N66U + Huawei 658 v2 martian packets / dnsmasq[3803]: possible DNS-rebind attack detected: dns.msftncsi.com

FCM

Occasional Visitor
Hello,

I have a N66U set up as AP router with public IP behind a Huawei 658 v2 ADSL router set up in bridge mode.

A Linux box connected to the N66U keeps logging martian packets for the interface attached to that LAN:

Code:
kernel: IPv4: martian source 192.168.100.51 from 192.168.100.51, on dev eno2
kernel: ll header: 00000000: c0 06 c3 02 95 d6 78 24 af 99 36 60 08 00

The two MACs mentioned are for the eno2 interface and the router respectively.

Additionally, the N66U router logs the following error:

Code:
dnsmasq[3803]: possible DNS-rebind attack detected: dns.msftncsi.com



Now comes the interesting part: the Huawei router, when used in AP / DHCP server / standalone mode, would try to install its own security certificate for SSL connections. I had this prompt pop up when accessing my Outlook inbox; never installed it of course, as I found it weird :).

On top of that, the Huawei would also randomly open a page to
Code:
dns.msftncsi.com
which is some kind of keep-alive address from Microsoft? I've seen this triggered for a brief period via the N66U when it was set up behind the Huawei with double NAT.


I believe the issues are somehow related and the Huawei router is still trying some shenanigans even though it no longer acts as a DHCP server (it is disabled in its interface) and the N66U reports public WAN.

How should I investigate this further?

Please note that, due to the ISPs present in my area, I can't simply switch to another provider / plan to get rid of this issue.

Any help appreciated.
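To make the two kernel lines quoted above easier to read, here is a small parser, added as an example and not part of the original post. The kernel prints the martian line as "martian source <destination> from <source>, on dev <interface>", and the "ll header" dump is the raw Ethernet header: destination MAC, source MAC, then the EtherType. The sample log and the set of local addresses handed to explain() are constructed here; the explanation it returns is a reading of the log line, not a diagnosis of the router.

```python
import re

# Constructed sample: the two kernel lines quoted in the post, in syslog form.
SAMPLE_LOG = """\
kernel: IPv4: martian source 192.168.100.51 from 192.168.100.51, on dev eno2
kernel: ll header: 00000000: c0 06 c3 02 95 d6 78 24 af 99 36 60 08 00
"""

# Kernel format (net/ipv4/route.c): "martian source <daddr> from <saddr>, on dev <if>".
MARTIAN_RE = re.compile(r"martian source (\S+) from (\S+), on dev (\S+)")
# "ll header" dumps the link-layer header: dst MAC (6), src MAC (6), EtherType (2).
LLHDR_RE = re.compile(r"ll header: [0-9a-f]+: ((?:[0-9a-f]{2}\s?)+)")


def parse_martians(log):
    """Pair each martian line with the ll header line that follows it."""
    events, pending = [], None
    for line in log.splitlines():
        m = MARTIAN_RE.search(line)
        if m:
            pending = {"daddr": m.group(1), "saddr": m.group(2), "dev": m.group(3)}
            events.append(pending)
            continue
        h = LLHDR_RE.search(line)
        if h and pending is not None:
            raw = bytes.fromhex(h.group(1).replace(" ", ""))
            pending["dst_mac"] = raw[0:6].hex(":")
            pending["src_mac"] = raw[6:12].hex(":")
            pending["ethertype"] = int.from_bytes(raw[12:14], "big")  # 0x0800 = IPv4
            pending = None
    return events


def explain(event, local_addrs):
    """Describe why the packet was martian, given this host's own addresses (assumed input)."""
    if event["saddr"] in local_addrs:
        return (f"packet claiming to be from this host ({event['saddr']}) arrived on "
                f"{event['dev']} from MAC {event.get('src_mac', '?')}: the sender is "
                f"spoofing or reflecting this host's own traffic")
    return f"source {event['saddr']} is not routable back via {event['dev']} (rp_filter)"


if __name__ == "__main__":
    for ev in parse_martians(SAMPLE_LOG):
        print(ev)
        print(explain(ev, {"192.168.100.51"}))
```

Run against the sample, the destination MAC is the eno2 interface and the source MAC is the router, which matches the post: the router is sending frames whose IP source is the Linux box's own address, which is why the kernel refuses them.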
 

ColinTaylor

Part of the Furniture
I have a N66U set up as AP router with public IP behind a Huawei 658 v2 ADSL router set up in bridge mode.
This is completely wrong. You should never have an access point connected directly to the public internet.
 

FCM

Occasional Visitor
This is completely wrong. You should never have an access point connected directly to the public internet.
I might have used the wrong nomenclature, but this setup is similar to what I've typically used in the past, where I would connect via PPPoE from my ASUS router and that router would get a public IP for its WAN interface and then perform NAT for its clients. What's wrong with this setup?
 

ColinTaylor

Part of the Furniture
What is the LAN IP address of the N66U?
 

FCM

Occasional Visitor
LAN IP: 192.168.100.1
WAN IP: 90.95.xxx.xxx
 


dave14305

Part of the Furniture
I've seen this recently since the IPv6 (AAAA) result for dns.msftncsi.com is considered a private address that would be considered a rebind attack by dnsmasq.

Add this line to /jffs/configs/dnsmasq.conf.add if you're running Merlin:
Code:
rebind-domain-ok=dns.msftncsi.com
 

ColinTaylor

Part of the Furniture
I've seen this recently since the IPv6 (AAAA) result for dns.msftncsi.com is considered a private address that would be considered a rebind attack by dnsmasq.

Add this line to /jffs/configs/dnsmasq.conf.add if you're running Merlin:
Code:
rebind-domain-ok=dns.msftncsi.com
How strange. What AAAA address is it returning that is private? I get fd3e:4f5a:5b81::1 which isn't private, unless there's been some change I'm not aware of.
 

ColinTaylor

Part of the Furniture
I think it's due to it being a ULA address.
Ah, yes. I see it now (I got confused with link local addresses). Still, it's strange that Microsoft is using a local address for a public server. Oh well, whatever.
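The posts above (dave14305's rebind-domain-ok fix and the ULA discussion) describe what dnsmasq's --stop-dns-rebind check does with that AAAA answer. The following is an added example, not code from the thread or from dnsmasq, that reproduces the check in Python so you can test a name's answers before touching the router: the address ranges are my reading of private_net() and private_net6() in dnsmasq's rfc1035.c (RFC 1918 space, 0/8, 169.254/16, 127/8 unless rebind-localhost-ok, and for IPv6 the IPv4-mapped forms of those plus link-local, site-local and fd00::/8), so verify them against the version you run. The sample answers are constructed, apart from the fd3e:4f5a:5b81::1 address quoted in the thread.

```python
import ipaddress

# Ranges dnsmasq treats as "private" for --stop-dns-rebind (my reading of
# private_net()/private_net6() in rfc1035.c; verify against your version).
V4_PRIVATE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]
V4_LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def is_rebind_address(addr, ban_localhost=True):
    """True if dnsmasq would treat this upstream answer as a rebind attempt."""
    a = ipaddress.ip_address(addr)
    if isinstance(a, ipaddress.IPv6Address):
        mapped = a.ipv4_mapped                 # ::ffff:a.b.c.d -> apply the IPv4 rules
        if mapped is not None:
            return is_rebind_address(str(mapped), ban_localhost)
        return ((a.is_loopback and ban_localhost)
                or a.is_link_local             # fe80::/10
                or a.is_site_local             # fec0::/10
                or a.packed[0] == 0xfd)        # ULA, fd00::/8 (what fd3e:... trips)
    return ((a in V4_LOOPBACK and ban_localhost)
            or any(a in n for n in V4_PRIVATE))


def rebind_check(qname, answers, rebind_domain_ok=(), ban_localhost=True):
    """Return the answers dnsmasq would drop (and log) for qname, [] if none.

    rebind_domain_ok mirrors the config option: the domain and all its
    subdomains are exempt. ban_localhost=False mirrors rebind-localhost-ok.
    """
    qname = qname.rstrip(".").lower()
    for dom in rebind_domain_ok:
        dom = dom.strip("/").rstrip(".").lower()   # accept the /domain/ spelling too
        if qname == dom or qname.endswith("." + dom):
            return []
    return [a for a in answers if is_rebind_address(a, ban_localhost)]


if __name__ == "__main__":
    # Constructed answer set: a public-looking A record plus the ULA AAAA from the thread.
    answers = ["203.0.113.1", "fd3e:4f5a:5b81::1"]
    print("rejected:", rebind_check("dns.msftncsi.com", answers))
    print("after rebind-domain-ok:",
          rebind_check("dns.msftncsi.com", answers, rebind_domain_ok=["dns.msftncsi.com"]))
```

The first call returns only the AAAA answer, which is exactly why the router logs "possible DNS-rebind attack detected: dns.msftncsi.com" while IPv4 lookups of the same name are fine; adding the domain to rebind-domain-ok empties the list. Keep the allowlist to names you have checked, since each entry disables the protection for that whole subtree.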
 

FCM

Occasional Visitor
Added the entry, no more dns-rebind attack.

As for the martian packets: I removed netplan from the linux box and I'm using NetworkManager instead. Edited the interface metric via nmcli. No more martian packets in syslog.
 