G3100 - DNS-rebind issue
Paull62
Newbie

I just decided to check my G3100 router's system log because I haven’t checked it in a long time, and am now noticing I keep getting the following errors in the router:

[SYS.4][SYS] possible DNS-rebind attack detected for the domains 

ucs02.engageya.com

gwallcheck.api-alliance.com

fbwallcheck.api-alliance.com

But I don’t know what to do. Please help me, because I know the domains that are being blocked are ones I never even went to. Help!!!!

smith6612
Community Leader

DNS Rebind means the DNS Records resolve to IP addresses which would belong to an internal network, like a corporate or home network. It's not necessarily an attack. Some sites use DNS Rebinding to communicate with an application on your PC or network, without having to install a browser extension or other helper application. But yes it can also be used in attacks.

As for what caused those to occur, I believe those domains are more or less tracking related. Would have to find the problem service on the problem device. Did the router log a device IP?

Paull62
Newbie

@Smith6612

No. How can I tell if it returned a device IP? And I have no laptops, no computers at home, just an iPhone 13.

Cang_Household
Community Leader

From what I am reading about the DNS rebind, some public DNS servers are responding with a local IP address instead of a public routable IP address. Given you have an iPhone and a router, you have two local IP addresses already, so the DNS rebind could target either your iPhone, your router, or both.

You can monitor your WAN connection with a switch that supports port mirroring. You can capture the packet with Wireshark and read the DNS responses over time. I am not sure whether DNS over HTTPS is widely used though; I will defer to Smith6612 for this question.

Paull62
Newbie

@Cang_Household 

Do you recommend any switches that support port mirroring?

And how do I monitor my WAN connection, and how do I capture the packet with Wireshark and read the DNS responses over time????

LawrenceC
Moderator Emeritus

I would like to thank everyone for taking the time to post your comments and opinions related to this topic. This topic has been thoroughly discussed and will now be closed. Please feel free to open a new thread for further discussion. Thank you.

SteveCoy
Enthusiast - Level 1

Don't close this issue without pointing out the DNS rebind options in the G3100 that allow you to turn off DNS rebind protection in various contexts, or to turn off DNS rebind protection entirely!

It is quite absurd to let nonsense be the final answer.

I solved this problem easily with a DNS rebind exception in G3100 / Advanced / Network Settings / DNS Server.

 

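Added example, not part of any post in this thread and not the G3100's own code: the check described in the accepted answer (a DNS answer that points at an internal address) applied to constructed (name, address) pairs, with an exception list like the one mentioned in the last post. The list of internal ranges, the subdomain matching of exceptions, and all `.example` names are assumptions.

```python
import ipaddress

# Ranges treated as "internal" (an assumption; the router's own list is not on the page).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",     # loopback, link-local, "this network"
    "::1/128", "fc00::/7", "fe80::/10",               # IPv6 loopback, ULA, link-local
)]

# Constructed sample: (queried name, answer address) pairs as read from DNS responses.
SAMPLE_ANSWERS = [
    ("tracker.example", "203.0.113.10"),    # public answer: not flagged
    ("tracker.example", "192.168.1.1"),     # same name, later answer on the LAN
    ("nas.home.example", "192.168.1.50"),   # a name the owner points at the LAN on purpose
    ("local.example", "127.0.0.1"),
    ("v6.example", "fd00::1"),
    ("mapped.example", "::ffff:10.0.0.5"),  # IPv4-mapped IPv6 hiding a private IPv4
]

def is_internal(addr_text):
    """True if the address falls in one of INTERNAL_NETS."""
    addr = ipaddress.ip_address(addr_text)
    # Unwrap ::ffff:a.b.c.d so a private IPv4 cannot slip through as IPv6.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return any(addr.version == net.version and addr in net for net in INTERNAL_NETS)

def rebind_suspects(answers, exceptions=()):
    """Return {name: [internal answers]} for names not covered by an exception.

    An exception covers the domain itself and its subdomains (an assumption
    about how an exception list behaves, not documented router behaviour).
    """
    allowed = {e.lower().rstrip(".") for e in exceptions}
    hits = {}
    for name, addr in answers:
        host = name.lower().rstrip(".")
        if any(host == e or host.endswith("." + e) for e in allowed):
            continue
        if is_internal(addr):
            hits.setdefault(host, []).append(addr)
    return hits

if __name__ == "__main__":
    for host, addrs in rebind_suspects(SAMPLE_ANSWERS, ["home.example"]).items():
        print(host, "->", ", ".join(addrs))
```
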