NXDOMAIN DNS Results Flagged As "Possible DNS-rebind attack detected" In Log

HarryMuscle · Jan 11, 2023

I'm using ControlD DNS servers to block ads and I have Enable DNS Rebind Protection set to Yes on the WAN page, however, whenever a blocked domain gets queried (which ControlD returns NXDOMAIN for) I get the following message in my logs:

DATE dnsmasq[1729]: possible DNS-rebind attack detected: domain.com

Is there a way to quiet these incorrect log messages? Or better yet fix the problem, since a NXDOMAIN DNS result isn't a rebind attack?

Thanks,
Harry

dave14305 · Jan 11, 2023

Or it returns 0.0.0.0 which is considered a rebind attack and dnsmasq is subsequently returning NXDOMAIN to you.

Code:

# dig ad.doubleclick.net @76.76.2.2

; <<>> DiG 9.18.10 <<>> ad.doubleclick.net @76.76.2.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43392
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ad.doubleclick.net.            IN      A

;; ANSWER SECTION:
ad.doubleclick.net.     60      IN      A       0.0.0.0

;; Query time: 29 msec
;; SERVER: 76.76.2.2#53(76.76.2.2) (UDP)
;; WHEN: Wed Jan 11 21:17:47 EST 2023
;; MSG SIZE  rcvd: 52

Best to disable rebind protection if using an ad-blocking DNS service upstream.

ColinTaylor · Jan 11, 2023

Are you sure it's returning NXDOMAIN? That wouldn't normally generate a rebind message. There was a recent discussion about NextDNS returning 0.0.0.0 for blocked domains which will trigger a rebind warning.

https://www.snbforums.com/threads/m...ter-decide-which-one-to-use.82014/post-804869

bbunge · Jan 11, 2023

Wouldn't it be a whole lot easier to just run Diversion or a Pi with Pi-Hole?

HarryMuscle · Jan 11, 2023

bbunge said:
Wouldn't it be a whole lot easier to just run Diversion or a Pi with Pi-Hole?

You mean instead of using ControlD? Definitely no. ControlD is a few clicks and everything is done. Running PiHole is way more work.

HarryMuscle · Jan 11, 2023

ColinTaylor said:
Are you sure it's returning NXDOMAIN? That wouldn't normally generate a rebind message. There was a recent discussion about NextDNS returning 0.0.0.0 for blocked domains which will trigger a rebind warning.

https://www.snbforums.com/threads/m...ter-decide-which-one-to-use.82014/post-804869

Turns out the bogus-nxdomain configuration entry mentioned in that thread solved the issue. So I guess they do return 0.0.0.0 instead of NXDONAIN like they (or someone somewhere when I Googled) claim.

Thread starter	Title	Forum	Replies	Date
	custom domains report NXDOMAIN for IPv6 DNS and fail to resolve in Alpine OS	Asuswrt-Merlin	2	Feb 18, 2024
	NXDOMAIN on server but the router can resolve queries	Asuswrt-Merlin	1	Mar 18, 2024
S	Solved New ISP - WAN Setup - Will not work with custom WAN DNS - dnsmasq.conf	Asuswrt-Merlin	1	Nov 5, 2024
T	Wireguard Client VPN not using DNS	Asuswrt-Merlin	14	Oct 20, 2024
	DNS Issue?? AX5800 Pro Issue??	Asuswrt-Merlin	2	Oct 11, 2024
H	DNS-rebind attack detected: farm.plista.com. etc...??	Asuswrt-Merlin	3	Oct 9, 2024
	DNS Director	Asuswrt-Merlin	7	Sep 29, 2024
P	DNS Director - Proprietary?	Asuswrt-Merlin	6	Sep 25, 2024
	Hardcoded Google DNS IPTABLES rule	Asuswrt-Merlin	6	Sep 24, 2024
	Wireguard client optional DNS Server setting	Asuswrt-Merlin	2	Sep 16, 2024

Search

Search

NXDOMAIN DNS Results Flagged As "Possible DNS-rebind attack detected" In Log

HarryMuscle

Senior Member

dave14305

Part of the Furniture

ColinTaylor

Part of the Furniture

bbunge

Part of the Furniture

HarryMuscle

Senior Member

HarryMuscle

Senior Member

Similar threads

Similar threads

Latest threads

Support SNBForums w/ Amazon

Sign Up For SNBForums Daily Digest

Members online