DNSBinding question [SOLVED]



  • Firstly thanks to Monocle Cam team for getting the gateway working so well.

    After a bit of tinkering and trial and error I discovered that the final issue I was having was my router was set to disable DNSBinding.

    I have been able to disable this function on my router but I appreciate that this is now disabled system wide which probably isn’t ideal as I assume it could cause a security issue.

    The walkthrough mentions it is possible to make an exception for my mproxy.io entry and I was wondering if anyone is able to give me some pointers on how I might do that in DDWRT.

    I appreciate there are lots of routers and OS’s out there but I am hoping that with DDWRT being such a wide reaching OS, there might be a simple way to do so.

    Thanks in advance



  • @Jouster-74 said in DNSBinding question:

    DDWRT

    Sorry, I don’t know specifically how to configure this for DDWRT, only PFSense.

    However, I found this forum post elsewhere: (https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1064711)

    Don’t disable “No DNS Rebind”. That’s taking a sledgehammer to a problem that can be corrected w/ a scalpel. This feature is designed to protect you against known DNS vulnerabilities. Instead, be selective by using the rebind-domain-ok directive in Additional DNSMasq Options.

    Code:
    rebind-domain-ok=private.morestina.net

    If you have more than one domain, use the same directive and separate them w/ forward slashes.

    Code:
    rebind-domain-ok=/private.morestina.net/someother.domain.com/

    So it looks like you could use the optional config in Additional DNSMasq Options of
    rebind-domain-ok=/mproxy.io/
    or
    rebind-domain-ok=/xxxxxxxx.mproxy.io/
    (where “xxxxxxxx” is your custom FQDN, which you can find in the startup log of your monocle gateway.)

    This is very similar to PFSense; I believe it also uses DNSMasq under the hood. This is exactly what I do on my PFSense router to limit the DNS Rebinding to only allow specific domains through.
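
The difference in scope between the two suggested exceptions can be checked offline with a small model of the rule. This is an added example, not part of the original posts and not dnsmasq's own code; it assumes the router's "No DNS Rebind" setting corresponds to dnsmasq's stop-dns-rebind option, approximates the private ranges, and uses constructed hostnames and addresses.

```python
import ipaddress

# Approximation of the ranges stop-dns-rebind treats as private (assumption:
# RFC 1918, loopback and link-local; the authoritative list is in dnsmasq itself).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "169.254.0.0/16")]

def parse_options(text):
    """Return (rebind_protection_on, [exempt domains]) from dnsmasq option lines."""
    protect, exempt = False, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if line == "stop-dns-rebind":
            protect = True
        elif line.startswith("rebind-domain-ok="):
            value = line.split("=", 1)[1]
            # Accepts both forms from the post: "domain" and "/dom1/dom2/".
            exempt += [d.lower().strip(".") for d in value.split("/") if d]
    return protect, exempt

def is_exempt(name, exempt):
    """Match on label boundaries: the listed domain itself or any subdomain."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in exempt)

def verdict(name, answer_ip, options_text):
    """Return 'allow' or 'block' for an upstream answer under the given options."""
    protect, exempt = parse_options(options_text)
    addr = ipaddress.ip_address(answer_ip)
    private = any(addr in net for net in PRIVATE_NETS)
    if protect and private and not is_exempt(name, exempt):
        return "block"
    return "allow"

# Constructed samples: the two exceptions suggested in the post above.
BROAD = "stop-dns-rebind\nrebind-domain-ok=/mproxy.io/"
NARROW = "stop-dns-rebind\nrebind-domain-ok=/xxxxxxxx.mproxy.io/"

if __name__ == "__main__":
    for label, opts in (("broad", BROAD), ("narrow", NARROW)):
        for host in ("xxxxxxxx.mproxy.io", "other.mproxy.io", "unrelated.example"):
            # 192.168.1.50 is a made-up LAN address standing in for the gateway.
            print(label, host, verdict(host, "192.168.1.50", opts))
```

With the narrow entry only the one gateway name may resolve to a LAN address; the broad entry exempts every name under mproxy.io.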



  • I’ll give this a try tomorrow and report back.

    Many thanks for reaching out and suggesting a workaround. It’s exactly what I needed, so thanks.

    Also thanks for resolving the SSL issue.

    Is there a Twitter account or email we can make aware of issues such as this?



  • @Jouster-74

    You can PM me on this forum and that will send an email directly to me.

    Thanks, Robert



  • This appears to have worked…at least I can ping my camera and I get back the name and IP address of the rPI running the gateway…and I’ve re-enabled the NO DNS REBIND option in the DDWRT settings.

    Thanks a lot for your assistance in this

    I



  • @Jouster-74

    Glad to hear it’s working now! Thanks, Robert

