DoT (Stubby) still has issues after upgrading v. 3.201 on Beryl

After upgrading my Beryl to firmware v. 3.201 a couple of days ago, today I found that my phone and PC suddenly couldn’t resolve domain names but could still PING IP addresses directly (DNS issues).

Logging in to the router with SSH to check whether Stubby (with NextDNS configured) was running OK, nothing seemed wrong with the DNS-related setup. After fiddling around and unchecking the “DNS Rebinding Attack Protection” option through the GUI, DNS resolution on the client side immediately returned to normal.

What I learned: Stubby still has an issue with the “DNS Rebinding Attack Protection” option turned ON, and it must be OFF to make sure it will resolve DNS normally in the long run.

Yes. This is still a problem.

FWIW – I think this is perhaps intrinsic to how NextDNS selective blocking works. It returns 0.0.0.0 for blocked domains which dnsmasq considers, correctly in some sense, to be a private IP to protect from rebinding when that’s enabled (I think it’s the dnsmasq layer doing so, not stubby). Here are some links I found helpful in piecing this together:

But note that NextDNS has its own rebind protection setting which should do the job in this scenario.

Edited to add: appears that a recent change to dnsmasq treats 0.0.0.0 as localhost, like 127.0.0.1, so that the --rebind-localhost-ok option would allow this response.

At some point, when 2.86 is released and adopted in openwrt, this problem should be solved, assuming that openwrt option rebind_localhost = 1 is set in /etc/config/dhcp (which does seem to be the case when configured for NextDNS).
https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=blobdiff;f=src/rfc1035.c;h=24ff00dbe0584c2e453e17dc4e34fcc16324e989;hp=9f4504ee79d3d730211ab5c897881da0da990bdc;hb=4558c26fcdbea59f40af8131d6790d7283d554f3;hpb=a92c6d77dcd475579c39bdff141f5eb128e2a048
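To make the interaction above concrete, here is an added example (not code from the thread, from dnsmasq, or from NextDNS) that models dnsmasq's rebind filter as the reply describes it: the filtered prefixes are assumed to mirror `private_net()` in `src/rfc1035.c`, and the 2.86 change is modelled as treating 0.0.0.0/8 like 127.0.0.0/8, so `--rebind-localhost-ok` (OpenWrt `option rebind_localhost '1'`) lets a NextDNS 0.0.0.0 block answer through.

```python
import ipaddress

# Prefixes dnsmasq's --stop-dns-rebind treats as "private" (assumption: mirrors
# private_net() in src/rfc1035.c). Loopback and 0.0.0.0/8 are handled separately
# because their treatment depends on --rebind-localhost-ok and the dnsmasq version.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
THIS_NET = ipaddress.ip_network("0.0.0.0/8")   # RFC 5735 "this network"


def is_rebind_blocked(answer, rebind_protection=True, rebind_localhost_ok=True,
                      dnsmasq_ge_2_86=True):
    """True if dnsmasq would discard an upstream A record with this address.

    rebind_protection  -> OpenWrt 'option rebind_protection' / --stop-dns-rebind
    rebind_localhost_ok-> OpenWrt 'option rebind_localhost'  / --rebind-localhost-ok
    dnsmasq_ge_2_86    -> whether the 0.0.0.0-as-localhost change is present
    """
    if not rebind_protection:
        return False                      # filter disabled: everything passes
    ip = ipaddress.ip_address(answer)
    if ip in LOOPBACK:
        return not rebind_localhost_ok    # 127/8 allowed only with localhost-ok
    if ip in THIS_NET:
        if not dnsmasq_ge_2_86:
            return True                   # pre-2.86: 0.0.0.0/8 always private
        return not rebind_localhost_ok    # 2.86+: same rule as loopback
    return any(ip in net for net in PRIVATE_NETS)


def nextdns_block_outcomes():
    """Fate of a NextDNS-blocked domain (answered with 0.0.0.0) per configuration.

    Returns {(dnsmasq_ge_2_86, rebind_protection, rebind_localhost_ok): dropped?}.
    """
    outcomes = {}
    for newer in (False, True):
        for protection in (False, True):
            for localhost_ok in (False, True):
                dropped = is_rebind_blocked("0.0.0.0", protection, localhost_ok, newer)
                outcomes[(newer, protection, localhost_ok)] = dropped
    return outcomes


if __name__ == "__main__":
    for cfg, dropped in nextdns_block_outcomes().items():
        print(f"dnsmasq>=2.86={cfg[0]!s:5} protection={cfg[1]!s:5} "
              f"localhost_ok={cfg[2]!s:5} -> {'DROPPED' if dropped else 'passed'}")
```

The only configuration that both keeps rebind protection on and passes the 0.0.0.0 block answer is dnsmasq 2.86+ with rebind_localhost set, which is the combination the reply above is waiting for.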
