Fritz!Box doesn't reply on dnsmasq rules that point to IPs within 192.168.178.### range


Solution 1

I think I found the solution to the problem I had myself: The Fritz!Box actually tries to protect you from domain names that resolve into your home network.

I cite http://service.avm.de/support/en/SKB/FRITZ-Box-7360-int/1274:No-DNS-resolution-of-private-IP-addresses:

For safety reasons, no DNS resolution of private IP addresses

If a DNS query from a DNS server on the Internet is answered with an IP address from the FRITZ!Box home network, the FRITZ!Box does not forward this DNS reply to the network device. This is a security feature of the FRITZ!Box to protect you from so-called "DNS rebinding attacks".

If anybody still has ideas on how to work around this or disable this feature, I would be honored to see them here.

Solution 2

The key part is "except for domains that thus resolve into my local network."

I had the same issue and this fixed it.

The FritzBox has a security feature which you need to override.

All you need to do is add your domain to the list of exceptions. Follow the instructions at the following link.

http://en.avm.de/nc/service/fritzbox/fritzbox-7390/knowledge-base/publication/show/663_No-DNS-resolution-of-private-IP-addresses/

Also you may need to update your firmware for the option to show up.

Firmware version: 84.05.51

Kind regards

Solution 3

As already said, this is a security feature. Exceptions for local IPs can be defined by configuring the router.

Configuring the FRITZ!Box

  1. Switch to the "Advanced View".
  2. Click "Home Network" in the FRITZ!Box user interface.
  3. Click "Network" in the "Home Network" menu.
  4. Click the "Network Settings" tab.
  5. Enter the name of the domain for which DNS rebind protection should not apply in the "Domain name exceptions" field. If you wish to enter several domain names as exceptions, separate the domain names from each other with a line break.
  6. Click "Apply" to save your settings.
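To make the behaviour described in these answers concrete, here is an added example (not AVM firmware code, not from the original post) that models the rebind check as a filter over a raw DNS reply: parse the answer, and if any A/AAAA record points into a private range, drop the reply unless the queried name is on the "Domain name exceptions" list. The set of "private" ranges (RFC 1918 plus IPv6 ULA), the suffix-match rule for the exception list, and the DNS packets built by `build_reply` are all assumptions made for the example; the dnsmasq `address=/filtered.website/192.168.178.49` case from the question is used as one of the constructed inputs.

```python
import ipaddress
import struct

# Assumption: the FRITZ!Box treats these ranges as "home network" addresses.
# AVM's text only says "private IP addresses".
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def _read_name(packet, offset, max_hops=16):
    """Read a DNS name at offset, following RFC 1035 compression pointers.
    Returns (name, offset just past the name as it appeared in the packet)."""
    labels, end, hops = [], None, 0
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            pointer = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            end = end if end is not None else offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_dns_reply(packet):
    """Return (queried name, list of A/AAAA addresses) from a raw DNS reply."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!6H", packet[:12])
    if not flags & 0x8000:
        raise ValueError("not a DNS response")
    offset, qname = 12, None
    for _ in range(qdcount):
        name, offset = _read_name(packet, offset)
        offset += 4                                     # QTYPE + QCLASS
        qname = qname or name
    addresses = []
    for _ in range(ancount):
        _, offset = _read_name(packet, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        rdata = packet[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:                   # A
            addresses.append(ipaddress.IPv4Address(rdata))
        elif rtype == 28 and rdlen == 16:               # AAAA
            addresses.append(ipaddress.IPv6Address(rdata))
    return qname, addresses


def is_excepted(qname, exceptions):
    """Assumed rule for the 'Domain name exceptions' list: the entry matches
    the queried name itself and any name below it."""
    q = qname.lower().rstrip(".")
    for dom in exceptions:
        d = dom.lower().rstrip(".")
        if q == d or q.endswith("." + d):
            return True
    return False


def rebind_filter(packet, exceptions=()):
    """Model of the FRITZ!Box check. Returns the addresses the client would
    receive, or None when the reply is dropped because an answer points into
    a private range and the name is not on the exception list."""
    qname, addresses = parse_dns_reply(packet)
    hits_private = any(any(ip in net for net in PRIVATE_NETS) for ip in addresses)
    if hits_private and not is_excepted(qname, exceptions):
        return None
    return addresses


def build_reply(qname, ips, txn_id=0x1234):
    """Construct a minimal DNS response (constructed test input, not a capture).
    Answer names use a compression pointer to the question (0xC00C)."""
    def encode(name):
        return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!6H", txn_id, 0x8180, 1, len(ips), 0, 0)
    question = encode(qname) + struct.pack("!HH", 1, 1)
    answers = b""
    for ip in map(ipaddress.ip_address, ips):
        rtype = 1 if ip.version == 4 else 28
        answers += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(ip.packed)) + ip.packed
    return header + question + answers


if __name__ == "__main__":
    blocked = build_reply("filtered.website", ["192.168.178.49"])
    print("no exception :", rebind_filter(blocked))                         # None (dropped)
    print("with exception:", rebind_filter(blocked, ["filtered.website"]))  # [192.168.178.49]
```

The first case reproduces the symptom in the question: the dnsmasq answer for `filtered.website` is silently dropped on its way through the router. Adding the name to the exception list (the second call) is the only change, and the answer then reaches the client; a public answer such as `203.0.113.10` passes without any configuration.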

Sebastian A.

Updated on September 18, 2022

Comments

  • Sebastian A.
    Sebastian A. almost 2 years

    To ensure better monitoring of my home network (parental control) I tried and set up a Raspberry Pi with dnsmasq and added in some rules to the dnsmasq.conf, that basically come down to the following:

    address=/filtered.website/192.168.178.49
    

    I set this up, and as long as I use IP addresses that are outside the range of 192.168.178.###, everything works fine. I now planned on wiring these websites with a local warning message so that not only the browser shows an error, but the user gets a warning.

    To process all DNS queries through the Pi, I used the Fritz!Box settings and set both primary and secondary DNS server to the Pi's address. Everything resolves as wanted, except for domains that thus resolve into my local network. Is my router just trying to 'protect me' from websites redirecting to my local network or what's up?

    Thank you for your time and help!

    • Dave C
      Dave C over 11 years
      More detail is required. So you are replacing the IP addresses of blocked sites? On the clients do they resolve correctly to your new IP addresses through a ping? If so are you sure that the 192.168.178.### address they return is that of the Pi and it is running a web server that will accept all site names correctly? What happens if you manually go to that IP from one of the client browsers?
  • Henning
    Henning about 4 years
    Newer Fritz OSes have the option to add some hostnames which are excluded for DNS rebind protection. It's in the network settings.