My router false positively detects DNS-rebind attack

1

I have a router running the latest version of Advanced Tomato. Attempting to access a server on my home network (the same network as the router in question), by using my domain name (as opposed to my IP address) fails and I get the following warning in my router logs:

Jun 19 20:45:13 unknown daemon.warn dnsmasq[3844]: possible DNS-rebind attack detected: <domain_name>

Disabling DNS-rebind protection in the router fixes the problem. Is there anything I can do to fix this problem without disabling DNS-rebind protection?

user740250

Posted 2017-06-19T19:03:24.773

Reputation: 11

2 Don't try and access your LAN from within the LAN using its WAN address, it will confuse the router. – Ƭᴇcʜιᴇ007 – 2017-06-19T19:16:56.143

It is so much more convenient to only have a single set of bookmarks, though! (My use case is accessing several different services on different ports, ergo my need for bookmarks) – user740250 – 2017-06-19T20:12:27.877

You could set up a local host file on your computers within the LAN to use the private IP instead of the public IP, then you could still use your bookmarks. – David – 2017-06-19T20:37:35.660

Answers

4

Your Tomato router is using dnsmasq for resolving DNS queries (actually to forward them to a resolver, but don't mind me).

dnsmasq has a built-in protection, which you found out. It forbids upstream resolvers from returning private IP addresses. You can, however, fix that only for your use case by using one of the --rebind-* options in dnsmasq (see man page), excerpt:

--rebind-localhost-ok
    Exempt 127.0.0.0/8 from rebinding checks. This address range is returned by realtime black hole servers, so blocking it may disable these services.
--rebind-domain-ok=[<domain>]|[[/<domain>/[<domain>/]
    Do not detect and block dns-rebind on queries to these domains. The argument may be either a single domain, or multiple domains surrounded by '/', like the --server syntax, eg. --rebind-domain-ok=/domain1/domain2/domain3/

In your case, you might want to consider the option --rebind-domain-ok=/domain_name/ (replace domain_name by your domain name).

Huygens

Posted 2017-06-19T19:03:24.773

Reputation: 1 340
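
An added example, not part of the answer above and not dnsmasq's own code: a Python triage of router log lines in the format quoted in the question. It separates flagged names under domains you own (candidates for a narrow rebind-domain-ok exemption) from everything else, which stays blocked. The log lines, home.example and tracker.invalid are constructed placeholders, and the subdomain match is an assumption that rebind-domain-ok matches suffixes the way --server does.

```python
import re
from collections import Counter

# Matches the dnsmasq warning quoted in the question; the syslog prefix is ignored.
REBIND_RE = re.compile(r"dnsmasq\[\d+\]: possible DNS-rebind attack detected: (\S+)")

def flagged_domains(log_lines):
    """Count how often each name tripped dnsmasq's rebind check."""
    hits = Counter()
    for line in log_lines:
        m = REBIND_RE.search(line)
        if m:
            hits[m.group(1).rstrip(".").lower()] += 1
    return hits

def is_owned(domain, owned):
    """True if domain equals an owned domain or is a subdomain of one (assumed matching rule)."""
    return any(domain == o or domain.endswith("." + o) for o in owned)

def triage(log_lines, owned):
    """Split flagged names into owned ones and everything else (left blocked)."""
    hits = flagged_domains(log_lines)
    expected = {d: n for d, n in hits.items() if is_owned(d, owned)}
    unexpected = {d: n for d, n in hits.items() if not is_owned(d, owned)}
    return expected, unexpected

def exemption_line(expected, owned):
    """Config-file form of --rebind-domain-ok, listing only owned domains that were flagged."""
    used = sorted(o for o in owned if any(is_owned(d, {o}) for d in expected))
    return "rebind-domain-ok=/" + "/".join(used) + "/" if used else ""

# Constructed sample log; names and addresses are placeholders.
SAMPLE_LOG = [
    "Jun 19 20:45:13 unknown daemon.warn dnsmasq[3844]: possible DNS-rebind attack detected: home.example",
    "Jun 19 20:45:14 unknown daemon.warn dnsmasq[3844]: possible DNS-rebind attack detected: nas.home.example",
    "Jun 19 20:46:02 unknown daemon.info dnsmasq[3844]: query[A] home.example from 192.168.1.20",
    "Jun 19 20:47:30 unknown daemon.warn dnsmasq[3844]: possible DNS-rebind attack detected: tracker.invalid",
    "Jun 19 20:48:01 unknown daemon.warn dnsmasq[3844]: possible DNS-rebind attack detected: home.example",
]

if __name__ == "__main__":
    expected, unexpected = triage(SAMPLE_LOG, owned={"home.example"})
    print("owned and flagged:", expected)
    print("not owned, stays blocked:", unexpected)
    print("dnsmasq config line:", exemption_line(expected, {"home.example"}))
```

Names in the second group are not exempted, so rebind protection keeps applying to every domain you do not control.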