54k blocked DNS rebinds with AP mini and NextDNS

I had enabled DNS rebind protection in NextDNS and noticed the AP mini getting blocked in the logs with over 6k rebinds

The AP is managed by my Balance 20x controller

I disabled dns rebind protection for now but wondering if there is something I need to do in my setup.

Are you running the AP in router mode? If so, it could be a device on the other side of the NAT translation.

Nope, joined in bridge mode (without LAN IP address)… not sure what the diff is between that mode and “bridge mode”


One thing I noticed is even though it states it's managed by AP controller, I can't get the web admin port to use my custom one:


And disabling WAN connection access isn't working either on the AP itself… not sure if this is a bug or I'm not doing something right.

Running latest firmware on both the B20x (8.1.0 b4938) and AP Mini (HW2 v3.7.2 b1029)

Anyone have any further comment? I had my ap mini offline for a few days and finally re-installed it permanently.

Since then, it's been firing DNS rebinding requests that are blocked by NextDNS.

Trying to understand why, and whether having them blocked is potentially hindering the AP mini functionality.

In 4 days it had close to 50k DNS rebind requests blocked.

Cause for concern?

Do you have a lot of mobile devices (Apple mainly) on this network? I have seen these devices do all kinds of weird stuff at the network layer (mainly to save battery life). One side effect is multiple dhcp requests (and possibly the dns registrations).

Do you recognize those host names?

I do have many iOS devices, yes. But NextDNS is telling me these 54k+ DNS rebind requests are coming from my AP ONE Mini!

I have the first hardware revision AC AP One Minis at my house, so I don't have the "Bridge mode without IP address". It does seem odd that if you never configure the DNS server address on the AP, how would it even know where to send DNS queries to?

As far as your remote management from WAN, make sure you make the appropriate firewall rules to allow connections to your custom port. If you are using NAT, you would also need to supply the appropriate port forwarders on each WAN connection.

I can’t tell from the screenshots if those are settings on the AP or on the Balance 20, I personally don’t use the AP controller since I only have three APs and they are rotisserie style (set it and forget it). I don’t think the remote management custom port is tied in with the AP Controller functions. I am pretty sure that the AP makes calls outbound to the controller, where the remote management is all going to be inbound traffic (to the AP)

Peplink staff, does the AP mini make this many outbound DNS registrations under any scenario that you know of? I did a packet capture on my LAN for any traffic from my APs and all I saw were dns queries for InControl addresses (which is odd because they shouldn’t be trying to talk with InControl - they are all locally managed)

Sorry those screenshots are from the AP One Mini.

I tried disabling access from wan on the AP mini but it never saves! Maybe because I have it tied to the B20x AP controller. (That screen on the AP does say config managed by controller)

I'm not sure what "Bridge Mode without LAN IP address" means compared to "Bridge Mode". In any case I set a static IP for my APs in the B20x.

I still have another AP mini to setup this weekend.

Are those DNS entries (1414599294.localhost, 905923484.localhost, etc) names that you recognize? At first I thought maybe they were sip addresses, but they have a seemingly random number of digits.

Did you ever at any point in time have apple airports? How about Apple TVs? I only ask because they “lend” mac addresses to other devices when they go to sleep. The apple TV and/or apple airport will “steal” the mac address and then handle any network traffic destined to that device (the one that is sleeping). If the device needs to actually respond - the airport or AppleTV will send a magic packet and wake it up, then release the mac address back to the device. I am about 75% sure apple watches do similar stuff. If you converted an airport SSID over to the AP mini – the apple devices still think they can hand off their mac address to the AP. No telling what the peplink gear is doing with that kind of scenario.

I am really hoping a Peplink Engineer jumps in soon, I am running out of ideas. You might try to do a packet capture and try to track it back from the DNS server. From what I have read online, DNS rebinding protection is there to prevent DNS servers on the internet from returning 127.0.0.1 as a response to clients. I don't know that the protection is necessary when on a private LAN with NAT at the internet gateway DNS.

Sorry I can’t be more helpful, but I am very curious as to what is causing this behavior.
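To make the rebind-protection logic discussed in this thread concrete, here is an added example (not code from NextDNS, Peplink or any poster) of the filter a resolver applies and how its verdicts roll up per client. It assumes, as constructed input, that the random-label `.localhost` lookups seen in the logs answered with loopback, which is what such names resolve to; the device names, the `home.arpa` allowlist entry and the blocked address list are constructed for the example.

```python
import ipaddress
from collections import Counter

# Ranges a rebind filter refuses to hand to LAN clients when the answer comes
# from an upstream resolver (constructed for this example; NextDNS's own policy
# may differ).
REBIND_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

def is_rebind_address(address: str) -> bool:
    """True if an A/AAAA answer points into loopback, link-local or private space."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in REBIND_NETWORKS)

def filter_answers(qname: str, answers, allowlist=()) -> dict:
    """Apply rebind protection to one response; allowlisted names pass untouched."""
    qname = qname.rstrip(".").lower()
    if qname in {a.rstrip(".").lower() for a in allowlist}:
        return {"qname": qname, "kept": list(answers), "blocked": [], "action": "PASS"}
    kept = [a for a in answers if not is_rebind_address(a)]
    blocked = [a for a in answers if is_rebind_address(a)]
    # A response is reported as BLOCK only when nothing usable survives.
    action = "BLOCK" if blocked and not kept else "PASS"
    return {"qname": qname, "kept": kept, "blocked": blocked, "action": action}

def blocked_per_client(records) -> Counter:
    """Tally BLOCK verdicts by source device, the view a resolver dashboard shows."""
    tally = Counter()
    for client, qname, answers in records:
        if filter_answers(qname, answers)["action"] == "BLOCK":
            tally[client] += 1
    return tally

# Constructed sample: random-label .localhost lookups (which resolve to loopback)
# as a DNS health check would issue them, next to ordinary queries from a phone.
SAMPLE_RECORDS = [
    ("ap-one-mini", "1414599294.localhost", ["127.0.0.1"]),
    ("ap-one-mini", "905923484.localhost", ["127.0.0.1"]),
    ("ap-one-mini", "dns.google", ["8.8.8.8", "8.8.4.4"]),
    ("iphone", "example.com", ["93.184.216.34"]),
]

if __name__ == "__main__":
    print(blocked_per_client(SAMPLE_RECORDS))  # Counter({'ap-one-mini': 2})
```

A health check that probes a public address such as 8.8.8.8 never trips the filter, while a lookup whose only answer is loopback is counted against whichever device the resolver sees as the source.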

May I know the WAN health check settings for the AP? Using DNS? Possible to change that and check again?

Sounds like a bug to me. Can you please open a ticket and allow the support team to follow up on this.

Confirmed it’s a bug explained by TK :grinning:

Thanks … that bug was relating to the password field being truncated in the AP controller to 32 chars without warning.

This screen on the AP mini however, no matter what I do, I can’t disable the WAN connection. It doesn’t save. Is that because it is controlled by the AP controller in the B20x?

If these settings are ignored due to AP controller control then it's fine, but I don't believe the AP controller profile settings in the B20x have an option for WAN connection admin, only LAN admin.

> May I know the WAN health check settings for the AP? Using DNS? Possible to change that and check again?

WAN Health check was enabled on the AP Mini and set to default DNS check. I disabled it for now.

But for some unexplained reason, the blocked DNS rebind requests flatlined at 2:40am this morning.


I am now seeing the following unblocked requests:


My B20x event log reported a System startup event at exactly 2:41am and WAN connected at 2:42am…

Not sure what to make of this… I already have a ticket open for issues with the B20x dropping wifi and DHCP without warning

@stego,

Web admin access for AP will be managed by AP Controller after Web Administration Settings below is enabled in AP Controller.

May I know if below is what you want to achieve? If so, you may have a problem accessing the AP's web admin when your LAN device (e.g. ethernet client) is not connected to the SSID broadcast by this AP. Can you share your intention of doing this, since the AP is in a secure environment (LAN of B20X)?

For the blocked DNS rebind requests, I believe it is the health check packet (DNS Lookup) sent from B20X since health check was disabled in AP. You may change the health check target to 8.8.8.8 and 8.8.4.4 if the DNS rebind protection is needed in NextDNS. Alternatively, you may use another health check method. Health check is important for WAN failover purposes.

For the issue of the device locking up (of course, the WIFI AP will be dropped at that time), we need more time to investigate as this problem is quite challenging.

Thank you for your patience.

> May I know if below is what you want to achieve? If so, you may have a problem accessing the AP's web admin when your LAN device (e.g. ethernet client) is not connected to the SSID broadcast by this AP. Can you share your intention of doing this, since the AP is in a secure environment (LAN of B20X)?

100% want the APs managed by the B20x AP controller. That I get. I guess I was only concerned when poking around the AP One web admin directly seeing that WAN was enabled on the admin security and it wasn’t disabled. But if it’s being ignored/inactive due to AP ONE being managed by the controller then it’s ok.

> For the blocked DNS rebind requests, I believe it is the health check packet (DNS Lookup) sent from B20X since health check was disabled in AP. You may change the health check target to 8.8.8.8 and 8.8.4.4 if the DNS rebind protection is needed in NextDNS. Alternatively, you may use another health check method. Health check is important for WAN failover purposes.

The DNS rebind request blocks stopped before I disabled the DNS health check in the AP mini. I still had them enabled in the B20x, however.

I haven’t seen any other DNS rebind blocked requests since 3 days ago when they stopped in the middle of the night. No idea why.

I disabled WAN health checks everywhere for now, since I don’t have or need WAN failover/balancing.

I’m keeping an eye on my ticket to see what support comes up with.

Thanks @TK_Liew

Just a thought, I am wondering if this has something to do with an Apple feature gone haywire. iOS 14 implemented a mac tumbling type of feature where it will use a fake mac address when scanning for networks. It is supposed to use the same “fake” mac address per SSID, but they may have goofed and been tumbling the mac address repeatedly (causing repeated DHCP/DNS registrations). If they got patched in the middle of the night (2:30) – that could be the cause of the voodoo stopping.

Do you have auto-update enabled on your Apple iOS devices?