[Release] Asuswrt-Merlin 384.13 is now available

[Morac]

Since upgrading to iOS 13.1 from 12.4.1 on September 24, I’m seeing hundreds of the following a day in the logs. They are coming from my iOS devices.


Oct 3 11:11:33 dnsmasq[501]: possible DNS-rebind attack detected: universal-web-internal.production.gannettdigital.com

I have DNS-rebind protection so I know why they are being logged, what I’m trying to determine is from what. The only Gannett apps I have installed don’t run in the background.

Is anyone else seeing this in iOS 13?

 

[MDM]

Since upgrading to iOS 13.1 from 12.4.1 on September 24, I’m seeing hundreds of the following a day in the logs. They are coming from my iOS devices.


Oct 3 11:11:33 dnsmasq[501]: possible DNS-rebind attack detected: universal-web-internal.production.gannettdigital.com

I have DNS-rebind protection so I know why they are being logged, what I’m trying to determine is from what. The only Gannett apps I have installed don’t run in the background.

Is anyone else seeing this in iOS 13?

Just ignore them, I have it from AccuWeather, Plex... in hundreds.
Or just turn off DNS-rebind protection if if bothers you.

 

[dave14305]

Just ignore them, I have it from AccuWeather, Plex... in hundreds.
Or just turn off DNS-rebind protection if if bothers you.

If you still want DNS-rebind protection, but want to "whitelist" this domain, you can add the following entry to /jffs/configs/dnsmasq.conf.add (replace the domains I have below with your own):

rebind-domain-ok=/mcafee.com/amazonmusiclocal.com/

 

[MDM]

If you still want DNS-rebind protection, but want to "whitelist" this domain, you can add the following entry to /jffs/configs/dnsmasq.conf.add (replace the domains I have below with your own):

rebind-domain-ok=/mcafee.com/amazonmusiclocal.com/

Thanks for the info, did think there was a simple method to resolve it; but I am not sure how exactly to do this (haven't used ssh or enabled "JFFS custom scripts and configs"), the entries do not bother me that much since the programs are working so I am just ignoring them.
But if you have a link to give me with simple instructions, I am wiling to try it (have found only scattered info trough many threads and posts...).

 

[Nigel Jones]

I've had a reoccurance of the issue I reported with 384.13 on the RT-AC3200 at #869 . The router has only been up 3 days 21 hours.

Basically it's another out of memory error - this time the manifestation was that TimeMachine wouldn't work from my macbook to the asus router. Logging on I can see errors like

Oct 14 16:27:22 afpd[5515]: dsi_init_buffer: OOM

Some errors reported prior to this by afpd and smbd - but they may be normal
Overall the router isn't as in such a bad state as last time - I can still login via web & ssh , traffic is still normal

This isn't necessarily merlin specific of course, and there have been related threads for a long time. I am not using QOS currently (as the connection is 1 Gbps down at least) but the FreshJR scripts were still present - so I'll remove them as first step. I'd already shutdown one unnecessary VPN server

 

[Nigel Jones]

I've had a reoccurance of the issue I reported with 384.13 on the RT-AC3200 at #869 .

I removed FreshJR, switched off traffic & app analysis. Let's see if that helps reduce the load. If that still fails I may remove the vpn server (rarely used) and move to a pi.

 

[ColinTaylor]

So I copy the file services-start (with command to restart httpd) to /etc/rc.local,
and solve the issue.

The router doesn't use rc.local because it's not a Linux distribution, just a Linux kernel. That is why that file disappears after a reboot. The equivalent to rc.local in Asuswrt-Merlin is /jffs/scripts/services-start.

 

[Morac]

If you still want DNS-rebind protection, but want to "whitelist" this domain, you can add the following entry to /jffs/configs/dnsmasq.conf.add (replace the domains I have below with your own):

rebind-domain-ok=/mcafee.com/amazonmusiclocal.com/

So I tried this, I added the following to that file, enabled custom JFFS scripts, restarted dnsmasq and I’m still getting the log entries. Any idea what’s wrong?

admin@RT-AC88U-BC10:/tmp/home/root# cat /jffs/configs/dnsmasq.conf.add 
rebind-domain-ok=/universal-web-internal.production.gannettdigital.com/

Edit: I also tried just “gannettdigital.com” and also removing the slashes. Neither worked.

 

[dave14305]

So I tried this, I added the following to that file, enabled custom JFFS scripts, restarted dnsmasq and I’m still getting the log entries. Any idea what’s wrong?

admin@RT-AC88U-BC10:/tmp/home/root# cat /jffs/configs/dnsmasq.conf.add
rebind-domain-ok=/universal-web-internal.production.gannettdigital.com/

Maybe since it's only one domain right now, try omitting the slashes. Or just using gannettdigital.com.

rebind-domain-ok=[<domain>]|[[/<domain>/[<domain>/]
Do not detect and block dns-rebind on queries to these domains. The argument may be either a single domain, or multiple domains surrounded by '/', like the --server syntax, eg. --rebind-domain-ok=/domain1/domain2/domain3/

 

[Morac]

Maybe since it's only one domain right now, try omitting the slashes. Or just using gannettdigital.com.

rebind-domain-ok=[<domain>]|[[/<domain>/[<domain>/]
Do not detect and block dns-rebind on queries to these domains. The argument may be either a single domain, or multiple domains surrounded by '/', like the --server syntax, eg. --rebind-domain-ok=/domain1/domain2/domain3/

I tried both and neither worked.

