DNS Rebind attack conditions don't make sense
-
I'm using a Windows machine on VLAN A with IP 192.168.100.31 trying to reach a machine in VLAN B with IP 172.16.12.250 (pfSense is .1 for both). When trying to get to vscode.mydomain.com or any other A records pointing to local apps on the same or other VLANs in RFC1918 space, it redirects to the pfSense webgui, giving me a DNS rebind error.
-
172.16.12.250 = vscode.mydomain.com
SSH to that host works just fine
I'm not even sure how this traffic is intercepted
-
@bshpire it wouldn't be, unless you set some rule on your 192.168.100 interface in pfSense.. You have a port forward that would intercept the traffic....
pfSense wouldn't do anything with that traffic from a client in VLAN A to B, unless you were using a proxy that was running on pfSense or some sort of intercept rule.
Do you have any rules in floating? What are your port forwards in pfSense? The only scenario where pfSense would intercept some specific traffic to itself is with a port forward.. Like how you intercept DNS and send it to pfSense.
-
@bshpire you would only see a message from pfSense if you are connecting to it, and not the desired web server.
-
Yup you are seeing that from the pfSense gui. Most common cause of that is trying to access a port forward from an internal address using an FQDN that resolves to an external IP address. But my reading of this is that you're using an IP address directly...
-
@johnpoz No rules in floating, no special intercept rule, and I tried to disable my port forwarding to my LTM with no special effect; the issue still persists.
I don't disagree that this is something pfSense shouldn't be doing, but it's a fact.
I have about 4 different A records for that domain, all behaving the same way from 4 different laptops/desktops
-
@stephenw10 This happens both when the translated IP is internal or even if I try to set it to the outside IP.
The only logs I see for it are from the webgui nginx accepting the traffic.
-
@johnpoz This is not pointing to pfSense itself
-
@bshpire if the IP is not pointing to pfSense then there is no way you could end up on pfSense. Unless pfSense thinks that's its IP as well.
When you want to go to an IP on a different network you send the traffic to the MAC of your gateway but to your destination IP.. If pfSense has no port forward to itself then it must think that IP is its own.
192.168.100.31 ---> 192.168.100.1 pfSense 172.16.12.1 ---> 172.16.12.250
So .31 says oh that 172.16 address is not on my network, send it to the MAC of my gateway 100.1 (pfSense) with destination IP 12.250
So either you have a port forward that intercepts that, or pfSense thinks 12.250 is its address.. Do you have a VIP set up on pfSense?
You sure that FQDN resolves to the 12.250 address and not 12.1?
Is pfSense a VM? Is this all on a VM host?
-
Yup that^. Somehow it's hitting the pfSense webgui so it must be hitting an IP address on pfSense.
-
@stephenw10 Happy to screen share ;)
pfSense running on specialized HW but everything else is either RPi or VMs (vSphere).
Not happening when using mydomain.local
Again, not pfSense, it's the gitlab, Jenkins, vscode hosts
I'm very curious myself as to how this is happening
Happy to pay Netgate for a single ticket or TAC lite to get this resolved and understand the "how"
-
Check the states when this is happening. If there are some translations being applied you would see it there.
-
@bshpire well first thing I would do is a quick look at whether you have a VIP set up.. just look at the output of ifconfig on pfSense
example - here my wan has a vip
igb1: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
	description: WAN
	options=4e100bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWFILTER,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG>
	ether 00:08:a2:0c:e6:25
	inet 209.snipped netmask 0xfffff000 broadcast 255.255.255.255
	inet 192.168.100.2 netmask 0xffffff00 broadcast 192.168.100.255
	inet6 fe80::208:a2ff:fe0c:e625%igb1 prefixlen 64 scopeid 0x2
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
Unless you intercept traffic, nothing on pfSense could even answer unless it thinks the IP you're going to is one of its IPs.. See the 192.168.100.2 IP: that is a VIP I have on my WAN interface to use to talk to my modem's 192.168.100.1 IP..
See, if I go to that I can see my pfSense gui
But going back to where you say SSH works to the correct host.. That screams interception then for the port you're hitting vs SSH.. Or proxy.. So you have no port forwards? You are not running a proxy on pfSense?
You say it works when you use a different domain
>Not happening when using mydomain.local
So when you SSH to the host, are you using an FQDN or an IP.. Maybe your DNS is just pointing to a pfSense IP? vs the actual IP of what you're wanting to talk to.
Are you using .local really? That is an mDNS domain, not something that would normally resolve across subnets without avahi or something responding.. Unless you were on the same L2 and the device answered itself.
I would double check you have no interceptions set up on pfSense, that the FQDN you're using actually resolves to the correct IP you're talking to.. And that pfSense does not have this IP as one of its own. So you can't access vscode.mydomain.com when you use the FQDN, what about via IP..
-
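An added diagnostic (editorial example, not posted by anyone in this thread) that walks johnpoz's checklist offline: it parses ifconfig output in the format quoted above to list every address pfSense owns, VIPs included, then reports whether a resolved FQDN points at the firewall, at the wrong host, or at the intended host. The ifconfig text and its addresses are constructed; firewall_addresses and check_resolution are names chosen here.

```python
import ipaddress
import re

# Constructed sample in the style of the ifconfig output quoted above (198.51.100.10 stands in for the WAN address).
SAMPLE_IFCONFIG = """\
igb1: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        description: WAN
        inet 198.51.100.10 netmask 0xfffff000 broadcast 255.255.255.255
        inet 192.168.100.2 netmask 0xffffff00 broadcast 192.168.100.255
        inet6 fe80::208:a2ff:fe0c:e625%igb1 prefixlen 64 scopeid 0x2
igb2: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        description: VLAN_A
        inet 192.168.100.1 netmask 0xffffff00 broadcast 192.168.100.255
igb3: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        description: VLAN_B
        inet 172.16.12.1 netmask 0xffffff00 broadcast 172.16.12.255
"""

IFACE_RE = re.compile(r"^(\S+): flags=")      # start of an interface block
ADDR_RE = re.compile(r"^\s+inet6? (\S+)")     # any inet/inet6 line, VIPs included

def firewall_addresses(ifconfig_text):
    """Map every IPv4/IPv6 address the firewall owns (VIPs included) to its interface."""
    owned, iface = {}, None
    for line in ifconfig_text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = ADDR_RE.match(line)
        if m and iface:
            addr = m.group(1).split("%")[0]  # strip the %scope suffix on link-local v6
            owned[str(ipaddress.ip_address(addr))] = iface
    return owned

def check_resolution(fqdn, resolved_ip, expected_ip, owned):
    """Explain why a browser request for fqdn could land on the pfSense GUI instead of the app."""
    ip = ipaddress.ip_address(resolved_ip)
    if str(ip) in owned:
        return f"{fqdn} -> {ip} is owned by pfSense on {owned[str(ip)]}; the GUI answers, so a rebind page is expected"
    if ip != ipaddress.ip_address(expected_ip):
        return f"{fqdn} -> {ip} is not {expected_ip}; fix the A record before looking at pfSense"
    scope = "RFC1918" if ip.is_private else "public"
    return f"{fqdn} -> {ip} ({scope}) matches the real host; check port forwards and the state table next"

if __name__ == "__main__":
    owned = firewall_addresses(SAMPLE_IFCONFIG)
    for ip in ("172.16.12.1", "172.16.12.250", "10.0.0.5"):
        print(check_resolution("vscode.mydomain.com", ip, "172.16.12.250", owned))
```

On a real box, feed it the output of `ifconfig` from the pfSense shell and the address returned by your resolver for the FQDN.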
@stephenw10 I disabled all port forward rules, only nat to outside is there per VLAN.
-
SSH host1.mydomain.local works
Browse host1.mydomain.local (http/https) works
SSH host1.mydomain.com works
Browse host1.mydomain.com - weird redirection and DNS binding error
DNS is bind9 running on an RPi, running as a general cache DNS with local zones transferred from AD (mydomain.local/com)
I will get screenshots to show resolution and the scenarios above once back home
-
@bshpire said in DNS Rebind attack conditions don't make sense:
SSH host1.mydomain.com works
Browse host1.mydomain.com - weird redirection and DNS binding error
Check the states created by these connections.