DNS rebind warning & strange requests from router

Hi everyone,
I'm seeing some strange things, hopefully someone can help me out if I'm doing something wrong.
My setup is as follows:

ubuntu server and others ---> secondary router with wifi (no DHCP, address 192.168.1.2) ---> powerline a ---> powerline b ---> main router (DHCP, main wifi AP, 192.168.1.1) ---> internet
Connected via Ethernet to my main router is my Pi-hole & PiVPN box, acting as DNS for the whole network.

Pi-hole is running natively on Ubuntu Server, no Docker, and works fine.

My issue is that on my second router, acting as a wifi AP and nothing else, I keep getting these warnings from dnsmasq, below an example.

possible DNS-rebind attack detected: mazu.3g.qq.com

And at the same time Pi-hole keeps recording impossible amounts of traffic coming from my second router.
At first I thought it was from some wifi devices connected to it, but now I see requests for facebook and other blocked domains even when no one is using that wifi network.

So what gives? What is generating those requests? Maybe some sort of loop I have accidentally created?
I see no reason for traffic to come from that router, as my pihole dns server is connected directly via ethernet to my router.

Also, my secondary router has a wifi network set at low power and 5 GHz used only by my devices, and it cannot be detected outside that specific room, so no other devices can be using it.

What am I doing wrong?

My Pi-hole debug token is at

https://tricorder.pi-hole.net/Qw2Wmmo1/

Thank you in advance

A dig on mazu.3g.qq.com shows:

;; ANSWER SECTION:
mazu.3g.qq.com. 467 IN CNAME ins-8bzcv1fb.ias.tencent-cloud.net.
ins-8bzcv1fb.ias.tencent-cloud.net. 120 IN A 14.18.202.184
ins-8bzcv1fb.ias.tencent-cloud.net. 120 IN A 14.18.202.195
ins-8bzcv1fb.ias.tencent-cloud.net. 120 IN A 14.18.202.245
ins-8bzcv1fb.ias.tencent-cloud.net. 120 IN A 14.18.202.208

I would guess that one of those routers is a Tencent device. That would be a starting point.

That was just an example. There are countless others that are seemingly coming from the router. It's the most blocked client on the network. I don't understand; it's a router... maybe some sort of loopback?


DNS requests originating from your router could be expected:
If your router sends DNS requests to your Pi-hole, that would indicate you have configured it to use Pi-hole as its upstream DNS server (commonly, a WAN/Internet setting in the router). While that is a valid configuration, it would be preferred if you'd configure your router to tell its clients to use Pi-hole for DNS instead (commonly, a LAN/DHCP kind of setting).
It would depend on your router's model and firmware whether and how it exposes any of those options.

You'd have to refer to your router's documentation and support for details on its DNS configuration options.

As for your router's DNS rebind warning:

This is the only example of a rebind attack that you provided so far.

Are you implying that you see rebind warnings on your router for all of those requests shown on your screenshot above?

Well, to start, the only option to configure DNS in my main router is a field named "DNS SERVER", and I configured it to point to Pi-hole.
As for the second router, I loaded OpenWrt on it, and there is one option called DNS forwarding, which, again, is set to Pi-hole. Maybe that's the issue?
Could it be that I created some sort of loop here? My second router does not have DHCP, and only acts as a wifi AP and switch, and it gets all the DNS and DHCP config from the main router. But I also set the "custom DNS forward" on my second router, so maybe that is the issue?

Also, I get rebind attacks for, at least it seems that way, only blocked domains. Here's a screen below.
Also, I just noticed something weird. The blurred out domains look like local requests. My main router is from my ISP, and local devices get a custom domain, a .local. My iPhone, for example, is xxx's iPhone.local. But those are blocked domains that look like they have been redirected to a non-existent local one. I don't get it.
An example is graph.facebook.com, which is answered by Pi-hole, and graph.facebook.com.local, which gets logged by my second router.


Yeah, the requests logged by the second router are
domain
domain.local

and so on. Where did I screw up?

Note that the local TLD is reserved for mDNS usage and should NOT be used with plain DNS.

Your debug log shows a different TLD, but just in case if any of your routers would indeed be using local, you should change that, e.g. to lan or home.arpa.

Typically, a rebind attack may be assumed if a DNS request for a public domain would be answered with a private range IP address.

What's the result of

nslookup flurry.com 192.168.1.148

Thank you. Yeah, you can see it as it starts with .homenet, I just didn't want that public.
I don't know much about mDNS, and the default router the cable company provided does not seem to have the option to change it.

As for nslookup, this is what I get

nslookup flurry.com 192.168.1.148
Server: 192.168.1.148
Address: 192.168.1.148#53

Name: flurry.com
Address: 0.0.0.0
Name: flurry.com
Address: ::

Thank you
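Added example (not code from any participant in this thread, nor from Pi-hole or dnsmasq): a Python script that parses the nslookup output quoted just above and applies the heuristic from the earlier reply, flagging any public name that is answered with a private, loopback, link-local or unspecified address. dnsmasq's rebind check also treats 0.0.0.0/8 as private, which is why Pi-hole's 0.0.0.0 answer for a blocked domain trips it; the list of local-only suffixes is an assumption.

```python
import ipaddress

# nslookup output quoted earlier in this thread (flurry.com asked of Pi-hole at 192.168.1.148).
NSLOOKUP_OUTPUT = """\
Server: 192.168.1.148
Address: 192.168.1.148#53

Name: flurry.com
Address: 0.0.0.0
Name: flurry.com
Address: ::
"""

def parse_nslookup(text):
    """(name, address) pairs from nslookup output; the Server/Address header is skipped."""
    answers, name = [], None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Name":
            name = value
        elif key == "Address" and name is not None:
            answers.append((name, value))
    return answers

def rebind_reason(address):
    """Why a dnsmasq-style rebind check would object to this answer; None for a normal public IP."""
    ip = ipaddress.ip_address(address)
    if ip.is_unspecified:   # 0.0.0.0 / ::, which is what Pi-hole returns for a blocked domain
        return "unspecified address"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:       # RFC 1918 ranges and similar
        return "private range"
    return None

def flag_rebind_like(text, local_suffixes=("local", "lan", "home.arpa", "homenet")):
    """Heuristic from the thread: a public name answered with a non-public address is rebind-like.
    Names under a local-only suffix (assumed list) legitimately resolve privately and are skipped."""
    flagged = []
    for name, address in parse_nslookup(text):
        fqdn = name.rstrip(".").lower()
        if any(fqdn == s or fqdn.endswith("." + s) for s in local_suffixes):
            continue
        reason = rebind_reason(address)
        if reason:
            flagged.append((name, address, reason))
    return flagged
```

Run `flag_rebind_like(NSLOOKUP_OUTPUT)` to see both answers for flurry.com reported as unspecified addresses, while a name under .homenet answered with 192.168.1.1 is left alone.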

So, I found the issue.
My second router was acting just as a wifi AP, nothing else. I made the mistake of setting up the "DNS forwarding" field to the Pi-hole on my second router, while also having DNS and DHCP set on the main router as well. I think, for whatever reason, some of the blocked queries were redirected back by my second router to Pi-hole. Maybe someone who knows networking better than me can shed some light on this.
Everything stopped as soon as I cleared the "DNS forwarding" field on the second router. No more rebind attacks, router DNS requests stopped; according to Pi-hole there have been no requests in the past 10 hours (as it should be!).