Question DNS rebinding attacks

Yet they work without it. I have even disabled DDR in Windows and ipv4only.arpa is blocked by DNS. :(
No, this DDR seems to be a different Windows specific thing, not related to how Chromium handles their DoH. DDR seems to be the opposite. It discovers DoH address using DNS IP through Microsoft's partnership with Quad9 and Cisco OpenDNS.

But good point, and I did some research, and it turns out the Chromium engineers have already thought of a scenario where the methods of resolving the DoH IP will be blocked.
When any standard and recommended methods are blocked like in your system, they have a fallback mechanism called "Secure DNS Enhanced Bootstrap".
Many DNS providers' DoH addresses, along with their IP addresses, are hardcoded into the Chromium code. So when any regular method doesn't work, they fall back to using those.
They even gave some reasons why they don't use it as their default method which is understandable. Check the below links.

Secure DNS Enhanced Bootstrap

https://source.chromium.org/chromium/chromium/src/+/main:net/dns/public/doh_provider_entry.cc

So, what I said remains accurate. Chromium's unencrypted port 53 DNS query is an expected behaviour/feature, not a bug.

The best thing to do for you might be to use something that redirects port 53 to your DoH provider at the OS/router level like I have.
 
My modem router has no DNS rebind protection settings; I rely on DNS provider settings.
If you use uBlock Origin, it has a filter called Block Outsider Intrusion into LAN that protects from DNS rebinding attacks.

 
If I have to use a DNS provider which does not pass the DNS rebinding test, would that pose a great deal of security vulnerability?
Well, it seems like a DNS rebinding attack can allow modification of your router settings plus any other network equipment you have on your LAN. Router setting modification can include a lot of harmful things, like changing your WiFi passwords (so that the attacker can join your LAN), setting up a DMZ (so it exposes a particular PC completely), changing your router address (sort of a DoS, so you cannot find the web site to admin your router). Just to list a few. You basically lose control of your LAN if the attacker can modify its settings.

As bot says, there are plenty of other easier attacks. But it is not that there are easier attacks, it is that this one is more dangerous. We don't touch the router every day, so the attacker's modifications may go unnoticed for weeks or months. Let's say the attacker chose to change your router's DNS settings to point to her DNS server; then you have a man-in-the-middle situation.
 
Even if the router is protected by a very strong login password?
As long as there is no password reuse then the router is safe. You never know if a cloud based app/service will be compromised along with your re-used password. Credential stuffing is a current hot attack.
 
Yes, it protects against DNS attacks. Bitdefender has a feature called Network Attack Defense (NAD) (I got this response when googling). Anyone know if Cyberlock protects against this kind of attack? Or any other? Windows Defender?
I'm guessing the biggest risk of DNS attacks comes from IoT devices, like bulbs, vacuums, etc. Computers with modern browsers and adblockers should be covered without the need of an AV dedicated feature.
 
Using Cloudflare Zero Trust, I thought I explicitly set up DNS rebinding protection with a policy blocking private IP address traffic. I fail the ControlD test in both Brave and Firefox. 🤷‍♂️

I don't know how definitive this test is, but I can try playing around with things later.
I followed through and investigated how to make my DNS rebinding protection more complete. As it turns out, my DNS policy based on Cloudflare's "private IP addresses" security category was limited to domains pre-classified by Cloudflare's threat intelligence. This was never going to pass benign rebinding tests on its own.

I implemented a post-resolution DNS policy blocking all traffic resolving to private IP address ranges. The result? I now pass DNS rebinding tests, including the one on ControlD's website and a manual DNS lookup of net192.rebindtest.com.

This catch-all policy creates strong protection at the cost of blocking some legitimate traffic. I'll likely need to make some exceptions.
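The post-resolution policy described above (drop any answer that resolves a public name to a private range, with a small exceptions list for local names) can be written as a resolver-side filter. The following is an added example, not part of this thread or of Cloudflare's or ControlD's code; the domain names, the allowlist entries and the DNS answers are constructed for illustration. It also covers two edge cases a plain "is private" check misses: IPv4-mapped IPv6 answers (`::ffff:192.168.1.1`) and the CGNAT range 100.64.0.0/10.

```python
"""Post-resolution DNS rebinding filter (added example, not from the thread).

Drops A/AAAA answers that point into private, loopback, link-local or
CGNAT space unless the queried name is on an explicit exceptions list.
This mirrors the "block everything resolving to private ranges, then add
exceptions" approach described in the post above.
"""
import ipaddress
from typing import Iterable, List, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Answer = Tuple[str, str]  # (record type, rdata) e.g. ("A", "192.168.1.1")

# Address space that should never appear in answers for a public name.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",        # "this" network
    "10.0.0.0/8",       # RFC 1918
    "100.64.0.0/10",    # CGNAT (shared address space)
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # IPv4 link-local
    "172.16.0.0/12",    # RFC 1918
    "192.168.0.0/16",   # RFC 1918
    "::/128",           # IPv6 unspecified
    "::1/128",          # IPv6 loopback
    "fc00::/7",         # IPv6 unique local
    "fe80::/10",        # IPv6 link-local
)]

# Hypothetical exceptions: names that are legitimately allowed to resolve
# to LAN addresses (the "exceptions" the post says it will need to add).
ALLOWED_NAMES = {"router.home.example", "nas.home.example"}


def _canonical(addr: str) -> IPAddr:
    """Parse an address; unwrap IPv4-mapped IPv6 so ::ffff:10.0.0.5 is
    judged as 10.0.0.5 rather than slipping past the IPv4 blocklist."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_private_target(addr: str) -> bool:
    """True if the address lies in any blocked range."""
    ip = _canonical(addr)
    return any(ip in net for net in BLOCKED_NETWORKS)


def filter_answers(qname: str, answers: Iterable[Answer]) -> Tuple[List[Answer], List[Answer]]:
    """Apply the rebinding policy to one response.

    Returns (kept, dropped). Non-address records (CNAME, TXT, ...) are
    always kept; A/AAAA records are dropped when they point into blocked
    space and the name is not an explicit exception.
    """
    name = qname.rstrip(".").lower()
    exempt = name in ALLOWED_NAMES
    kept: List[Answer] = []
    dropped: List[Answer] = []
    for rtype, rdata in answers:
        if rtype in ("A", "AAAA") and not exempt and is_private_target(rdata):
            dropped.append((rtype, rdata))
        else:
            kept.append((rtype, rdata))
    return kept, dropped


def rebinding_test_passes(qname: str, answers: Iterable[Answer]) -> bool:
    """A rebinding test of the kind the post mentions passes when no
    private address survives filtering for a public name."""
    kept, _ = filter_answers(qname, answers)
    return not any(rtype in ("A", "AAAA") and is_private_target(rdata)
                   for rtype, rdata in kept)


if __name__ == "__main__":
    # Constructed responses, modelled on the manual lookup described above.
    samples = {
        "net192.rebindtest.com.": [("A", "192.168.1.1")],
        "public.example.": [("A", "93.184.216.34"), ("AAAA", "::ffff:10.0.0.5")],
        "router.home.example.": [("A", "192.168.0.1")],
    }
    for qname, answers in samples.items():
        kept, dropped = filter_answers(qname, answers)
        print(f"{qname:28} kept={kept} dropped={dropped} "
              f"passes={rebinding_test_passes(qname, answers)}")
```

The exceptions set is where the "blocking some legitimate traffic" cost lands: anything that must resolve to a LAN address (a router admin name, a NAS, a split-horizon corporate host) has to be listed explicitly, and each entry is a name an attacker-controlled zone could never match, since it is compared against the queried name rather than the answer.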
 
The downside of DNS rebinding protection


A post from five years ago, which in this field is like saying I did it in the Triassic period and now we're in the Jurassic period.
Anyway, I don't want to get into it... enable LNA protections in your browser.

I don't quite understand (maybe it's my age :ROFLMAO:)... do you use NextDNS?
 
I got it enabled in uBOL filter lists.

Switching between NextDNS free and customized AG DNS free.
NextDNS pros: more options and a lower number of queries per month.
AG DNS: Hagezi threat intelligence list and slightly faster.

It's a good (not great) choice if you never disable uBoL, even temporarily.

Be careful with websites where you may have disabled filtering and perhaps don't remember doing so.

Development - filtering mode details

I had opened an issue, but you know Gorhill always says no at first... then months later he reconsiders.

___________________________________________________________________________________

Another tip.

Check if a series of malware, phishing, and fake websites blocked by NextDNS are also blocked by AG DNS (perhaps even on Sundays when updates are slower).

In my case, having chosen NextDNS, I did not find an identical match in the block.

;)(y)
 
Update: I think the ControlD test for DNS rebinding protection is "inaccurate".
Until yesterday, NextDNS passed the test; today, with the same settings, it fails to pass.
 
If you use uBlock Origin, it has a filter called Block Outsider Intrusion into LAN that protects from DNS rebinding attacks.

Always wondered what that filter did, thanks for educating me (y)

You're much more likely to get pwned by your crappy router with outdated and exploitable firmware than by some weird edge-case DNS attack. My 2 cents :unsure:
 