Updated my DNS Settings - DoT implications and DNS Rebind Attack message

CaptnDanLKW

Senior Member
I had been using my ISP's DNS, no DoT, and my clients all use DHCP (most have reservations), and my router is the DNS server they use.

Now I'm finally looking to increase my privacy (everywhere). Also

I just switched to Quad9 in the primary DNS section and also enabled DoT, picking the same Quad9 servers (IPv4 and IPv6) and Cloudflare's as well.

Few questions:

1) If DoT is enabled, are the regular DNS servers ever used?

2) Is the DoT server list order displayed the actual order that is used? How would that work, since the first server would always respond unless there's an outage, which is unlikely? So what's the point of adding more than 2 (like we do traditionally), or 4 (a pair for IPv4 and a pair for IPv6)?

3) How does the LAN->DNSFilters section work in conjunction with these settings and the DHCP Reservation setting which allows for returning a different DNS Server? I looked in there and the whole setup feels redundant. Am I mistaken?

4) Since the change, I have thousands of syslog entries for "possible DNS-rebind attack detected" for many different domains.
Is this a byproduct of DoT, should I just disable the DNS rebind protection setting? Or should I be looking for a config issue somewhere?
 

jtp10181

Regular Contributor
1) Not if you set it to strict mode. Possibly uses the regular DNS to validate the hostname on the certificates for the DoT connection.

2) Not sure, probably not was my guess. Usually whatever one responds faster gets used the most.

3) Sending a DNS server via DHCP is a suggestion. An app or device can also use whatever they want. The DNS Filter can FORCEFULLY redirect DNS queries where you want. You could set it to "Router" globally to force all clients to use the Router DNS.

4) I have that enabled and only see a few from my work laptop which is trying to hit work domains when I am not on the VPN so it gets confused. Do you use a domain or VPN at all? The rebind would be if what it thinks is an external hostname is trying to resolve to a local IP.
 

eibgrad

Part of the Furniture
1) Answered

2) Answered (although given enough time and demand, ALL the available DNS servers will typically be used. And what's considered fastest (and thus considered the preferred server) is always being reevaluated after so many queries and/or a given time period).

3) DNSFilter is simply an override. Whatever the client is configured to use for traditional DNS (Do53) is changed, on the fly, to your preference. It's just that simple. Just beware, if that override is NOT DNSMasq, but to say some public DNS server (e.g., 8.8.8.8), those clients bound to the DNSFilter will no longer be using DNSMasq's DNS server, and thus lose access to its features, such as local name resolution, local caching, ad blocking, etc. Also, there is no backup DNS server. Whatever the DNSFilter is set to, that's the one and only DNS server those clients must rely on. And so if it fails for any reason, they LOSE access to DNS!

IOW, the DNSFilter is a double-edged sword. It's convenient as an override for certain cases, but it comes w/ consequences that may NOT be so obvious until later on.

4) You normally want rebind protection, but why any one user gets more warnings than another just depends on your particular configuration, and even where you roam the internet. Obviously darker sides of the web are more likely to attempt this hack. But if it's from just a few locations that you normally visit and trust, you can make exceptions for those domains in DNSMasq (which will stop the warning messages).

Code:
rebind-domain-ok=/xyz.com/abc.com/qqq.com

The above would need to be added to DNSMasq w/ a user config file, specifically /jffs/configs/dnsmasq.conf.add. The option "Enable JFFS custom scripts and configs" has to be set to Yes in Administration > System as well.

------------------------------

P.S. You might find the following helpful for understanding exactly what DNS server(s) are being used and how they are being routed.


CaptnDanLKW

Senior Member
Thanks.

1 & 3 are clear.

For #2, are we saying that dnsmasq, when processing a name lookup from a LAN client (whose DNS server is 192.168.1.1, as advertised through DHCP), will blast a DNS lookup to every one in the list and return the first one to respond back to the client?

This seems to break with the traditional Primary, Secondary and Tertiary sequential method in a traditional OS stack, where it would move through the choices only when the first lookup didn't respond AT ALL. (If it responds with a host name unknown, that in itself IS a response and it won't try others.)

For #4, before changing to DoT (opportunistic) I had one or two rebind warnings from a few Azure and Microsoft domains, so I did add them to the dnsmasq.conf.add file and that was successful. However, once enabling DoT, I get thousands of domains, just a sample below (I can tell which device is making the request because some of them are obvious, like my Roku devices). Nothing else changed other than enabling DoT, so I'm still trying to understand the 'why'.

Thanks, I'll look at the post on how to monitor requests in real time.

Jul 7 12:51:30 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: pagead2.googlesyndication.com
Jul 7 12:54:12 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: securepubads.g.doubleclick.net
Jul 7 12:56:46 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: liberty.logs.roku.com
Jul 7 13:43:14 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: madison.logs.roku.com
Jul 7 13:54:20 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: device-metrics-us-2.amazon.com
Jul 7 13:55:02 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: scribe.logs.roku.com
Jul 7 14:12:06 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: device-metrics-us.amazon.com
Jul 7 14:36:29 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: austin.logs.roku.com
Jul 7 14:41:42 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: madison.logs.roku.com
Jul 7 14:48:46 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: device-metrics-us-2.amazon.com
Jul 7 14:50:26 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: scribe.logs.roku.com
Jul 7 15:07:20 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: ad.doubleclick.net
Jul 7 15:07:23 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: opus.analytics.yahoo.com
Jul 7 15:07:23 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: tag.idsync.analytics.yahoo.com
Jul 7 15:07:24 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: pubads.g.doubleclick.net
Jul 7 15:07:48 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: opus.analytics.yahoo.com
Jul 7 15:07:48 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: tag.idsync.analytics.yahoo.com
Jul 7 15:08:29 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: idsync.rlcdn.com
Jul 7 15:08:29 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: js-agent.newrelic.com
Jul 7 15:08:29 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: s.amazon-adsystem.com
Jul 7 15:08:29 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: ups.analytics.yahoo.com
Jul 7 15:08:32 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: s-static.innovid.com
Jul 7 15:08:34 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: q-aus1.contentsquare.net
Jul 7 15:08:34 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: c.contentsquare.net
Jul 7 15:08:40 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: s-static.innovid.com
Jul 7 15:08:59 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: c.contentsquare.net
Jul 7 15:09:42 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: dmxleo.dailymotion.com
Jul 7 15:12:46 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: madison.logs.roku.com
Jul 7 15:14:50 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: device-metrics-us-2.amazon.com
Jul 7 15:16:14 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: ad.doubleclick.net
Jul 7 15:16:15 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: prod-m-node-1111.ssp.advertising.com
Jul 7 15:16:23 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: dis.criteo.com

dave14305

Part of the Furniture
However, once enabling DoT, I get thousands of domains, just a sample below (i can tell which device is making the request because some of them are obvious, like my Roku devices). Nothing else changed other than enabling DoT, so still trying to understand the 'why'.

Did you configure an ad-blocking DoT server in DNS Privacy? That would create a lot of rebind messages if it is returning 0.0.0.0.

are we saying that dnsmasq, when processing a name lookup from a LAN client (who's using 192.168.1.1 as their DNS server, as advertised though DHCP, will blast a dns lookup to every one in the list and return the first one to respond back to the client?

Every so often dnsmasq will send to all its configured upstream servers and use the fastest server until the next test interval.
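As an added example (not from this thread, dnsmasq or Asuswrt-Merlin), the Python below models what the replies describe: dnsmasq's rebind protection rejecting upstream answers in private ranges, which includes 0.0.0.0 from an ad-blocking resolver, the rebind-domain-ok exemption for a domain and its subdomains, and a tally of the syslog warnings by name. The address ranges are an approximation of dnsmasq's private_net() check, and the syslog sample is constructed in the same format the thread shows.

```python
import ipaddress
import re
from collections import Counter

# Approximation of the ranges dnsmasq's stop-dns-rebind rejects (private_net / private_net6).
# 0.0.0.0/8 is on the list, which is why an ad-blocking resolver answering 0.0.0.0 trips it.
REBIND_BLOCKED_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "255.255.255.255/32")]
REBIND_BLOCKED_V6 = [ipaddress.ip_network(n) for n in ("::/128", "::1/128", "fe80::/10", "fc00::/7")]

LOG_RE = re.compile(r"possible DNS-rebind attack detected: (\S+)")

# Constructed syslog sample (same format as the thread's log, not the thread's data).
SAMPLE_SYSLOG = """\
Jul 7 12:51:30 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: pagead2.googlesyndication.com
Jul 7 13:43:14 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: madison.logs.roku.com
Jul 7 13:55:02 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: scribe.logs.roku.com
Jul 7 14:41:42 RTAC86U dnsmasq[1431]: possible DNS-rebind attack detected: madison.logs.roku.com
"""


def is_rebind_blocked(answer: str) -> bool:
    """True if dnsmasq's rebind protection would reject this upstream A/AAAA answer."""
    ip = ipaddress.ip_address(answer)
    nets = REBIND_BLOCKED_V4 if ip.version == 4 else REBIND_BLOCKED_V6
    return any(ip in net for net in nets)


def is_rebind_ok_listed(name: str, ok_domains) -> bool:
    """rebind-domain-ok exempts each listed domain and every subdomain of it."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in (x.lower() for x in ok_domains))


def judge_answer(name: str, answer: str, ok_domains=()) -> str:
    """Outcome for one upstream answer: 'passed', 'exempted' (ok-listed) or 'rejected' (logged)."""
    if not is_rebind_blocked(answer):
        return "passed"
    return "exempted" if is_rebind_ok_listed(name, ok_domains) else "rejected"


def count_rebind_warnings(syslog_text: str) -> Counter:
    """Tally the names behind 'possible DNS-rebind attack detected' lines."""
    return Counter(m.group(1) for line in syslog_text.splitlines() if (m := LOG_RE.search(line)))


def rebind_domain_ok_line(domains) -> str:
    """Render the dnsmasq.conf.add line that exempts the given domains, as in the thread."""
    return "rebind-domain-ok=/" + "/".join(domains)
```

Feeding count_rebind_warnings() the real syslog shows which names are noisiest before deciding whether to exempt them or drop the resolver that returns 0.0.0.0.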
 

jtp10181

Regular Contributor
Did you configure an ad-blocking DoT server in DNS Privacy? That would create a lot of rebind messages if it is returning 0.0.0.0.

All those domains he listed look like things that would be on a block list also, so that's my guess. I see logs, metrics, and ad domains. Did not realize that would trigger the rebind warning.
 

ColinTaylor

Part of the Furniture
2) Is the DoT Server list order displayed, the actual order that is used? How would that work since the first server would always respond, unless there's an outage - which is unlikely. So, what's the point of adding more than 2 (like we do traditionally) - or 4 (pair for ipv4 and pair for ipv6)?

Stubby uses round_robin_upstreams: 1. So each new query is sent to the next (single) server in the list. When it gets to the end of the list it starts again from the beginning.
 

eibgrad

Part of the Furniture
Every so often dnsmasq will send to all its configured upstream servers and use the fastest server until the next test interval.

Also, given enough demand, it will NOT hesitate to use multiple DNS servers if that will increase efficiency. IOW, if it only needs a single DNS server to satisfy current demand, then yes, it will use the preferred DNS server (based on the fastest response, which gets reevaluated from time to time).

That's why for any given DNSMasq configuration, you should assume ALL available DNS servers will eventually be used given enough time and demand.

That's why the Strict option for "Accept DNS configuration" on the OpenVPN client is misleading (and ineffective). It suggests that the choice of DNS server will be based on an ordered list, w/ those of the VPN provider having the highest priority. But as the DNS monitor shows, that does NOT mean it won't use every available DNS server if it decides that's most efficient. For all intents and purposes, the Strict option isn't any different from Relaxed. At least NOT in terms of preventing DNS leaks. Exclusive ends up being the only option to guarantee against DNS leaks.

DoT is a completely different situation since once enabled, DNSMasq is then bound to the Stubby local service ALONE for all public name resolution. Stubby is then free to use its own algorithms as to which DNS servers to use, what order, ALL or one at a time, etc.

CaptnDanLKW

Senior Member
Did you configure an ad-blocking DoT server in DNS Privacy? That would create a lot of rebind messages if it is returning 0.0.0.0.

Every so often dnsmasq will send to all its configured upstream servers and use the fastest server until the next test interval.

Actually, I did have AdGuard 1 (IPv4 and IPv6) in my list, along with Quad9 and Cloudflare 1.1.1.1 in there. I removed it and turned off Rebind protection for a time (probably should have done one or the other, not both). As a new test I left AdGuard out but just turned back on rebind protection. I'll watch it today and check back later. If that's how the AdGuard servers work, by returning 0.0.0.0, then that could explain it. Good info. Thanks.
 

Treadler

Very Senior Member
Actually, I did have AdGuard 1 (IPv4 and IPv6) in my list, along with Quad9 and Cloudflare 1.1.1.1 in there. I removed it and turned off Rebind protection for a time (probably should have done one or the other, not both). As a new test I left AdGuard out but just turned back on rebind protection. I'll watch it today and check back later. If that's how the AdGuard servers work, by returning 0.0.0.0, then that could explain it. Good info. Thanks.

AdGuard DNS will give you the rebind warnings, yes.
I trialled AdGuard for a while & my syslog got smashed. ;)
 

Paliv

Senior Member
Wait AdGuard in DoT with other servers is going to only occasionally block ads right? Doesn’t Stubby do a round robin of all the resolvers?
 
