Potential DNS Rebind attack detected
-
HI!
today I changed provider, before I used a router with DMZ on the pfsense wan port example:
WAN: 192.168.179.1 (ROUTER ISP)
LAN: 192.168.1.1
The new configuration is now:
WAN: 185.58.xxx.xxx (PPPoE on ONT FTTH)
LAN: 192.168.1.1
The problem is that I use nextcloud and other web services with reverse proxy, example:
https://nexcloud.mydomain.ltd --> 192.168.1.250
https://myservice.mydomain.ltd --> 192.168.1.250
https://www.mydomain.ltd --> 192.168.1.251
Since I have a public IP on the WAN via PPPoE I receive this error if I access one of my domains from the LAN network:
(if I access from another external network it works..)
Potential DNS Rebind attack detected, see https://en.wikipedia.org/wiki/DNS_rebinding
Try accessing the router by IP address instead of by hostname.
How can I solve it?
-
@jordanet said in Potential DNS Rebind attack detected:
how can I solve it?
Here is the official pfSense documentation on the topic: https://docs.netgate.com/pfsense/en/latest/services/dns/rebinding.html.
The Google search term I used to find this was:
pfsense disable dns rebinding checks
The pfSense docs link was the second returned search result from Google.
-
@jordanet Also, simply adding the IP Address to System > Advanced, Admin Access, Alternate Hostnames should clear that one error without disabling all the other DNS rebinding protections.
I say should because I have never seen that done with an IP address. Can't think of a reason it won't work though.
-
@jordanet said in Potential DNS Rebind attack detected:
Since I have a public IP on the WAN via PPPoE I receive this error if I access one of my domains from the LAN network
Note this means you're connecting to pfSense and not your internal web server. You may want this:
https://docs.netgate.com/pfsense/en/latest/recipes/port-forwards-from-local-networks.html
-
@Derelict I tried but it didn't work.
Thanks for the reply
-
@SteveITS I solved it with split dns thanks, I was looking at nat 1:1 but I'm new to this sector and I was afraid to enable this function, I don't understand if it compromises security
thanks for reply
-
@bmeeks
Obviously I had searched in Google, I asked here in the forum because (as happened) someone could "recommend" different solutions to me. I understand that many users don't google or look at the pfsense guide, I was just afraid of compromising security by enabling the wrong function.
I'm new to the firewall industry, I have a home environment and I want to learn and understand and sometimes in the forums they recommend multiple solutions. Thank you for your answer
-
@SteveITS I understand that nat reflection proposed as the 1st solution is more convenient, I don't have to set the IP and host manually. If I were to opt for this solution, would anything change in the NAT settings, rules, etc.?
-
@jordanet you placed rfc1918 in public dns? Not ideal sort of setup and frowned upon by dns people.. Like myself.. You're doing it wrong putting IP space that has no place on the public network, in public dns.
https://www.ietf.org/proceedings/52/I-D/draft-ietf-dnsop-dontpublish-unreachable-01.txt
And you open yourself up for rebind, when you do it, etc. Or can..
https://unit42.paloaltonetworks.com/dns-rebinding/
If you have something that uses outside dns that you can not alter - then resolve the public, and nat reflect, etc. While not a fan of that solution either.. But it is a work around for devices that force using external dns.
Technically you can put rfc1918 in public - they don't stop you from doing it normally.. But it's not a good idea IMPO..
-
@jordanet said in Potential DNS Rebind attack detected:
@SteveITS I understand that nat reflection proposed as the 1st solution is more convenient, I don't have to set the IP and host manually. If I were to opt for this solution, would anything change in the NAT settings, rules, etc.?
I think usually split DNS is preferred (so internal traffic doesn't go through the router) but both work. pfSense can do that with host overrides but not all routers can. If it's not actually forwarding though and it's a port pfSense listens on then you end up connecting to pfSense.
1:1 NAT forwards all ports for the selected public IP address to one private IP, and then access is controlled by firewall rules. NAT port forwards create a rule by default but 1:1 NAT does not so you need to create rules on WAN. https://docs.netgate.com/pfsense/en/latest/nat/1-1.html
-
@johnpoz said in Potential DNS Rebind attack detected:
rfc1918
I set for my domain in the dns nextcloud.mydomain.ltd -> ip 185.23.xxx.xxx
Now I'm using split dns and everything works
-
@jordanet ah that is fine - not sure why it seemed like you were pointing to rfc1918, my bad.. But resolving a 185.x. wouldn't be a rebind.
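The replies above describe three separate things: the webGUI Host-header check that prints the "Potential DNS Rebind attack detected" message when a LAN client's request for a public name lands on pfSense itself, the split-DNS host override that sends that client straight to the internal server, and the resolver-side rebinding protection that only objects to a public name answering with private address space. The Python below is an added, simplified model of those three checks written for this thread; it is not pfSense code. The WAN address 185.58.0.1 and the hostname pfsense.localdomain are constructed placeholders, the other names and addresses are the ones quoted in the thread.

```python
"""Simplified model of the checks discussed in the thread (added example, not pfSense code)."""
import ipaddress

WAN_IP = "185.58.0.1"                      # constructed stand-in for 185.58.xxx.xxx (PPPoE)
LAN_IP = "192.168.1.1"
FIREWALL_HOSTNAME = "pfsense.localdomain"  # assumed firewall hostname
FIREWALL_ADDRESSES = {WAN_IP, LAN_IP}

# Public DNS as the poster set it up: every name points at the WAN address.
PUBLIC_DNS = {"nextcloud.mydomain.ltd": WAN_IP, "www.mydomain.ltd": WAN_IP}
# DNS Resolver host overrides (split DNS) with the internal targets from the thread.
HOST_OVERRIDES = {"nextcloud.mydomain.ltd": "192.168.1.250",
                  "www.mydomain.ltd": "192.168.1.251"}


def resolve(name, split_dns=False):
    """Answer a LAN client sees: the host override when split DNS is on, else the public record."""
    if split_dns and name in HOST_OVERRIDES:
        return HOST_OVERRIDES[name]
    return PUBLIC_DNS.get(name)


def webgui_accepts_host(host_header, alternate_hostnames=()):
    """Simplified webGUI check: the Host header must name the firewall itself
    (its hostname, one of its own addresses, or an entry under Alternate Hostnames)."""
    allowed = {FIREWALL_HOSTNAME, *FIREWALL_ADDRESSES, *alternate_hostnames}
    return host_header.lower() in {h.lower() for h in allowed}


def lan_request(name, split_dns=False, alternate_hostnames=()):
    """Where an HTTPS request from the LAN for `name` ends up."""
    target = resolve(name, split_dns)
    if target in FIREWALL_ADDRESSES:
        # WAN port forwards do not apply to LAN traffic, so the connection terminates
        # on pfSense's own listener rather than on the reverse proxy.
        if webgui_accepts_host(name, alternate_hostnames):
            return "pfsense-webgui"
        return "rebind-error"
    return f"server:{target}"


def public_answer_is_suspect(ip):
    """Resolver-side rebinding protection: a public name answered with private address
    space (RFC 1918, loopback, link-local) is refused; a 185.x answer is not."""
    addr = ipaddress.ip_address(ip)
    return addr.is_private or addr.is_loopback or addr.is_link_local
```

Listing the name under Alternate Hostnames only silences the message; the request still ends on pfSense, which is why the thread settles on split DNS (or NAT reflection) as the real fix.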