
THG3000 - Are there any more advanced settings (need to disable DNS rebind protection)

3: Seeker

I got my new Vodafone router yesterday. Seems to be fine, and have managed to set up everything almost as it was before. However, I have an unRaid server at home and I can't connect to it through HTTPS (I get the DNS_PROBE_FINISHED_NXDOMAIN error). I also see some messages in the event log saying "possible DNS-rebind attack detected:".

I believe for this to work properly I need to disable - or at least temporarily disable - DNS rebind protection, however I do not see that option available in the router. Is there a more advanced mode than "Expert Mode" on the router that I can use to access such settings?

7 REPLIES
6: Helper

Error in accessing https web pages is often caused by Vodafone's DNS servers resolving a hostname to the wrong IP address. Try configuring the router to use a public DNS server such as 8.8.8.8.

3: Seeker

Thanks for the suggestion but that unfortunately didn't work. One of the first things I did when I got the new router was to switch the DNS server settings on the router from automatic to the Google DNS servers of 8.8.8.8 and 8.8.4.4.

6: Helper

I think it will help if you give a bit more information about what you are trying to do and your setup, e.g.

  • Are you accessing your server from the LAN or the WAN side?
  • What domain is the SSL certificate for?
  • What IP address does the domain resolve to a) from the LAN, b) from the WAN?
  • Does (b) above match your external IP address?

3: Seeker

Fair point.

- I'm running an unRAID server on my home network for access over the LAN.

- The SSL certificate is for a subdomain of unraid.net (which I believe is randomly generated when it creates the cert; I'm unsure as to exactly how that part works). Effectively it's [large hex string].unraid.net.

- I can nslookup and also look up the host record on the Google DNS lookup service. The public DNS record returns the server's address on my private LAN.

I believe the issue is on the router side somewhere. Here's something interesting I noticed:

- If I set the router to use the Google DNS servers of 8.8.8.8 and 8.8.4.4 for DNS lookups, it doesn't seem to make a difference.

- If I change the IPv4 settings for my ethernet adapter in Windows to the above Google DNS servers, it resolves correctly.

- I don't really consider that to be a "solution" as it doesn't resolve the core issue. It's as if the router is ignoring my DNS settings, or blocking that specific request (maybe due to the rebind error message that shows up, although I've noticed that also shows up when I make a successful attempt if the DNS server is manually set)

6: Helper

OK, now I understand. The problem arises because xxx.unraid.net resolves to a private IP address and the DNS server inside the router does not like it. The easy fix is to tell the DHCP server on the router to set the client-side DNS server to 8.8.8.8. Most routers will let you do that, but not the ones from Vodafone. As I see it you have 2 options:

  • Use a better router that allows you to turn off the rebind protection or set your own DNS server on the LAN side
  • Disable the DHCP server on the Vodafone router and install dnsmasq on a spare Linux box (any Linux box will do, but a Raspberry Pi is ideal as it consumes very little power). Set the DNS server in the dnsmasq configuration to 8.8.8.8.
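
An added illustration, not part of any post in this thread and not Vodafone's or dnsmasq's code: a minimal model of the DNS rebind check discussed above, showing why a public name that resolves to a private LAN address is dropped, and how a per-domain exception (the approach dnsmasq exposes as `rebind-domain-ok`) is narrower than turning the protection off. The router's real logic is not documented here; the address ranges, function names and sample records are assumptions.

```python
import ipaddress

# IPv4 ranges a rebind filter treats as internal (RFC 1918, loopback, link-local).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in INTERNAL_NETS)

def domain_allowed(qname, allowlist):
    """True if qname equals an allowlisted domain or is a subdomain of it."""
    name = qname.rstrip(".").lower()
    for entry in allowlist:
        suffix = entry.strip(".").lower()
        if name == suffix or name.endswith("." + suffix):
            return True
    return False

def filter_answer(qname, answers, allowlist=()):
    """Return (verdict, addresses handed to the client)."""
    if not any(is_internal(a) for a in answers):
        return "pass", list(answers)
    if domain_allowed(qname, allowlist):
        return "pass-allowlisted", list(answers)
    # The client gets no usable answer, so the lookup appears to fail.
    return "blocked-rebind", []

# Constructed sample upstream answers (names and addresses are placeholders).
SAMPLES = [
    ("www.example.com", ["93.184.216.34"]),
    ("examplehash.unraid.net", ["192.168.1.10"]),
    ("notunraid.net", ["192.168.1.10"]),
]

def run_samples(allowlist=()):
    return [filter_answer(q, a, allowlist)[0] for q, a in SAMPLES]

if __name__ == "__main__":
    print("no allowlist:   ", run_samples())
    print("unraid.net only:", run_samples(["unraid.net"]))
```

The third sample shows that the exception is matched on a label boundary, so a lookalike name ending in the same characters is still filtered.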
3: Seeker

Thanks for the response, those are certainly doable workarounds but as this is the Vodafone forum I was hoping to highlight the issue to Vodafone in the hopes that they may consider this issue in a future firmware release. This issue didn't occur on the previous Vodafone hub.

As an aside I actually used to use my own separate router and modem (Netgear R6400 router and DM200 modem), however I had a couple of issues with my connection while using them. Obviously when contacting VF for support they requested I plug in their router so they could see what the issue was, and I noticed I never experienced a single issue while using their equipment, hence why I'm still using the VF supplied gear - as far as my connection goes, it seems much more stable. Presumably the issue was on the modem side and would be fine with just my own router, but I don't think you can set the VF router to modem only mode (which is incredibly annoying).

3: Seeker

I have the same issues ... that's a deal breaker for me ... things were working excellently with my earlier provider. If they can't provide a firmware update in a few weeks, I am out unfortunately.