 

[Morac]

I tried a few more things and as far as I can tell the rewind-domain-ok option isn’t being used. I checked in /tmp/etc/dnsmasq.conf and the line is being added, but it doesn’t work.

Based on https://serverfault.com/questions/939775/whitelist-all-sub-domains-with-rebind-domain-ok the following should work, but it doesn’t.

rebind-domain-ok=/.gannettdigital.com/

 

[Morac]

So this appears to be a bug in dnsmasq.

If I exempt gannettdigital.com, it won’t log production.gannettdigital.com, but it will log universal-web-internal.production.gannettdigital.com.

 

[dave14305]

So this appears to be a bug in dnsmasq.

If I exempt gannettdigital.com, it won’t log production.gannettdigital.com, but it will log universal-web-internal.production.gannettdigital.com.

Works for me like this:

rebind-domain-ok=/mcafee.com/amazonmusiclocal.com/gannettdigital.com/

universal-web-internal.production.gannettdigital.com resolves to 10.151.192.5.

 

[Morac]

Works for me like this:

rebind-domain-ok=/mcafee.com/amazonmusiclocal.com/gannettdigital.com/

universal-web-internal.production.gannettdigital.com resolves to 10.151.192.5.

When I tried that I’m still getting log entries telling me that it blocked a potential rebind attack to universal-web-internal.production.gannettdigital.com if I try to go to universal-web-internal.production.gannettdigital.com in a web browser. I don’t get a log entry when I go to production.gannettdigital.com which is also a private IP address.

Edit: okay when I use exactly what you put it worked. I’m not sure why that works and not what I had before.

Edit 2: So it is only kind of working. I’m still seeing the following in the logs now then:

Oct 14 20:06:18 dnsmasq[15781]: possible DNS-rebind attack detected: universal-web-internal.production.gannettdigital.com

This is with the following set:

rebind-domain-ok=/mcafee.com/amazonmusiclocal.com/gannettdigital.com/

When I specifically try to go to universal-web-internal.production.gannettdigital.com in a web browser though or do DNS lookup, I’m not seeing anything in the logs which is odd.

 

[ottofreud]

Hi All -- Newbie on the forum
Running 384.13. Mostly good, a few bugs.
1. The 5GHz issue that has been discussed in the forum. Work-around that has been indicated works
2. If I set my WAN setting to automatic IP, the router never links to my ISP "cable disconnected", "ISP DHCP not working" (left it for 6 hours after rebooting router and modem -- no link). If I set it for static (and use the IP within the range that my ISP normally serves to me), it will link up. If I then set it to Automatic, and hit Apply, it will link up. But if I reboot or hard boot the router, it will again fail on Automatic IP until I do the "static dance"
Router is RT-AX88U, Hard Boot and Hardware button to reset factory before and after Merlin FW flash.
Used Merlin on my (replaced) RT-AC87U (384.13_1 latest) for years and have been greatly satisfied.
Any thoughts / help would be appreciated

 

[BlezZ]

Below bugs still existent on this release.

- Client list is still empty.
Apart from the missing visibility, this is an issue with AI protection as you have to add MAC manually.
- LED's goes dark after some time

I ran the original ASUS fw for 2 weeks and above issues were gone.

RT-AC88U

 

[krgck]

Below bugs still existent on this release.

- Client list is still empty.
Apart from the missing visibility, this is an issue with AI protection as you have to add MAC manually.
- LED's goes dark after some time

I ran the original ASUS fw for 2 weeks and above issues were gone.

RT-AC88U

Maybe clean firmware update would help you idk. I have ac88u and all you mentioned does work including 24/7 leds on.

 

[BlezZ]

Maybe clean firmware update would help you idk. I have ac88u and all you mentioned does work including 24/7 leds on.

Thank, but I did this already.
I even used the ASUS restore tool to cleanly restore original firmware and then flash Merlin's, with fresh blank settings.
As soon as I flash Merlin's the Client list is empty.

Also the iPhone app does not show traffic anymore after flashing with Merlin.

 

[krgck]

Thank, but I did this already.
I even used the ASUS restore tool to cleanly restore original firmware and then flash Merlin's, with fresh blank settings.
As soon as I flash Merlin's the Client list is empty.

Also the iPhone app does not show traffic anymore after flashing with Merlin.

Then i don't know whats wrong. I tried asus app on android even i don't use it myself. But it still sees all my clients and seems working like should.

 

[L&LD]

Thank, but I did this already.
I even used the ASUS restore tool to cleanly restore original firmware and then flash Merlin's, with fresh blank settings.
As soon as I flash Merlin's the Client list is empty.

Also the iPhone app does not show traffic anymore after flashing with Merlin.

Simply flashing new firmware (or two, no matter which method is used) does not give you a 'clean install'.

After flashing the firmware you wish to use, you need to do a full reset to factory defaults including formatting the JFFS partition properly too.