
Rt-ac68u with Reolink doorbell rebind attack.


eastavin

Senior Member
Hello. Seems Santa dropped off some new toys and one of them is causing some head scratching. The new item is a Reolink WiFi doorbell powered from a cube.

Wondering if anyone can advise if this is an Asus issue or a Reolink issue or a big nothing. Starting up the doorbell cold or rebooting the doorbell causes the Asus router log to be instantly flooded with DNS rebind attack warnings. If I then reboot the router, the warnings stop once the router comes back up and the doorbell functions in a way that seems normal. See sample excerpt below. The sample repeats endlessly. Further restarting the router every time the doorbell is restarted is not a practical solution.

Is there anything else that could be done? I initialized the router just prior to attempting to install this doorbell on the rt-ac68u with the latest Merlin FW with DNS over TLS and CloudFlare security 1.1.1.2.

Happy to return this doorbell if this condition is a security risk. Seems this category has lots of duds. Already tried a Eufy C32 doorbell and that was one malfunctioning beast. Open to any suggestion for a problem free product.

Many thanks for any advice.

Edward... Router Log below

Jan 3 20:33:01 dnsmasq[22930]: possible DNS-rebind attack detected: p2pm-abr.reolink.com
Jan 3 20:33:01 dnsmasq[22930]: possible DNS-rebind attack detected: p2p14.reolink.com
Jan 3 20:33:02 dnsmasq[22930]: possible DNS-rebind attack detected: p2p15.reolink.com
Jan 3 20:33:02 dnsmasq[22930]: possible DNS-rebind attack detected: p2p15.reolink.com
Jan 3 20:33:02 dnsmasq[22930]: possible DNS-rebind attack detected: p2p16.reolink.com
 
This Cloudflare Security DNS is a filtering service and it blocks something your device needs. The message in logs is because you have enabled rebind protection in your DNS settings. Every time something is blocked upstream you'll get this log message.
 
I use Cloudflare Security DoT... I cannot set up a Wyze cam until I disable the DoT bit. Once the cam is added, I can re-enable DoT and all works normally. I have not checked the log on this since cause and effect were immediately obvious.

OE
 
Thanks for the interesting input. At another location I have an Arris TG3452 and it too is using CloudFlare security 1112 and no problem there, so this is not likely to be it. Though I can switch to 1111 and retest on the Asus.

Does anyone know of a command I can run to create a rebind protection exception for those URLs/domains in the Asus rt-ac68u? Kind of groping in the dark here. Not my area of expertise.
 
Just disable rebind protection when using upstream filtering DNS. The same log message will be triggered by other things blocked upstream by Cloudflare. Wyze camera issue with DNS encryption is product specific and unrelated.
 
Does anyone know of a command I can run to create a rebind protection exception for those URLs/domains in the Asus rt-ac68u?

Just change plex.direct to reolink.com in the following example.
 
The same log message will be triggered by other things blocked upstream by Cloudflare.
This particular domain is not being blocked. It just resolves to 127.0.0.1 for whatever reason the product requires.
Code:
rtradmin@router:/tmp/home/root# dig p2p16.reolink.com. +short @1.1.1.1
127.0.0.1
rtradmin@router:/tmp/home/root# dig p2p16.reolink.com. +short @1.1.1.2
127.0.0.1
rtradmin@router:/tmp/home/root# dig p2p16.reolink.com. +short @8.8.8.8
127.0.0.1
 

This is one of my cameras as logged by Diversion. I'm not seeing rebind attacks on those same addresses, and there's nothing in the main logs!
*Hopefully in your doorbell they oriented the radios correctly, unlike in some of their cameras!
 
Jan 3 20:33:01 dnsmasq[22930]: possible DNS-rebind attack detected: p2pm-abr.reolink.com

This is a warning printed out by dnsmasq that a public DNS request is returning a private IP address - as some have mentioned, the loopback address (127.0.0.1) can trigger this, as will any RFC1918 private IP addresses...

In normal operations, dnsmasq will fire off the error, but will not block it...

It's always good to investigate what's happening behind the error, and make the appropriate decisions - since it is known in this particular thread, it's basically log-spam at most...
 
In normal operations, dnsmasq will fire off the error, but will not block it...
In normal operations dnsmasq will block it... by not returning an answer section...
--stop-dns-rebind
Reject (and log) addresses from upstream nameservers which are in the private ranges. This blocks an attack where a browser behind a firewall is used to probe machines on the local network. For IPv6, the private range covers the IPv4-mapped addresses in private space plus all link-local (LL) and site-local (ULA) addresses.
But if by "normal" you mean without the --stop-dns-rebind parameter then it will not block it but it will also not fire off an error...
 
In normal operations dnsmasq will block it... by not returning an answer section...

But if by "normal" you mean without the --stop-dns-rebind parameter then it will not block it but it will also not fire off an error...

All depends on how dnsmasq is configured...

Normally it's just a warning - and one worth checking in on...
 
All depends on how dnsmasq is configured...

Normally it's just a warning - and one worth checking in on...
It's up to the end user.

 
So, I decided to have a look at the dnsmasq logs directly in /opt/var/log and there are all those "possible rebind attack" messages. These aren't showing up in my normal - System Log>General Log - results, and as I can only view the cameras via apps, I don't see them as you would if you could use a browser. So I guess I'd need to change my log level to view them.
*If I get the chance (household permitting) I may switch to one of my LetsFartAround domains later and create some anon logs! It does look as though the rebind warnings are the result of an active choice by Reolink about how the devices are accessed.
 
These aren't showing up in my normal - System Log>General Log - results, and as I can only view the cameras via apps, I don't see them as you would if you could use a browser. So I guess I'd need to change my log level to view them.
If Diversion logging is enabled, all dnsmasq messages only go to /opt/var/log/dnsmasq.log.
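
The following is an added example, not posted by anyone in this thread: it counts the dnsmasq rebind warnings per hostname and prints candidate `rebind-domain-ok` lines (a real dnsmasq option) for manual review. The sample log reuses the lines quoted in the first post plus one constructed line; the function names and the "last two labels" parent-domain rule are assumptions made for the example.

```shell
#!/bin/sh
# Added example: review dnsmasq "possible DNS-rebind attack" warnings
# before deciding on a scoped exception. Function names are hypothetical.

# Five lines quoted in the thread, plus one constructed non-matching line.
SAMPLE_LOG='Jan 3 20:33:01 dnsmasq[22930]: possible DNS-rebind attack detected: p2pm-abr.reolink.com
Jan 3 20:33:01 dnsmasq[22930]: possible DNS-rebind attack detected: p2p14.reolink.com
Jan 3 20:33:02 dnsmasq[22930]: possible DNS-rebind attack detected: p2p15.reolink.com
Jan 3 20:33:02 dnsmasq[22930]: possible DNS-rebind attack detected: p2p15.reolink.com
Jan 3 20:33:02 dnsmasq[22930]: possible DNS-rebind attack detected: p2p16.reolink.com
Jan 3 20:33:03 dnsmasq[22930]: query[A] example.com from 192.168.1.10'

# rebind_summary: read a dnsmasq log on stdin and print "<count> <hostname>"
# for every flagged hostname, most frequent first.
rebind_summary() {
    awk '/possible DNS-rebind attack detected: / {
             host = tolower($NF); sub(/\.$/, "", host)
             # Names in the log come from client queries: keep only plain
             # hostname characters so nothing odd reaches a config file.
             if (host !~ /^[a-z0-9.-]+$/) next
             seen[host]++
         }
         END { for (h in seen) print seen[h], h }' | LC_ALL=C sort -k1,1nr -k2,2
}

# rebind_exceptions: print one candidate "rebind-domain-ok=/<parent>/" line
# per parent domain. Assumption: the parent is the last two labels, which is
# wrong for suffixes such as co.uk, so review the output before using it.
rebind_exceptions() {
    awk '/possible DNS-rebind attack detected: / {
             host = tolower($NF); sub(/\.$/, "", host)
             if (host !~ /^[a-z0-9.-]+$/) next
             n = split(host, label, /\./)
             if (n >= 2) dom[label[n-1] "." label[n]] = 1
         }
         END { for (d in dom) print "rebind-domain-ok=/" d "/" }' | LC_ALL=C sort
}

# Stand-alone run against the embedded sample.
printf '%s\n' "$SAMPLE_LOG" | rebind_summary
printf '%s\n' "$SAMPLE_LOG" | rebind_exceptions
```

On the router, feed the functions the real log instead of the sample, for example `rebind_summary < /opt/var/log/dnsmasq.log` when Diversion logging is enabled. An exception only makes sense for names whose private or loopback answer has been checked, as was done with `dig` earlier in the thread.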
 
