Rebind-protection of dnsmasq

Hi all,
We run multiple RAK7268v2 and RAK7289v2 in our LoRaWAN network together with AWS IoT Core for LoRaWAN as LNS.
We also use AWS DirectConnect to interconnect our enterprise network w/ AWS directly, i.e., the gateways are not supposed to talk to AWS via the public Internet but via the DirectConnect link.
In order to do this, we use DNS forwarding configured on our enterprise DNS servers that forward DNS requests by the gateways to the AWS DNS system that answers with the private IPs (10.0.0.0/8) of the LNS (via DirectConnect). Unfortunately, the rebind-protection of the dnsmasq on the gateways considers this a rebind-attack and does not forward the DNS reply, i.e., the gateways fail to resolve the hostname of the AWS-LNS and lose connection.

We know that we can change this behaviour by editing the dnsmasq configuration. However, that would most probably be overwritten by the next firmware update.
Is there any other solution, or any way to prevent this configuration change from being overwritten by FW updates?

Thanks in advance.
Best regards
Matthias

Hi @MWellens_ZF,

As the OpenWrt documentation regarding sysupgrade states, uci config files under /etc/config will be backed up before firmware updates. So I would like you to try the steps below.

Edit /etc/config/dhcp with vim /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        # ...
        # add one 'list rebind_domain' entry per domain (maps to dnsmasq --rebind-domain-ok)
        list rebind_domain '<domain allowed to resolve to private addresses>'
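As an added worked example (my code, not from this thread, RAK or the dnsmasq/OpenWrt projects), the following Python script models dnsmasq's rebind check so you can work out on a workstation which answers the gateway will drop and which `list rebind_domain` entries (the uci name for dnsmasq's `--rebind-domain-ok`) let them through, and it prints the `uci` commands that persist those entries in /etc/config/dhcp. Assumptions: the blocked IPv4 ranges follow the dnsmasq man page for `--stop-dns-rebind`; `rebind-domain-ok` matches the named domain and its subdomains; the hostnames and addresses (`lns.iot.example.com`, 10.20.30.40) are constructed placeholders, not real AWS endpoints.

```python
"""
Model of dnsmasq rebind protection plus the OpenWrt uci commands that
allow-list a domain.  Added example; not code from the forum thread,
RAK, dnsmasq or OpenWrt.  Sample names/addresses are constructed.
"""
import ipaddress

# IPv4 ranges that --stop-dns-rebind rejects in upstream answers, as listed in
# the dnsmasq man page (assumption: check the man page of your dnsmasq version;
# 127.0.0.0/8 can be exempted separately with --rebind-localhost-ok).
REBIND_BLOCKED_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
)]


def domain_allowed(qname: str, rebind_domains) -> bool:
    """True if qname is one of the allow-listed domains or a subdomain of one.

    The leading '.' in the suffix test prevents 'evil-iot.example.com' from
    matching an allow-list entry of 'iot.example.com'.
    """
    q = qname.rstrip(".").lower()
    for d in rebind_domains:
        d = d.strip(".").lower()
        if q == d or q.endswith("." + d):
            return True
    return False


def answer_dropped(qname: str, answer_ip: str, rebind_domains=(),
                   stop_dns_rebind: bool = True) -> bool:
    """Model of whether dnsmasq discards an upstream A record for qname.

    Returns True when rebind protection is on, the address is in a blocked
    range and the query name is not covered by rebind-domain-ok.
    """
    if not stop_dns_rebind:
        return False
    addr = ipaddress.ip_address(answer_ip)
    if addr.version != 4:
        # IPv6 rules differ between dnsmasq versions; not modelled here.
        return False
    if not any(addr in net for net in REBIND_BLOCKED_V4):
        return False
    return not domain_allowed(qname, rebind_domains)


def uci_commands(rebind_domains) -> list:
    """OpenWrt commands that add the allow-list to the dnsmasq uci section.

    /etc/config/dhcp is part of the default sysupgrade backup set, which is
    why the setting survives a firmware update when settings are kept.
    """
    lines = [f"uci add_list dhcp.@dnsmasq[0].rebind_domain='{d}'"
             for d in rebind_domains]
    lines += ["uci commit dhcp", "/etc/init.d/dnsmasq restart"]
    return lines


if __name__ == "__main__":
    # Constructed scenario: the LNS hostname resolves, via the enterprise
    # forwarder and DirectConnect, to a 10.0.0.0/8 address.
    lns = "lns.iot.example.com"
    private_answer = "10.20.30.40"
    print("without allow-list, dropped:",
          answer_dropped(lns, private_answer))                       # True
    print("with allow-list, dropped:   ",
          answer_dropped(lns, private_answer, ["iot.example.com"]))  # False
    print("\n".join(uci_commands(["iot.example.com"])))
```

The script only models the decision; the actual change is the `uci add_list ... / uci commit dhcp / /etc/init.d/dnsmasq restart` sequence it prints. After the next firmware update, `uci get dhcp.@dnsmasq[0].rebind_domain` on the gateway confirms the entry survived, and `rebind_protection` itself stays at '1', so only the listed domain is exempted rather than the whole check being disabled.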

Hi JaeHwan,
Thanks for the answer.
It means we can edit the dnsmasq settings as you describe and will not lose these settings with the next firmware upgrade. That’s good news.

Best regards,
Matthias
