Netgate Discussion Forum
    Odd DNS Setup and Resolution

    Forum: DHCP and DNS

    • Stewart

      We recently installed at a Dr's Office that uses Philips equipment. When we installed the pfSense box their 2 packages affected were Resmed and Care Orchestrator. What we found was that each one has a package that resolves to 127.0.0.1:

      Non-authoritative answer:
      Name:    datacardserver.careorchestrator.com
      Address:  127.0.0.1
      
      Non-authoritative answer:
      Name:    local.airview.resmed.com
      Address:  127.0.0.1
      

      We found this by using the developer tools in the browser and saw the DNS resolution errors. Today I worked with the ResMed tech and explained to her that the software should point to localhost instead of local.airview.resmed.com and that it just doesn't make sense to do it the way they are doing it. They have this problem sporadically so I showed her that it can be fixed by either a hard-code in the DNS server (which we've done this time in the Unbound Resolver) or by editing the hosts file. They had no idea why they kept having this issue and she literally told me that they just tell the local IT to figure it out. Hopefully this info will help other Dr's offices down the road. But, it's Philips, one of the largest Tech companies around. No way I'm able to get them to change their DNS.

      My question is, why doesn't Unbound resolve it? I know it's an RFC1918 address so, does it just ignore them? It's resolvable at places like Google, OpenDNS, and Quad so I know it's in there. What's the deal with Unbound on this? Anything to adjust?

    • johnpoz (Global Moderator) @Stewart

        @stewart that would be a rebind.

        https://docs.netgate.com/pfsense/en/latest/services/dns/rebinding.html

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

    • Stewart @johnpoz

          @johnpoz I guess the DNS rebind is more than I thought. Until now the only time I've had to deal with it was for security camera software where you only want it pointing to the external IP whether inside the network or outside the network.

          I understand that this is implemented as a security measure but I don't understand the threat of a local IP stored inside of public DNS as it is in this fashion. It seems to me to be just a simple resolution. What's the danger here?

    • johnpoz (Global Moderator) @Stewart

            @stewart rebind has all kinds of serious issues with it.

            https://en.wikipedia.org/wiki/DNS_rebinding

            It is never a good idea for anything other than a local domain to resolve to rfc1918 space. If you have some fqdn that is going to resolve to rfc1918 space you need to take the appropriate action on unbound config to let it know this is not a rebind issue. Private domain setting for example.

            Plex users have to do this for their plex.direct domain since it is an external DNS name that resolves to the local IP of your Plex server.

            The Plex example isn't saying that it's a good idea to do that; it's just a way they are leveraging the ability to do SSL with users' different DNS, etc. Rebind is not the best way to do that, but it is the way they did it, so you have to make an exception for it in your overall rebind protection. If you have something else doing something where it returns RFC1918, you just have to let Unbound know, so it doesn't think it's an attempt at rebind.

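The situation described in this thread, as an added example (not code from the thread, pfSense or Unbound): given what a public resolver returned for a set of names, work out which answers Unbound's rebind protection will strip and print the two kinds of exception discussed above, the `private-domain` custom option and the host-override (`local-data`) approach Stewart used. The lookup results are constructed (the two names from the thread plus a hypothetical Plex-style name and a public name in the 203.0.113.0/24 documentation range), and the `private-address` list is assumed to match what pfSense writes into its Unbound configuration; check `/var/unbound/unbound.conf` on your own box.

```python
"""Find upstream DNS answers that Unbound's rebind protection will strip,
and print the exceptions to put in the pfSense Resolver "Custom options".

Added example, not from the forum thread, pfSense or Unbound.  The lookup
results are constructed; the private-address ranges are assumed to be the
ones pfSense puts in its generated unbound.conf (verify locally).
"""
import ipaddress
from typing import Dict, List

# Assumed private-address list (pfSense's Unbound defaults, loopback included).
# Unbound removes any of these addresses from answers for public names.
PRIVATE_ADDRESS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fd00::/8", "fe80::/10",
)]

# Constructed lookup results, as a public resolver (Google, Quad9, ...) returns them.
# The first two names are from the thread; the plex.direct name is hypothetical.
ANSWERS: Dict[str, List[str]] = {
    "datacardserver.careorchestrator.com": ["127.0.0.1"],
    "local.airview.resmed.com": ["127.0.0.1"],
    "www.example.com": ["203.0.113.10"],               # public, passes untouched
    "192-168-1-20.abc123.plex.direct": ["192.168.1.20"],  # hypothetical Plex-style name
}


def is_private(addr: str) -> bool:
    """True if Unbound would remove this address from a public name's answer."""
    ip = ipaddress.ip_address(addr)
    # 'in' is False across IPv4/IPv6, so mixing versions in the list is safe.
    return any(ip in net for net in PRIVATE_ADDRESS)


def stripped_records(answers: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Names that lose records to rebind protection -> the addresses removed."""
    result: Dict[str, List[str]] = {}
    for name, addrs in answers.items():
        lost = [a for a in addrs if is_private(a)]
        if lost:
            result[name] = lost
    return result


def private_domain_options(answers: Dict[str, List[str]]) -> str:
    """Unbound 'private-domain' exceptions: these names (and everything under
    them) may legitimately resolve to private space.  Scoped to the exact
    name, not the parent zone, to give up as little protection as possible."""
    names = sorted(stripped_records(answers))
    return "server:\n" + "".join(f'  private-domain: "{n}"\n' for n in names)


def local_data_options(answers: Dict[str, List[str]]) -> str:
    """The alternative used in the thread: pin the name locally (a Host
    Override in the GUI).  Unbound then never asks upstream for it at all."""
    lines = []
    for name, lost in sorted(stripped_records(answers).items()):
        for addr in lost:
            rtype = "AAAA" if ":" in addr else "A"
            lines.append(f'  local-data: "{name}. {rtype} {addr}"')
    return "server:\n" + "\n".join(lines) + "\n"


if __name__ == "__main__":
    for name, lost in stripped_records(ANSWERS).items():
        print(f"{name}: rebind protection would strip {', '.join(lost)}")
    print(private_domain_options(ANSWERS))
    print(local_data_options(ANSWERS))
```

Either block of output can be pasted into the Resolver's Custom options box. The `local-data` form is the safer of the two when the address never changes, because the resolver stops trusting the public zone for that name entirely; `private-domain` re-enables private answers for that name and its subdomains, so whoever controls that zone could point it at anything on your LAN, which is exactly the rebinding case the protection exists for.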

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.