OpenWRT dnsmasq: possible DNS-rebind detected
Solution 1
The solution was a port restriction on port 53.
Solution 2
It looks like dnsmasq is reachable from the internet. This allows DNS scanners to attempt rebind attacks. Check your firewall configuration. This particular server appears to be a research server, although I would expect only a few attempts from such a server.
Generally you want a mostly closed configuration on the internet interface with only the services you need enabled. DNS is usually not one of the services you want to enable.
Related videos on Youtube
03 : 55
03 : 06
01 : 40
09 : 02
08 : 38
04 : 52
05 : 38
03 : 48
Bálint Babics
Updated on September 18, 2022Comments
-
Bálint Babics 8 months
I have a problem since I use a new router (
TP-Link WDR4300 + OpenWRT BarrierBreaker) and in theSystem logis full of this periodically:<Timestamp> dnsmasq[2524]: possible DNS-rebind attack detected: 4385410-0-3084195388-824858262.ns.183-213-22-60-ns.dns-spider.ffdns.netI use my ISP's DNS (
Telekom Hungary, IPv4 DNS) but I've tried Google's too (8.8.8.8and8.8.4.4too), but there is this issue.I can reach my router from
WAN(viaDDNS(duckdns)), may it possible that this is the source of my problem?I've tried to search
DNS-rebind attackand so in OpenWRT topics but sadly I can't found anything useful there.There is any workaround to prevent those
botstorebind? -
Bálint Babics almost 7 yearsThank you for your answer @BillThor. I've ran
netstat -plnand the result is: HERE. As you can se somewhy thednsmasqopens the port but I don't know why and don't know how to close that port (I've made port restrict, but the port is still open, just not forward it).