Add plex.direct to DNS rebinding

## My question:
How can I add plex.direct to DNS rebinding rules in Pi-hole?

Expected Behaviour:

When connected to the same LAN as my Plex server, I am unable to make a direct connection to the service. Some Googling indicates that adding rebind-domain-ok=/plex.direct/ to /etc/dnsmasq.d/99-custom.conf of Pi-hole will solve this issue.

(see Plex Secure connections issues with DNS Rebinding. (Possible Fix!))

Actual Behaviour:

Even after adding the 99-custom.conf file, I am still unable to access Plex directly from the same LAN as the server.

Debug Token:

https://tricorder.pi-hole.net/D41Rj35C/

Can you explain what you mean by 'unable to make a direct connection'? Rebind protection just allows a DNS record to be a local IP address instead of the actual IP address on the WAN internet.

Rebind protection isn't enabled by default with Pi-hole and typically it is something that would be managed by a router. Are you using a firewall application?

For instance this is on OPNsense:

Your pihole.log shows that FTL does see your additional configuration line and is using it.

-rw-r--r-- 1 root root 31 Dec 28 08:15 /etc/dnsmasq.d/99-custom.conf
   rebind-domain-ok=/plex.direct/
   Dec 28 08:05:43 dnsmasq[2156]: using nameserver 8.8.8.8#53
   Dec 28 08:05:43 dnsmasq[2156]: using nameserver 8.8.4.4#53
   Dec 28 08:05:43 dnsmasq[2156]: using nameserver 192.168.254.254#53 for domain 254.168.192.in-addr.arpa 
   Dec 28 08:05:43 dnsmasq[2156]: using nameserver 192.168.254.254#53 for unqualified names 
   Dec 28 08:05:43 dnsmasq[2156]: using only locally-known addresses for plex.direct
   Dec 28 08:05:43 dnsmasq[2156]: using only locally-known addresses for onion
   Dec 28 08:05:43 dnsmasq[2156]: using only locally-known addresses for bind
   Dec 28 08:05:43 dnsmasq[2156]: using only locally-known addresses for invalid
   Dec 28 08:05:43 dnsmasq[2156]: using only locally-known addresses for localhost
   Dec 28 08:05:43 dnsmasq[2156]: using only locally-known addresses for test

What address is being returned from Pi-hole for plex.direct? I don't see where that address has been defined so I don't think there will be an answer for queries for plex.direct.

In addition to Dan's explanations, your debug log shows that your Pi-hole machine is aware of another DNS server besides Pi-hole:

-rw-r--r-- 1 root root 259 Dec 28 08:15 /etc/resolv.conf
   nameserver 192.168.254.254
   nameserver 172.16.0.1
   search home

That 192.168.254.254 seems to be your router, and routers are likely to enable DNS rebind protection by default.
So if clients would use your router for DNS, not only would they by-pass Pi-hole, but they may not be able to resolve ip.*.plex.direct domains.

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.
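
A simplified model of the filtering discussed in this thread, added here as an illustration and not code from Pi-hole, dnsmasq or any poster: it reads dnsmasq-style config text and reports whether an upstream answer pointing at a private address would be discarded, which is why the exemption only matters on the resolver that actually has rebind protection switched on. The function names and the sample hostname are constructed, the options `stop-dns-rebind`, `rebind-localhost-ok` and `rebind-domain-ok` are dnsmasq's, and the private-range test is approximated with Python's `ipaddress` module.

```python
import ipaddress

# Constructed sample name in the ip.*.plex.direct shape mentioned above.
SAMPLE_NAME = "192-168-254-10.examplehash.plex.direct"

def parse_rebind_config(text):
    """Return (enabled, localhost_ok, exempt_domains) from dnsmasq-style config text."""
    enabled, localhost_ok, exempt = False, False, set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key == "stop-dns-rebind":
            enabled = True
        elif key == "rebind-localhost-ok":
            localhost_ok = True
        elif key == "rebind-domain-ok":
            # Accepts "plex.direct" as well as "/plex.direct/other.example/".
            exempt.update(d.lower() for d in value.strip().split("/") if d)
    return enabled, localhost_ok, exempt

def answer_dropped(config_text, name, address):
    """True if this model would discard an upstream answer name -> address."""
    enabled, localhost_ok, exempt = parse_rebind_config(config_text)
    if not enabled:
        return False  # without stop-dns-rebind nothing is filtered
    labels = name.lower().rstrip(".").split(".")
    # Exemptions match whole labels: evilplex.direct is not under plex.direct.
    if any(".".join(labels[i:]) in exempt for i in range(len(labels))):
        return False
    ip = ipaddress.ip_address(address)
    if ip.is_loopback:
        return not localhost_ok
    # Assumption: ipaddress.is_private approximates dnsmasq's private-range test.
    return ip.is_private or ip.is_link_local

if __name__ == "__main__":
    configs = {
        "router-like (protection on)": "stop-dns-rebind\n",
        "protection on + exemption": "stop-dns-rebind\nrebind-domain-ok=/plex.direct/\n",
        "thread's 99-custom.conf only": "rebind-domain-ok=/plex.direct/\n",
    }
    for label, cfg in configs.items():
        print(label, "->", "dropped" if answer_dropped(cfg, SAMPLE_NAME, "192.168.254.10") else "passed")
```
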