JJohnson1988
Regular Contributor
> Edit: I am blind, there is no DNSSEC option in nextdns?

It does it for you. There is no option for it. If you look at your profile's Analytics tab, you can see "Percentage of queries validated with DNSSEC".
Managed to try my spare AX86S with current 388 beta 4 and I do get these when Enable DNS Rebind protection is set to enabled.

Nov 30 22:03:20 dnsmasq[5108]: possible DNS-rebind attack detected: 0mso8yci6lb.rtt-test.dnscheck.tools
Nov 30 22:03:20 dnsmasq[5108]: possible DNS-rebind attack detected: tsbnvxa07hq.rtt-test.dnscheck.tools
Nov 30 22:03:20 dnsmasq[5108]: possible DNS-rebind attack detected: 3z4tkxqwwyv.rtt-test.dnscheck.tools
Nov 30 22:03:20 dnsmasq[5108]: possible DNS-rebind attack detected: giaon9xcu7s.rtt-test.dnscheck.tools
Nov 30 22:03:20 dnsmasq[5108]: possible DNS-rebind attack detected: tfhe7y2hrom.rtt-test.dnscheck.tools
Nov 30 22:03:20 dnsmasq[5108]: possible DNS-rebind attack detected: z7usj7vnb7m.rtt-test.dnscheck.tools
Nov 30 22:03:20 dnsmasq[5108]: possible DNS-rebind attack detected: hclj1zv7m1.rtt-test.dnscheck.tools
Nov 30 22:03:20 dnsmasq[5108]: possible DNS-rebind attack detected: hzodbrst5c6.rtt-test.dnscheck.tools
Nov 30 22:03:20 dnsmasq[5108]: possible DNS-rebind attack detected: dljq2berdy.rtt-test.dnscheck.tools
Nov 30 22:03:20 dnsmasq[5108]: possible DNS-rebind attack detected: ynx93w8alir.rtt-test.dnscheck.tools
Nov 30 22:03:20 dnsmasq[5108]: possible DNS-rebind attack detected: 5yswj3p02j7.rtt-test.dnscheck.tools

> Managed to try my spare AX86S with current 388 beta 4 and I do get these when Enable DNS Rebind protection is set to enabled.

These are exactly the kind of messages I want to see when rebind protection is enabled. This is a Good Thing™. If some malicious or misconfigured device is resolving external domains to private addresses I want to know about it so I can fix it. I don't want it to be silently dropped so that I'm none the wiser.

In this case it happens to be a legitimate part of the dnscheck tool. As this is something I almost never run I can either ignore the fairly obvious messages in the log, or if it's something I run frequently I could add the following line to dnsmasq.conf to suppress it for this specific test.

View attachment 45863

> In this case it happens to be a legitimate part of the dnscheck tool. [...] I could add the following line to dnsmasq.conf to suppress it for this specific test.

Cool and good to know, but this is also happening with rebind protection enabled in the router, disabled in the NextDNS web UI, with the blocklist from their web UI:
Nov 30 22:35:15 dnsmasq[4446]: possible DNS-rebind attack detected: browser.events.data.msn.com
Nov 30 22:35:16 dnsmasq[4446]: possible DNS-rebind attack detected: c.msn.com
Nov 30 22:35:16 dnsmasq[4446]: possible DNS-rebind attack detected: sb.scorecardresearch.com
Nov 30 22:35:16 dnsmasq[4446]: possible DNS-rebind attack detected: c.bing.com
Nov 30 22:35:20 dnsmasq[4446]: possible DNS-rebind attack detected: browser.events.data.msn.com
Nov 30 22:35:20 dnsmasq[4446]: possible DNS-rebind attack detected: cookie-cdn.cookiepro.com
Nov 30 22:35:20 dnsmasq[4446]: possible DNS-rebind attack detected: sessions.bugsnag.com
Nov 30 22:35:20 dnsmasq[4446]: possible DNS-rebind attack detected: securepubads.g.doubleclick.net
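As an added example that is not part of any post in this thread: a small triage helper for exactly these syslog lines. It parses the "possible DNS-rebind attack detected" messages, groups them by parent domain, marks the domains you expect (a self-test you ran on purpose, like dnscheck.tools) and tells you what to check for the rest. The log excerpt copies lines from the two posts above plus one constructed non-rebind line; the grouping rule and verdict wording are assumptions of this example, not anything dnsmasq or the router does.

```python
"""Triage helper for dnsmasq rebind warnings in the router syslog.

Added example, not posted by anyone in this thread. The log excerpt below
copies lines from the posts above (plus one constructed non-rebind line
to show it is ignored); the grouping rule and verdict text are my own.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Syslog line shape used in the excerpts above: "Nov 30 22:03:20 dnsmasq[5108]: ..."
REBIND_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) dnsmasq\[(?P<pid>\d+)\]: "
    r"possible DNS-rebind attack detected: (?P<name>\S+)$"
)

# Lines 1-8 are copied from the thread; the last line is constructed noise.
SAMPLE_LOG = """\
Nov 30 22:03:20 dnsmasq[5108]: possible DNS-rebind attack detected: 0mso8yci6lb.rtt-test.dnscheck.tools
Nov 30 22:03:20 dnsmasq[5108]: possible DNS-rebind attack detected: tsbnvxa07hq.rtt-test.dnscheck.tools
Nov 30 22:03:20 dnsmasq[5108]: possible DNS-rebind attack detected: 3z4tkxqwwyv.rtt-test.dnscheck.tools
Nov 30 22:35:15 dnsmasq[4446]: possible DNS-rebind attack detected: browser.events.data.msn.com
Nov 30 22:35:16 dnsmasq[4446]: possible DNS-rebind attack detected: c.msn.com
Nov 30 22:35:16 dnsmasq[4446]: possible DNS-rebind attack detected: sb.scorecardresearch.com
Nov 30 22:35:20 dnsmasq[4446]: possible DNS-rebind attack detected: browser.events.data.msn.com
Nov 30 22:35:20 dnsmasq[4446]: possible DNS-rebind attack detected: securepubads.g.doubleclick.net
Nov 30 22:35:21 dnsmasq[4446]: reading /etc/resolv.conf
"""


def parse_rebind_events(text: str) -> List[Tuple[str, int, str]]:
    """Return (timestamp, pid, name) for each rebind warning; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = REBIND_RE.match(line)
        if m:
            events.append((m["ts"], int(m["pid"]), m["name"].lower()))
    return events


def parent_domain(name: str, labels: int = 2) -> str:
    """Crude grouping key: the last two labels (wrong for co.uk-style suffixes,
    good enough for a home router log)."""
    parts = name.rstrip(".").split(".")
    return ".".join(parts[-labels:])


def summarize(events: Iterable[Tuple[str, int, str]], expected: Iterable[str] = ()) -> Dict[str, dict]:
    """Group warnings by parent domain and attach a verdict.

    Domains in `expected` (a self-test you ran on purpose) are marked as such.
    Everything else gets the check the thread ends up doing: query the
    upstream resolver directly and see whether it answers 0.0.0.0 (a
    blocklist sinkhole) or a private address (then look at who queried it).
    """
    groups = defaultdict(lambda: {"hits": 0, "names": set(), "first": "", "last": ""})
    for ts, _pid, name in events:
        g = groups[parent_domain(name)]
        g["hits"] += 1
        g["names"].add(name)
        g["first"] = g["first"] or ts
        g["last"] = ts
    expected_list = [d.strip("/").lower() for d in expected]
    report = {}
    for parent, g in groups.items():
        is_expected = any(parent == d or parent.endswith("." + d) for d in expected_list)
        report[parent] = {
            "hits": g["hits"],
            "distinct_names": len(g["names"]),
            "window": (g["first"], g["last"]),
            "verdict": ("expected: self-test domain" if is_expected else
                        "review: resolve it against the upstream directly; "
                        "0.0.0.0 means blocklist sinkhole, a private address means "
                        "check the device that asked"),
        }
    return report


if __name__ == "__main__":
    report = summarize(parse_rebind_events(SAMPLE_LOG), expected=("dnscheck.tools",))
    for parent, info in sorted(report.items()):
        print(f"{parent:24} hits={info['hits']} distinct={info['distinct_names']} {info['verdict']}")
```

Run it against `cat /tmp/syslog.log | grep rebind` output on the router (or paste it into SAMPLE_LOG) and add to `expected` whatever self-tests you run yourself; a burst of many random-label names under one parent in the same second is the signature of a test tool, while the same handful of tracker domains recurring across the day is the blocklist case the rest of this thread is about.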
> Cool and good to know, but this is also happening with rebind protection enabled in the router, disabled in the NextDNS web UI, with the blocklist from their web UI

Ah, I see. I've never used NextDNS' blocking. I guess they're returning 0.0.0.0 for the blocked domains. It looks like you'll have to use NextDNS' rebind protection if you want to continue using their blocking.

Thank you, but I'll have to PM you about a mess-up.

Coincidentally there was this bug report over on NextDNS the other day:

Redirecting blocked hosts to localhost by returning 0.0.0.0 instead of NXDOMAIN is not ideal (help.nextdns.io)

Maybe try the solution suggested there.

Code:
bogus-nxdomain=0.0.0.0
For those who use NextDNS with their blocking list and enable DNS rebind on the router instead of NextDNS's:

Code:
killall dnsmasq; dnsmasq --log-async --bogus-nxdomain=0.0.0.0

Thanks @ColinTaylor
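What the replies above describe, as an added example that is neither dnsmasq's code nor anything posted in this thread: a small Python model of the three dnsmasq settings in play. It shows why a 0.0.0.0 answer from the NextDNS blocklist trips the router's rebind check (0.0.0.0/8 is among the ranges it treats as private), why `bogus-nxdomain=0.0.0.0` stops the warnings (that rewrite to NXDOMAIN happens before the rebind check sees the address), and how `rebind-domain-ok` would exempt a self-test domain like dnscheck.tools, which is a real dnsmasq option but not the line shown in the attachment above. The private-range list, the check order, the returned statuses and the sample answers are assumptions of this model; confirm them against the dnsmasq version on your router.

```python
"""Model of the answer checks this thread is about: dnsmasq's rebind
protection, bogus-nxdomain and rebind-domain-ok.

Added example, not dnsmasq's code and not posted by anyone in the thread.
It reproduces the behaviour the posts above describe; the private-range
list and the check order are assumptions to confirm against your dnsmasq.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional, Sequence, Tuple

# Assumption: the ranges --stop-dns-rebind rejects. 0.0.0.0/8 is the one
# that matters for a NextDNS 0.0.0.0 "blocked" answer.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8",
)]

# Message text as it appears in the thread's syslog excerpts (prefix omitted).
LOG_TEMPLATE = "possible DNS-rebind attack detected: {name}"


def is_private(addr: str) -> bool:
    """True if addr is in a range the rebind check rejects."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def in_domain(name: str, suffixes: Iterable[str]) -> bool:
    """True if name is, or is under, any suffix; accepts dnsmasq's /x/ form."""
    name = name.rstrip(".").lower()
    for s in suffixes:
        s = s.strip("/").rstrip(".").lower()
        if name == s or name.endswith("." + s):
            return True
    return False


def process_reply(name: str, a_records: Sequence[str], *,
                  stop_dns_rebind: bool = True,
                  bogus_nxdomain: Iterable[str] = (),
                  rebind_domain_ok: Iterable[str] = ()
                  ) -> Tuple[str, List[str], Optional[str]]:
    """Decide what the LAN client gets for one upstream A-record reply.

    Returns (status, addresses handed to the client, syslog message or None).
    status is "NOERROR", "NXDOMAIN" (bogus-nxdomain rewrite) or "REBIND"
    (answer withheld and logged). Which RCODE dnsmasq sends in the REBIND
    case is not modelled; the point is that no address reaches the client.
    """
    bogus = set(bogus_nxdomain)
    # Step 1: bogus-nxdomain. Assumed to run first, which is why listing
    # 0.0.0.0 stops the rebind warnings for blocklisted names.
    if any(a in bogus for a in a_records):
        return "NXDOMAIN", [], None
    # Step 2: rebind protection, skipped for rebind-domain-ok names.
    if stop_dns_rebind and not in_domain(name, rebind_domain_ok):
        if any(is_private(a) for a in a_records):
            return "REBIND", [], LOG_TEMPLATE.format(name=name)
    return "NOERROR", list(a_records), None


# Constructed upstream answers for names taken from the thread's logs. The
# addresses are illustrative assumptions, not what those names really return.
SAMPLE_REPLIES: Dict[str, List[str]] = {
    "0mso8yci6lb.rtt-test.dnscheck.tools": ["192.168.1.1"],  # test answers with a LAN address
    "c.msn.com": ["0.0.0.0"],                                 # NextDNS blocklist answer
    "www.example.com": ["203.0.113.10"],                     # ordinary public answer
}


def run_scenarios() -> Dict[str, Dict[str, str]]:
    """Status per name for the three router setups discussed above."""
    setups = {
        "router rebind protection only": {},
        "plus bogus-nxdomain=0.0.0.0": {"bogus_nxdomain": {"0.0.0.0"}},
        "plus rebind-domain-ok=/dnscheck.tools/": {"rebind_domain_ok": ("/dnscheck.tools/",)},
    }
    return {label: {n: process_reply(n, a, **kw)[0] for n, a in SAMPLE_REPLIES.items()}
            for label, kw in setups.items()}


if __name__ == "__main__":
    for label, results in run_scenarios().items():
        print(label)
        for n, status in results.items():
            print(f"  {status:8} {n}")
```

Note what the model makes explicit: `bogus-nxdomain=0.0.0.0` silences the blocklist case only, so a device that genuinely resolves an outside name to a LAN address is still logged, which is the property the earlier reply wanted to keep; `rebind-domain-ok` is the per-domain exemption for tests you run on purpose, and a blanket one would throw that property away.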
How to make that setting stick on reboots/updates?
Also, is there any benefit of using DNS rebind on the router instead of NextDNS?

> How to make that setting stick on reboots/updates?

Create a custom config file /jffs/configs/dnsmasq.conf.add with
bogus-nxdomain=0.0.0.0
in it.

> Also, is there any benefit of using DNS rebind on the router instead of NextDNS?

Not sure about the benefit, but I'd trust it to do it locally more than NextDNS, I think.

> Create a custom config file /jffs/configs/dnsmasq.conf.add with bogus-nxdomain=0.0.0.0 in it.

Is this correct?
chmod a+rx /jffs/configs/dnsmasq.conf.add
nano /jffs/configs/dnsmasq.conf.add

The chmod isn't needed, because it's not an executable script.

How many should there be on the list then? Currently I have Cloudflare IPv4 and IPv6, two of each. Is that right, or should I only have one of each?

> How many should there be on the list then? Currently I have Cloudflare IPv4 and IPv6, two of each. Is that right, or should I only have one of each?

If you're referring to the DNS-over-TLS mode, it round-robins the servers due to how Stubby is configured. So to answer the question, it rotates through the list. There's no "should", I don't think.
> In this case it happens to be a legitimate part of the dnscheck tool. [...] I could add the following line to dnsmasq.conf to suppress it for this specific test.

Friend, I'm still learning to use Merlin; little by little I'm starting to configure many things by myself. But where is this dnsmasq.conf file? I don't know where it is in the Merlin files. Do I have to create one in /jffs/configs/dnsmasq.conf.add and add this line in it?

> Do I have to create one in /jffs/configs/dnsmasq.conf.add and add this line in it?

Yes. And enable "JFFS custom scripts and configs" in Administration - System.

Custom config files - Third party firmware for Asus routers (newer codebase) - RMerl/asuswrt-merlin.ng (github.com)

Once you've made changes to the config file either reboot the router or restart the DNS server (service restart_dnsmasq).