NOTE: I no longer use DD-WRT and am unable to answer any questions about it.
DNS rebinding is an attack in which a hostile domain name is made to resolve to an address inside your private network, so that a web page in your browser can reach devices on the LAN. The DNS service (dnsmasq) built into DD-WRT has protection against this (the stop-dns-rebind option, which rejects upstream answers that fall in private address ranges), and it is turned ON by default. You might need to disable it if you use Netflix on any iOS devices, due to the way Netflix is implemented (if you can’t stream from an iOS device you probably need this turned off). Turning it off removes the protection for every device that uses the router for DNS.
Since the current build (v24-sp2-14896) of DD-WRT for the ASUS RT-N16 router does not have the option to toggle DNS rebind protection on and off, and it can’t be set as a parameter, a post-boot fix is required. This is a how-to for setting up a small script that makes the required changes. It is executed after the router boots. You must have previously enabled JFFS for this to work.
- Log in to the router as the administrator via ssh (command line, not the web interface).
- Change directory to the bin directory under /jffs (create it if it's not there):
cd /jffs/bin
- Use vi to create the script (vi boot_set.sh), or you can create it elsewhere and scp or ftp it up to the router. Just make sure it's in the /jffs directory tree. Contents should be:
#!/bin/sh
# Fix DNS Rebind
# Make a copy of the booted configuration
cp /tmp/dnsmasq.conf /tmp/dnsmasq.orig
# Copy the contents of the booted configuration to a new file
# but excluding the stop-dns-rebind line
cat /tmp/dnsmasq.conf | sed -e '/stop-dns-rebind/d' > /tmp/dnsmasq.norebind
# Kill off the dnsmasq service
killall -9 dnsmasq
# Wait 1 second
sleep 1
# Move the new configuration file over the booted one
mv /tmp/dnsmasq.norebind /tmp/dnsmasq.conf
# Restart the dns service (dnsmasq) and tell it where
# the configuration file is
dnsmasq --conf-file=/tmp/dnsmasq.conf
- Mark the file as executable
chmod 755 boot_set.sh
- Log out of the command line with ‘exit’.
- Now log in to the web interface of the router.
- Select ‘Administration > Commands’ from the menu tabs.
- In the commands field of the “Command Shell” section (at the top) enter (assuming you put it in /jffs/bin):
/jffs/bin/boot_set.sh
- Click the “Save Startup” button.
- Select ‘Administration > Management’ from the menu tabs.
- Scroll to the bottom of the page.
- Click the “Reboot Router” button.
After the reboot, DNS rebind protection should be disabled!
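A narrower alternative to deleting stop-dns-rebind, as an added example that is not part of the original post: keep the protection and exempt only the domains that need private-range answers, using dnsmasq's rebind-domain-ok option. It assumes the router's dnsmasq build supports that option; example.com is a placeholder because the post does not name the affected domains, and the function names and the /tmp/dnsmasq.new path are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Keeps stop-dns-rebind active
# and exempts named domains with dnsmasq's rebind-domain-ok option.
# Assumption: the dnsmasq and busybox grep on the router support the
# options used here.

# rebind_protection_on CONF
# Succeeds if CONF contains an active stop-dns-rebind line.
rebind_protection_on() {
    grep -q '^[[:space:]]*stop-dns-rebind[[:space:]]*$' "$1"
}

# allow_rebind_domains SRC DST DOMAIN...
# Copies SRC to DST, makes sure stop-dns-rebind is present, and appends one
# rebind-domain-ok line per DOMAIN. Invalid names and duplicates are skipped.
allow_rebind_domains() {
    src=$1; dst=$2; shift 2
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    cp "$src" "$dst" || return 1
    rebind_protection_on "$dst" || echo 'stop-dns-rebind' >> "$dst"
    for d in "$@"; do
        case $d in
            # Only hostname characters may reach the config file
            ''|*[!A-Za-z0-9.-]*)
                echo "skipping invalid domain: $d" >&2
                continue ;;
        esac
        line="rebind-domain-ok=/$d/"
        grep -qxF "$line" "$dst" || echo "$line" >> "$dst"
    done
}

# Router-side use: run this file with --apply from the startup command.
# example.com is a placeholder for the domain(s) that must be exempted.
if [ "${1:-}" = "--apply" ]; then
    allow_rebind_domains /tmp/dnsmasq.conf /tmp/dnsmasq.new example.com || exit 1
    killall -9 dnsmasq
    sleep 1
    mv /tmp/dnsmasq.new /tmp/dnsmasq.conf
    dnsmasq --conf-file=/tmp/dnsmasq.conf
fi
```

With this variant every other domain is still subject to rebind filtering, so only the listed names can return private addresses to clients.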
Thanks. This fixed an issue I was having with my Fitbit Aria and DNSMASQ. I was able to narrow down it was DNSMASQ on my DD-WRT after changing DHCP servers (which changed dns servers) and it worked, and fiddling with the settings but couldn’t figure out what it didn’t like about dnsmasq. A fortunate Google search for fitbit + dnsmasq hit your site talking about DNS Rebind! So it breaks Netflix according to you but also breaks Fitbit scales. Nice.
Thanks! Glad it helped. That’s good information about the scale. I have a Withings scale (basically the same thing as the Aria) but had not run into the issue with it, presumably because I already had the rebind fix in place. For clarification, it breaks Netflix on iOS specifically.