[Dnsmasq-discuss] "possible DNS-rebind attack detected" ??

Carlos Carvalho carlos at fisica.ufpr.br
Sat Feb 2 23:08:08 GMT 2008


I use --stop-dns-rebind and I'm getting "possible DNS-rebind attack
detected" msgs. in the log. This happens after a series of nxdomain
answers (from the recursor or cached). I don't understand why this is
a possible attack because the manual says that this should be
triggered by answers within private ranges, not nxdomain. Here is an
excerpt of the log; in this particular case the answers were cached
but there are cases where they all come from the server at 127.0.0.1.

Feb  2 20:54:44 dnsmasq[17406]: query[A] 167.176.132.209.zen.spamhaus.org from 192.168.3.18
Feb  2 20:54:44 dnsmasq[17406]: cached 167.176.132.209.zen.spamhaus.org is NXDOMAIN-IPv4
Feb  2 20:54:44 dnsmasq[17406]: query[A] 167.176.132.209.dnsbl.sorbs.net from 192.168.3.18
Feb  2 20:54:44 dnsmasq[17406]: cached 167.176.132.209.dnsbl.sorbs.net is NXDOMAIN-IPv4
Feb  2 20:54:44 dnsmasq[17406]: query[A] 80.168.122.91.dnsbl.sorbs.net from 192.168.3.18
Feb  2 20:54:44 dnsmasq[17406]: forwarded 80.168.122.91.dnsbl.sorbs.net to 127.0.0.1
Feb  2 20:54:44 dnsmasq[17406]: query[A] 241.132.85.209.dnsbl.sorbs.net from 192.168.3.18
Feb  2 20:54:44 dnsmasq[17406]: forwarded 241.132.85.209.dnsbl.sorbs.net to 127.0.0.1
Feb  2 20:54:44 dnsmasq[17406]: query[A] vger.kernel.org.dob.sibl.support-intelligence.net from 192.168.3.18
Feb  2 20:54:44 dnsmasq[17406]: cached vger.kernel.org.dob.sibl.support-intelligence.net is NXDOMAIN-IPv4
Feb  2 20:54:44 dnsmasq[17406]: query[A] 167.176.132.209.list.dnswl.org from 192.168.3.18
Feb  2 20:54:44 dnsmasq[17406]: forwarded 167.176.132.209.list.dnswl.org to 127.0.0.1
Feb  2 20:54:44 dnsmasq[17406]: possible DNS-rebind attack detected



More information about the Dnsmasq-discuss mailing list