Updated my DNS Settings - DoT implications and DNS Rebind Attack message


CaptnDanLKW

Senior Member
I had been using my ISP's DNS, no DoT, and my clients all use DHCP (most have reservations), and my router is the DNS server they use.

Now I'm finally looking to increase my privacy (everywhere). Also, I just switched to Quad9 in the primary DNS section and also enabled DoT, picking the same Quad9 servers (IPv4 and IPv6) and Cloudflare's as well.

Few questions:

1) If DoT is enabled, are the regular DNS servers ever used?

2) Is the DoT server list order displayed the actual order that is used? How would that work, since the first server would always respond unless there's an outage, which is unlikely? So what's the point of adding more than 2 (like we do traditionally), or 4 (a pair for IPv4 and a pair for IPv6)?

3) How does the LAN->DNSFilters section work in conjunction with these settings and the DHCP Reservation setting which allows for returning a different DNS Server? I looked in there and the whole setup feels redundant. Am I mistaken?

4) Since the change, I have thousands of syslog entries for "possible DNS-rebind attack detected" for many different domains.
Is this a byproduct of DoT, should I just disable the DNS rebind protection setting? Or should I be looking for a config issue somewhere?
 
1) Not if you set it to strict mode. It possibly uses the regular DNS to validate the hostname on the certificates for the DoT connection.

2) Not sure, probably not was my guess. Usually whatever one responds faster gets used the most.

3) Sending a DNS server via DHCP is a suggestion. An app or device can also use whatever they want. The DNS Filter can FORCEFULLY redirect DNS queries where you want. You could set it to "Router" globally to force all clients to use the Router DNS.

4) I have that enabled and only see a few from my work laptop which is trying to hit work domains when I am not on the VPN so it gets confused. Do you use a domain or VPN at all? The rebind would be if what it thinks is an external hostname is trying to resolve to a local IP.
 
1) Answered

2) Answered (although given enough time and demand, ALL the available DNS servers will typically be used. And what's considered fastest (and thus considered the preferred server) is always being reevaluated after so many queries and/or a given time period).

3) DNSFilter is simply an override. Whatever the client is configured to use for traditional DNS (Do53) is changed, on the fly, to your preference. It's just that simple. Just beware, if that override is NOT DNSMasq, but to say some public DNS server (e.g., 8.8.8.8), those clients bound to the DNSFilter will no longer be using DNSMasq's DNS server, and thus lose access to its features, such as local name resolution, local caching, ad blocking, etc. Also, there is no backup DNS server. Whatever the DNSFilter is set to, that's the one and only DNS server those clients must rely on. And so if it fails for any reason, they LOSE access to DNS!

IOW, the DNSFilter is a double-edged sword. It's convenient as an override for certain cases, but it comes w/ consequences that may NOT be so obvious until later on.

4) You normally want rebind protection, but why any one user gets more warnings than another just depends on your particular configuration, and even where you roam the internet. Obviously darker sides of the web are more likely to attempt this hack. But if it's from just a few locations that you normally visit and trust, you can make exceptions for those domains in DNSMasq (which will stop the warning messages).

Code:
rebind-domain-ok=/xyz.com/abc.com/qqq.com

The above would need to be added to DNSMasq w/ a user config file, specifically /jffs/configs/dnsmasq.conf.add. The option "Enable JFFS custom scripts and configs" has to be set to Yes in Administration > System as well.

------------------------------

P.S. You might find the following helpful for understanding exactly what DNS server(s) are being used and how they are being routed.

 
Thanks.

1 & 3 are clear.

For #2, are we saying that dnsmasq, when processing a name lookup from a LAN client (who's using 192.168.1.1 as their DNS server, as advertised through DHCP), will blast a DNS lookup to every one in the list and return the first one to respond back to the client?

This seems to break with the traditional Primary, Secondary and Tertiary sequential method in a traditional OS stack, where it would move through the choices only when the first lookup didn't respond AT ALL. (If it responds with "host name unknown", that in itself IS a response and it won't try the others.)

For #4, before changing to DoT (opportunistic) I had one or two rebind warnings from a few Azure and Microsoft domains, so I did add them to the dnsmasq.conf.add file and that was successful. However, once enabling DoT, I get thousands of domains; just a sample below (I can tell which device is making the request because some of them are obvious, like my Roku devices). Nothing else changed other than enabling DoT, so I'm still trying to understand the 'why'.

Thanks, I'll look at the post on how to monitor requests in real time.

Jul 7 12:51:30 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: pagead2.googlesyndication.com
Jul 7 12:54:12 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: securepubads.g.doubleclick.net
Jul 7 12:56:46 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: liberty.logs.roku.com
Jul 7 13:43:14 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: madison.logs.roku.com
Jul 7 13:54:20 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: device-metrics-us-2.amazon.com
Jul 7 13:55:02 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: scribe.logs.roku.com
Jul 7 14:12:06 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: device-metrics-us.amazon.com
Jul 7 14:36:29 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: austin.logs.roku.com
Jul 7 14:41:42 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: madison.logs.roku.com
Jul 7 14:48:46 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: device-metrics-us-2.amazon.com
Jul 7 14:50:26 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: scribe.logs.roku.com
Jul 7 15:07:20 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: ad.doubleclick.net
Jul 7 15:07:23 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: opus.analytics.yahoo.com
Jul 7 15:07:23 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: tag.idsync.analytics.yahoo.com
Jul 7 15:07:24 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: pubads.g.doubleclick.net
Jul 7 15:07:48 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: opus.analytics.yahoo.com
Jul 7 15:07:48 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: tag.idsync.analytics.yahoo.com
Jul 7 15:08:29 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: idsync.rlcdn.com
Jul 7 15:08:29 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: js-agent.newrelic.com
Jul 7 15:08:29 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: s.amazon-adsystem.com
Jul 7 15:08:29 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: ups.analytics.yahoo.com
Jul 7 15:08:32 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: s-static.innovid.com
Jul 7 15:08:34 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: q-aus1.contentsquare.net
Jul 7 15:08:34 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: c.contentsquare.net
Jul 7 15:08:40 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: s-static.innovid.com
Jul 7 15:08:59 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: c.contentsquare.net
Jul 7 15:09:42 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: dmxleo.dailymotion.com
Jul 7 15:12:46 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: madison.logs.roku.com
Jul 7 15:14:50 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: device-metrics-us-2.amazon.com
Jul 7 15:16:14 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: ad.doubleclick.net
Jul 7 15:16:15 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: prod-m-node-1111.ssp.advertising.com
Jul 7 15:16:23 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: dis.criteo.com
 
However, once enabling DoT, I get thousands of domains; just a sample below (I can tell which device is making the request because some of them are obvious, like my Roku devices). Nothing else changed other than enabling DoT, so I'm still trying to understand the 'why'.
Did you configure an ad-blocking DoT server in DNS Privacy? That would create a lot of rebind messages if it is returning 0.0.0.0.
are we saying that dnsmasq, when processing a name lookup from a LAN client (who's using 192.168.1.1 as their DNS server, as advertised through DHCP), will blast a DNS lookup to every one in the list and return the first one to respond back to the client?
Every so often dnsmasq will send to all its configured upstream servers and use the fastest server until the next test interval.
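As an added example (not code from the thread, from dnsmasq or from AdGuard), here is a small Python model of what the rebind-domain-ok post above and the reply just above describe: an upstream that answers a filtered name with 0.0.0.0 (or ::) lands in the ranges rebind protection rejects, so dnsmasq logs "possible DNS-rebind attack detected"; a rebind-domain-ok entry suppresses that for the domain and its subdomains; and a quick counter over syslog lines shows which domains generate the noise. The list of "local" ranges is an assumption taken from the dnsmasq manual's description of --stop-dns-rebind (private, loopback, link-local and all-zeros addresses); the authoritative check is dnsmasq's own source. The answers and syslog excerpt are constructed for the example.

```python
"""Model of dnsmasq's rebind protection, as discussed in this thread.

Added example; not code from the thread, from dnsmasq or from AdGuard.
The set of "local" ranges below is an assumption based on the dnsmasq
manual's description of --stop-dns-rebind; the real check is in dnsmasq.
"""
import ipaddress
import re
from collections import Counter

# Ranges treated as local for rebind purposes (assumption, see docstring).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fe80::/10", "fc00::/7",
)]


def is_local_answer(addr: str) -> bool:
    """True if an A/AAAA answer points into a range rebind protection rejects."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def parse_rebind_ok(option: str) -> list:
    """Parse 'rebind-domain-ok=/a.com/b.com/' into ['a.com', 'b.com']."""
    _, _, value = option.partition("=")
    return [d.lower() for d in value.split("/") if d]


def domain_allowed(name: str, allowed) -> bool:
    """dnsmasq domain options match the domain itself and every subdomain."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in allowed)


def check_answer(name: str, answers, allowed=()) -> str:
    """Classify a resolution: 'ok', 'allowed' (exception) or 'rebind' (warned)."""
    if not any(is_local_answer(a) for a in answers):
        return "ok"
    return "allowed" if domain_allowed(name, allowed) else "rebind"


LOG_RE = re.compile(r"dnsmasq\[\d+\]: possible DNS-rebind attack detected: (\S+)")


def count_warnings(lines) -> Counter:
    """Count rebind warnings per domain in syslog lines; other lines are ignored."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            hits[m.group(1)] += 1
    return hits


# Constructed sample answers: filtering-upstream style blocked answers versus a
# normal answer (203.0.113.10 is a documentation address, not a real record).
SAMPLE = [
    ("pagead2.googlesyndication.com", ["0.0.0.0"]),   # blocked, A record
    ("pagead2.googlesyndication.com", ["::"]),        # blocked, AAAA record
    ("www.example.com", ["203.0.113.10"]),            # ordinary public answer
]
EXCEPTIONS = parse_rebind_ok("rebind-domain-ok=/googlesyndication.com/doubleclick.net/")

# Constructed syslog excerpt in the same format as the lines posted above.
SYSLOG = [
    "Jul 7 12:51:30 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: pagead2.googlesyndication.com",
    "Jul 7 12:54:12 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: securepubads.g.doubleclick.net",
    "Jul 7 12:56:46 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: liberty.logs.roku.com",
    "Jul 7 13:55:02 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: scribe.logs.roku.com",
    "Jul 7 14:50:26 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: scribe.logs.roku.com",
    "Jul 7 14:12:06 RTAC86U dnsmasq[1431]: read /etc/hosts - 24 names",
]

if __name__ == "__main__":
    for name, answers in SAMPLE:
        print(f"{name:32} {answers} -> no exception: {check_answer(name, answers)},"
              f" with exception: {check_answer(name, answers, EXCEPTIONS)}")
    for domain, n in count_warnings(SYSLOG).most_common():
        print(f"{n:4}  {domain}")
```

Run against a real syslog, the counter is the quickest way to decide whether the warnings come from a handful of trusted domains (a rebind-domain-ok candidate) or from a filtering upstream answering everything on its block list with 0.0.0.0, in which case the fix is the resolver list, not the exception list.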
 
Did you configure an ad-blocking DoT server in DNS Privacy? That would create a lot of rebind messages if it is returning 0.0.0.0.
All those domains he listed look like things that would be on a block list also, so that's my guess. I see logs, metrics, and ad domains. Did not realize that would trigger the rebind warning.
 
2) Is the DoT Server list order displayed, the actual order that is used? How would that work since the first server would always respond, unless there's an outage - which is unlikely. So, what's the point of adding more than 2 (like we do traditionally) - or 4 (pair for ipv4 and pair for ipv6)?
Stubby uses round_robin_upstreams: 1. So each new query is sent to the next (single) server in the list. When it gets to the end of the list it starts again from the beginning.
 
Every so often dnsmasq will send to all its configured upstream servers and use the fastest server until the next test interval.

Also, given enough demand, it will NOT hesitate to use multiple DNS servers if that will increase efficiency. IOW, if it only needs a single DNS server to satisfy current demand, then yes, it will use the preferred DNS server (based on the fastest response, which gets reevaluated from time to time).

That's why for any given DNSMasq configuration, you should assume ALL available DNS servers will eventually be used given enough time and demand.

That's why the Strict option for "Accept DNS configuration" on the OpenVPN client is misleading (and ineffective). It suggests that the choice of DNS server will be based on an ordered list, w/ those of the VPN provider having the highest priority. But as the DNS monitor shows, that does NOT mean it won't use every available DNS server if it decides that's most efficient. For all intents and purposes, the Strict option isn't any different from Relaxed. At least NOT in terms of preventing DNS leaks. Exclusive ends up being the only option to guarantee against DNS leaks.

DoT is a completely different situation since once enabled, DNSMasq is then bound to the Stubby local service ALONE for all public name resolution. Stubby is then free to use its own algorithms as to which DNS servers to use, what order, ALL or one at a time, etc.
 
Did you configure an ad-blocking DoT server in DNS Privacy? That would create a lot of rebind messages if it is returning 0.0.0.0.

Every so often dnsmasq will send to all its configured upstream servers and use the fastest server until the next test interval.

Actually, I did have AdGuard 1 (IPv4 and IPv6) in my list, along with Quad9 and Cloudflare 1.1.1.1 in there. I removed it and turned off rebind protection for a time (probably should have done one or the other, not both). As a new test I left AdGuard out but just turned rebind protection back on. I'll watch it today and check back later. If that's how the AdGuard servers work, by returning 0.0.0.0, then that could explain it. Good info. Thanks.
 
Actually, I did have AdGuard 1 (IPv4 and IPv6) in my list, along with Quad9 and Cloudflare 1.1.1.1 in there. I removed it and turned off rebind protection for a time (probably should have done one or the other, not both). As a new test I left AdGuard out but just turned rebind protection back on. I'll watch it today and check back later. If that's how the AdGuard servers work, by returning 0.0.0.0, then that could explain it. Good info. Thanks.
Adguard DNS will give you the rebind warnings - yes.
I trialled Adguard for a while & my syslog got smashed.;)
 
Wait AdGuard in DoT with other servers is going to only occasionally block ads right? Doesn’t Stubby do a round robin of all the resolvers?
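The two upstream-selection policies discussed above (dnsmasq probing all servers every so often and keeping the fastest, and Stubby's round_robin_upstreams: 1) can be simulated side by side to answer the question just asked. This is an added example, not code from the thread, dnsmasq or Stubby; the 50-query probe interval, the resolver names and the latency figures are constructed for the model.

```python
"""Upstream-selection policies named in this thread, simulated side by side.

Added example; not code from the thread, dnsmasq or Stubby.  round_robin()
models Stubby's round_robin_upstreams: 1 (each query to the next server in
the list, wrapping at the end).  fastest_with_retest() models dnsmasq's
behaviour as described above: every so often it probes all servers and then
sticks with the fastest until the next probe.  The probe interval (50
queries) and the latencies are assumptions made for the model.
"""
import itertools
from collections import Counter


def round_robin(servers, n_queries):
    """Server chosen for each of n_queries under strict round robin."""
    cycle = itertools.cycle(servers)
    return [next(cycle) for _ in range(n_queries)]


def fastest_with_retest(servers, latency_ms, n_queries, retest_every=50):
    """Server chosen for each query when the fastest responder of the last
    probe is kept until the next probe.  latency_ms(server, query_index) -> float."""
    chosen, best = [], None
    for i in range(n_queries):
        if i % retest_every == 0:          # probe all servers, keep the fastest
            best = min(servers, key=lambda s: latency_ms(s, i))
        chosen.append(best)
    return chosen


def blocked_fraction(chosen, filtering):
    """Fraction of queries that landed on a filtering (ad-blocking) upstream,
    i.e. the share of ad/tracker lookups that would come back as 0.0.0.0."""
    return sum(1 for s in chosen if s in filtering) / len(chosen)


# Constructed resolver list in the spirit of the thread: Quad9, Cloudflare, AdGuard.
SERVERS = ["quad9", "cloudflare", "adguard"]
FILTERING = {"adguard"}


def sample_latency(server, query_index):
    """Constructed latencies: Cloudflare starts fastest, then slows after
    query 100 so that the next probe switches the fastest-wins policy to Quad9."""
    base = {"quad9": 12.0, "cloudflare": 9.0, "adguard": 15.0}
    penalty = 5.0 if server == "cloudflare" and query_index >= 100 else 0.0
    return base[server] + penalty


def run(n_queries=300):
    """Return {policy: (per-server query counts, fraction answered by a filter)}."""
    rr = round_robin(SERVERS, n_queries)
    fw = fastest_with_retest(SERVERS, sample_latency, n_queries)
    return {
        "round_robin": (Counter(rr), blocked_fraction(rr, FILTERING)),
        "fastest": (Counter(fw), blocked_fraction(fw, FILTERING)),
    }


if __name__ == "__main__":
    for policy, (dist, frac) in run().items():
        print(f"{policy:12} {dict(dist)}  ad lookups answered by filter: {frac:.0%}")
```

Under round robin the filtering resolver sees exactly one query in three, so an ad-blocking upstream mixed into a DoT list blocks roughly a third of ad lookups and lets the rest through, which matches the "only occasionally" worry above. Under fastest-wins the outcome is all-or-nothing per probe window, which is why a client sees every lookup either filtered or unfiltered until the next re-evaluation.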
 
Code:
root@router:~# dig @94.140.14.14 AAAA pagead2.googlesyndication.com +short
::
root@router:~# dig @94.140.14.14 A pagead2.googlesyndication.com +short
0.0.0.0
 
Code:
root@router:~# dig @94.140.14.14 AAAA pagead2.googlesyndication.com +short
::
root@router:~# dig @94.140.14.14 A pagead2.googlesyndication.com +short
0.0.0.0
Shows you what I (don’t) know…….:eek:
I’ll delete my misinformation.
 
Hello guys, I have an issue now after moving to a new ISP. I don't think it is related to the latest version, but let me explain. My ISP now is T-Mobile and they gave me a 5G router. From that router I have attached my current one from LAN to WAN, so I have two separate networks. Now the problem is with DNS, which the primary internet router doesn't give you the possibility to change. On the ASUS I have AdGuard, but from time to time I have problems browsing websites; often it times out or is slow to open. As soon as I assign "get DNS from ISP" then everything looks smooth. I do not want to have ads etc., so does someone know what the problem can be?
 
Hello guys, I have an issue now after moving to a new ISP. I don't think it is related to the latest version, but let me explain. My ISP now is T-Mobile and they gave me a 5G router. From that router I have attached my current one from LAN to WAN, so I have two separate networks. Now the problem is with DNS, which the primary internet router doesn't give you the possibility to change. On the ASUS I have AdGuard, but from time to time I have problems browsing websites; often it times out or is slow to open. As soon as I assign "get DNS from ISP" then everything looks smooth. I do not want to have ads etc., so does someone know what the problem can be?
You probably now have a double NAT going on if the T-Mobile router is still in "router" mode. What is the WAN IP showing on the Asus router? If it's a 192. address (or any other private range) then the T-Mobile setup is putting the Asus router behind a NAT firewall. Get into the T-Mobile router admin UI and see if there is a way to set it to "Gateway" mode or otherwise disable the router functions. Then it should just pass the WAN IP over to your actual router and things will work as they did before.
 
Currently the setup is DHCP on the T-Mobile modem with the 5G SIM in. Its LAN IP is set to 10.10.2.1. The APN is not changeable and has its own IP and DNS servers. I have disabled WiFi on the Xiaomi router. Then I'm using the Xiaomi LAN connected to the WAN port on the ASUS, where all devices are connected. The ASUS IP is 10.10.1.1. The ASUS WAN IP is showing 10.10.2.61. I have tried first configuring DNS on the ASUS, or AdGuard DNS at the Xiaomi modem. It actually doesn't matter which DNS I use: if I surf, I get DNS timeouts from time to time or very big slowness, and possibly reconnecting to the website. If I exclude any manual DNS, it works smoothly. Thank you.
 
Isn't the whole T-Mobile 5G network IPv4 CG-NAT + IPv6? DNS you can fix somehow, but running services accessible from the Internet will be more challenging.
 
I don't know. This is the log from the ASUS when I apply AdGuard DNS at the Xiaomi router. It seems the ASUS already knows what I'm doing:

May 21 18:35:16 dnsmasq[22147]: read /etc/hosts - 24 names
May 21 18:35:16 dnsmasq[22147]: using nameserver 94.140.14.14#53
May 21 18:35:16 dnsmasq[22147]: using nameserver 94.140.15.15#53
May 21 18:35:16 dnsmasq[22147]: using nameserver 94.140.14.14#53
May 21 18:35:16 dnsmasq[22147]: using nameserver 94.140.15.15#53
May 21 18:35:17 wan: finish adding multi routes
May 21 18:35:17 miniupnpd[21977]: shutting down MiniUPnPd
May 21 18:35:17 WAN(0)_Connection: WAN was restored.
May 21 18:35:17 dnsmasq[22147]: read /etc/hosts - 24 names
May 21 18:35:17 dnsmasq[22147]: using nameserver 94.140.14.14#53
May 21 18:35:17 dnsmasq[22147]: using nameserver 94.140.15.15#53
May 21 18:35:17 dnsmasq[22147]: using nameserver 94.140.14.14#53
May 21 18:35:17 dnsmasq[22147]: using nameserver 94.140.15.15#53
May 21 18:35:22 miniupnpd[15540]: HTTP listening on port 50874
May 21 18:35:22 miniupnpd[15540]: no HTTP IPv6 address, disabling IPv6
May 21 18:35:22 miniupnpd[15540]: Listening for NAT-PMP/PCP traffic on port 5351
May 21 18:35:22 ddns: IP address, server and hostname have not changed since the last update.
May 21 18:35:23 BWDPI: force to flush flowcache entries
May 21 18:35:25 BWDPI: fun bitmap = 43f
May 21 18:35:26 kernel: HTB: quantum of class 10001 is big. Consider r2q change.
May 21 18:35:26 kernel: HTB: quantum of class 20001 is big. Consider r2q change.
May 21 18:35:26 kernel: HTB: quantum of class 10009 is big. Consider r2q change.
May 21 18:35:26 kernel: HTB: quantum of class 20009 is big. Consider r2q change.
May 21 18:35:26 kernel: HTB: quantum of class 30010 is small. Consider r2q change.
May 21 18:35:26 kernel: HTB: quantum of class 20010 is small. Consider r2q change.
May 21 18:35:26 kernel: HTB: quantum of class 40011 is small. Consider r2q change.
May 21 18:35:26 kernel: HTB: quantum of class 20011 is small. Consider r2q change.
May 21 18:35:26 rc_service: udhcpc_wan 15257:notify_rc stop_samba
May 21 18:35:26 wsdd2[22166]: 'Terminated' signal received.
May 21 18:35:26 wsdd2[22166]: terminating.
May 21 18:35:26 Samba_Server: smb daemon is stopped
May 21 18:35:27 rc_service: udhcpc_wan 15257:notify_rc start_samba
May 21 18:35:27 dnsmasq[22147]: exiting on receipt of SIGTERM
May 21 18:35:27 dnsmasq[15710]: started, version 2.90 cachesize 1500
May 21 18:35:27 dnsmasq[15710]: compile time options: IPv6 GNU-getopt no-RTC no-DBus no-UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset no-nftset no-auth cryptohash DNSSEC no-ID loop-detect no-inotify no-dumpfile
May 21 18:35:27 dnsmasq[15710]: DNSSEC validation enabled
May 21 18:35:27 dnsmasq[15710]: configured with trust anchor for <root> keytag 20326
May 21 18:35:27 dnsmasq[15710]: warning: interface pptp* does not currently exist
May 21 18:35:27 dnsmasq[15710]: asynchronous logging enabled, queue limit is 5 messages
May 21 18:35:27 dnsmasq-dhcp[15710]: DHCP, IP range 192.168.102.2 -- 192.168.102.254, lease time 1d
May 21 18:35:27 dnsmasq-dhcp[15710]: DHCP, IP range 192.168.101.2 -- 192.168.101.254, lease time 1d
May 21 18:35:27 dnsmasq-dhcp[15710]: DHCP, IP range 10.10.1.2 -- 10.10.1.254, lease time 1d
May 21 18:35:27 dnsmasq[15710]: read /etc/hosts - 24 names
May 21 18:35:27 dnsmasq[15710]: using nameserver 94.140.14.14#53
May 21 18:35:27 dnsmasq[15710]: using nameserver 94.140.15.15#53
May 21 18:35:27 dnsmasq[15710]: using nameserver 94.140.14.14#53
May 21 18:35:27 dnsmasq[15710]: using nameserver 94.140.15.15#53
May 21 18:35:27 Samba_Server: daemon is started
May 21 18:35:27 wsdd2[15728]: starting.
May 21 18:35:28 dhcp_client: bound 10.10.2.61/255.255.255.0 via 10.10.2.1 for 43200 seconds.
May 21 18:37:10 dnsmasq[15710]: possible DNS-rebind attack detected: browser.pipe.aria.microsoft.com
May 21 18:40:15 wlceventd: wlceventd_proc_event(685): eth7: Auth 76:BE:43:C2:B3:2F, status: Successful (0), rssi:0
May 21 18:40:15 hostapd: eth7: STA 76:be:43:c2:b3:2f IEEE 802.11: associated
May 21 18:40:15 wlceventd: wlceventd_proc_event(722): eth7: Assoc 76:BE:43:C2:B3:2F, status: Successful (0), rssi:-38
May 21 18:40:15 kernel: CFG80211-ERROR) wl_cfg80211_change_station : WLC_SCB_AUTHORIZE sta_flags_mask not set
May 21 18:40:15 hostapd: eth7: STA 76:be:43:c2:b3:2f RADIUS: starting accounting session 0F41A7F8AFBB59C3
May 21 18:40:15 hostapd: eth7: STA 76:be:43:c2:b3:2f WPA: pairwise key handshake completed (RSN)
May 21 18:40:15 dnsmasq-dhcp[15710]: DHCPREQUEST(br0) 10.10.1.29 76:be:43:c2:b3:2f
May 21 18:40:15 dnsmasq-dhcp[15710]: DHCPACK(br0) 10.10.1.29 76:be:43:c2:b3:2f
May 21 18:40:15 dnsmasq-dhcp[15710]: DHCPREQUEST(br0) 10.10.1.29 76:be:43:c2:b3:2f
May 21 18:40:15 dnsmasq-dhcp[15710]: DHCPACK(br0) 10.10.1.29 76:be:43:c2:b3:2f
May 21 18:40:56 wlceventd: wlceventd_proc_event(645): eth7: Deauth_ind 9A:40:BA:76:02:6C, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3), rssi:0
May 21 18:40:56 hostapd: eth7: STA 9a:40:ba:76:02:6c IEEE 802.11: disassociated
May 21 18:44:22 dnsmasq[15710]: possible DNS-rebind attack detected: logs.netflix.com
May 21 18:44:22 dnsmasq[15710]: possible DNS-rebind attack detected: logs.netflix.com
May 21 18:44:37 dnsmasq[15710]: possible DNS-rebind attack detected: browser.pipe.aria.microsoft.com
May 21 18:49:28 dnsmasq[15710]: possible DNS-rebind attack detected: browser.pipe.aria.microsoft.com
May 21 18:49:52 dnsmasq-dhcp[15710]: DHCPDISCOVER(br0) 64:1c:b0:a4:6b:93
May 21 18:49:52 dnsmasq-dhcp[15710]: DHCPOFFER(br0) 10.10.1.154 64:1c:b0:a4:6b:93
May 21 18:49:52 dnsmasq-dhcp[15710]: DHCPREQUEST(br0) 10.10.1.154 64:1c:b0:a4:6b:93
May 21 18:49:52 dnsmasq-dhcp[15710]: DHCPACK(br0) 10.10.1.154 64:1c:b0:a4:6b:93 Samsung
May 21 18:50:14 dnsmasq[15710]: possible DNS-rebind attack detected: logs.netflix.com
May 21 18:50:35 dnsmasq[15710]: possible DNS-rebind attack detected: logs.netflix.com
May 21 18:50:56 dnsmasq[15710]: possible DNS-rebind attack detected: logs.netflix.com
May 21 18:51:17 dnsmasq[15710]: possible DNS-rebind attack detected: logs.netflix.com
May 21 18:51:38 dnsmasq[15710]: possible DNS-rebind attack detected: logs.netflix.com
May 21 18:51:55 dnsmasq[15710]: possible DNS-rebind attack detected: browser.pipe.aria.microsoft.com
May 21 18:52:00 dnsmasq[15710]: possible DNS-rebind attack detected: logs.netflix.com
May 21 18:54:09 dnsmasq[15710]: possible DNS-rebind attack detected: beacons5.gvt3.com
May 21 18:54:09 dnsmasq[15710]: possible DNS-rebind attack detected: beacons5.gvt3.com
May 21 18:54:09 dnsmasq[15710]: possible DNS-rebind attack detected: beacons5.gvt3.com
May 21 18:54:10 dnsmasq[15710]: possible DNS-rebind attack detected: beacons5.gvt3.com
May 21 18:54:19 dnsmasq[15710]: possible DNS-rebind attack detected: browser.pipe.aria.microsoft.com
May 21 18:54:30 dnsmasq[15710]: possible DNS-rebind attack detected: beacons5.gvt3.com
May 21 18:54:31 dnsmasq[15710]: possible DNS-rebind attack detected: beacons5.gvt3.com
May 21 18:54:31 dnsmasq[15710]: possible DNS-rebind attack detected: beacons5.gvt3.com
May 21 18:55:01 kernel: eth1 (Ext switch port: 0) (Logical Port: 8) (phyId: 8) Link DOWN.
May 21 18:55:01 kernel: br0: port 1(eth1) entered disabled state
May 21 18:55:01 kernel: br1: port 2(eth1.501) entered disabled state
May 21 18:55:01 kernel: br2: port 2(eth1.502) entered disabled state
May 21 18:55:03 kernel: eth1 (Ext switch port: 0) (Logical Port: 8) (phyId: 8) Link UP at 10 mbps full duplex
May 21 18:55:03 kernel: br0: port 1(eth1) entered forwarding state
May 21 18:55:03 kernel: br0: port 1(eth1) entered forwarding state
May 21 18:55:03 kernel: br1: port 2(eth1.501) entered listening state
May 21 18:55:03 kernel: br1: port 2(eth1.501) entered listening state
May 21 18:55:03 kernel: br2: port 2(eth1.502) entered listening state
May 21 18:55:03 kernel: br2: port 2(eth1.502) entered listening state
May 21 18:55:18 kernel: br1: port 2(eth1.501) entered learning state
May 21 18:55:18 kernel: br2: port 2(eth1.502) entered learning state
May 21 18:55:29 dnsmasq[15710]: possible DNS-rebind attack detected: logs.netflix.com
May 21 18:55:30 dnsmasq[15710]: possible DNS-rebind attack detected: logs.netflix.com
May 21 18:55:32 dnsmasq[15710]: possible DNS-rebind attack detected: logs.netflix.com
May 21 18:55:33 kernel: br1: topology change detected, propagating
May 21 18:55:33 kernel: br1: port 2(eth1.501) entered forwarding state
May 21 18:55:33 kernel: br2: topology change detected, propagating
May 21 18:55:33 kernel: br2: port 2(eth1.502) entered forwarding state
May 21 18:55:34 dnsmasq[15710]: possible DNS-rebind attack detected: logs.netflix.com
May 21 18:55:34 kernel: eth1 (Ext switch port: 0) (Logical Port: 8) (phyId: 8) Link DOWN.
May 21 18:55:34 kernel: br0: port 1(eth1) entered disabled state
May 21 18:55:34 kernel: br1: port 2(eth1.501) entered disabled state
May 21 18:55:34 kernel: br2: port 2(eth1.502) entered disabled state
May 21 18:55:37 kernel: eth1 (Ext switch port: 0) (Logical Port: 8) (phyId: 8) Link UP at 1000 mbps full duplex
May 21 18:55:37 kernel: br0: port 1(eth1) entered forwarding state
 
Isn't the whole T-Mobile 5G network IPv4 CG-NAT + IPv6? DNS you can fix somehow, but running services accessible from the Internet will be more challenging.

T-Mobile is not CG-NAT... it's worse than that - search the forums for 464XLAT for IPv6. So they assign a local IP range, e.g. RFC1918, usually in the 192.168.12.0/24 range, but that depends on the gateway config.

IPv6 is even more problematic, as they do not assign a PD, so you cannot subnet..

That being said - it can be done with a router behind the T-Mobile GW, but you will be double-nat'ed and IPv6 will be link-local addressing - on the router you can assign both IPv4 and IPv6 DNS hosts, and DoT/DoH isn't a problem with T-Mobile when using your own router.
 
Get into the T-Mobile router admin UI and see if there is a way to set it to "Gateway" mode or otherwise disable the router functions.

With the consumer/retail T-Mobile TMHI accounts and Gateways, there is no way to bridge them...
 
