DNS rebind protection

2019-10-24 20:09:25
Model: Archer A20  
Hardware Version:
Firmware Version: 1.0.0 Build 20181122 rel.29339(5553)

I'm trying to set up a new Archer A20 on our network, and I have hit a snag: when trying to point the router to our internal DNS, the interface refuses to save the setting. It displays a message: "DNS server IP address and LAN IP address cannot be in the same subnet. Please enter another one."

 

The best reason I can come up with for this behavior would be built-in protection from DNS rebinding attacks, which is ordinarily quite a useful feature. But we have control over our internal DNS, so we aren't really worried about this particular type of attack. Moreover, we need to point everything on our network to our DNS to keep our domain controller happy, and to avoid a few other annoying slowdowns and conflicts.

 

There does not appear to be any option in the administration interface to disable this restriction, and my communications with TP-Link support have been...frustrating.

 

Have I missed some configuration option to allow pointing to a DNS on the local subnet? Is this feature simply missing from the current firmware? Will the firmware be updated soon?

 

Thanks,

Daniel

 

 

Re:DNS rebind protection
2019-10-25 18:13:51

@bifkit 

 

Log into the router and go to Advanced > Network > DHCP Server > Modify the Primary and Secondary DNS servers to point to an internal IP.

Re:DNS rebind protection
2019-10-31 14:21:27

@Tony 

 

Please read the entire post before replying. In the first paragraph, I mentioned that I am prevented by the router from changing the DNS to an internal IP, not that I don't know where the setting is.

 

Thank you.

 

Re:DNS rebind protection
2019-11-08 19:30:41

@Tony

 

I suppose I should take my own advice and read your reply more thoroughly before snapping back with a quick response. I apologize for my tone, but the problem I am having can't be solved in the DHCP settings either.

 

My network is dependent on Active Directory and our domain controller, which also must act as our DNS. To simplify matters, the domain controller is also our DHCP server.

 

The TP-Link router must be able to point to our local DNS, and the DHCP server must be disabled. Therefore, the workaround of assigning the local DNS via the router's DHCP settings won't work.

 

When trying to point the router to our DNS via the Internet settings, the GUI refuses to save the address, and displays "DNS server IP address and LAN IP address cannot be in the same subnet. Please enter another one." This is incredibly frustrating, and ought to be configurable via firmware.

 

Thank you for your help.

 

Daniel

 

Re:DNS rebind protection
2019-11-12 17:29:44

@bifkit 

 

Would it be possible to set the DC to designate the default gateway to the A20, and the DNS (itself)?

 

And in turn disable the DHCP on the A20, similar to setting up the A20 in WDS. 

 

That way the devices connected to the A20 will send the DHCP requests, and in turn the DHCP server will give the needed info rather than relying on the router to do that.

Re:DNS rebind protection
2019-11-14 18:38:49

@Tony 

That is exactly how I'm trying to set it up. The A20 still needs to be assigned DNS information, and as far as I can tell, there is no way to configure the A20 to perform a DHCP request on the LAN. There is only a field to manually specify the LAN IP.

Re:DNS rebind protection
2019-11-14 19:56:02

@bifkit 

 

I will look into this further, and see what I can find for you.

Re:DNS rebind protection
2019-11-14 21:00:43

@Tony Thank you for your help.

Re:DNS rebind protection
2019-11-25 18:47:23

@Tony Have you had any luck?

Re:DNS rebind protection
2019-11-25 22:57:16

@bifkit 

 

Apologies for the delay.

 

Here is what I was able to find.

 

With respect to the restriction of the LAN IP there is no way around that within the router.

 

As a workaround, using another router is what was suggested.

 

You would connect the DNS server (DC) to that router and change the DNS server's IP address to be in the same subnet as the WAN IP of the Archer A20.

 

Internet > other router > Archer A20 > PC
                |
       (Domain Controller)

Re:DNS rebind protection
2019-11-26 18:13:39

@Tony Why wouldn't I just use that router instead of the A20?
