Geekzone: technology news, blogs, forums


dan
1134 posts

Uber Geek
+1 received by user: 105

Lifetime subscriber

  #2408064 28-Jan-2020 12:30

hio77:

@dan thanks for the screenshot, it's a new addition, never used to be there. I've made a recommendation to the team that work with the modem vendor.

It's not new - I would have added those exceptions a few years ago at least, when I switched from MediaPortal to Plex.

I can see it in the manual for a 7390, which is older again than the model I'm using.

You do need to enable the "advanced view" global setting in the Fritzbox web UI, however.

 

 




SuaveBugger
6 posts

Wannabe Geek


  #2533999 3-Aug-2020 20:19


I've not seen a router that runs dnsmasq that supports such an option that isn't third party (e.g. OpenWrt)

I don't believe it is nearly as bad as you state. I personally use Plex at home without issue.

I've got the same issue - Plex works fine, but the Plex add-on in Kodi doesn't... On the router I get this error:

Aug  3 20:17:45 VRV9517 daemon.warn dnsmasq[4937]: possible DNS-rebind attack detected: 192-168-1-65.00777fb7bbb147de932cdabe0bc34498.plex.direct

Any ideas on a fix? Or should I return the router and get my money back?


Mikek
112 posts

Master Geek
+1 received by user: 42


  #2542014 15-Aug-2020 22:57

I have the same issue or close to it. I share my Plex server with friends. Every time they try to log on to Plex on TV apps or web, it pings the DNS rebind attack and shuts down the open port & UPnP port for Plex, and says server not available. When checking the remote access part on Plex, it then says it's blocked.

Local connections carry on working sweet. I figure if I put the server in the DMZ zone it would work, but that opens my server up for attack, which I don't want to do. Real shame, to be honest; the Spark Smart Modem with mesh setup is impressive for the cost. I'm currently running my older router and just using the smart router & mesh as bridge-mode APs. If anyone works out a fix to this, let us know?

 

 




hio77
'That VDSL Cat'
13036 posts

Uber Geek
+1 received by user: 3896

ID Verified
Trusted
Lizard Networks
Subscriber

  #2544336 19-Aug-2020 11:56

Mikek:

I have the same issue or close to it. I share my Plex server with friends. Every time they try to log on to Plex on TV apps or web, it pings the DNS rebind attack and shuts down the open port & UPnP port for Plex, and says server not available. When checking the remote access part on Plex, it then says it's blocked.

Local connections carry on working sweet. I figure if I put the server in the DMZ zone it would work, but that opens my server up for attack, which I don't want to do. Real shame, to be honest; the Spark Smart Modem with mesh setup is impressive for the cost. I'm currently running my older router and just using the smart router & mesh as bridge-mode APs. If anyone works out a fix to this, let us know?

It's on our list, however fairly low priority compared to other items.





#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have. 


Benji23
32 posts

Geek
+1 received by user: 3


  #2579147 4-Oct-2020 16:58

Hi, I have been having problems with my modem since Friday. Whether it is anything to do with update 16, not sure, but it keeps restarting. Logs show multiple DNS rebind attacks, but also show leases expiring then being reassigned, which corresponds to whenever one of our laptops goes to sleep and the modem drops out. Any help would be great, thanks.





Have you tried turning it off then on again

Lambchop
245 posts

Master Geek
+1 received by user: 2


  #2622279 16-Dec-2020 02:50

hio77:

Mikek:

I have the same issue or close to it. I share my Plex server with friends. Every time they try to log on to Plex on TV apps or web, it pings the DNS rebind attack and shuts down the open port & UPnP port for Plex, and says server not available. When checking the remote access part on Plex, it then says it's blocked.

Local connections carry on working sweet. I figure if I put the server in the DMZ zone it would work, but that opens my server up for attack, which I don't want to do. Real shame, to be honest; the Spark Smart Modem with mesh setup is impressive for the cost. I'm currently running my older router and just using the smart router & mesh as bridge-mode APs. If anyone works out a fix to this, let us know?

It's on our list, however fairly low priority compared to other items.

Hey guys, may want to increase the priority on this one because, as it turns out, this inability to add a DNS rebind exception for plex.direct stops the PS5 Plex client being able to connect to a local server.

See conversation here https://forums.plex.tv/t/ps5-app-will-not-connect-to-local-servers/652947/63

User in this post was able to get it working because his router had the edit feature https://forums.plex.tv/t/ps5-app-will-not-connect-to-local-servers/652947/64


 
 
 
 

ztytian
31 posts

Geek
+1 received by user: 22


  #2643836 28-Jan-2021 21:41

I dug around a bit and found out that on the Smart Modem, dnsmasq is configured as follows:

 

config dnsmasq
    option domainneeded 1
    option boguspriv 1
    option filterwin2k 0  # enable for dial on demand
    option localise_queries 1
    option rebind_protection 1  # disable if upstream must serve RFC1918 addresses
    option rebind_localhost 1  # enable for RBL checking and similar services
    #list rebind_domain example.lan  # whitelist RFC1918 responses for domains

Altering the configuration might fix the issue for you. You may find the instructions to export, decrypt and re-encrypt the configurations here.

 

The configuration in question is under /config/dhcp, once you extract config.tzg. I haven't tried that myself yet but it seems fairly promising.
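
An added example, not part of the post above or of the modem's firmware: before changing `rebind_protection`, it helps to see which names dnsmasq is actually dropping. This sketch parses log lines like the one quoted earlier in the thread, decodes the address embedded in plex.direct names, and emits a `list rebind_domain` entry only for domains you have reviewed. The function names, the two-label grouping and every sample line except the first are assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict

# dnsmasq writes one warning per answer it drops under rebind protection.
REBIND_RE = re.compile(r"dnsmasq\[\d+\]: possible DNS-rebind attack detected: (\S+)")
# plex.direct names carry the server address as the first label, e.g. 192-168-1-65.<hex>.plex.direct
DASHED_IP_RE = re.compile(r"^(\d{1,3}(?:-\d{1,3}){3})\.")

# The first line is the one quoted in this thread; the other three are constructed.
SAMPLE_LOG = """\
Aug  3 20:17:45 VRV9517 daemon.warn dnsmasq[4937]: possible DNS-rebind attack detected: 192-168-1-65.00777fb7bbb147de932cdabe0bc34498.plex.direct
Aug  3 20:17:46 VRV9517 daemon.info dnsmasq[4937]: query[A] www.example.com from 192.168.1.20
Aug  3 20:18:02 VRV9517 daemon.warn dnsmasq[4937]: possible DNS-rebind attack detected: 192-168-1-65.00777fb7bbb147de932cdabe0bc34498.plex.direct
Aug  3 20:19:10 VRV9517 daemon.warn dnsmasq[4937]: possible DNS-rebind attack detected: printer.rebind.example
"""

def embedded_ip(name):
    """Return the address encoded in a dashed first label, or None."""
    m = DASHED_IP_RE.match(name)
    try:
        return ipaddress.ip_address(m.group(1).replace("-", ".")) if m else None
    except ValueError:  # octet out of range, e.g. 999-1-1-1
        return None

def summarise(log_text):
    """Group dropped names by their last two labels (a simplification, not a public-suffix lookup)."""
    hits = defaultdict(lambda: {"count": 0, "names": set(), "lan_only": True})
    for line in log_text.splitlines():
        m = REBIND_RE.search(line)
        if not m:
            continue
        name = m.group(1).rstrip(".").lower()
        entry = hits[".".join(name.split(".")[-2:])]
        entry["count"] += 1
        entry["names"].add(name)
        ip = embedded_ip(name)
        # A name with no decodable private address needs a manual look before any exemption.
        entry["lan_only"] &= ip is not None and ip.is_private
    return dict(hits)

def uci_exemptions(summary, reviewed):
    """Emit rebind_domain lines only for reviewed domains whose dropped names all decode to LAN addresses."""
    return [f"list rebind_domain {d}" for d in sorted(summary)
            if d in reviewed and summary[d]["lan_only"]]

if __name__ == "__main__":
    report = summarise(SAMPLE_LOG)
    print(report, uci_exemptions(report, {"plex.direct"}), sep="\n")
```

A per-domain `rebind_domain` entry keeps rebind protection on for every other name, which is a narrower change than setting `rebind_protection` to 0.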


hio77
'That VDSL Cat'
13036 posts

Uber Geek
+1 received by user: 3896

ID Verified
Trusted
Lizard Networks
Subscriber

  #2643844 28-Jan-2021 22:20

To answer your question in the gist, yes serial won't help you. It's locked down in the public firmwares.

Admire the effort in pulling it apart though!

Also even with root access, that file is generated on boot from the configuration.






ztytian
31 posts

Geek
+1 received by user: 22


  #2643867 28-Jan-2021 23:06

hio77: To answer your question in the gist, yes serial won't help you. It's locked down in the public firmwares.

Admire the effort in pulling it apart though!

Also even with root access, that file is generated on boot from the configuration.


Nah, I wasn’t the author of that gist. Welp, I guess there goes my hope of downgrading the Smart Modem. v6.00.16 seems to have killed the ability for a normal smart modem to act as a smart mesh unit; it was working on v6.00.15 for me :(

Lias
5655 posts

Uber Geek
+1 received by user: 3978

ID Verified
Trusted
Lifetime subscriber

  #2643947 29-Jan-2021 09:30

hio77: To answer your question in the gist, yes serial won't help you. It's locked down in the public firmwares.

 

I've never understood why companies lock up their device firmware like that, nor why the government allows them to. It's just petty anti-consumer behaviour at its finest and yet another sign we need robust right to repair / hack / modify laws.





I'm a geek, a gamer, a dad, a Quic user, and an IT Professional. I have a full rack home lab, size 15 feet, an epic beard and Asperger's. I'm a bit of a Cypherpunk, who believes information wants to be free and the Net interprets censorship as damage and routes around it. If you use my Quic signup you can also use the code R570394EKGIZ8 for free setup. Opinions are my own and not the views of my employer.


hio77
'That VDSL Cat'
13036 posts

Uber Geek
+1 received by user: 3896

ID Verified
Trusted
Lizard Networks
Subscriber

  #2644221 29-Jan-2021 18:48

Lias:

hio77: To answer your question in the gist, yes serial won't help you. It's locked down in the public firmwares.

I've never understood why companies lock up their device firmware like that, nor why the government allows them to. It's just petty anti-consumer behaviour at its finest and yet another sign we need robust right to repair / hack / modify laws.

The Bigpipe one is fully open, so there is a hardware version lock between that and the Spark/Skinny ones.

It all comes down to having vectors for attacks etc.

I would personally tend to agree with you, but I do understand and agree with many of the discussion points for tightening access up.





Lias
5655 posts

Uber Geek
+1 received by user: 3978

ID Verified
Trusted
Lifetime subscriber

  #2644310 30-Jan-2021 09:11

hio77:

It all comes down to having vectors for attacks etc.

I would personally tend to agree with you, but I do understand and agree with many of the discussion points for tightening access up.

I understand some of those points, I just think they are wrong :-)

 

 




