DNS rebinding breaks local DNS names
-
I run several Plex servers. When using the Plex native app for Windows and trying to download the logs, it opens a browser with a URL in the "plex.direct" domain that doesn't resolve. I found a support page for Plex at
https://support.plex.tv/articles/206225077-how-to-use-secure-server-connections/
It covers pfSense and recommends enabling this DNS Resolver custom option: server: private-domain: "plex.direct"
I did so. And it indeed solved the problem with Plex.
But another problem was created: my local DNS hostnames, about 170 of them, could no longer resolve! So, I edited the DNS Resolver options and removed the statement above. I applied the changes. I still couldn't resolve the local hostnames. I rebooted. Still no go. The only thing that fixed it was restoring the configuration from a backup in the configuration history taken just before this option change.
That seems like a bug. I tried to diff those configs, and see nothing obvious.
This is what the initial change did: addition of the rebinding option.
Configuration Difference from 6/6/24 01:03:36 to 6/2/24 17:33:00 --- /cf/conf/backup/config-1717661016.xml 2024-06-06 01:11:40.402763000 -0700 +++ /cf/conf/backup/config-1717374780.xml 2024-06-06 01:03:36.024669000 -0700 @@ -195,8 +195,7 @@ <if>ovpns3</if> </opt5> </interfaces> - <staticroutes> - </staticroutes> + <staticroutes></staticroutes> <dhcpd> <lan> <enable></enable> @@ -4834,20 +4833,22 @@ <dnssec></dnssec> <active_interface>all</active_interface> <outgoing_interface>all</outgoing_interface> - <custom_options>c2VydmVyOgpwcml2YXRlLWRvbWFpbjogInBsZXguZGlyZWN0Ig==</custom_options> + <custom_options></custom_options> <hideidentity></hideidentity> <hideversion></hideversion> <dnssecstripped></dnssecstripped> <port></port> <tlsport></tlsport> <sslcertref>643762881b4a1</sslcertref> + <regdhcp></regdhcp> <system_domain_local_zone_type>transparent</system_domain_local_zone_type> + <regdhcpstatic></regdhcpstatic> </unbound> <vlans></vlans> <qinqs></qinqs> <revision> - <time>1717661016</time> - <description><![CDATA[admin@192.168.100.3 (Local Database): DNS Resolver configured.]]></description> + <time>1717374780</time> + <description><![CDATA[admin@192.168.100.3 (Local Database): DHCP Server settings saved]]></description> <username><![CDATA[admin@192.168.100.3 (Local Database)]]></username> </revision> <gateways>
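Review bot: this diff runs newer-to-older (the `---` file is config-1717661016 from 01:11:40, the `+++` file is the 6/2 config), so the `+` lines are the state before the DNS Resolver save: `<regdhcp></regdhcp>` and `<regdhcpstatic></regdhcpstatic>` were both present before the save and both absent after it, not only regdhcpstatic. The `-` side of `<custom_options>` is the new value; the base64 decodes to `server:` followed by `private-domain: "plex.direct"`, which is the expected Plex setting. The `<staticroutes>` hunk is whitespace only and can be ignored.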
Then its undoing:
Configuration Difference from 6/6/24 01:11:40 to 6/6/24 01:03:36 --- /cf/conf/backup/config-1717661500.xml 2024-06-06 01:13:53.032610000 -0700 +++ /cf/conf/backup/config-1717661016.xml 2024-06-06 01:11:40.402763000 -0700 @@ -4834,7 +4834,7 @@ <dnssec></dnssec> <active_interface>all</active_interface> <outgoing_interface>all</outgoing_interface> - <custom_options></custom_options> + <custom_options>c2VydmVyOgpwcml2YXRlLWRvbWFpbjogInBsZXguZGlyZWN0Ig==</custom_options> <hideidentity></hideidentity> <hideversion></hideversion> <dnssecstripped></dnssecstripped> @@ -4846,7 +4846,7 @@ <vlans></vlans> <qinqs></qinqs> <revision> - <time>1717661500</time> + <time>1717661016</time> <description><![CDATA[admin@192.168.100.3 (Local Database): DNS Resolver configured.]]></description> <username><![CDATA[admin@192.168.100.3 (Local Database)]]></username> </revision>
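Review bot: this undo only clears `<custom_options>` (the `-` side, config-1717661500, is empty; the `+` side still carries the plex.direct value) and bumps the revision; nothing in it re-adds `<regdhcp>` or `<regdhcpstatic>`, so removing the private-domain line left the resolver with DHCP registration still off. That is why the second save did not bring the local names back.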
And finally the diff between the initial config and the final one, after removal of the option:
Configuration Difference from 6/6/24 01:11:40 to 6/2/24 17:33:00 --- /cf/conf/backup/config-1717661500.xml 2024-06-06 01:13:53.032610000 -0700 +++ /cf/conf/backup/config-1717374780.xml 2024-06-06 01:03:36.024669000 -0700 @@ -195,8 +195,7 @@ <if>ovpns3</if> </opt5> </interfaces> - <staticroutes> - </staticroutes> + <staticroutes></staticroutes> <dhcpd> <lan> <enable></enable> @@ -4841,13 +4840,15 @@ <port></port> <tlsport></tlsport> <sslcertref>643762881b4a1</sslcertref> + <regdhcp></regdhcp> <system_domain_local_zone_type>transparent</system_domain_local_zone_type> + <regdhcpstatic></regdhcpstatic> </unbound> <vlans></vlans> <qinqs></qinqs> <revision> - <time>1717661500</time> - <description><![CDATA[admin@192.168.100.3 (Local Database): DNS Resolver configured.]]></description> + <time>1717374780</time> + <description><![CDATA[admin@192.168.100.3 (Local Database): DHCP Server settings saved]]></description> <username><![CDATA[admin@192.168.100.3 (Local Database)]]></username> </revision> <gateways>
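Review bot: the net change between the 6/2 baseline (`+++`, the older file) and the post-removal config is exactly the loss of `<regdhcp></regdhcp>` and `<regdhcpstatic></regdhcpstatic>`; `<custom_options>` is identical on both sides of this diff, so the private-domain line itself is not what broke resolution. The targeted fix is to get those two registration elements back into the `<unbound>` section rather than restoring the whole config.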
The <regdhcpstatic></regdhcpstatic> element is likely the difference that breaks the local DNS.
Questions:
1) Is it intended behavior to disable local DNS hostnames when enabling DNS rebinding?
2) Regardless of the answer to 1), shouldn't the removal of the option revert to the previous state, i.e. working local DNS?
3) If the answer to 2) is no, how would I manually fix that issue through the GUI without restoring from backup?
-
@madbrain said in DNS rebinding breaks local DNS names:
The <regdhcpstatic></regdhcpstatic> element is likely the difference that breaks the local DNS.
If you do not register your DHCP static mappings, what would you resolve? Only host overrides, and pfSense's own name.
I use rebinding protection and have that plex.direct set as private.. And I don't have any issues resolving local resources.
What version of pfSense are you using?
Are you using ISC or Kea for DHCP? Kea is not yet ready for prime time; it is a preview, and I know there is something about static reservations in the warnings about what features it does not support.
Your resources are actually local to pfSense; if you do any sort of domain override or forwarding that answers back with RFC 1918 addresses, that would be a rebind and not presented to the client unless the domain being forwarded was set as private.
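The config diffs in the first post and the rebinding explanation above can both be checked with a small script. The following is an added example written for this thread, not code from either poster or from pfSense: it parses constructed `<unbound>` fragments of config.xml (trimmed to the elements that matter, with the same base64 custom option the diffs show), reports which checkbox elements flipped across the save, decodes `custom_options` to recover the `private-domain` entries, and then applies a simplified model of unbound's private-address filtering to show why a plex.direct name carrying a 192.168.x.x answer survives while the same answer for any other name is dropped. The private-address ranges are an assumption (the usual RFC 1918 and link-local set); confirm them against /var/unbound/unbound.conf on the firewall.

```python
import base64
import ipaddress
import xml.etree.ElementTree as ET

# Constructed <unbound> fragments (assumption: trimmed to the elements that
# matter here; a real config.xml has many more). In pfSense's config.xml an
# empty element such as <regdhcpstatic></regdhcpstatic> means "checkbox on";
# a missing element means "off".
CONFIG_BEFORE = """<pfsense><unbound>
  <enable></enable>
  <custom_options></custom_options>
  <regdhcp></regdhcp>
  <regdhcpstatic></regdhcpstatic>
</unbound></pfsense>"""

CONFIG_AFTER = """<pfsense><unbound>
  <enable></enable>
  <custom_options>c2VydmVyOgpwcml2YXRlLWRvbWFpbjogInBsZXguZGlyZWN0Ig==</custom_options>
</unbound></pfsense>"""

# Checkbox-style elements worth tracking across a save.
FLAG_ELEMENTS = ("enable", "dnssec", "regdhcp", "regdhcpstatic", "regovpnclients")

# Ranges treated as private-address when rebinding protection is on
# (assumption: the common RFC 1918 / link-local set; verify on the box).
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fd00::/8", "fe80::/10")]


def unbound_settings(config_xml):
    """Return ({flag: bool}, decoded custom_options text) for one config."""
    ub = ET.fromstring(config_xml).find("unbound")
    flags = {name: ub.find(name) is not None for name in FLAG_ELEMENTS}
    raw = (ub.findtext("custom_options") or "").strip()
    custom = base64.b64decode(raw).decode("utf-8") if raw else ""
    return flags, custom


def changed_flags(before_xml, after_xml):
    """List (element, before, after) for every checkbox that flipped."""
    before, _ = unbound_settings(before_xml)
    after, _ = unbound_settings(after_xml)
    return [(n, before[n], after[n]) for n in FLAG_ELEMENTS if before[n] != after[n]]


def private_domains(custom_options):
    """Extract the domains listed as private-domain: in the custom options."""
    found = []
    for line in custom_options.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key.strip() == "private-domain":
            found.append(value.strip().strip('"').rstrip(".").lower())
    return found


def under_domain(name, domain):
    """True if name equals domain or is a subdomain of it."""
    name = name.rstrip(".").lower()
    return name == domain or name.endswith("." + domain)


def rebind_filter(qname, addresses, domains):
    """Simplified model of unbound's rebinding protection: drop any answer
    address inside a private range unless the query name is at or below a
    private-domain. Returns the addresses a client would actually see."""
    if any(under_domain(qname, d) for d in domains):
        return list(addresses)
    kept = []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in PRIVATE_RANGES):
            kept.append(addr)
    return kept


if __name__ == "__main__":
    for change in changed_flags(CONFIG_BEFORE, CONFIG_AFTER):
        print("flag changed:", change)
    _, custom = unbound_settings(CONFIG_AFTER)
    print("custom options:", repr(custom))
    doms = private_domains(custom)
    print("plex name  ->", rebind_filter("abc.plex.direct", ["192.168.100.50"], doms))
    print("other name ->", rebind_filter("evil.example", ["192.168.100.50"], doms))
```

Run against the two real config-*.xml backup files instead of the embedded fragments and `changed_flags` reports the dropped `regdhcp` and `regdhcpstatic` elements directly, without reading the raw diff; the decoded custom option confirms the only thing added was the plex.direct private-domain line.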
-
Thanks for your reply. More inline.
If you do not register your DHCP static mappings, what would you resolve? Only host overrides, and pfSense's own name.
Indeed, there is no question about the effect of this XML element. The question is why it was added by pfSense in the first place when I changed the DNS option.
I use rebinding protection and have that plex.direct set as private.. And I don't have any issues resolving local resources.
Can you list the specific DNS Resolver option you are using?
What version of pfsense are you using?
pfSense Plus 24.03-RELEASE
Are you using ISC or Kea for DHCP? Kea is not yet ready for prime time; it is a preview, and I know there is something about static reservations in the warnings about what features it does not support.
I'm using Kea. All my DHCP reservations were working fine with it, until I added the DNS Resolver option for Plex.
Your resources are actually local to pfSense; if you do any sort of domain override or forwarding that answers back with RFC 1918 addresses, that would be a rebind and not presented to the client unless the domain being forwarded was set as private.
Sure, but why would that interfere with the resolution of hostnames from DHCP reservations?
-
@madbrain said in DNS rebinding breaks local DNS names:
I'm using Kea.
Go back to ISC...
https://docs.netgate.com/pfsense/en/latest/releases/23-09.html#rn-23-09-kea
-
@johnpoz
Thanks. Going back to ISC fixed it.