router or restart the DNS server (service restart_dnsmasq).

I did that, I think it's ok. Something I'm noticing is that after I added the line bogus-nxdomain=0.0.0.0 in dnsmasq.conf.add, no more logs of this type appear here:

Code:
Nov 30 22:35:15 dnsmasq[4446]: possible DNS-rebind attack detected: browser.events.data.msn.com
Nov 30 22:35:16 dnsmasq[4446]: possible DNS-rebind attack detected: c.msn.com
Nov 30 22:35:16 dnsmasq[4446]: possible DNS-rebind attack detected: sb.scorecardresearch.com
Nov 30 22:35:16 dnsmasq[4446]: possible DNS-rebind attack detected: c.bing.com
Nov 30 22:35:20 dnsmasq[4446]: possible DNS-rebind attack detected: browser.events.data.msn.com
Nov 30 22:35:20 dnsmasq[4446]: possible DNS-rebind attack detected: cookie-cdn.cookiepro.com
Nov 30 22:35:20 dnsmasq[4446]: possible DNS-rebind attack detected: sessions.bugsnag.com
Nov 30 22:35:20 dnsmasq[4446]: possible DNS-rebind attack detected: securepubads.g.doubleclick.net

The DNS Rebind protection option is enabled on merlin, dnssec is not. It's working correctly? After you add the bogus-nxdomain option in dnsmasq.conf.add do the logs stop appearing? Do I need to enable the dnssec option in merlin or not?
 

Similar threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top