Share possible DNS-Rebind logs

Zonkd

Very Senior Member
System logs reveal possible DNS rebind attacks, so I share them here.

This is the first I've seen since upgrading to the latest Merlin Firmware, any thoughts?:
Code:
dnsmasq[741]: possible DNS-rebind attack detected: localhost.megasyncloopback.mega.nz
Please share your own!

Info: Wikipedia says that DNS rebinding can breach private networks by causing a web browser to access private IP addresses. It can also be employed to use the victim's machine for spamming, distributed denial-of-service attacks or other malicious activities. The website rebind.network demonstrates the proof-of-concept attack and allows you to test if you are vulnerable.
 

ColinTaylor

Part of the Furniture
This is the first I've seen since upgrading to the latest Merlin Firmware, any thoughts?
You probably want to put rebind-localhost-ok in your dnsmasq.conf.add file.

I've noticed that some perfectly valid services, like Amazon's music player, use URLs that resolve to the local host (amazonmusiclocal.com=127.0.0.1) as in your example. This is different from an attack that resolves to something like 192.168.1.55.
 

john9527

Part of the Furniture
I've noticed that some perfectly valid services, like Amazon's music player, use URLs that resolve to the local host (amazonmusiclocal.com=127.0.0.1) as in your example. This is different from an attack that resolves to something like 192.168.1.55.
Interesting.
On my fork, I add 'rebind-localhost-ok' if you are using DoT (Nothing specific, but I was worried about dnsmasq and stubby both using localhost addresses). Maybe it should be a general option when enabling stop-dns-rebind?
 

RMerlin

Asuswrt-Merlin dev
Interesting.
On my fork, I add 'rebind-localhost-ok' if you are using DoT (Nothing specific, but I was worried about dnsmasq and stubby both using localhost addresses). Maybe it should be a general option when enabling stop-dns-rebind?
I see good and bad things with that. Good thing is to help oddly designed applications (why do they need a public hostname to access localhost when localhost is a perfectly valid hostname?). Bad thing is it could potentially be used for nefarious purposes (though at least they can't use that to point at your router). So, kinda torn between both.
 

Zonkd

Very Senior Member
Code:
dnsmasq[741]: possible DNS-rebind attack detected: steamloopback.host
I see Valve's Steam client can cause it.
 

teknojnky

Senior Member

PeterR

Regular Contributor
Plex uses DNS rebind too. Possibly useful reference.

https://support.plex.tv/articles/206225077-how-to-use-secure-server-connections/

Code:
rebind-domain-ok=/plex.direct/
I couldn't find any advanced settings box, I'm assuming that was removed at some point?

Further assuming this must be manually added somewhere via SSH?
Create a file dnsmasq.conf.add in /jffs/configs containing the line you quoted above, it will be added automatically to the dnsmasq.conf file. Refer to the Asuswrt-Merlin wiki if you need more details.
 

Zonkd

Very Senior Member
Update below with more seen in my syslog.

Code:
NEWS SITE
dnsmasq[1152]: possible DNS-rebind attack detected: crta.dailymail.co.uk

ANTIVIRUS (Avast)
dnsmasq[731]: possible DNS-rebind attack detected: ipm-provider.ff.avast.com
dnsmasq[731]: possible DNS-rebind attack detected: analytics.ff.avast.com

SONOS (Internet of Things IoT Music Speaker Device)
dnsmasq[731]: possible DNS-rebind attack detected: msmetrics.ws.sonos.com

MOZILLA (Firefox Browser Tracker)
dnsmasq[731]: possible DNS-rebind attack detected: incoming.telemetry.mozilla.org

MICROSOFT
dnsmasq[731]: possible DNS-rebind attack detected: c.bing.com
dnsmasq[731]: possible DNS-rebind attack detected: watson.telemetry.microsoft.com
dnsmasq[731]: possible DNS-rebind attack detected: settings-win.data.microsoft.com
dnsmasq[731]: possible DNS-rebind attack detected: web.vortex.data.microsoft.com
dnsmasq[731]: possible DNS-rebind attack detected: v10.events.data.microsoft.com

GOOGLE
dnsmasq[731]: possible DNS-rebind attack detected: adservice.google.com
dnsmasq[1152]: possible DNS-rebind attack detected: googleads.g.doubleclick.net
dnsmasq[1152]: possible DNS-rebind attack detected: ssl.google-analytics.com
dnsmasq[1152]: possible DNS-rebind attack detected: www.googleadservices.com

APPLE
dnsmasq[731]: possible DNS-rebind attack detected: news.iadsdk.apple.com
dnsmasq[731]: possible DNS-rebind attack detected: metrics.icloud.com
dnsmasq[1152]: possible DNS-rebind attack detected: apple.comscoreresearch.com
dnsmasq[1152]: possible DNS-rebind attack detected: cf.iadsdk.apple.com
dnsmasq[1152]: possible DNS-rebind attack detected: iadsdk.apple.com
dnsmasq[1152]: possible DNS-rebind attack detected: stats.gc.apple.com
dnsmasq[1152]: possible DNS-rebind attack detected: stats.gc-apple.com.akadns.net
dnsmasq[1152]: possible DNS-rebind attack detected: stats.gc.fe.apple-dns.net

ADOBE
dnsmasq[1152]: possible DNS-rebind attack detected: assets.adobedtm.com

VARIOUS OTHERS
dnsmasq[731]: possible DNS-rebind attack detected: ads.api.vungle.com
dnsmasq[731]: possible DNS-rebind attack detected: ads.nexage.com
dnsmasq[731]: possible DNS-rebind attack detected: ds-aksb-a.akamaihd.net
dnsmasq[1152]: possible DNS-rebind attack detected: settings.crashlytics.com
dnsmasq[1152]: possible DNS-rebind attack detected: reports.crashlytics.com
dnsmasq[1152]: possible DNS-rebind attack detected: e.crashlytics.com
dnsmasq[1152]: possible DNS-rebind attack detected: ads.flurry.com
dnsmasq[1152]: possible DNS-rebind attack detected: data.flurry.com
dnsmasq[1152]: possible DNS-rebind attack detected: js-agent.newrelic.com
dnsmasq[1152]: possible DNS-rebind attack detected: www.adtilt.com
dnsmasq[1152]: possible DNS-rebind attack detected: app-measurement.com
dnsmasq[1152]: possible DNS-rebind attack detected: n.appcontent.stream
dnsmasq[1152]: possible DNS-rebind attack detected: api.keen.io
dnsmasq[1152]: possible DNS-rebind attack detected: c.evidon.com
dnsmasq[1152]: possible DNS-rebind attack detected: ap.lijit.com
dnsmasq[1152]: possible DNS-rebind attack detected: bnc.lt
dnsmasq[1152]: possible DNS-rebind attack detected: storage.cloud.kargo.com
dnsmasq[1152]: possible DNS-rebind attack detected: app.adjust.com
dnsmasq[1152]: possible DNS-rebind attack detected: sb.scorecardresearch.com
dnsmasq[1152]: possible DNS-rebind attack detected: www.vungle.com
dnsmasq[1152]: possible DNS-rebind attack detected: bnc.lt
dnsmasq[1152]: possible DNS-rebind attack detected: s0.2mdn.net
dnsmasq[1152]: possible DNS-rebind attack detected: tags.tiqcdn.com
dnsmasq[741]: possible DNS-rebind attack detected: localhost.megasyncloopback.mega.nz
dnsmasq[741]: possible DNS-rebind attack detected: steamloopback.host
 

ColinTaylor

Part of the Furniture
@Zonkd Apart from the last two all the others appear to return valid addresses. I'm guessing you're seeing them because you're using some sort of ad-blocker on those addresses.
 

Zonkd

Very Senior Member
Then it looks like every single blocked site will be classified as a rebind attack, making listing them rather pointless?
I have a lot of other sites getting blocked by diversion and skynet which aren’t being flagged as a rebind attack. So I’m uncertain.

Edit: is anyone else seeing these in their logs? Maybe it's just a network configuration issue on my end. The rebind.network proof of concept website shows it's already a workable solution for locating interoperable IoT devices, but what other uses may it have? On topic and purely out of curiosity: would performing a quick rebind in the background be a practical method of confirming a visitor's network topology and if there is visibility/accessibility to any other devices on the VLAN? Sounds like a cool (but ugly) way to fingerprint a user to later match against a shadow profile. Not that I believe it's happening in this case. I can only imagine these are false positives.
 

Zonkd

Very Senior Member
Then it looks like every single blocked site will be classified as a rebind attack, making listing them rather pointless?
Actually it seems like you may be correct, disabling adblockers on my host put the load onto Diversion, and sure enough the blocks it performed showed up in syslogs as possible rebind attacks. So it's basically all false positives, which yes does make it pointless listing them in syslogs.
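An added triage helper, not from this thread or from Asuswrt-Merlin: it reads syslog lines in the exact format quoted above and, given the address each flagged name resolves to upstream, sorts them into loopback answers (the Steam/MEGA/Amazon case, candidates for rebind-localhost-ok), blackholed 0.0.0.0 answers (what a blocklist-style upstream returns, which dnsmasq also treats as a private range), and genuinely private LAN answers (what stop-dns-rebind exists for), suggesting the rebind-domain-ok line for plex.direct. The sample log lines, the resolution answers and the function names are constructed for this example.

```python
import ipaddress
import re

# Matches the dnsmasq syslog line shape quoted in this thread (regex is mine).
REBIND_RE = re.compile(r"dnsmasq\[\d+\]: possible DNS-rebind attack detected: (\S+)")

# Domain the thread identifies as legitimately resolving to a LAN address,
# mapped to the dnsmasq.conf.add line that whitelists it.
KNOWN_OK = {"plex.direct": "rebind-domain-ok=/plex.direct/"}

# Constructed sample log (same format as the thread; the plex.direct name is made up).
SAMPLE_SYSLOG = """\
dnsmasq[741]: possible DNS-rebind attack detected: steamloopback.host
dnsmasq[731]: possible DNS-rebind attack detected: adservice.google.com
dnsmasq[1152]: possible DNS-rebind attack detected: 192-168-1-20.abcd1234.plex.direct
dnsmasq[741]: possible DNS-rebind attack detected: steamloopback.host
"""

# Constructed answers standing in for a lookup against the upstream resolver directly
# (not through dnsmasq, which would refuse the answer again).
SAMPLE_ANSWERS = {
    "steamloopback.host": "127.0.0.1",
    "adservice.google.com": "0.0.0.0",  # blocklist answer, not the real record
    "192-168-1-20.abcd1234.plex.direct": "192.168.1.20",
}

def classify(answer):
    """Bucket an answered address the way a defender would read the log entry."""
    addr = ipaddress.ip_address(answer)
    if addr.is_loopback:
        return "loopback"      # localhost-style app services
    if addr.is_unspecified:
        return "blackholed"    # 0.0.0.0: ad-blocker / blocklist, a false positive
    if addr.is_private or addr.is_link_local:
        return "private"       # RFC1918 / link-local: the real rebind concern
    return "public"            # would not normally be flagged; re-check the lookup

def suggest(hostname, category):
    """Return the dnsmasq.conf.add line the thread discusses for this case, or None."""
    if category == "loopback":
        return "rebind-localhost-ok"
    parent = ".".join(hostname.rsplit(".", 2)[-2:])
    if category == "private" and parent in KNOWN_OK:
        return KNOWN_OK[parent]
    return None  # a private answer for an unknown domain deserves a closer look

def triage(syslog_text, answers):
    """Map each distinct flagged hostname to (category, suggested config line)."""
    result = {}
    for match in REBIND_RE.finditer(syslog_text):
        host = match.group(1)
        if host not in result and host in answers:
            category = classify(answers[host])
            result[host] = (category, suggest(host, category))
    return result
```

Run it as `triage(SAMPLE_SYSLOG, SAMPLE_ANSWERS)`; only the "private" bucket with no suggestion is worth investigating further.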
 

john9527

Part of the Furniture
Actually it seems like you may be correct, disabling adblockers on my host put the load onto Diversion, and sure enough the blocks it performed showed up in syslogs as possible rebind attacks. So it's basically all false positives, which yes does make it pointless listing them in syslogs.
Try adding
rebind-localhost-ok
to dnsmasq.conf with a /jffs/configs/dnsmasq.conf.add
 
