On 2013-05-10 15:36, Josh Bitto wrote:
> I'm getting in my system logs the following:
> firewall dnsmasq[35138]: possible DNS-rebind attack detected:
> okanagan.bc.ca
> Is this something to worry about? I've looked at the forums and most
> people say to disable the rebind option in the system settings. I'm
> kinda concerned if this is a serious log or if it is just a false
> positive. Or if it's just an attempt and I have nothing to worry
> about. Can anyone give me some insight into this?

Is your organization's network affiliated with okanagan.bc.ca in any
way? I'll assume not, but that might not be entirely correct given the
geographical proximity.

Assuming not, from the looks of it, it's possible that it is designed as
an attack but it's more likely that okanagan.bc.ca has simply screwed up
their DNS. Either way, okanagan.bc.ca's internet-facing DNS records are
not set correctly:

okanagan.bc.ca. 3600 IN A 10.1.33.0
okanagan.bc.ca. 3600 IN A 142.23.95.114
;; Received 75 bytes from 142.23.79.254#53(142.23.79.254) in 99 ms

They shouldn't be leaking a 10/8 address out to the internet; since they
are, you'll (correctly) get DNS-rebind attack warnings approximately 50%
of the time when someone visits okanagan.bc.ca from within your internal
network.

You can likely ignore the warnings entirely; either 1) they're warning
you about a mis-configuration out on the net, or 2) you were just
protected against an attack.

Either way, everything worked the way it's supposed to. There's
absolutely no upside to disabling DNS rebinding attack detection unless
your networks are supposed to be interconnected and you are supposed to
be able to access each other's internal IPs.
--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
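
The check discussed in the reply above, as an added example that is not part of the original post and is not dnsmasq's code: it scans dig-style answer lines and reports names whose A/AAAA records point into internal address space. Assumptions: Python's `ipaddress` classification stands in for dnsmasq's own range list, the function names are hypothetical, and `allowed_domains` plays the role of dnsmasq's `rebind-domain-ok` option for networks that really are interconnected.

```python
import ipaddress

# Constructed sample input: the answer lines quoted in the reply above.
SAMPLE_ANSWER = """\
okanagan.bc.ca. 3600 IN A 10.1.33.0
okanagan.bc.ca. 3600 IN A 142.23.95.114
;; Received 75 bytes from 142.23.79.254#53(142.23.79.254) in 99 ms
"""


def parse_records(text):
    """Yield (name, address) for each IN A/AAAA line in dig-style output."""
    for line in text.splitlines():
        fields = line.split()
        if line.startswith(";") or len(fields) != 5:
            continue  # comment line or not a simple resource record
        name, _ttl, rclass, rtype, rdata = fields
        if rclass != "IN" or rtype not in ("A", "AAAA"):
            continue
        try:
            yield name.rstrip(".").lower(), ipaddress.ip_address(rdata)
        except ValueError:
            continue  # malformed rdata: skip it rather than crash


def is_internal(addr):
    """True for addresses an outside resolver should never hand back.

    Assumption: an approximation, not dnsmasq's exact list of ranges.
    """
    if getattr(addr, "ipv4_mapped", None):  # unwrap ::ffff:a.b.c.d
        addr = addr.ipv4_mapped
    return addr.is_private or addr.is_loopback or addr.is_link_local


def rebind_suspects(text, allowed_domains=()):
    """Return [(name, address)] for records that resolve to internal space."""
    allowed = tuple(d.rstrip(".").lower() for d in allowed_domains)
    hits = []
    for name, addr in parse_records(text):
        if any(name == d or name.endswith("." + d) for d in allowed):
            continue  # domain explicitly trusted to return internal IPs
        if is_internal(addr):
            hits.append((name, str(addr)))
    return hits


if __name__ == "__main__":
    for name, addr in rebind_suspects(SAMPLE_ANSWER):
        print(f"possible DNS-rebind: {name} -> {addr}")
```

Only the 10.1.33.0 record is reported, which matches the reply's point that the warning fires on roughly half the lookups, depending on which record the client receives.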