Share possible DNS-Rebind logs

[Zonkd]

System logs reveal possible DNS Rebind attacks so I share them here..

This is the first I've seen since upgrading to the latest Merlin Firmware, any thoughts?:

dnsmasq[741]: possible DNS-rebind attack detected: localhost.megasyncloopback.mega.nz

Please share your own!

Info: Wikipedia says that DNS rebinding can breach private networks by causing a web browser to access private IP addresses. It can also be employed to use the victim's machine for spamming, distributed denial-of-service attacks or other malicious activities. The website rebind.network demonstrates the proof-of-concept attack and allows you to test if you are vulnerable.

 

[ColinTaylor]

This is the first I've seen since upgrading to the latest Merlin Firmware, any thoughts?

You probably want to put rebind-localhost-ok in your dnsmasq.conf.add file.

I've noticed that some perfectly valid services, like Amazon's music player, use URL's that resolve to the local host (amazonmusiclocal.com=127.0.0.1) as in your example. This is different from an attack that resolves to something like 192.168.1.55.

 

[john9527]

I've noticed that some perfectly valid services, like Amazon's music player, use URL's that resolve to the local host (amazonmusiclocal.com=127.0.0.1) as in you example. This is different from an attack that resolves to something like 192.168.1.55.

Interesting.
On my fork, I add 'rebind-localhost-ok' if you are using DoT (Nothing specific, but I was worried about dnsmasq and stubby both using localhost addresses). Maybe it should be a general option when enabling stop-dns-rebind?

 

[RMerlin]

Interesting.
On my fork, I add 'rebind-localhost-ok' if you are using DoT (Nothing specific, but I was worried about dnsmasq and stubby both using localhost addresses). Maybe it should be a general option when enabling stop-dns-rebind?

I see good and bad things with that. Good thing is to help oddly designed applications (why do they need a public hostname to access localhost when localhost is a perfectly valid hostname?). Bad thing is it could potentially be used for nefarious purposes (tho at least they can't use that to point at your router). So, kinda torn between both.

 

[Zonkd]

dnsmasq[741]: possible DNS-rebind attack detected: steamloopback.host

I see Valve's Steam client can cause it.

 

[teknojnky]

Plex uses dns-rebind too. possibly useful reference.

https://support.plex.tv/articles/206225077-how-to-use-secure-server-connections/

rebind-domain-ok=/plex.direct/

I couldn't find any advanced settings box, I'm assuming that was removed at some point?

Further assuming this must be manually added somewhere via ssh ?

 

[PeterR]

Plex uses dns-rebind too. possibly useful reference.

https://support.plex.tv/articles/206225077-how-to-use-secure-server-connections/

rebind-domain-ok=/plex.direct/

I couldn't find any advanced settings box, I'm assuming that was removed at some point?

Further assuming this must be manually added somewhere via ssh ?

Create a file dnsmasq.conf.add in /jffs/configs containing the line you quoted above, it will be added automatically to the dnsmasq.conf file. Refer to the Asuswrt-Merlin wiki if you need more details.

 

[Zonkd]

Update below with more seen in my syslog.

NEWS SITE
dnsmasq[1152]: possible DNS-rebind attack detected: crta.dailymail.co.uk

ANTIVIRUS (Avast)
dnsmasq[731]: possible DNS-rebind attack detected: ipm-provider.ff.avast.com
dnsmasq[731]: possible DNS-rebind attack detected: analytics.ff.avast.com

SONOS (Internet of Things IoT Music Speaker Device)
dnsmasq[731]: possible DNS-rebind attack detected: msmetrics.ws.sonos.com

MOZILLA (Firefox Browser Tracker)
dnsmasq[731]: possible DNS-rebind attack detected: incoming.telemetry.mozilla.org

MICROSOFT
dnsmasq[731]: possible DNS-rebind attack detected: c.bing.com
dnsmasq[731]: possible DNS-rebind attack detected: watson.telemetry.microsoft.com
dnsmasq[731]: possible DNS-rebind attack detected: settings-win.data.microsoft.com
dnsmasq[731]: possible DNS-rebind attack detected: web.vortex.data.microsoft.com
dnsmasq[731]: possible DNS-rebind attack detected: v10.events.data.microsoft.com

GOOGLE
dnsmasq[731]: possible DNS-rebind attack detected: adservice.google.com
dnsmasq[1152]: possible DNS-rebind attack detected: googleads.g.doubleclick.net
dnsmasq[1152]: possible DNS-rebind attack detected: ssl.google-analytics.com
dnsmasq[1152]: possible DNS-rebind attack detected: www.googleadservices.com

APPLE
dnsmasq[731]: possible DNS-rebind attack detected: news.iadsdk.apple.com
dnsmasq[731]: possible DNS-rebind attack detected: metrics.icloud.com
dnsmasq[1152]: possible DNS-rebind attack detected: apple.comscoreresearch.com
dnsmasq[1152]: possible DNS-rebind attack detected: cf.iadsdk.apple.com
dnsmasq[1152]: possible DNS-rebind attack detected: iadsdk.apple.com
dnsmasq[1152]: possible DNS-rebind attack detected: stats.gc.apple.com
dnsmasq[1152]: possible DNS-rebind attack detected: stats.gc-apple.com.akadns.net
dnsmasq[1152]: possible DNS-rebind attack detected: stats.gc.fe.apple-dns.net

