How Microsoft Windows is flooding the dnsmasq log

[vpx]

You may know the Network Connectivity Status Indicator (NCSI) in Windows which checks if you're connected to the Internet (shows a globe with prohibition sign when not connected).

It's all described here: https://learn.microsoft.com/en-us/windows-server/networking/ncsi/ncsi-frequently-asked-questions

Well, one of the active probes is a DNS query to "dns.msftncsi.com". Strangely the IPv6 address the DNS server resolves to is the unique local address (ULA) fd3e:4f5a:5b81::1, the equivalent of a private address in IPv4.

And that leads dnsmasq to log this DNS query as a rebind attack:

Code: [Select]

2023-07-21T08:10:00 Warning dnsmasq possible DNS-rebind attack detected: dns.msftncsi.com
Thanks to dave14305 at the OpenWRT forums for pointing that out: https://forum.openwrt.org/t/dns-rebind-attacks/150585/3

The funny thing is that in the Whois lookup of this address it states:

"remarks: This network should never be routed outside an enterprise"

https://findipv6.com/ipv6-whois/fd3e:4f5a:5b81::1

Microsoft is definitely an enterprise and the address is used outside of it.

So I created a group policy in the Windows domain to disable the active probing of NCSI. This reduced the amount of log entries but there are still PCs that are not in the domain.

https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetCommunicationManagement::NoActiveProbe

As there is no possibility to add a domain exception via the GUI I also created a feature request.

[Maurice]

Do you have a specific need for using dnsmasq? Afaik that's only still included in OPNsense for historical reasons. Unbound has been the default resolver for many years and does have the feature you're looking for (and many others).

Cheers
Maurice

[vpx]

I just need a simple forwarder.

I saw the option "Enable Forwarding Mode" for Unbound in older posts but I can't find it in the Unbound settings.

Was it removed or is it only visible if Unbound is enabled?

Anyway I think I'm gonna replace dnsmasq with os-dnscrypt-proxy as dnsmasq does not support any encryption and I have the feeling dnsmasq is planned to be removed.

[Maurice]

You can configure forwarding in Services: Unbound DNS: Query Forwarding. Or if you want to encrypt upstream requests, Services: Unbound DNS: DNS over TLS.

[vpx]

But if you check "Use System Nameservers" in Services->Unbound DNS->DNS over TLS it states "DNS over TLS will never be used for any query bound for a system nameserver." I want to forward everything except domain overrides. Unbound doesn't seem to support general encrypted forwarding, at least not via the GUI.

I'm curious if Unbound also logs the "dns.msftncsi.com" domain as a rebind attack, can anybody check this with a DNS lookup on a client?

[Maurice]

The "Use System Nameservers" setting only uses plain DNS, not DoT. This checkbox showing up on the DNS over TLS page is indeed misleading, it should be only on the Query Forwarding page imho.

For "general encrypted forwarding", go to DNS over TLS and add custom forwarding to the desired server(s). Don't enter a domain, thus it will become a "catch all" rule. Domain overrides still work.

I would expect Unbound to detect this as a rebinding attack, too (because it essentially is). But you can add exceptions.