Puremin0rez
Occasional Visitor
Great Settings! Improved the stability of my network.
[Release] Asuswrt-Merlin 384.6 is now available
- Thread starter RMerlin
- Start date
Great Settings! Improved the stability of my network.
ColinTaylor
Part of the Furniture
Is it newly added? That blog post was from 10 years ago. I don't use OpenDNS but it sounds likes it's the same thing provided you have an OpenDNS account with that option selected. The only difference being that your router (dnsmasq) is returning the "can't resolve" error instead of OpenDNS.
Any "custom" devices are bypassing your router's DNS server and therefore its rebind protection.
Zonkd
Very Senior Member
Correct OpenDNS long ago made it a free feature to account holders. I'm hoping that this Rebind Protection feature in 384.6 does it just as well.
That makes sense to me.
ColinTaylor
Part of the Furniture
It would seem fairly straight forward. If the upstream DNS server replies with a private IP address don't send that to the client. Given that this is essentially breaking DNS I guess different implementations might give different responses.
You can test it by going to this URL: http://rebind.network/
Code:
Aug 13 14:12:34 dnsmasq[22010]: possible DNS-rebind attack detected: a.34.192.228.43.1time.192.168.1.233.forever.eb4462cb-45ff-408e-884c-7affa30a3907.rebind.network
Aug 13 14:12:54 dnsmasq[22010]: possible DNS-rebind attack detected: a.34.192.228.43.1time.192.168.1.27.forever.1343173a-5e69-4bc9-b767-2b82212c1221.rebind.network
Aug 13 14:13:49 dnsmasq[22010]: possible DNS-rebind attack detected: a.34.192.228.43.1time.192.168.1.167.forever.43a6ff4a-bd57-4b70-97cc-a00eeda24ec4.rebind.network
Aug 13 14:13:56 dnsmasq[22010]: possible DNS-rebind attack detected: a.34.192.228.43.1time.192.168.1.27.forever.1343173a-5e69-4bc9-b767-2b82212c1221.rebind.network
Aug 13 14:14:40 dnsmasq[22010]: possible DNS-rebind attack detected: a.34.192.228.43.1time.192.168.1.27.forever.1343173a-5e69-4bc9-b767-2b82212c1221.rebind.network
Aug 13 14:18:04 dnsmasq[22010]: possible DNS-rebind attack detected: a.34.192.228.43.1time.192.168.1.27.forever.1343173a-5e69-4bc9-b767-2b82212c1221.rebind.network
Code:
# nslookup a.34.192.228.43.1time.192.168.1.27.forever.1343173a-5e69-4bc9-b767-2b82212c1221.rebind.network 192.168.1.1
Server: 192.168.1.1
Address 1: 192.168.1.1 router.asus.com
nslookup: can't resolve 'a.34.192.228.43.1time.192.168.1.27.forever.1343173a-5e69-4bc9-b767-2b82212c1221.rebind.network'
# nslookup a.34.192.228.43.1time.192.168.1.27.forever.1343173a-5e69-4bc9-b767-2b82212c1221.rebind.network 8.8.8.8
Server: 8.8.8.8
Address 1: 8.8.8.8 google-public-dns-a.google.com
Name: a.34.192.228.43.1time.192.168.1.27.forever.1343173a-5e69-4bc9-b767-2b82212c1221.rebind.network
Address 1: 192.168.1.27
Last edited:
scjr
Very Senior Member
You’re welcome, but the credit goes to these forums. I’ve found these settings here. Glad it’s worked out for you and others.
Already planned. However be aware that disabling strict will nullify a good portion of the added security provided by DNSSEC, as someone hijacking a domain usually secured by dnssec would then bypass it simply by using a non-signed zone...
If strict mode generates issues, then those issues should be resolved in the domain themselves, as pointed out by John. And it's actually a good thing if these issues are now visible, so people are aware about them, and can actually take steps toward fixing them.
Dunno if Simon decided not to do so for privacy reasons, but to me it looks like a no-brainer - without that critical information, it's impossible to tell what is going on, and that log message is mostly useless. That's something I will most likely port, and might see if Simon would be open in also merging that upstream.
DNSSEC is a rather complicated beast. Not all TLDs support every "official" ciphers for instance, so sometimes an issue might simply be a domain using a cipher type not supported by its TLD (or even its registrar).
I've always been using my ISP's DNS here, and never got a single complain in my system log.
ZekeMidasWoll
New Around Here
Hello.
I've experienced severe stability issues after upgrading from 384.5 to 384.6
I dont know if the upgrade was the cause, but the issues came right after/a day or so after the upgrade, and are gone after downgrading to 384.5.
Router : RT-AC68U, 4 years old, original psu.
Wireless clients, only 2.4 gHz enabled : Chromecasts, a laptop, IOS devices.
Wired clients : IP cameras, Windows PC, Synology diskstation, TV, BD player, Chromecast Ultra
Wired clients are connected through 2 switches.
