Remote access not stable... Verizon Fios g3100 router problems?

I am running my Plex Media Server on my Synology NAS. I noticed that the remote access keeps going back and forth being disabled and secure… I found this post "Cannot access server remotely... due to verizon fios DNS?", but I wanted to check that I actually have the same problem before I attempt their solution.

This is not my router, I have my NAS at someone else’s house, and I would rather do the minimum needed to solve this problem securely and safely! I found that in the g3100 router system log:

dnsmasq  warning  [SYS.4][SYS] possible DNS-rebind attack detected: <dashed-LAN-ip-address-of-NAS>.<some hash value>.plex.direct

I noticed that this pops up every time Plex retries the connection. After a few retries, Plex shows that it’s unable to connect securely. I am on a local computer. https://support.plex.tv/articles/206225077-how-to-use-secure-server-connections/ tells me to add

rebind-domain-ok=/plex.direct/

somewhere, but I cannot find any place to do this on the router’s settings webpage. I tried manually setting up port forwarding, but that did not seem to help. Here is the user manual for the g3100 router: https://www.verizon.com/cs/groups/public/documents/onecmsresource/home-router-usermanual_new.pdf

Any advice would be greatly appreciated, I have been trying to figure this out for a while!!!

It appears this device doesn’t have a setting to manage exceptions for DNS rebinding.
I found a post in the Verizon forum where a user fixed this error message by entering a different DNS server (e.g. Google’s public DNS -> IP addresses 8.8.4.4 or 8.8.8.8)

Thanks, @tom80H! So, that means going to the “Broadband Connection (Ethernet/Coax) Properties” (g3100 manual, page 75 or search for the text in quotes), and changing from “Obtain IPv4 DNS Address Automatically” to “Use the Following IPv4 DNS Addresses”, and inputting 8.8.8.8 and 8.8.4.4?

How would this impact the current network? I don’t want to change too much, as it is not my home :)

That would cause devices on the network to use Google’s servers for DNS instead of Verizon’s. If someone has privacy concerns with Google specifically, they may not appreciate it, but otherwise I can’t see any issue at all.

Sounds good. I’ll implement this tonight and will update on whether it solved the problem!

@tom80H I tried setting the DNS server to 8.8.8.8 and 8.8.4.4, and it seems to be the same, that didn’t seem to help… Could you link that Verizon forum?

I’ll bet it’s this: https://forums.verizon.com/t5/Fios-Internet/G3100-VPN-DNS-rebind-issue/td-p/893823

Only we got stuff wrong. I think you are saying you switched the DNS on the router, but this poster changed it on the server machine. So put the router back as it was and set the DNS manually on the Synology to replicate.

When you get this error, is the hash value always the same?

If so, I’d try to “add DNS entry.” Page 151 of the Verizon manual that you linked. Use the IP of the Synology and in the hostname field, the address from the log (unredacted).
I have no idea what I’m doing, but I’d try it. lol

If that value changes, maybe you could use a wildcard there. dashed-LAN-ip-address-of-NAS.*.plex.direct

I’m having the same issue after upgrading to the G3100 router and can’t find any solution anywhere for how to fix this rebind attack warning.

That seems to have worked! I had set the DNS server to 8.8.8.8/8.8.4.4, and then set the same DNS servers on my Synology NAS, and it didn’t work well. After reading your comment, I changed the router’s DNS server back to automatic, and kept my Synology NAS on 8.8.8.8/8.8.4.4 and it seems to be working! It’s the most stable I’ve seen it. I’ll ask some clients to connect to it and see how it goes.

I tried refreshing the page a couple times, going to Settings–>General, and then back to Settings–>Network. This makes the dnsmasq warnings pop up again, but it still says remote access is enabled. However, sometimes when I refreshed that page, the line in Plex that says "Private IP <-- Public IP <-- internet" would show red X’s, but the main part at the top still says remote access enabled in green!

@charliemurphy I spoke too soon :( . I waited a few minutes and then logged into plex.tv, and it had an indirect connection and wouldn’t connect. I went to :32400/web, and got in, and had to refresh that page until finally it was online again… It’s showing “fully accessible outside your network” in green with the red X’s for the Private IP ← Public IP ← internet part…

Refreshing it sometimes makes it work…

I’m not sure what adding a DNS entry does… I tried adding this as the hostname, but it did not allow an *, and the whole “dashed-IP..plex.direct” was too long for that field. So that must be for something else.

Also, there is already an entry there with the name of my Synology NAS as the hostname and its IP address.

An update: I got the My Fios app, and disabled the “Home Network Protection” as is the solution here: Cannot access server remotely... due to verizon fios DNS?

So that is not the problem here…

Just to share what I know of this issue, the ..plex.direct address is used instead of IP because Plex is using their certificate to secure our connection to the server. The certificate requires a domain name, and can’t be used by IP. On the other hand, Emby requires users to make and renew our own certificates, and domain name with dynamic updates for the IP.
I’m not expert enough to explain it well, but Plex is using the DNS rebind so that we can use their certificate for encrypted connections to our own servers which usually do not have static WAN IPs. Some routers mistake this method as an attack and the firewall blocks/drops the requests. So we need to turn off the feature or, ideally, make an exception for Plex. It seems Verizon stripped out the capability from that router, or we haven’t figured it out yet.
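
An added example, not part of any post in this thread: a sketch of the decision that dnsmasq's rebind protection (`stop-dns-rebind`) makes on an upstream answer, and how a `rebind-domain-ok=/plex.direct/` entry changes it for names of the `<dashed-ip>.<hash>.plex.direct` form quoted above. The function names, the sample hostnames and the private-range list are assumptions made for the example, not dnsmasq's or the router's code.

```python
import ipaddress

# Ranges treated as "private" here: RFC 1918, loopback and link-local.
# This is an approximation of dnsmasq's list, chosen for the example.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

def embedded_ip(hostname):
    """IP encoded in the first label of <dashed-ip>.<hash>.plex.direct, or None."""
    labels = hostname.rstrip(".").lower().split(".")
    if len(labels) != 4 or labels[-2:] != ["plex", "direct"]:
        return None
    try:
        return ipaddress.ip_address(labels[0].replace("-", "."))
    except ValueError:
        return None

def domain_exempt(hostname, ok_domains):
    """True if hostname is, or is a subdomain of, a rebind-domain-ok entry."""
    name = hostname.rstrip(".").lower()
    # Match on a label boundary so "evilplex.direct" is not exempted.
    return any(name == d or name.endswith("." + d) for d in ok_domains)

def rebind_verdict(hostname, answer, ok_domains=()):
    """Return 'drop' or 'forward' for an A record received from upstream."""
    addr = ipaddress.ip_address(answer)
    if not any(addr in net for net in PRIVATE_NETS):
        return "forward"   # public address: not a rebind candidate
    if domain_exempt(hostname, ok_domains):
        return "forward"   # private address, but the domain is allow-listed
    return "drop"          # logged as "possible DNS-rebind attack detected"

# Constructed sample names; the hash label is made up.
LAN_NAME = "192-168-1-50.0123456789abcdef.plex.direct"
WAN_NAME = "203-0-113-10.0123456789abcdef.plex.direct"

if __name__ == "__main__":
    for name in (LAN_NAME, WAN_NAME):
        ip = str(embedded_ip(name))
        print(name, "->", ip, "| default:", rebind_verdict(name, ip),
              "| with exemption:", rebind_verdict(name, ip, ("plex.direct",)))
```

Only the LAN-address name is dropped by default; the exemption is scoped to one domain, so rebind protection stays in force for every other name.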

Someone else said that changing the DNS servers would help with the DNS rebinding… I tried changing the router’s DNS servers to Google’s 8.8.8.8/8.8.4.4, and that didn’t help. Do you know about that?

Any updates?

Nope…

Plex keeps trying to establish the remote access, and the g3100 router keeps saying it’s a dnsmasq warning, and a possible DNS-rebind attack, and keeps blocking it, so it works on and off…

Actually, I just tried this: Verizon G3100 Router

and it seems stable for me, for now. I know I tried this before and it wasn’t as stable as it is now…

I’ve got mine set up that way already, but I still get the same error showing that the server is “indirect” when logging in from somewhere other than the server itself. Meanwhile, it’s saying I’m securely connected and remote accessible on the server. It’s infuriating. My Plex server used to be so reliable, but then I got Fios and this happens. I just want to watch my movies and play lossless music without all the transcoding again.

As soon as I send that message, I’m back to fully remote and secure. I feel like a maniac.