Disabling DNS Rebinding Checks does alter domain overrides
-
@Bob-Dig see my edit
A rebind is if you ask a dns for something and it returns an rfc1918, when it shouldn't.. Normally the only time you should get back rfc1918 for a fqdn, is if the resource is local.. If you're asking some other dns, like if you forward to some other dns - it shouldn't be an rfc1918..
edit:
Normally with dnssec - if there is no dnssec set up on the domain, then it shouldn't matter.. Hmmm example.com is an actual valid domain.. So wonder if it's signed with dnssec, and the host override is failing because of that. Are you really using example.com - or some other domain?
Just looked and yeah example.com does have dnssec enabled - so yeah that would explain why it's failing unless you set the domain to non secure.. What domain are you actually using? Send it to me by PM if you don't want to make it public.
-
@johnpoz said in Disabling DNS Rebinding Checks does alter domain overrides:
What domain are you actually using? Send it to me by PM if you don't want to make it public.
Mine should have dnssec too. But I don't see why this matters here, it was working fine, while dns rebind was in check.
PM inbound.
-
@Bob-Dig said in Disabling DNS Rebinding Checks does alter domain overrides:
while dns rebind was in check
because when you have rebind enabled, and then add a domain override, it auto adds that it's not secure and to not worry about dnssec.
When you disable rebind it doesn't add anything because you're not doing a rebind, but it would then be doing dnssec.
See the custom option I set up to say hey example.com doesn't have to pass dnssec..
So either leave rebind on, which should be fine. It is a good thing to do rebind checking. Or either completely turn off dnssec (bad to do) or set the specific domain to be ok with not passing dnssec checks.
-
@johnpoz said in Disabling DNS Rebinding Checks does alter domain overrides:
because when you have rebind enabled, and then add a domain override, it auto adds that it's not secure and to not worry about dnssec.
When you disable rebind it doesn't add anything because you're not doing a rebind, but it would then be doing dnssec.
Ok, thanks for clarifying that. But the more ideal outcome would be that if I disable rebind check, that it still doesn't check for dnssec for a domain override, right? Now the question is, is it doable or is unbound not capable of that solution. But you're right, the easiest thing to do for me is to enable dns rebind check. I will have to give my email server a different dns server then because of reasons.
-
@Bob-Dig said in Disabling DNS Rebinding Checks does alter domain overrides:
if I disable rebind check, that it still doesn't check for dnssec for a domain override
Yeah guess that could be an option set, that if rebind is disabled completely to still add the non secure setting for domain overrides.. But it's easy enough to do with just a custom setting.
-
@johnpoz said in Disabling DNS Rebinding Checks does alter domain overrides:
But it's easy enough to do with just a custom setting.
I am GUI addicted and pfSense is a GUI in the first place. I will leave it up to Netgate what to do with my report. Thanks again for looking into it.
-
@Bob-Dig you can set the custom setting in the gui..
To be honest not sure if I like that it auto adds anything, what if I don't want to disable rebind on where I am forwarding to? I think it should require to choose that I want to disable rebind or dnssec.. Maybe they could add some checkboxes when you add the domain override..
-
@johnpoz said in Disabling DNS Rebinding Checks does alter domain overrides:
To be honest not sure if I like that it auto adds anything, what if I don't want to disable rebind on where I am forwarding to? I think it should require to choose that I want to disable rebind or dnssec..
For DNSSEC it is clear. As soon as you use a domain override, you want DNSSEC to be disabled for that, right? And this was the problem here, so the solution seems easy: Do still set private domains in the config even if dns rebind check is disabled.
-
@johnpoz said in Disabling DNS Rebinding Checks does alter domain overrides:
@Bob-Dig you can set the custom setting in the gui..
Na...
-
@Bob-Dig said in Disabling DNS Rebinding Checks does alter domain overrides:
you want DNSSEC to be disabled for that, right?
Not necessarily.. If where you are forwarding does actually do dnssec then no you wouldn't want to disable it.
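
An added example, not part of the original thread and not pfSense's own code: a small Python check that reads an unbound-style config and reports, for each domain override, whether a `domain-insecure` entry (skip DNSSEC validation) and a `private-domain` entry (allow RFC1918 answers) covers it. The sample config, the function names, and the assumption that overrides appear as `forward-zone` or `stub-zone` clauses are constructed for illustration.

```python
# Constructed sample config (not from a real system): two domain overrides,
# only the first has the DNSSEC and rebind exemptions discussed in the thread.
SAMPLE_CONF = """
server:
    private-address: 10.0.0.0/8
    domain-insecure: "lab.example.com"
    private-domain: "lab.example.com"
forward-zone:
    name: "lab.example.com"
    forward-addr: 10.0.0.53
forward-zone:
    name: "corp.example.net."
    forward-addr: 192.168.1.53
"""

def _norm(name):
    # Strip quotes, trailing dot and case so names compare reliably.
    return name.strip().strip('"').rstrip(".").lower()

def _covered(zone, domains):
    # Both options apply to the listed domain and every name beneath it.
    return any(d == "" or zone == d or zone.endswith("." + d) for d in domains)

def audit_overrides(conf_text):
    """Map each forwarded/stub zone to whether it is exempt from DNSSEC
    validation (domain-insecure) and from rebind filtering (private-domain)."""
    zones, insecure, private, clause = [], set(), set(), None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key = key.strip()
        if not value.strip():
            clause = key                      # clause header, e.g. "forward-zone:"
        elif key == "domain-insecure":
            insecure.add(_norm(value))
        elif key == "private-domain":
            private.add(_norm(value))
        elif key == "name" and clause in ("forward-zone", "stub-zone"):
            zones.append(_norm(value))
    return {z: {"domain_insecure": _covered(z, insecure),
                "private_domain": _covered(z, private)} for z in zones}

if __name__ == "__main__":
    for zone, flags in audit_overrides(SAMPLE_CONF).items():
        print(zone, flags)
```

An override reported with `domain_insecure: False` is still DNSSEC-validated, which is only what you want when the server you forward to can return a validly signed answer for that zone.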