After upgrading to 384.6 i started experiencing stability issues/dropped connections with the wired clients. No problems with wireless clients.
First i suspected one of the switches. An old and cheap one. Replaced it with a new D-link.
The problems persisted, the wired clients were only able to connect after the router was cold booted.
Problems increased, so that the router was not able to get internet connection from the fiber modem (was possible with pc connected directly to the fiber modem).
At first it could be solved by a cold boot of the router.
Then at last it was not possible for the router to connect to the internet at all.
wireless connections with the router did not show any instability. (they were of course not able to have internet access).
Finally i downgraded to 384.5
At first it did not solve the problem
Disconnected AC68U from power and the network.
(Fought to get my old router up running, but gave up)
After half an hour : connected the AC68U again.
It has been working fine since. That was yesterday
I suspected it was the power supply, so ordered a new power supply, noname 19V 3.42 A delivered.
That seems to work fine also.
I will test the original psu again when i get the time, but so far the problems seems to have been caused by upgrade to 384.6
I've experienced severe stability issues after upgrading from 384.5 to 384.6
I dont know if the upgrade was the cause, but the issues came right after/a day or so after the upgrade, and are gone after downgrading to 384.5.
Router : RT-AC68U, 4 years old, original psu.
Wireless clients, only 2.4 gHz enabled : Chromecasts, a laptop, IOS devices.
Wired clients : IP cameras, Windows PC, Synology diskstation, TV, BD player, Chromecast Ultra
Wired clients are connected through 2 switches.
After upgrading to 384.6 i started experiencing stability issues/dropped connections with the wired clients. No problems with wireless clients.
First i suspected one of the switches. An old and cheap one. Replaced it with a new D-link.
The problems persisted, the wired clients were only able to connect after the router was cold booted.
Problems increased, so that the router was not able to get internet connection from the fiber modem (was possible with pc connected directly to the fiber modem).
At first it could be solved by a cold boot of the router.
Then at last it was not possible for the router to connect to the internet at all.
wireless connections with the router did not show any instability. (they were of course not able to have internet access).
Finally i downgraded to 384.5
At first it did not solve the problem
Disconnected AC68U from power and the network.
(Fought to get my old router up running, but gave up)
After half an hour : connected the AC68U again.
It has been working fine since. That was yesterday
I suspected it was the power supply, so ordered a new power supply, noname 19V 3.42 A delivered.
That seems to work fine also.
I will test the original psu again when i get the time, but so far the problems seems to have been caused by upgrade to 384.6
Just a thought: could the issue be with the packet size? DNSSEC signed zones can get a bit large, and adding encryption on top of that would make them even larger.
Could be an RT-AC1900 or RT-AC1900P. What's on the label at the back of the router? Look for any FCC ID for instance, in addition to actual model number.
Try using the latest 384.7 test build:
https://asuswrt.lostrealm.ca/test-builds
A few RT-AC68U users have experienced issues with their wifi with some of Asus' recent releases. Some reported that the latest release from Asus (which is used by 384.7) resolved the issues for them.
Last edited:
Thanks and please add this information in that new option so that I or anybody understand what happens if you deactivate the Strict mode:
- Disabling Strict will nullify a good portion of the added security provided by DNSSEC
I did the test and that message does not appear in log, is it good or bad?
ColinTaylor
Part of the Furniture
I couldn't say as I know nothing about your setup.
I use cloudflare dns in wan, disable DNS Rebind protection and that message does not appear in log, after i test with DNS Rebind protection Enable and that message does not appear in log.
Note: For test DNS Rebind I uninstall DNSCrypt and delete my client VPN and restart the router.
Last edited:
I don't want to overburden the UI with a user manual... Especially as people never read these anyway.
ColinTaylor
Part of the Furniture
ColinTaylor
Part of the Furniture
That doesn't matter.
Last edited:
john9527
Part of the Furniture
I added it to the popup help for dnssec...
Similar threads
- Locked
Similar threads
Similar threads
-
-
-
-
Release Asuswrt-Merlin 3006.102.2 is now available for Wifi 7 devices
- Started by RMerlin
- Replies: 28
-
Unable to establish VPN connection to my PiVPN (ovpn) from my Asus RT-AC86U running Asuswrt-Merlin 386.14
- Started by B0GDAN
- Replies: 1
-
Several Questions Re:Asuswrt-Merlin Feature Implementation
- Started by fenixreign
- Replies: 2
-
-
Beta Asuswrt-Merlin 3006.102.2 Beta is now available for Wifi 7 devices
- Started by RMerlin
- Replies: 70
-
-
Latest threads
-
-
-
ASUS RT-AC86U Firmware version 3.0.0.4.386_51955 (2024/11/08)
- Started by lepicane
- Replies: 0
-
iPhone 16 Pro w/ GT-Be98 Pro & BQ16
- Started by Jadehsn
- Replies: 0
-
Support SNBForums w/ Amazon
If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!
Sign Up For SNBForums Daily Digest
Get an update of what's new every day delivered to your mailbox. Sign up here!