
Multiple DNS Servers - How does the router decide which one to use?


Oh well, only 10% for now.

Anyway, I guess my plan is a good one then?
DNSSEC only enabled on NextDNS
Rebind protection only enabled on Router
 
The % rate is going to be low because most domains don't support DNSSEC. Maybe it will improve over time, but yeah. Expect it to be low for now.

Yeah that should be fine. Maybe the errors only show up on a more verbose logging level, but I definitely saw a bunch of entries in the log after about a day, complaining about rebinding.
 
Managed to try my spare AX86S with current 388 beta 4 and I do get these when Enable DNS Rebind protection is set to enabled. Having the Rebind Protection off on the NextDNS web UI doesn't change things.

Code:
Nov 30 22:03:20 dnsmasq[5108]: possible DNS-rebind attack detected: 0mso8yci6lb.rtt-test.dnscheck.tools
Nov 30 22:03:20 dnsmasq[5108]: possible DNS-rebind attack detected: tsbnvxa07hq.rtt-test.dnscheck.tools
Nov 30 22:03:20 dnsmasq[5108]: possible DNS-rebind attack detected: 3z4tkxqwwyv.rtt-test.dnscheck.tools
Nov 30 22:03:20 dnsmasq[5108]: possible DNS-rebind attack detected: giaon9xcu7s.rtt-test.dnscheck.tools
Nov 30 22:03:20 dnsmasq[5108]: possible DNS-rebind attack detected: tfhe7y2hrom.rtt-test.dnscheck.tools
Nov 30 22:03:20 dnsmasq[5108]: possible DNS-rebind attack detected: z7usj7vnb7m.rtt-test.dnscheck.tools
Nov 30 22:03:20 dnsmasq[5108]: possible DNS-rebind attack detected: hclj1zv7m1.rtt-test.dnscheck.tools
Nov 30 22:03:20 dnsmasq[5108]: possible DNS-rebind attack detected: hzodbrst5c6.rtt-test.dnscheck.tools
Nov 30 22:03:20 dnsmasq[5108]: possible DNS-rebind attack detected: dljq2berdy.rtt-test.dnscheck.tools
Nov 30 22:03:20 dnsmasq[5108]: possible DNS-rebind attack detected: ynx93w8alir.rtt-test.dnscheck.tools
Nov 30 22:03:20 dnsmasq[5108]: possible DNS-rebind attack detected: 5yswj3p02j7.rtt-test.dnscheck.tools

Probably selecting a blocklist file locally rather than the NextDNS lists on their web UI will make rebind protection on the router work better?
 
Managed to try my spare AX86S with current 388 beta 4 and I do get these when Enable DNS Rebind protection is set to enabled.
These are exactly the kind of messages I want to see when rebind protection is enabled. This is a Good Thing™. If some malicious or misconfigured device is resolving external domains to private addresses I want to know about it so I can fix it. I don't want it to be silently dropped so that I'm none the wiser.

In this case it happens to be a legitimate part of the dnscheck tool. As this is something I almost never run I can either ignore the fairly obvious messages in the log, or if it's something I run frequently I could add the following line to dnsmasq.conf to suppress it for this specific test.

 
These are exactly the kind of messages I want to see when rebind protection is enabled. This is a Good Thing™. If some malicious or misconfigured device is resolving external domains to private addresses I want to know about it so I can fix it. I don't want it to be silently dropped so that I'm none the wiser.

In this case it happens to be a legitimate part of the dnscheck tool. As this is something I almost never run I can either ignore the fairly obvious messages in the log, or if it's something I run frequently I could add the following line to dnsmasq.conf to suppress it for this specific test.

View attachment 45863
Cool and good to know, but this is also happening with rebind protection enabled on the router and disabled in the NextDNS web UI, with the blocklist from their web UI.

Code:
Nov 30 22:35:15 dnsmasq[4446]: possible DNS-rebind attack detected: browser.events.data.msn.com
Nov 30 22:35:16 dnsmasq[4446]: possible DNS-rebind attack detected: c.msn.com
Nov 30 22:35:16 dnsmasq[4446]: possible DNS-rebind attack detected: sb.scorecardresearch.com
Nov 30 22:35:16 dnsmasq[4446]: possible DNS-rebind attack detected: c.bing.com
Nov 30 22:35:20 dnsmasq[4446]: possible DNS-rebind attack detected: browser.events.data.msn.com
Nov 30 22:35:20 dnsmasq[4446]: possible DNS-rebind attack detected: cookie-cdn.cookiepro.com
Nov 30 22:35:20 dnsmasq[4446]: possible DNS-rebind attack detected: sessions.bugsnag.com
Nov 30 22:35:20 dnsmasq[4446]: possible DNS-rebind attack detected: securepubads.g.doubleclick.net

This is why I am kind of interested in a locally configured blocklist, doing all the DNS stuff locally, with minimal config too.
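When rebind protection fires on a whole batch of names like the ones above, the first job is triage: which names, how often, and whether they look like a test tool, an ad/tracker blocklist hit, or something that actually needs chasing. The snippet below is an added example (not from the thread or from any of its posters) that summarises dnsmasq's "possible DNS-rebind attack detected" lines from a syslog file. The log lines embedded at the bottom are a constructed sample modelled on the entries quoted in this thread; the log format is the one shown above and is the only thing the script assumes.

```shell
#!/bin/sh
# Added example: triage dnsmasq rebind warnings from a syslog file.
# Assumes the message format shown in the thread:
#   <date> dnsmasq[<pid>]: possible DNS-rebind attack detected: <name>

# rebind_summary FILE: print "count name" for each distinct name, most frequent first
rebind_summary() {
    grep 'possible DNS-rebind attack detected:' "$1" \
        | awk '{ print $NF }' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# rebind_count FILE: total number of rebind warnings in the file
rebind_count() {
    rebind_summary "$1" | awk '{ s += $1 } END { print s + 0 }'
}

# rebind_top FILE: the single most frequently reported name
rebind_top() {
    rebind_summary "$1" | head -n 1 | awk '{ print $2 }'
}

# rebind_suffix_hits FILE SUFFIX: how many warnings end in SUFFIX (e.g. a test
# tool's domain), useful for deciding whether the noise is all from one source
rebind_suffix_hits() {
    rebind_summary "$1" | awk -v sfx="$2" '
        substr($2, length($2) - length(sfx) + 1) == sfx { s += $1 }
        END { print s + 0 }'
}

# Constructed sample log (modelled on the entries quoted in the thread)
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Nov 30 22:35:15 dnsmasq[4446]: possible DNS-rebind attack detected: browser.events.data.msn.com
Nov 30 22:35:16 dnsmasq[4446]: possible DNS-rebind attack detected: c.msn.com
Nov 30 22:35:16 dnsmasq[4446]: possible DNS-rebind attack detected: sb.scorecardresearch.com
Nov 30 22:35:16 dnsmasq[4446]: possible DNS-rebind attack detected: c.bing.com
Nov 30 22:35:20 dnsmasq[4446]: possible DNS-rebind attack detected: browser.events.data.msn.com
Nov 30 22:35:20 dnsmasq[4446]: possible DNS-rebind attack detected: cookie-cdn.cookiepro.com
Nov 30 22:35:20 dnsmasq[4446]: possible DNS-rebind attack detected: sessions.bugsnag.com
Nov 30 22:35:20 dnsmasq[4446]: possible DNS-rebind attack detected: securepubads.g.doubleclick.net
Nov 30 22:36:01 dnsmasq[4446]: possible DNS-rebind attack detected: 0mso8yci6lb.rtt-test.dnscheck.tools
EOF

# Stand-alone run: show the summary for the sample (on a router, pass /tmp/syslog.log instead)
rebind_summary "$SAMPLE_LOG"
```

On the router you would point the functions at the real syslog instead of the sample. A cluster of well-known ad and telemetry hosts, as in the thread, points at the upstream blocklist answering with 0.0.0.0 rather than at a device on the LAN; a single suffix such as `dnscheck.tools` points at a test tool. For a known-good test domain dnsmasq also has the `rebind-domain-ok=` option to exempt one domain from the check; that option exists in dnsmasq but is not discussed in this thread, so treat it as an aside.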
 
Cool and good to know, but this is also happening with rebind protection enabled on the router and disabled in the NextDNS web UI, with the blocklist from their web UI.
Ah, I see. I've never used NextDNS' blocking. I guess they're returning 0.0.0.0 for the blocked domains. It looks like you'll have to use NextDNS' rebind protection if you want to continue using their blocking.

I block stuff locally using my own script which is similar to Diversion Lite.
 
Coincidentally there was this bug report over on NextDNS the other day:

Maybe try the solution suggested there.
Code:
bogus-nxdomain=0.0.0.0
Thank you but I'll have to PM you about a mess up :oops:
 
Thank you but I'll have to PM you about a mess up :oops:
For those who use NextDNS with their blocking list and enable DNS rebind protection on the router instead of NextDNS's:

Code:
killall dnsmasq; dnsmasq --log-async --bogus-nxdomain=0.0.0.0

Thanks @ColinTaylor
 
For those who use NextDNS with their blocking list and enable DNS rebind protection on the router instead of NextDNS's:

Code:
killall dnsmasq; dnsmasq --log-async --bogus-nxdomain=0.0.0.0

Thanks @ColinTaylor

How to make that setting stick on reboots/updates?
Also, is there any benefit of using DNS rebind on the router instead of NextDNS?
 
How to make that setting stick on reboots/updates?
Also, is there any benefit of using DNS rebind on the router instead of NextDNS?
Not sure about benefit, but I'd trust it to do locally more than NextDNS I think.

I am very new here and still learning. I have two AX86s: an AX86U which has add-ons installed from amtm, which is super easy to use, and an AX86S I am trying to configure minimally. The --bogus-nxdomain=0.0.0.0 would need to be put in services-start or postconf scripts, which I am still figuring out :confused:
 
Create a custom config file /jffs/configs/dnsmasq.conf.add with bogus-nxdomain=0.0.0.0 in it.
Is this correct?

Code:
chmod a+rx /jffs/configs/dnsmasq.conf.add

Code:
nano /jffs/configs/dnsmasq.conf.add

And edit inside nano
 
If you're referring to the DNS-over-TLS mode, it round-robins the servers due to how Stubby is configured. So to answer the question, it rotates through the list.
How many should there be on the list then? Currently I have Cloudflare IPv4 and IPv6, two of each. Is that right or should I only have one of each?
 
How many should there be on the list then? Currently I have Cloudflare IPv4 and IPv6, two of each. Is that right or should I only have one of each?
There's no "should", I don't think.
I've read somewhere that it's good to have both IPv4 & IPv6 servers selected, in case of outages.
I use two of each personally, but that’s just my preference.
 
These are exactly the kind of messages I want to see when rebind protection is enabled. This is a Good Thing™. If some malicious or misconfigured device is resolving external domains to private addresses I want to know about it so I can fix it. I don't want it to be silently dropped so that I'm none the wiser.

In this case it happens to be a legitimate part of the dnscheck tool. As this is something I almost never run I can either ignore the fairly obvious messages in the log, or if it's something I run frequently I could add the following line to dnsmasq.conf to suppress it for this specific test.

View attachment 45863
Friend, I'm still learning to use Merlin; little by little I'm starting to configure many things by myself. But where is this dnsmasq.conf file? I don't know where it is in the Merlin files. Do I have to create one in /jffs/configs/dnsmasq.conf.add and add this line in it?
 
Do I have to create one in /jffs/configs/dnsmasq.conf.add and add this line in it?
Yes. And enable "JFFS custom scripts and configs" in Administration - System.


Once you've made changes to the config file either reboot the router or restart the DNS server (service restart_dnsmasq).
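The procedure in the last few posts (enable custom configs, put `bogus-nxdomain=0.0.0.0` in `/jffs/configs/dnsmasq.conf.add`, restart dnsmasq) can be done once by hand in nano, but it is easy to end up with the line twice or with a typo that dnsmasq rejects on restart. The script below is an added example, not code from the thread or from Asuswrt-Merlin itself. It assumes only what the thread states: that `/jffs/configs/dnsmasq.conf.add` is merged into the generated dnsmasq.conf and that `service restart_dnsmasq` reloads it. The `CONF_ADD` environment variable is an assumption of this script (it lets the functions be tested against a scratch file); the `apply` argument and the function names are likewise mine.

```shell
#!/bin/sh
# Added example: idempotently persist a dnsmasq option on Asuswrt-Merlin.
# CONF_ADD (assumed here, not a Merlin variable) defaults to the path used in the thread.

conf_path() {
    printf '%s\n' "${CONF_ADD:-/jffs/configs/dnsmasq.conf.add}"
}

# ensure_dnsmasq_option LINE: append LINE unless an identical line is already there.
# Prints "added" or "present" so callers can decide whether a restart is needed.
ensure_dnsmasq_option() {
    line="$1"
    conf=$(conf_path)
    case "$line" in
        *[!A-Za-z0-9_=./:,-]*|"")  # reject blanks and anything outside dnsmasq's usual option charset
            echo invalid; return 1 ;;
    esac
    mkdir -p "$(dirname "$conf")"
    touch "$conf"
    if grep -qxF -- "$line" "$conf"; then
        echo present
    else
        printf '%s\n' "$line" >> "$conf"
        echo added
    fi
}

# dnsmasq_option_count LINE: exact-line occurrences in the custom config (1 after ensure)
dnsmasq_option_count() {
    conf=$(conf_path)
    [ -f "$conf" ] || { echo 0; return 0; }
    grep -cxF -- "$1" "$conf" || true
}

# Stand-alone use on the router:  sh this_script.sh apply
# The thread's web UI step ("JFFS custom scripts and configs" under
# Administration - System) still has to be done first; this script does not check it.
if [ "${1:-}" = "apply" ]; then
    result=$(ensure_dnsmasq_option 'bogus-nxdomain=0.0.0.0')
    echo "bogus-nxdomain=0.0.0.0: $result"
    [ "$result" = "added" ] && service restart_dnsmasq
fi
```

Because `dnsmasq.conf.add` lives on the JFFS partition it survives reboots and firmware updates, which is what the "how to make that setting stick" question was after; the `killall dnsmasq; dnsmasq --log-async --bogus-nxdomain=0.0.0.0` one-liner earlier in the thread only lasts until the next restart of dnsmasq.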
 
Yes. And enable "JFFS custom scripts and configs" in Administration - System.


Once you've made changes to the config file either reboot the router or restart the DNS server (service restart_dnsmasq).

I did that, I think it's ok. Something I'm noticing is that after I added the line bogus-nxdomain=0.0.0.0 in dnsmasq.conf.add, no more logs of this type appear here:

Code:
Nov 30 22:35:15 dnsmasq[4446]: possible DNS-rebind attack detected: browser.events.data.msn.com
Nov 30 22:35:16 dnsmasq[4446]: possible DNS-rebind attack detected: c.msn.com
Nov 30 22:35:16 dnsmasq[4446]: possible DNS-rebind attack detected: sb.scorecardresearch.com
Nov 30 22:35:16 dnsmasq[4446]: possible DNS-rebind attack detected: c.bing.com
Nov 30 22:35:20 dnsmasq[4446]: possible DNS-rebind attack detected: browser.events.data.msn.com
Nov 30 22:35:20 dnsmasq[4446]: possible DNS-rebind attack detected: cookie-cdn.cookiepro.com
Nov 30 22:35:20 dnsmasq[4446]: possible DNS-rebind attack detected: sessions.bugsnag.com
Nov 30 22:35:20 dnsmasq[4446]: possible DNS-rebind attack detected: securepubads.g.doubleclick.net

The DNS Rebind protection option is enabled on Merlin, DNSSEC is not. Is it working correctly? After you add the bogus-nxdomain option in dnsmasq.conf.add, do the logs stop appearing? Do I need to enable the DNSSEC option in Merlin or not?
 