Can I block fanhattan.com?

[RocketJSquirrel]

I get dozens of these messages in my AC68U router log every day. I don't really understand what they mean. Is there a router setting I can apply to block this entire domain or at least these sites from screwing with my DNS?

Dec 20 00:45:10 dnsmasq[206]: possible DNS-rebind attack detected: www.serv-wwwm-dev.fanhattan.com
Dec 20 00:45:11 dnsmasq[206]: possible DNS-rebind attack detected: serv-wwwm-dev.fanhattan.com
Dec 20 00:51:25 dnsmasq[206]: possible DNS-rebind attack detected: serv-www-dev.fanhattan.com
Dec 20 00:51:25 dnsmasq[206]: possible DNS-rebind attack detected: www.serv-www-dev.fanhattan.com

 

[ColinTaylor]

If you're using a router based ad-blocker like Diversion then just add those two addresses to its blacklist.

 

[RocketJSquirrel]

Not running any add-ons, just plain ol' Merlin. So an add-on like an ad-blocker is required for this?

 

[ColinTaylor]

Not running any add-ons, just plain ol' Merlin. So an add-on like an ad-blocker is required for this?

It's not required, it's just one way of suppressing those messages. The messages themselves aren't a problem, it's just dnsmasq telling you that it's blocked those domains because they return bogus addresses.

If you still want to suppress those messages you could create a /jffs/configs/dnsmasq.conf.add file that contains the following line (you also need to enable support for custom configs in the router's GUI):

address=/serv-wwwm-dev.fanhattan.com/serv-www-dev.fanhattan.com/

EDIT: corrected statement, see post #8

 

[Dabombber]

I found the same thing with timeline-sync.getpebble.com, since they shut down the services they just pointed the address to 0.0.0.0. Easiest way to get rid of the warning messages is to manually set the address using /jffs/configs/dnsmasq.conf.add.

In your case you'd want to add the line

address=/serv-wwwm-dev.fanhattan.com/serv-www-dev.fanhattan.com/#

The # is just a shortcut for both 0.0.0.0 and ::1.

 

[ColinTaylor]

@Dabombber I think you've made a typo in your dnsmasq statement. I assume you intended for one of the domains to be the one that begins with www? In this particular case it can be omitted because www is a host of the parent domain.

The difference between my post and yours is that mine returns NXDOMAIN instead of a valid address.

 

[dave14305]

Not running any add-ons, just plain ol' Merlin. So an add-on like an ad-blocker is required for this?

Or you could disable “Enable DNS Rebind protection” on the WAN page to stop these messages if you don’t know why you are getting them.

or exclude the domain using the instructions I posted for someone else here:
[Release] Asuswrt-Merlin 384.13 is now available

 

[Dabombber]

From the logs it looks like there's 2 subdomains of fanhattan.com, serv-wwwm-dev and serv-www-dev. Using nxdomain instead of 0.0.0.0/::1 seems like a more intuitive solution but can cause longer load times and/or break some things entirely.

 

[ColinTaylor]

From the logs it looks like there's 2 subdomains of fanhattan.com, serv-wwwm-dev and serv-www-dev.

Yes, you're quite correct. My old eyes failed me.

 

[RocketJSquirrel]

Thanks, guys. The new entry in dnsmasq.conf.add seems to have done the trick. No log messages about fanhattan.com since I added it.