N66U + Huawei 658 v2 martian packets / dnsmasq[3803]: possible DNS-rebind attack detected: dns.msftncsi.com


FCM

Occasional Visitor
Hello,

I have a N66U set up as AP router with public IP behind a Huawei 658 v2 ADSL router set up in bridge mode.

A linux box connected to the N66U keeps logging martian packets for the interface attached to that lan:

Code:
kernel: IPv4: martian source 192.168.100.51 from 192.168.100.51, on dev eno2
kernel: ll header: 00000000: c0 06 c3 02 95 d6 78 24 af 99 36 60 08 00

The two MACs mentioned are for the eno2 interface and the router respectively.

Additionally, the N66U router logs the following error:

Code:
dnsmasq[3803]: possible DNS-rebind attack detected: dns.msftncsi.com



Now comes the interesting part: the Huawei router, when used in AP / DHCP server / standalone mode, would try to install its own security certificate for SSL connections. I had this prompt pop up when accessing my Outlook inbox; never installed it of course, as I found it weird :).

On top of that, the Huawei would also randomly open a page to
Code:
dns.msftncsi.com
which is some kind of keep-alive address from Microsoft? I've seen this triggered for a brief period via the N66U when it was set up behind the Huawei with double NAT.


I believe the issues are somehow related and the Huawei router is still trying some shenanigans even though it no longer acts as a DHCP server (it is disabled in its interface) and the N66U reports public WAN.

How should I investigate this further?

Please note that due to the ISPs present in my area, I can't simply switch to another provider / plan to get rid of this issue.

Any help appreciated.
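The two kernel lines quoted above are easier to reason about once decoded. The kernel prints `martian source <daddr> from <saddr>, on dev <ifname>` (destination first, then source), and the `ll header` dump is the raw link-layer header, which for Ethernet is 6 bytes destination MAC, 6 bytes source MAC and 2 bytes EtherType. The parser below is an added example of mine, not code from the post or from any tool mentioned in it; the sample log is constructed from the quoted lines, the set of local addresses handed to `classify()` is an assumption for the demo, and the list of bogon source ranges is this example's own rather than a copy of the kernel's tables.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample, modelled on the two kernel lines quoted in the post.
SAMPLE_LOG = """\
kernel: IPv4: martian source 192.168.100.51 from 192.168.100.51, on dev eno2
kernel: ll header: 00000000: c0 06 c3 02 95 d6 78 24 af 99 36 60 08 00
"""

# The kernel message reads "martian source <daddr> from <saddr>, on dev <if>":
# the first address is the packet's destination, the second is its source.
MARTIAN_RE = re.compile(
    r"martian source (?P<dst>\d{1,3}(?:\.\d{1,3}){3}) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}), on dev (?P<dev>\S+)"
)
# "ll header" is the raw link-layer header. For Ethernet that is
# 6 bytes destination MAC, 6 bytes source MAC, 2 bytes EtherType.
LLHDR_RE = re.compile(r"ll header: [0-9a-fA-F]+: (?P<hexbytes>(?:[0-9a-fA-F]{2}\s*)+)")

# Source ranges that should never appear on a wire (this example's list,
# not a copy of the kernel's own checks).
BOGON_SOURCES = (
    ("0.0.0.0/8", "'this network' (0.0.0.0/8) used as a source"),
    ("127.0.0.0/8", "loopback address used as a source on a real interface"),
    ("224.0.0.0/4", "multicast address used as a source"),
    ("240.0.0.0/4", "reserved/broadcast range used as a source"),
)


@dataclass
class MartianEvent:
    dst_ip: str
    src_ip: str
    dev: str
    dst_mac: Optional[str] = None
    src_mac: Optional[str] = None
    ethertype: Optional[int] = None


def _fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_martians(log_text: str) -> List[MartianEvent]:
    """Pair each 'martian source' line with the 'll header' line that follows it."""
    events: List[MartianEvent] = []
    for line in log_text.splitlines():
        m = MARTIAN_RE.search(line)
        if m:
            events.append(MartianEvent(m["dst"], m["src"], m["dev"]))
            continue
        h = LLHDR_RE.search(line)
        if h and events and events[-1].dst_mac is None:
            raw = bytes.fromhex(h["hexbytes"].replace(" ", ""))
            if len(raw) >= 14:  # a full Ethernet header is present
                ev = events[-1]
                ev.dst_mac = _fmt_mac(raw[0:6])
                ev.src_mac = _fmt_mac(raw[6:12])
                ev.ethertype = int.from_bytes(raw[12:14], "big")  # 0x0800 = IPv4
    return events


def classify(ev: MartianEvent, local_ips: Iterable[str]) -> str:
    """Give the most likely reason the kernel rejected this source address."""
    if ev.src_ip in set(local_ips):
        return ("source is one of this host's own addresses: either spoofed, or our "
                "own packet reflected back to us by the device at MAC " + str(ev.src_mac))
    src = ipaddress.ip_address(ev.src_ip)
    for net, reason in BOGON_SOURCES:
        if src in ipaddress.ip_network(net):
            return reason
    return ("source failed the reverse-path check (rp_filter): the route back "
            f"to {ev.src_ip} does not leave via {ev.dev}")


if __name__ == "__main__":
    for ev in parse_martians(SAMPLE_LOG):
        print(ev)
        # Assumption for the demo: the Linux box itself holds 192.168.100.51.
        print(" ->", classify(ev, {"192.168.100.51"}))
```

Run against the quoted lines, the decoder shows a packet whose source and destination IP are both 192.168.100.51, delivered to the MAC in the first six bytes from the MAC in the next six, with EtherType 0x0800. Feeding `classify()` the host's own addresses tells you whether you are looking at reflection of your own traffic or a plain reverse-path failure; `rp_filter` decisions depend on the live routing table, so the last branch can only say what the kernel would have checked, not verify it offline.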
 
I have a N66U set up as AP router with public IP behind a Huawei 658 v2 ADSL router set up in bridge mode.
This is completely wrong. You should never have an access point connected directly to the public internet.
 
This is completely wrong. You should never have an access point connected directly to the public internet.
I might have used the wrong nomenclature, but this setup is similar to what I've typically used in the past, where I would connect via PPPoE from my ASUS router and that router would get a public IP for its WAN interface and then perform NAT for its clients. What's wrong with this setup?
 
LAN IP: 192.168.100.1
WAN IP: 90.95.xxx.xxx
 

Attachments: pic.png
I've seen this recently since the IPv6 (AAAA) result for dns.msftncsi.com is considered a private address that would be considered a rebind attack by dnsmasq.

Add this line to /jffs/configs/dnsmasq.conf.add if you're running Merlin:
Code:
rebind-domain-ok=dns.msftncsi.com
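To see why a public name can trip the rebind filter, here is an added example of mine (not dnsmasq's source) of the check the reply above describes: every answer in a reply is classified, IPv4-mapped IPv6 answers are unwrapped first so `::ffff:192.168.x.y` cannot slip past an IPv4-only test, and a `rebind-domain-ok` style exemption lifts the check for a name. The sample answers are constructed; the assumption that an exemption covers the listed domain and its subdomains is this example's, and the "private" ranges are those Python's `ipaddress` module recognises (RFC 1918 and friends, loopback, link-local, and RFC 4193 unique-local IPv6, fc00::/7).

```python
from __future__ import annotations

import ipaddress
from typing import Iterable, Optional, Sequence, Tuple


def looks_rebind_target(addr: str) -> bool:
    """True when a DNS answer points into address space a rebind filter should block.

    Classification comes from Python's ipaddress module: private IPv4, loopback,
    link-local, unspecified, and IPv6 ULA (fc00::/7). Matching dnsmasq's own table
    exactly is not claimed; this is the example's choice of ranges.
    """
    ip = ipaddress.ip_address(addr)
    # Unwrap ::ffff:a.b.c.d so an IPv4-mapped answer is judged as the IPv4 it carries.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified


def domain_allowed(qname: str, rebind_ok: Iterable[str]) -> bool:
    """Assumed semantics of rebind-domain-ok: the name itself or any subdomain of it."""
    q = qname.rstrip(".").lower()
    for d in rebind_ok:
        d = d.strip("./").lower()
        if q == d or q.endswith("." + d):
            return True
    return False


def check_reply(qname: str, answers: Sequence[str],
                rebind_ok: Iterable[str] = ()) -> Tuple[bool, Optional[str]]:
    """Return (accepted, log_line).

    The whole reply is dropped when any answer is a rebind target and the name
    is not exempted; the log line mirrors the one quoted in the thread.
    """
    if domain_allowed(qname, rebind_ok):
        return True, None
    if any(looks_rebind_target(a) for a in answers):
        return False, f"possible DNS-rebind attack detected: {qname}"
    return True, None


if __name__ == "__main__":
    # Constructed sample replies: a public A record plus a ULA AAAA record for the
    # NCSI name, and an attacker-style answer pointing at the router's LAN address.
    samples = [
        ("dns.msftncsi.com", ["131.107.255.255", "fd3e:4f5a:5b81::1"], ()),
        ("dns.msftncsi.com", ["131.107.255.255", "fd3e:4f5a:5b81::1"], ("dns.msftncsi.com",)),
        ("evil.example.test", ["192.168.100.1"], ()),
        ("evil.example.test", ["::ffff:192.168.100.1"], ()),
        ("www.example.com", ["93.184.216.34"], ()),
    ]
    for name, answers, ok_list in samples:
        accepted, msg = check_reply(name, answers, ok_list)
        print(f"{name:20} {answers!s:45} -> {'accept' if accepted else 'DROP'} {msg or ''}")
```

The first sample reproduces the symptom: the AAAA answer fd3e:4f5a:5b81::1 sits in fc00::/7, the unique-local range, so the reply is dropped and the log line from the thread is emitted; the second shows the `rebind-domain-ok` exemption letting the same reply through. The exemption is per name, so the filter keeps protecting every other domain (third and fourth samples), which is why an allow-list entry is preferable to switching `stop-dns-rebind` off.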
 
I've seen this recently since the IPv6 (AAAA) result for dns.msftncsi.com is considered a private address that would be considered a rebind attack by dnsmasq.

Add this line to /jffs/configs/dnsmasq.conf.add if you're running Merlin:
Code:
rebind-domain-ok=dns.msftncsi.com
How strange. What AAAA address is it returning that is private? I get fd3e:4f5a:5b81::1 which isn't private, unless there's been some change I'm not aware of.
 
Added the entry, no more dns-rebind attack.

As for the martian packets: I removed netplan from the linux box and I'm using NetworkManager instead. Edited the interface metric via nmcli. No more martian packets in syslog.
 
