DNS Rebinding and Plex

Hi, I am having problems accessing my Plex server from my local network.
The problem seems to be related to “DNS Rebinding Protection”

I’ve searched this forum, and people report that it just works, but there are several references to other DNS servers or routers where DNS rebinding configuration is required.
See:
https://support.plex.tv/hc/en-us/articles/206225077-How-to-Use-Secure-Server-Connections
https://forums.plex.tv/discussion/201174/accessing-plex-server-on-local-network-securly-after-installing-a-google-onhub-router#latest

Example error:

Example nslookup, Google DNS works, Mikrotik DNS fails:

> server 8.8.8.8
Default Server:  google-public-dns-a.google.com
Address:  8.8.8.8

> 192-168-1-47.d3628f4938a748af9a3e90f5ef365efa.plex.direct
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    192-168-1-47.d3628f4938a748af9a3e90f5ef365efa.plex.direct
Address:  192.168.1.47

> server 192.168.1.1
Default Server:  [192.168.1.1]
Address:  192.168.1.1

> 192-168-1-47.d3628f4938a748af9a3e90f5ef365efa.plex.direct
Server:  [192.168.1.1]
Address:  192.168.1.1

*** No internal type for both IPv4 and IPv6 Addresses (A+AAAA) records available for 192-168-1-47.d3628f4938a748af9a3e90f5ef365efa.plex.direct
>

How do I allow DNS rebinding on the Mikrotik DNS server?

Try to put the address: 192-168-1-47.d3628f4938a748af9a3e90f5ef365efa.plex.direct in the static DNS list of the Mikrotik with IP 192.168.1.47

The address is dynamic, the GUID looking part of the name is a dynamically generated security token, so adding a static entry will not work, or will work for a short time, until the token is regenerated.

In dnsmasq the equivalent option is “rebind-domain-ok=/plex.direct/”
In pfSense the equivalent option is “private-domain: "plex.direct"”

I’m looking for an equivalent configuration option.

Do you have port 32400 forwarded to your Plex server? Or have UPnP set up?

This is for local LAN access, not external access.

I don’t think it’s the router, I’ve never encountered any kind of such filtering in RouterOS. It’s most likely filtered by parent resolvers, i.e. those set in IP->DNS.

OK, my answer stays the same, but then you have to use the regexp field:

*\.plex\.direct

I can’t test it for you because I don’t use this, but DNSmasq.

That’s it, thank you.
I tested local vs. Google, but I am using OpenDNS as DNS.

> server 208.67.222.222
Default Server:  resolver1.opendns.com
Address:  208.67.222.222

> 192-168-1-47.d3628f4938a748af9a3e90f5ef365efa.plex.direct
Server:  resolver1.opendns.com
Address:  208.67.222.222

*** No internal type for both IPv4 and IPv6 Addresses (A+AAAA) records available for 192-168-1-47.d3628f4938a748af9a3e90f5ef365efa.plex.direct
> server 8.8.8.8
Default Server:  google-public-dns-a.google.com
Address:  8.8.8.8

> 192-168-1-47.d3628f4938a748af9a3e90f5ef365efa.plex.direct
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    192-168-1-47.d3628f4938a748af9a3e90f5ef365efa.plex.direct
Address:  192.168.1.47

>

If you want to keep OpenDNS, you can do this:

/ip firewall layer7-protocol
add name=plex.direct regexp="\\x04plex\\x06direct.\\x01\$"
/ip firewall nat
add action=dst-nat chain=dstnat dst-address-type=local dst-port=53 in-interface=<LAN> \
    layer7-protocol=plex.direct protocol=udp to-addresses=8.8.8.8

It’s far from perfect, but as long as your devices use only UDP DNS (most do), it will work.
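An added illustration (not code from this thread) of why that layer7 regexp is written with \x04 and \x06 instead of dots, and why it is "far from perfect": a DNS query carries the name as length-prefixed labels, and the matcher is assumed here to drop NUL bytes before matching, as the Linux l7-filter does, which is what makes "direct.\x01$" line up with the label terminator, QTYPE and QCLASS at the end of the question. The sample queries are constructed inline; the EDNS case shows a query the regexp does not match.

```python
import re
import struct

# The layer7 regexp from the post. Inside RouterOS double quotes "\\x04" is the
# literal text \x04 and "\$" is $, so this is the pattern the matcher compiles.
PLEX_DIRECT_RE = re.compile(rb"\x04plex\x06direct.\x01$", re.IGNORECASE | re.DOTALL)

def build_dns_query(qname, qtype=1, edns=False, txid=0x1234):
    """Build a minimal DNS query: header + one question (+ optional EDNS OPT RR).
    qtype 1 = A, 28 = AAAA. Constructed sample data, not a captured packet."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    labels = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                      for lbl in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack(">HH", qtype, 1)  # QCLASS = IN
    # OPT pseudo-RR: root name, type 41, UDP size 4096, TTL 0, no rdata
    opt = b"\x00" + struct.pack(">HHIH", 41, 4096, 0, 0) if edns else b""
    return header + question + opt

def l7_view(packet):
    """Bytes the layer7 matcher actually runs the regexp over. Assumption: like the
    Linux l7-filter it derives from, it drops NUL bytes, so the end of an A question
    'direct' 00 | 00 01 | 00 01 becomes 'direct' 01 01, which 'direct.\\x01$' matches."""
    return packet.replace(b"\x00", b"")

def matches_plex_direct(packet):
    """True if the regexp would classify this query as a plex.direct lookup."""
    return PLEX_DIRECT_RE.search(l7_view(packet)) is not None

PLEX_NAME = "192-168-1-47.d3628f4938a748af9a3e90f5ef365efa.plex.direct"

if __name__ == "__main__":
    for name, qtype, edns in [(PLEX_NAME, 1, False), (PLEX_NAME, 28, False),
                              ("example.com", 1, False), (PLEX_NAME, 1, True)]:
        q = build_dns_query(name, qtype, edns)
        print(f"{name[:24]:26} type={qtype:<3} edns={edns!s:5} -> {matches_plex_direct(q)}")
```

A query with an EDNS OPT record appended (most modern stub resolvers send one) has more bytes after the question, so the trailing $ fails and that lookup still goes to OpenDNS.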

I found a setting in OpenDNS that turns off “Suspicious Responses” / “Block internal IP addresses”, and that solved the problem.
Unfortunately there is no support in OpenDNS (at least in my home plan) that allows per domain exclusions.

Thank you all for the help.

You could filter that out in your Mikrotik and you have two solutions mentioned above.

In case it helps anyone else, I found I had to use the following regex to make the static DNS entry work. (I had to add the leading .)

.*.plex.direct