Dns – OpenWRT dnsmasq: possible DNS-rebind detected

dnsmasqopenwrt

I have a problem since I use a new router (TP-Link WDR4300 + OpenWRT BarrierBreaker) and in the System log is full of this periodically:

<Timestamp> dnsmasq[2524]: possible DNS-rebind attack detected: 4385410-0-3084195388-824858262.ns.183-213-22-60-ns.dns-spider.ffdns.net

I use my ISP's DNS (Telekom Hungary, IPv4 DNS) but I've tried Google's too (8.8.8.8 and 8.8.4.4 too), but there is this issue.

I can reach my router from WAN (via DDNS (duckdns)), may it possible that this is the source of my problem?

I've tried to search DNS-rebind attack and so in OpenWRT topics but sadly I can't found anything useful there.

There is any workaround to prevent those bots to rebind?

Best Answer

It looks like dnsmasq is reachable from the internet. This allows DNS scanners to attempt rebind attacks. Check your firewall configuration. This particular server appears to be a research server, although I would expect only a few attempts from such a server.

Generally you want a mostly closed configuration on the internet interface with only the services you need enabled. DNS is usually not one of the services you want to enable.

Related Solutions

Networking – How to log all DNS requests made through OpenWRT router

You can edit the config file:

vi /etc/dnsmasq.conf

    # /etc/dnsmasq.conf
    log-dhcp
    log-queries
    log-facility=/tmp/dnsmasq.log

Or edit another config file:

vi /etc/config/dhcp

    config dnsmasq
        ...
        option logdhcp '1'
        option logqueries '1'
        option logfacility '/tmp/dnsmasq.log'

Then restart service:

/etc/init.d/dnsmasq restart

Log file can be parsed in real-time with tail+awk:

$ vi dnsmasq.awk

    #!/usr/bin/awk -f

    BEGIN {
      OFS = ",";
    }

    $5 == "query[A]" {
      time = mktime( \
        sprintf("%04d %02d %02d %s\n", \
          strftime("%Y", systime()), \
          (match("JanFebMarAprMayJunJulAugSepOctNovDec",$1)+2)/3, \
          $2, \
          gensub(":", " ", "g", $3) \
        ) \
      );
      query = $6;
      host = $8;
      print time, host, query;
    }

$ chmod +x dnsmasq.awk

$ tail -f /tmp/dnsmasq.log | ./dnsmasq.awk

1468999090,192.168.1.100,google.com
1468999092,192.168.1.101,youtube.com
1468999095,192.168.1.102,facebook.com
1468999097,192.168.1.100,qa.sockets.stackexchange.com

More advanced method is sending log via filebeat to ELK in realtime.

Dns – How to prevent local host name resolving from DHCP names in OpenWRT/dnsmasq

Your option of choice for dnsmasq appears to be:

--dhcp-ignore-names[=tag:[,tag:]] - Ignore hostnames provided by DHCP clients.

When all the given tags appear in the tag set, ignore any hostname provided by the host. Note that, unlike dhcp-ignore, it is permissible to supply no tags, in which case DHCP-client supplied hostnames are always ignored, and DHCP hosts are added to the DNS using only dhcp-host configuration in dnsmasq and the contents of /etc/hosts and /etc/ethers.

This option is available in dnsmasq 2.71, which is part of OpenWrt Barrier Breaker 14.07.

If you don't specify any hosts in /etc/hosts or /etc/ethers (or disable using them completely) no hostname information should "leak" anymore. However, be aware that thare're other tools like ie. Netscan, nbtscan, or the whole lots of Metasploit scanners, that can provide this information if not firewalled tightly.

Best Answer

Related Solutions

Networking – How to log all DNS requests made through OpenWRT router

Dns – How to prevent local host name resolving from DHCP names in OpenWRT/dnsmasq

Related Question