possible DNS-rebind attack: secure.base.shared.live.com.akadns.net

[randomName]

Hi there, I keep getting this spammed in my logs. Anyone have any idea what that's about?

Thanks

 

[RMerlin]

That record returns 127.0.0.1, which will trigger dnsmasq's rebind protection, so it's working as expected.

 

[randomName]

That record returns 127.0.0.1, which will trigger dnsmasq's rebind protection, so it's working as expected.

Should I consider blocking it, if that's an option?

 

[RMerlin]

Should I consider blocking it, if that's an option?

Frankly, I don't know what this record is used for.

 

[ColinTaylor]

The address seems to be a CDN used by Microsoft Office 365.

https://docs.microsoft.com/en-us/office365/enterprise/managing-office-365-endpoints

I wonder whether it's something to do with its deployment in an enterprise setup. Some sort of black-hole to stop intranet traffic leaking onto the internet. Just a thought.

 

[follower]

Hi there, I keep getting this spammed in my logs. Anyone have any idea what that's about?

Thanks

Do you use any Firewall?

 

[randomName]

Do you use any Firewall?

I was using the router firewall + Skynet, but my firmware was going corrupt as my WAN kept disconnecting from y ISP. It disconnected 5 times today so I had to reinstall the firmware, not just reset. I think there might be something going on with either my USB 3.0 port on my 86U or my USB drive is junk so I haven't reinstalled Skynet just yet as I'm seeing how it behaves the next 24hrs to trouble shoot things. Whether or not it was causing the issue I'm not sure, though.

 

[follower]

I was using the router firewall + Skynet, but my firmware was going corrupt as my WAN kept disconnecting from y ISP. It disconnected 5 times today so I had to reinstall the firmware, not just reset. I think there might be something going on with either my USB 3.0 port on my 86U or my USB drive is junk so I haven't reinstalled Skynet just yet as I'm seeing how it behaves the next 24hrs to trouble shoot things. Whether or not it was causing the issue I'm not sure, though.

Kill those firewalls and test it. I think this is the firewall issue.

 

[ColinTaylor]

Kill those firewalls and test it. I think this is the firewall issue.

Why do you think it's a firewall issue? Merlin stated the reason for the messages in post #2 and I stated a likely cause in post #5.

 

[randomName]

Kill those firewalls and test it. I think this is the firewall issue.

As far as I know the reinstall of the firmware has fixed the WAN disconnect issue. It seems to be stable so far, today.

@ColinTaylor
As far as the issue about the rebind, I don't have office 365 installed. It's a fresh Windows 10 install, though.

 

[ColinTaylor]

@ColinTaylor
As far as the issue about the rebind, I don't have office 365 installed. It's a fresh Windows 10 install, though.

As it's just a Microsoft general purpose "live.com" CDN it's used by other products as well, e.g. Skype, Azure, etc.

If you want to suppress the messages just add the URL to your local blacklist.

 

[dave14305]

Or whitelist it with dnsmasq. Example dnsmasq.conf.add:

rebind-domain-ok=/mcafee.com/amazonmusiclocal.com/

replace my domains with akadns.net if you trust it.