possible DNS-rebind attack detected: dc.rm.skyq.info

gipjon
16: Advanced member

Last 18 months, no issues at all with the router.

I started having issues, 3 times so far in 6 weeks.

I think the router software crashes or the router is locking up.

The router stays connected to the internet.

All devices are reporting connected to the router but only some will have internet. Other devices say connected to the router but no internet. You can swap from wired to wifi and still have the same issue; it's like the MAC address is blocked.

The other thing is, you can't log into the router even on a device that's not affected. The website address times out.

The only cure is to unplug the Vodafone router from the mains and plug it back in, then it's fine again.

The other night the router dropped 3 times around 2.30 am, which is probably not related but a little odd as the router has never done that before. The only thing I notice is in the logs it keeps saying "possible DNS-rebind attack detected: dc.rm.skyq.info".

On the Sky forum, there is some reference about dc.rm.skyq.info being blocked by firewalls, which then blocks the Sky Paramount+ app.

Anyone any ideas?


CrimsonLiar
16: Advanced member

@Cynric It's fair to say Sky Q and the minis cause problems all over.  I've a neighbour who has taken to only turning the minis on at the socket when they are wanted.

The call on multiple DNS when there are Q minis is probably a good one.  If the mini is providing an access point and a second DNS (either itself or via the main Q box) on the same IP address as the VF router that would indeed show as a rebind attack!

Interested to see where this goes!

gipjon
16: Advanced member

Update: had a scan through the router log today and came across this below. Not really sure where, why, what, how????


possible DNS-rebind attack detected: googlecm.hit.gemius.pl

possible DNS-rebind attack detected: ib.beintoo.com

possible DNS-rebind attack detected: ln1prdapp01-canary.cloudapp.net

possible DNS-rebind attack detected: dc.rm.skyq.info


 15:36:09 data Warning possible DNS-rebind attack detected: net192.rebindtest.com
 15:36:09 data Warning possible DNS-rebind attack detected: net172.rebindtest.com
 15:36:09 data Warning possible DNS-rebind attack detected: net10.rebindtest.com
 15:36:09 data Warning possible DNS-rebind attack detected: net192.rebindtest.com
 15:36:09 data Warning possible DNS-rebind attack detected: net172.rebindtest.com
 15:36:08 data Warning possible DNS-rebind attack detected: net10.rebindtest.com


Cynric
16: Advanced member

.@gipjon Have you got a blocker returning 0.0.0.0 for certain domains and, if so, can you disable it and see what happens?

Has the router got dnsmasq rebind protection on?

Is something attached to port 53 that shouldn't be?

Are all the devices set to resolve DNS servers in the same sequence?

(FX: Opens BT helpdesk script) Have you turned everything off and then back on, one device at a time? 🙂


Edit: Also, is port 53 exposed to the internet?

gipjon
16: Advanced member

As far as I know, everything is standard.

No blocker, port 53 seems okay.

Standard Vodafone router running on Google DNS.

Not tried connecting devices 1 by 1 yet to see where it's coming from, but I have swapped Google DNS to Cloudflare in the router to see if that does anything (long shot).

I really don't understand the rebindtest.com bit in the log.

Jayach
16: Advanced member

@gipjon 

There are plenty in my log too. No idea what they mean, but then there is a lot in the log I don't understand.

27.11.2022 02:28:59 data Error failed to send packet: Address family not supported by protocol
27.11.2022 02:28:22 firewall Warning [5480325.149680] DROP wan in: IN=pppoe-wan OUT= MAC= src=79.124.62.78 DST=(my I.P address) LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=34155 PROTO=TCP SPT=40711 DPT=35172 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
27.11.2022 02:28:20 data Warning possible DNS-rebind attack detected: feliz-amp.data.tm-awx.com
27.11.2022 02:28:20 data Warning possible DNS-rebind attack detected: feliz-amp.data.tm-awx.com
27.11.2022 02:28:07 system Error Failed to send DHCPV6 message to ff02::1:2 (Permission denied)
27.11.2022 02:28:05 data Warning possible DNS-rebind attack detected: feliz-amp.data.tm-awx.com
27.11.2022 02:28:05 data Warning possible DNS-rebind attack detected: feliz-amp.data.tm-awx.com
27.11.2022 02:28:01 data Warning possible DNS-rebind attack detected: feliz-amp.data.tm-awx.com
27.11.2022 02:28:01 data Warning possible DNS-rebind attack detected: feliz-amp.data.tm-awx.com

Am I bovvered?

Cynric
16: Advanced member

.@gipjon The rebindtest.com lines look like something is doing a test (well, duh, silly me, that's obvious) but the next question is "why". There's a Microsoft URL that is a bit like a heartbeat test for the NCSI function. I wonder if that could be part of the fun.

.@Jayach that awx.com address is in a blacklist on GitHub. It will return 0.0.0.0, I think, assuming that you are blacklisting.

If a DNS lookup returns a localhost (either IP4 or 6) the alarm bells go off, because there was a well-known route into your LAN by spoofing the lookup result, and because you didn't get the "NOT KNOWN" result code from DNS it trips the warning. I still don't know why you see all this muck in the log; I don't see these, but then I am using a Pi-Hole.
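An added example (not code from the thread or from the router vendor) of the check Cynric describes: it approximates the address test dnsmasq applies when its rebind protection is on, which is why the rebindtest.com names and a blocker that answers 0.0.0.0 both trip the warning. The domain-to-answer sample is constructed (only the rebindtest names describe their own answers), and the IPv6 range list is an assumption.

```python
import ipaddress

# Added example (not code from the thread): approximates the address test behind
# dnsmasq's stop-dns-rebind option, which the THG3000 log lines suggest is active.
# An upstream A/AAAA answer landing in one of these ranges is dropped and logged
# as "possible DNS-rebind attack detected", so no reply can alias a LAN host.
FLAGGED_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",        # "this" network: blocklists that sinkhole to 0.0.0.0 land here
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private space
    "127.0.0.0/8",      # loopback (flagged unless rebind-localhost-ok is set)
    "169.254.0.0/16",   # link-local / zeroconf
    "192.0.2.0/24",     # TEST-NET-1
)]
FLAGGED_V6 = [ipaddress.ip_network(n) for n in (
    "::1/128", "fe80::/10", "fec0::/10", "fc00::/7",
)]  # IPv6 set is an assumption: loopback, link-local, site-local, ULA

def would_trip_rebind_check(answer: str, localhost_ok: bool = False) -> bool:
    """True if a resolver with rebind protection would reject this answer IP."""
    ip = ipaddress.ip_address(answer)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped        # ::ffff:10.0.0.1 is judged as 10.0.0.1
    if localhost_ok and ip.is_loopback:
        return False
    nets = FLAGGED_V4 if ip.version == 4 else FLAGGED_V6
    return any(ip in n for n in nets)

def classify_answers(answers: dict) -> dict:
    """Map each name to the first answer that would be flagged, or None."""
    return {
        name: next((ip for ip in ips if would_trip_rebind_check(ip)), None)
        for name, ips in answers.items()
    }

# Constructed sample answers shaped like the names in the thread. What those
# domains really resolve to is not known from the thread; only the rebindtest
# names are self-describing.
SAMPLE = {
    "net10.rebindtest.com": ["10.0.0.1"],
    "net172.rebindtest.com": ["172.16.0.1"],
    "net192.rebindtest.com": ["192.168.1.1"],
    "sinkholed.example": ["0.0.0.0"],      # what a 0.0.0.0 blocklist answer looks like
    "public.example": ["203.0.113.10"],    # ordinary public answer, allowed
}

if __name__ == "__main__":
    for name, hit in classify_answers(SAMPLE).items():
        print(f"{name}: {'flagged ' + hit if hit else 'allowed'}")
```

Where a name legitimately resolves to a LAN address, dnsmasq's rebind-domain-ok option exempts that domain without switching the protection off for everything else.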

gipjon
16: Advanced member

That's my thoughts: something was running a test for something, but why and from where is the question.

feliz-amp.data.tm-awx.com has something to do with a media company and Amazon. What DNS are you running, Jay?

I'm sure there is a pattern to these.

gipjon
16: Advanced member

Just read this and not sure what to think tbh.


https://mwhubbard.blogspot.com/2018/08/dns-rebinding-attacks.html

Jayach
16: Advanced member

@Cynric wrote:

.@Jayach that awx.com address is in a blacklist on GitHub. It will return 0.0.0.0, I think, assuming that you are blacklisting.


No blocking/blacklisting by me, just the Vodafone THG3000 with DNSs 1.1.1.1 and 8.8.8.8.

The only form of blocking is Adblock Plus in the browser(s).

@gipjon wrote:

feliz-amp.data.tm-awx.com has something to do with a media company and Amazon. What DNS are you running, Jay?


I do have various Echo devices all around the house.

gipjon
16: Advanced member
Just been reviewing the logs.
Every ten minutes, down to the second, for a whole day and a half. Then none for about 14 hours.

11/24/2022 13:13:35 possible DNS-rebind attack detected: dc.rm.skyq.info
11/24/2022 13:03:35 possible DNS-rebind attack detected: dc.rm.skyq.info
11/24/2022 12:53:35 possible DNS-rebind attack detected: dc.rm.skyq.info
11/24/2022 12:43:35 possible DNS-rebind attack detected: dc.rm.skyq.info
11/24/2022 12:33:35 possible DNS-rebind attack detected: dc.rm.skyq.info
11/24/2022 12:23:35 possible DNS-rebind attack detected: dc.rm.skyq.info
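An added example (not code from the thread) that checks the "every ten minutes, down to the second" pattern gipjon describes: it parses the two log layouts posters pasted above, tallies the rebind warnings per domain and reports the typical gap between them. The sample log lines are constructed in the thread's format.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Added example (not code from the thread): tally rebind warnings per domain and
# report how regularly each recurs, so a ten-minute heartbeat stands out from one-offs.
LINE = re.compile(
    r"^\s*(?P<date>\d{2}\.\d{2}\.\d{4}|\d{2}/\d{2}/\d{4})?\s*"
    r"(?P<time>\d{2}:\d{2}:\d{2}).*?"
    r"possible DNS-rebind attack detected:\s*(?P<name>\S+)"
)
# Both date layouts seen in the thread, plus the undated form (parses to 1900-01-01).
DATE_FORMATS = ("%d.%m.%Y %H:%M:%S", "%m/%d/%Y %H:%M:%S", "%H:%M:%S")

def parse_line(line):
    """Return (timestamp, domain) or None when the line is not a rebind warning."""
    m = LINE.match(line)
    if not m:
        return None
    stamp = " ".join(p for p in (m["date"], m["time"]) if p)
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(stamp, fmt), m["name"].lower()
        except ValueError:
            continue
    return None

def summarise(lines):
    """Per domain: warning count and the most common gap (seconds) between hits."""
    seen = defaultdict(list)
    for parsed in filter(None, map(parse_line, lines)):
        seen[parsed[1]].append(parsed[0])
    report = {}
    for name, stamps in sorted(seen.items()):
        stamps.sort()
        gaps = [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
        gap = Counter(gaps).most_common(1)[0][0] if gaps else None
        report[name] = {"count": len(stamps), "typical_gap_s": gap}
    return report

# Constructed sample in the two layouts the thread's posters pasted.
SAMPLE_LOG = """\
11/24/2022 13:13:35 possible DNS-rebind attack detected: dc.rm.skyq.info
11/24/2022 13:03:35 possible DNS-rebind attack detected: dc.rm.skyq.info
11/24/2022 12:53:35 possible DNS-rebind attack detected: dc.rm.skyq.info
27.11.2022 02:28:20 data Warning possible DNS-rebind attack detected: feliz-amp.data.tm-awx.com
27.11.2022 02:28:05 data Warning possible DNS-rebind attack detected: feliz-amp.data.tm-awx.com
27.11.2022 02:28:22 firewall Warning DROP wan in: IN=pppoe-wan OUT= PROTO=TCP
""".splitlines()
```

A steady 600 s gap points at a scheduled lookup from one device (the Sky Q box checking in is the obvious candidate here) rather than anything arriving from outside; unplugging devices one at a time, as suggested earlier in the thread, is the way to confirm which one.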