On Mon, Jan 16, 2023 at 19:41, Scott Howard wrote:

The term you're looking for to plug into Google is "DNS rebind protection", and it's common across a lot of consumer routers.

Sounds like a fun phrase to describe a terrible idea! Joe

...

On Mon, Jan 16, 2023 at 20:25, Scott Howard wrote:

It's actually a pretty important security feature.

Well, I agree that there's a security problem; browsers' security models shouldn't allow client-side scripts to connect out to random other places, RFC1918-numbered or otherwise, and even if they do the internal devices shouldn't be vulnerable to default-credential attacks. However, fixing problems like those in the DNS seems ludicrous. We are creating a class of edge devices constrained by hardware vendors and (in places where they supply the hardware) carriers. This was the model we replaced with the Internet. We shouldn't be in the business of reinventing it. Joe

Can corroborate, DNSmasq as found in many firmwares has a 'stop-dns-rebind' option. It is on by default AFAIK. Disable security features at your own risk etc etc -Stuart On 18/01/23 11:30, Simon Lyall wrote:

Thank you to Scott (and others who replied offlist).

This problem is occuring with people running VPNs on work laptops at home. I am wondering if perhaps the immediate cause of the problem for us is we are not correctly pushing out DNS settings so the local one is being used.

On Mon, 16 Jan 2023, Scott Howard wrote:

...

The term you're looking for to plug into Google is "DNS rebind protection", and it's common across a lot of consumer routers. This thread is a few years old, but seems to imply it can't be disabled on these modems. https://www.geekzone.co.nz/forums.asp?forumid=39&topicid=265543

  Scott

On Mon, Jan 16, 2023 at 2:44 PM Simon Lyall wrote:

      We are getting reports from a couple of people that some Skinny       Modems are       getting confused with some DNS records. It appears that if the       IP returned       from the lookup is a RFC 1918 one they won't return the result       to the       client.

      One modem in question has:

      Skinny Smart Modem VRV9517UWAC34-A-SP

      on it and I think VRV9517 is the model name.

      This appears to be a fairly recent problem, showing up since       people came       back from break. Not ruling out some other cause but direct       testing of       queries is doing the above. Possibly a recent software upgrade       or       "security" setting.

      Direct queries against the DNS servers themselves seem okay, it       only       breaks when you use the modem as the DNS server.

      Not confirmed for all of RFC1918 space, but definitly       192.168.1.x

      Anyone seen similar or know of a fix? (for now we are getting       people to       use 1.1.1.1 or similar for DNS).

      --       Simon Lyall  |  Very Busy  |  Web: http://www.simonlyall.com/       "To stay awake all night adds a day to your life" - Stilgar

      _______________________________________________       NZNOG mailing list -- nznog(a)list.waikato.ac.nz       To unsubscribe send an email to nznog-leave(a)list.waikato.ac.nz

_______________________________________________ NZNOG mailing list --nznog(a)list.waikato.ac.nz To unsubscribe send an email tonznog-leave(a)list.waikato.ac.nz