ADOBE
dnsmasq[1152]: possible DNS-rebind attack detected: assets.adobedtm.com

VARIOUS OTHERS
dnsmasq[731]: possible DNS-rebind attack detected: ads.api.vungle.com
dnsmasq[731]: possible DNS-rebind attack detected: ads.nexage.com
dnsmasq[731]: possible DNS-rebind attack detected: ds-aksb-a.akamaihd.net
dnsmasq[1152]: possible DNS-rebind attack detected: settings.crashlytics.com
dnsmasq[1152]: possible DNS-rebind attack detected: reports.crashlytics.com
dnsmasq[1152]: possible DNS-rebind attack detected: e.crashlytics.com
dnsmasq[1152]: possible DNS-rebind attack detected: ads.flurry.com
dnsmasq[1152]: possible DNS-rebind attack detected: data.flurry.com
dnsmasq[1152]: possible DNS-rebind attack detected: js-agent.newrelic.com
dnsmasq[1152]: possible DNS-rebind attack detected: www.adtilt.com
dnsmasq[1152]: possible DNS-rebind attack detected: app-measurement.com
dnsmasq[1152]: possible DNS-rebind attack detected: n.appcontent.stream
dnsmasq[1152]: possible DNS-rebind attack detected: api.keen.io
dnsmasq[1152]: possible DNS-rebind attack detected: c.evidon.com
dnsmasq[1152]: possible DNS-rebind attack detected: ap.lijit.com
dnsmasq[1152]: possible DNS-rebind attack detected: bnc.lt
dnsmasq[1152]: possible DNS-rebind attack detected: storage.cloud.kargo.com
dnsmasq[1152]: possible DNS-rebind attack detected: app.adjust.com
dnsmasq[1152]: possible DNS-rebind attack detected: sb.scorecardresearch.com
dnsmasq[1152]: possible DNS-rebind attack detected: www.vungle.com
dnsmasq[1152]: possible DNS-rebind attack detected: bnc.lt
dnsmasq[1152]: possible DNS-rebind attack detected: s0.2mdn.net
dnsmasq[1152]: possible DNS-rebind attack detected: tags.tiqcdn.com
dnsmasq[741]: possible DNS-rebind attack detected: localhost.megasyncloopback.mega.nz
dnsmasq[741]: possible DNS-rebind attack detected: steamloopback.host

 

[ColinTaylor]

@Zonkd Apart from the last two all the others appear to return valid addresses. I'm guessing you're seeing them because you're using some sort of ad-blocker on those addresses.

 

[Zonkd]

@Zonkd Apart from the last two all the others appear to return valid addresses. I'm guessing you're seeing them because you're using some sort of ad-blocker on those addresses.

Yes I'm using Diversion

 

[ColinTaylor]

Yes I'm using Diversion

Then it looks like every single blocked site will be classified as a rebind attack making listing them rather pointless?

 

[Zonkd]

Then it looks like every single blocked site will be classified as a rebind attack making listing them rather pointless?

I have a lot of other sites getting blocked by diversion and skynet which aren’t being flagged as a rebind attack. So I’m uncertain.

Edit: is anyone else seeing these in their logs? Maybe it’s just a network configuration issue on my end. The rebind.network proof of concept website shows it’s already a workable solution for locating interoperable IoT devices, but what other uses may it have? On topic and purely out of curiosity: would performing a quick rebind in the background be a practical method of confirming a visitors network topology and if there is visibility/accessibility to any other devices on the vlan? Sounds like a cool (but ugly) way to fingerprint a user to later match against a shadow profile. Not that I believe it’s happening in this case. I can only imagine these are false positives.

 

[Zonkd]

Then it looks like every single blocked site will be classified as a rebind attack making listing them rather pointless?

Actually it seems like you may be correct, disabling adblockers on my host put the load onto Diversion, and sure enough the blocks it performed showed up in syslogs as possible rebind attacks. So it's basically all false positives, which yes does make it pointless listing them in syslogs.

 

[john9527]

Actually it seems like you may be correct, disabling adblockers on my host put the load onto Diversion, and sure enough the blocks it performed showed up in syslogs as possible rebind attacks. So it's basically all false positives, which yes does make it pointless listing them in syslogs.

Try adding
rebind-localhost-ok
to dnsmasq.conf with a /jffs/configs/dnsmasq.conf.add

 

[Yota]

Sorry to resurrect an old thread. I am just setting up the XT12 with Merlin and I need to add this line to the dnsmasq file.
"rebind-domain-ok=/plex. Direct/"

I'm fairly computer savvy but I am linux illiterate and I'm getting nowhere with putty - all I'm getting is "not found". I did manage to do this before but I've forgotten how to do it and all the instructions I can find assume a basic level of linux knowledge.

Could some kind soul possibly provide me with the commands I need to enter into Putty to add the above line to the dnsmasq file. I have gotten as far as logging in with putty on SSH.

Thank you in advance if anyone can put me out of my misery.

If you are already logged into SSH, try entering these commands:

echo "rebind-domain-ok=/plex.direct/" >> /jffs/configs/dnsmasq.conf.add

then enable "JFFS custom scripts and configs" in the router's admin -- system settings.


You also need to run the following command for it to take effect:

service restart_dnsmasq

or just restart your router

 

[ColinTaylor]

I have gotten as far as logging in with putty on SSH.

First make sure JFFS custom scripts and configs are enabled in the GUI (Administration - System). Then from SSH:

echo "rebind-domain-ok=/plex.direct/" >> /jffs/configs/dnsmasq.conf.add

Then:

service restart_dnsmasq

 

[barcote]

Many thanks - wasn't expecting a reply today. All done - very grateful