Geekzone: technology news, blogs, forums
28 posts

Geek


#265543 26-Jan-2020 23:49

Hi all,

 

I am having an issue with the new Spark smart modem (model VRV9517) and Plex. From googling and looking into the modem logs I can ascertain that it's something to do with DNS-rebind attacks... The log on the modem keeps coming up with an error message saying "Jan 26 23:35:13 VRV9517 daemon.warn dnsmasq[5106]: possible DNS-rebind attack detected: 192-168-1-80.(lots of letters and numbers).plex.direct"

 

When I do an nslookup on the IP address it says the server name is smart.mesh... (I do not have any mesh setup) but it appears this is built into the modem.

 

Not too much of a problem in theory, cos you should be able to add an exception for Plex, however I am not able to locate where to do that... It appears that a workaround would be to add the Plex server to the DMZ, but surely there is a proper way to deal with it?

 

The issue that is being created is that INTERNAL users are getting indirect connections - remote seems to work fine.

 

Any thoughts or suggestions appreciated.


/dev/null
9386 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

  #2407275 26-Jan-2020 23:59

Do not add your Plex server to the DMZ. Forget about the DMZ. You're just opening yourself up to massive problems.

 

This is not something I tested when I had my unit. @hio77 may know more.

28 posts

Geek


  #2407276 27-Jan-2020 00:03

michaelmurfy:

Do not add your Plex server to the DMZ. Forget about the DMZ. You're just opening yourself up to massive problems.

This is not something I tested when I had my unit. @hio77 may know more.

Thanks, I didn't think DMZ was the right way to go. I did a bit of googling, but wasn't confident on this.

1466 posts

Uber Geek


  #2407278 27-Jan-2020 00:09

DNS rebind is where an FQDN resolves to RFC1918 local address space. This is supposed to be a security issue, and the query response can be blocked. Not sure why the application has been designed that way; not familiar with Plex, sorry.

 

Vendor seems to be aware of it and offers some workarounds which may or may not be applicable to the Spark modem: https://support.plex.tv/articles/206225077-how-to-use-secure-server-connections/


'That VDSL Cat'
12331 posts

Uber Geek

Trusted
Spark
Subscriber

  #2407289 27-Jan-2020 07:06

Technically it is a security risk. Possibly Plex could be an exception though. Will discuss.

Given it only impacts local viewing though, is HTTP that bad?




#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

 


dan

1160 posts

Uber Geek

Lifetime subscriber

  #2407349 27-Jan-2020 09:29

hio77:

Given it only impacts local viewing though, is HTTP that bad?

Doesn't work that way. By not being able to add an exception to the DNS rebind security, it's forcing his local Plex to be streamed via the Plex relay servers ("middle man") at a massively reduced transcoded quality and poor performance (those servers are not in NZ) for viewing content on his own network.

If you can't get an exception added for DNS rebind for the Plex domain, the router is useless for Plex and he may as well dump it and get something else. That is the first router I've seen that has DNS rebind protection and no way to add an exception; it's pretty poor really if that is really the case.


'That VDSL Cat'
12331 posts

Uber Geek

Trusted
Spark
Subscriber

  #2407373 27-Jan-2020 10:52

dan:

hio77:

Given it only impacts local viewing though, is HTTP that bad?

Doesn't work that way. By not being able to add an exception to the DNS rebind security, it's forcing his local Plex to be streamed via the Plex relay servers ("middle man") at a massively reduced transcoded quality and poor performance (those servers are not in NZ) for viewing content on his own network.

If you can't get an exception added for DNS rebind for the Plex domain, the router is useless for Plex and he may as well dump it and get something else. That is the first router I've seen that has DNS rebind protection and no way to add an exception; it's pretty poor really if that is really the case.


 


 


I've not seen a router that runs dnsmasq that supports such an option that isn't third party (e.g. OpenWrt).

I don't believe it is nearly as bad as you state. I personally use plex at home without issue.




#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

 


dan

1160 posts

Uber Geek

Lifetime subscriber

  #2407410 27-Jan-2020 11:46

hio77:

I don't believe it is nearly as bad as you state. I personally use plex at home without issue.

If you play something in Plex and check the PMS dashboard, or the client says indirect/relay or similar, your Plex configuration is not correct. DNS rebind issues are a very common cause of it, and as the OP said, he saw in his log that the Plex URL it is trying to resolve is being blocked/modified, so he has diagnosed the problem correctly. He needs to add a DNS rebind exception, or try changing to DNS that is not on the router on both PMS and the clients.

hio77:

I've not seen a router that runs dnsmasq that supports such an option that isn't third party (e.g. OpenWrt).

Fritzbox is running dnsmasq, I'm pretty sure? And it does have the option without any 3rd party trickery. I have in the past had to manually add an exception via terminal to a few different branded routers, however, to allow the exception for Plex; not all have had it in the web GUI.
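The dnsmasq behaviour this thread is arguing about, as an added example that is not code from the thread, from Plex or from any router vendor: the check mirrors dnsmasq's stop-dns-rebind option (upstream answers in private ranges are dropped and logged) and its rebind-domain-ok=/domain/ allowlist, and shows why a plex.direct name, which encodes the server's own LAN address in its first label, trips the filter while still being the expected answer. The log line, hostname label and addresses are constructed samples; the allowlist that fixes the OP's case on a dnsmasq router with an editable config is `rebind-domain-ok=/plex.direct/`.

```python
import ipaddress
import re

# Constructed dnsmasq log line in the format quoted by the OP (hex label made up).
SAMPLE_LOG = ('Jan 26 23:35:13 VRV9517 daemon.warn dnsmasq[5106]: '
              'possible DNS-rebind attack detected: 192-168-1-80.abcdef0123.plex.direct')

LOG_RE = re.compile(r'possible DNS-rebind attack detected: (?P<name>\S+)')
# plex.direct names carry the server's LAN address as dash-separated octets.
PLEX_RE = re.compile(r'^(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.[0-9a-z]+\.plex\.direct$')

# Ranges dnsmasq's stop-dns-rebind refuses to accept from an upstream resolver
# (RFC 1918, link-local and loopback; listed explicitly rather than via
# ipaddress.is_private, which also covers documentation/test networks).
REBIND_RANGES = [ipaddress.ip_network(n) for n in (
    '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '169.254.0.0/16', '127.0.0.0/8')]


def name_from_log(line):
    """Pull the blocked hostname out of a dnsmasq rebind warning, or None."""
    m = LOG_RE.search(line)
    return m.group('name') if m else None


def rebind_verdict(name, answers, allow_domains=()):
    """Model stop-dns-rebind plus rebind-domain-ok=/domain/.
    Returns 'allowed' if the name sits under an allow-listed domain, otherwise
    'blocked' as soon as any answer falls in a rebind-protected range."""
    name = name.rstrip('.').lower()
    for dom in allow_domains:
        dom = dom.strip('/').lower()          # accept the dnsmasq /domain/ spelling
        if name == dom or name.endswith('.' + dom):
            return 'allowed'
    for a in answers:
        ip = ipaddress.ip_address(a)
        if any(ip in net for net in REBIND_RANGES):
            return 'blocked'
    return 'allowed'


def plex_expected_lan_ip(name):
    """The LAN address a plex.direct name promises in its first label, or None."""
    m = PLEX_RE.match(name.lower())
    return '.'.join(m.groups()) if m else None


def plex_answer_consistent(name, answers):
    """True only when the sole answer is the address the name itself encodes;
    anything else resolving to a private range is a genuine rebind, not Plex."""
    expected = plex_expected_lan_ip(name)
    return expected is not None and list(answers) == [expected]
```

Running `rebind_verdict` on the sample name with and without the allowlist reproduces both sides of the thread: blocked by default, allowed once plex.direct is exempted, while a non-Plex name answering with a private address stays blocked.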


28 posts

Geek


  #2407501 27-Jan-2020 13:15

Thanks all for your replies...

FYI we were having fibre disconnection issues (once or twice a week) for the past 6 months. One of the attempts to fix it was to replace the modem, hence why we ended up with the smart modem.

In the latest effort to resolve the disconnection issues Spark have replaced our smart modem with the older modem (they phoned me this morning and I went to the local shop to do the swap today), therefore this (Plex) issue is no longer a problem for me.

I am uncertain of the logic behind the switch, as we were already having issues with the modem model they have now put me on, however I am happy they are trying, as yesterday I was being told that unless there are 10 disconnects on any given day there was not much they could do.

The new (hg659b) modem has now been installed and we will see how we go.

'That VDSL Cat'
12331 posts

Uber Geek

Trusted
Spark
Subscriber

  #2407800 27-Jan-2020 21:53

Please pass me your case details. We should not be swapping the smart modem out like that.

Either you're having WiFi issues, which is tough to solve, or there is a genuine fault that I'll fix.




#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

 


'That VDSL Cat'
12331 posts

Uber Geek

Trusted
Spark
Subscriber

  #2407802 27-Jan-2020 21:56

dan:

Fritzbox is running dnsmasq, I'm pretty sure? And it does have the option without any 3rd party trickery. I have in the past had to manually add an exception via terminal to a few different branded routers, however, to allow the exception for Plex; not all have had it in the web GUI.

So it's always been a configuration in the terminal. Which is very different to wanting an exclude option for it.

We do disable access to ssh on the spark smart modem.




#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

 


dan

1160 posts

Uber Geek

Lifetime subscriber

  #2407909 28-Jan-2020 09:02

hio77:

So it's always been a configuration in the terminal. Which is very different to wanting an exclude option for it.

What do you mean it's always been a configuration in the terminal? Re the Fritzbox? That is not correct. You don't need to use SSH to add an exception on the Fritzbox and some other routers; only a few brands I've ever had to use terminal to do it, think it might have been a Ubiquiti and Synology maybe.

dan

1160 posts

Uber Geek

Lifetime subscriber

  #2407914 28-Jan-2020 09:12

FYI example from the Fritz:

[screenshot of the Fritzbox DNS rebind exception setting]


4542 posts

Uber Geek

Trusted

  #2407929 28-Jan-2020 09:53

I feel like the only way you will get "indirect" streams on Plex is if you have a domain name for Plex that resolves to your public IP even within the LAN, rather than the private IP of the server... in which case it's just a simple config change...

 

How do you access your plex server? As in, what address do you use to get to it?


'That VDSL Cat'
12331 posts

Uber Geek

Trusted
Spark
Subscriber

  #2408054 28-Jan-2020 12:19

I've located the service in question.

Your connection is fine; it's WiFi disconnections as far as I can see.

I'd be keen on pulling the log files from the Smart modem when it "fails", as what I'm seeing on record is purely device reboots (as in physical pressing of the power button).

@dan thanks for the screenshot. It's a new addition, never used to be there. I've made a recommendation to the team that work with the modem vendor.





#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

 


'That VDSL Cat'
12331 posts

Uber Geek

Trusted
Spark
Subscriber

  #2408060 28-Jan-2020 12:22

chevrolux:

I feel like the only way you will get "indirect" streams on Plex is if you have a domain name for Plex that resolves to your public IP even within the LAN, rather than the private IP of the server... in which case it's just a simple config change...

How do you access your Plex server? As in, what address do you use to get to it?

This might be the detail that I'm missing. Personally I use the :34000 page and deliberately don't enable web, as when I had a pfSense box it seemed to do funny things.

I am beginning to suspect this was the cause; I never really bothered to look at it as I didn't have a public IP service with enough upstream.

I holepunch my 'VPN' option over CGNAT for my higher bandwidth connection to stream off Plex.





#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

 

