Tue Jul 06, 2021 3:37 pm
#1857133
There may be a less harmful explanation.
Firstly, to explain DNS rebind attacks: these are a technique to bypass the cross-domain scripting restrictions in web browsers.
For example, normally a script running under the domain example.com cannot access resources hosted under any other domain than example.com. This is a security feature of web browsers to limit the ability of a malicious script on a web page accessing unintended data/resources.
In a DNS rebind attack the DNS will initially resolve to the IP address of an internet webserver, where it loads its dodgy script from.
However, the TTL (how long the IP address is cached for) is set to a very short period, and when it is re-queried it returns a different non-routable LAN IP address.
This bypasses the cross-site scripting protections and the browser will let it make queries to the internal LAN device.
A common trick is to target common router IP addresses (e.g. 192.168.0.1) where the attack will often attempt to change the DNS servers of the router to give more control.
Back to the specific example here....
It looks like the router in question is using dnsmasq as its DNS server.
To protect against DNS rebind attacks, dnsmasq does not resolve any non-routable IP addresses, and logs the error shown.
However, non-routable IP addresses can arise in a number of legitimate scenarios:
- Ad blocking DNS servers tend to return an IP address of 0.0.0.0 for blocked domains
- Some ad serving tools set the DNS of expired sub-domains to 0.0.0.0 to stop expired code generating hits on their infrastructure
This could be as simple as a tracking pixel for a client that's expired, or the result of upstream DNS ad blocking.
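To make the mechanism in the post above concrete, here is an added simulation (my own example code, not part of the original post and not dnsmasq's code). It models a short-TTL rebind: an attacker-controlled upstream answers with a public address first and the router's LAN address on the re-query, while a toy caching resolver on the router either passes the answer through or, with a stop-rebind filter enabled, refuses and logs it. It also shows the false-positive case from the post, an ad-blocking upstream that returns 0.0.0.0. The domain names, addresses and answer sequence are constructed test data; the list of ranges the filter rejects (RFC 1918, loopback, link-local and 0.0.0.0/8) is my assumption of what dnsmasq's `--stop-dns-rebind` uses, and the allow-list mirrors the idea of its `--rebind-domain-ok` option, so check the dnsmasq man page for the exact behaviour of your version.

```python
import ipaddress

# Ranges the rebind filter refuses from an upstream resolver. ASSUMPTION: this
# is the set dnsmasq's --stop-dns-rebind rejects; verify against its man page.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]


def is_non_routable(ip: str) -> bool:
    """True if the address is in one of the ranges a rebind filter refuses."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NON_ROUTABLE)


class ScriptedUpstream:
    """Attacker-controlled authoritative server (constructed, not a real DNS
    exchange). Answers are returned in order as (ip, ttl_seconds); the last
    answer repeats once the script is exhausted."""

    def __init__(self, answers):
        self.answers = list(answers)
        self.queries = 0

    def query(self, name):
        ip, ttl = self.answers[min(self.queries, len(self.answers) - 1)]
        self.queries += 1
        return ip, ttl


class StubResolver:
    """Toy model of the router's caching resolver. With stop_rebind=True it
    refuses non-routable upstream answers (unless the name is allow-listed,
    like dnsmasq's --rebind-domain-ok) and records a log line modelled on
    dnsmasq's 'possible DNS-rebind attack detected' message."""

    def __init__(self, upstream, stop_rebind=False, rebind_domain_ok=()):
        self.upstream = upstream
        self.stop_rebind = stop_rebind
        self.rebind_domain_ok = set(rebind_domain_ok)
        self.cache = {}   # name -> (ip, expiry time)
        self.log = []

    def resolve(self, name, now):
        cached = self.cache.get(name)
        if cached and cached[1] > now:
            return cached[0]          # still within TTL: no upstream query
        ip, ttl = self.upstream.query(name)
        if self.stop_rebind and is_non_routable(ip) and name not in self.rebind_domain_ok:
            self.log.append(f"possible DNS-rebind attack detected: {name}")
            return None               # answer refused, nothing cached
        self.cache[name] = (ip, now + ttl)
        return ip


def browser_connections(resolver, name, times):
    """Which IP a script on the page would connect to at each point in time."""
    return [resolver.resolve(name, t) for t in times]


# Constructed rebind sequence: a public address with a 1-second TTL, then the
# victim's router address once the browser has to re-query.
ATTACKER_NAME = "rebind.attacker.example"          # hypothetical domain
REBIND_ANSWERS = [("203.0.113.10", 1), ("192.168.0.1", 1)]


def rebind_demo(stop_rebind):
    """Returns (ips the browser connects to at t=0, 0.5, 2, 3; resolver log)."""
    resolver = StubResolver(ScriptedUpstream(REBIND_ANSWERS), stop_rebind=stop_rebind)
    return browser_connections(resolver, ATTACKER_NAME, [0, 0.5, 2, 3]), resolver.log


def adblock_demo():
    """The benign case from the post: an ad-blocking upstream answers 0.0.0.0
    for a blocked domain, and the rebind filter still refuses and logs it."""
    resolver = StubResolver(ScriptedUpstream([("0.0.0.0", 300)]), stop_rebind=True)
    return resolver.resolve("ads.example", 0), resolver.log   # hypothetical domain


def allowlist_demo():
    """A LAN name that legitimately resolves to a private address passes the
    filter when it is allow-listed."""
    resolver = StubResolver(ScriptedUpstream([("192.168.0.50", 300)]),
                            stop_rebind=True, rebind_domain_ok={"printer.lan"})
    return resolver.resolve("printer.lan", 0), resolver.log


if __name__ == "__main__":
    print("no filter:  ", rebind_demo(stop_rebind=False))
    print("with filter:", rebind_demo(stop_rebind=True))
    print("ad-block:   ", adblock_demo())
    print("allow-list: ", allowlist_demo())
```

Without the filter the page's script first talks to 203.0.113.10 and, once the 1-second TTL expires, to 192.168.0.1 under the same name, which is exactly the origin-check bypass the post describes. With the filter the second answer is never handed to the browser, but the same logic also fires on the ad-blocker's 0.0.0.0, which is why the log line alone does not prove an attack.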