Topic: How Microsoft Windows is flooding the dnsmasq log (Read 2136 times)
vpx
Jr. Member
Posts: 87
Karma: 6
How Microsoft Windows is flooding the dnsmasq log
« on: July 21, 2023, 08:48:25 am »
You may know the Network Connectivity Status Indicator (NCSI) in Windows which checks if you're connected to the Internet (shows a globe with prohibition sign when not connected).
It's all described here:
https://learn.microsoft.com/en-us/windows-server/networking/ncsi/ncsi-frequently-asked-questions
Well, one of the active probes is a DNS query for "dns.msftncsi.com". Strangely, the IPv6 address this name resolves to is the unique local address (ULA) fd3e:4f5a:5b81::1, the equivalent of a private address in IPv4.
And that leads dnsmasq to log this DNS query as a rebind attack:
Code:
    2023-07-21T08:10:00 Warning dnsmasq possible DNS-rebind attack detected: dns.msftncsi.com
Thanks to dave14305 at the OpenWRT forums for pointing that out:
https://forum.openwrt.org/t/dns-rebind-attacks/150585/3
The funny thing is that the Whois lookup of this address states:
"remarks: This network should never be routed outside an enterprise"
https://findipv6.com/ipv6-whois/fd3e:4f5a:5b81::1
Microsoft is definitely an enterprise and the address is used outside of it.
So I created a group policy in the Windows domain to disable the active probing of NCSI. This reduced the number of log entries, but there are still PCs that are not in the domain.
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetCommunicationManagement::NoActiveProbe
As there is no possibility to add a domain exception via the GUI, I also created a feature request.
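To see which names are actually behind a flood of these warnings before deciding on an exception, the log can be triaged with a small script. The following is an added example, not code from the forum post or from OPNsense/dnsmasq: it counts dnsmasq "possible DNS-rebind attack detected" warnings per domain from constructed sample log lines (same one-line format as the entry above), re-implements an approximation of the private-range test that dnsmasq's stop-dns-rebind applies to answers (the exact range list is an assumption here), and renders allow-list lines using dnsmasq's real rebind-domain-ok option. The sample log content and the intranet.example.test name are constructed.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample log lines: one line per entry, as exported from the log view.
SAMPLE_LOG = """\
2023-07-21T08:10:00 Warning dnsmasq possible DNS-rebind attack detected: dns.msftncsi.com
2023-07-21T08:10:05 Warning dnsmasq possible DNS-rebind attack detected: dns.msftncsi.com
2023-07-21T08:11:12 Notice dnsmasq query[A] example.com from 192.0.2.10
2023-07-21T08:12:40 Warning dnsmasq possible DNS-rebind attack detected: intranet.example.test
"""

REBIND_RE = re.compile(r"possible DNS-rebind attack detected: (\S+)")

# Approximation (assumption) of the ranges dnsmasq treats as "private" when
# stop-dns-rebind is active: RFC 1918, loopback, link-local, ULA (fc00::/7).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "fe80::/10", "::1/128",
)]


def count_rebind_warnings(log_text):
    """Return a Counter of rebind warnings keyed by the queried domain."""
    counts = Counter()
    for line in log_text.splitlines():
        m = REBIND_RE.search(line)
        if m:
            # Normalise a trailing dot so "host." and "host" count together.
            counts[m.group(1).rstrip(".").lower()] += 1
    return counts


def is_rebind_answer(address):
    """True if a resolved address falls in a range a rebind filter would block.

    A membership test against a network of the other IP version is False,
    so IPv4 and IPv6 networks can live in the same list.
    """
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in PRIVATE_NETS)


def dnsmasq_allowlist_lines(domains):
    """Render dnsmasq config lines exempting the given domains from the check."""
    return [f"rebind-domain-ok=/{d}/" for d in sorted(domains)]


if __name__ == "__main__":
    counts = count_rebind_warnings(SAMPLE_LOG)
    for domain, n in counts.most_common():
        print(f"{n:5d}  {domain}")
    # The NCSI probe answer from the post is indeed inside a ULA range.
    print("fd3e:4f5a:5b81::1 would be flagged:", is_rebind_answer("fd3e:4f5a:5b81::1"))
    # Only exempt names you have verified; here, the known NCSI probe name.
    print("\n".join(dnsmasq_allowlist_lines(["dns.msftncsi.com"])))
```

Run it against a real export by replacing SAMPLE_LOG with the file contents. Unbound (which the thread goes on to recommend) has its own equivalent exception, the private-domain option, so the same triage output can be used to decide exceptions there as well.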
Maurice
Hero Member
Posts: 1213
Karma: 158
Re: How Microsoft Windows is flooding the dnsmasq log
« Reply #1 on: July 21, 2023, 10:39:43 am »
Do you have a specific need for using dnsmasq? Afaik it's only still included in OPNsense for historical reasons. Unbound has been the default resolver for many years and does have the feature you're looking for (and many others).
Cheers
Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository
Commercial support & engineering available. PM for details (en / de).
vpx
Jr. Member
Posts: 87
Karma: 6
Re: How Microsoft Windows is flooding the dnsmasq log
« Reply #2 on: July 21, 2023, 11:15:26 am »
I just need a simple forwarder.
I saw the option "Enable Forwarding Mode" for Unbound in older posts but I can't find it in the Unbound settings.
Was it removed or is it only visible if Unbound is enabled?
Anyway, I think I'm gonna replace dnsmasq with os-dnscrypt-proxy, as dnsmasq does not support any encryption and I have the feeling dnsmasq is planned to be removed.
Maurice
Hero Member
Posts: 1213
Karma: 158
Re: How Microsoft Windows is flooding the dnsmasq log
« Reply #3 on: July 21, 2023, 11:23:11 am »
You can configure forwarding in Services: Unbound DNS: Query Forwarding. Or if you want to encrypt upstream requests, Services: Unbound DNS: DNS over TLS.
vpx
Jr. Member
Posts: 87
Karma: 6
Re: How Microsoft Windows is flooding the dnsmasq log
« Reply #4 on: July 21, 2023, 12:45:25 pm »
But if you check "Use System Nameservers" in Services->Unbound DNS->DNS over TLS, it states "DNS over TLS will never be used for any query bound for a system nameserver." I want to forward everything except domain overrides. Unbound doesn't seem to support general encrypted forwarding, at least not via the GUI.
I'm curious whether Unbound also logs the "dns.msftncsi.com" domain as a rebind attack. Can anybody check this with a DNS lookup on a client?
Maurice
Hero Member
Posts: 1213
Karma: 158
Re: How Microsoft Windows is flooding the dnsmasq log
« Reply #5 on: July 21, 2023, 01:05:36 pm »
The "Use System Nameservers" setting only uses plain DNS, not DoT. This checkbox showing up on the DNS over TLS page is indeed misleading; it should be only on the Query Forwarding page imho.
For "general encrypted forwarding", go to DNS over TLS and add custom forwarding to the desired server(s). Don't enter a domain, so it becomes a "catch all" rule. Domain overrides still work.
I would expect Unbound to detect this as a rebinding attack, too (because it essentially is). But you can add exceptions.
« Last Edit: July 21, 2023, 01:22:02 pm by Maurice »