Netgate Discussion Forum

    DNS Rebind attack conditions doesn't make sense

    General pfSense Questions
    21 Posts 4 Posters 1.3k Views
    bshpire @stephenw10

      @stephenw10 This happens both when the translated IP is internal or even if I try to set it to the outside IP.
      The only logs I see for it are from the webgui nginx accepting the traffic.

      bshpire @johnpoz

        @johnpoz This is not pointing to pfsense itself

        johnpoz LAYER 8 Global Moderator @bshpire

          @bshpire if the IP is not pointing to pfsense then there is no way you could end up on pfsense. Unless pfsense thinks that IP is his as well.

          When you want to go to an IP on a different network you send the traffic to the mac of your gateway but to your destination IP.. If pfsense has no port forward to itself then it must think that IP is his.

          192.168.100.31 ---> 192.168.100.1 pfsense 172.16.12.1 ---> 172.16.12.250

          So .31 says oh that 172.16 address is not on my network, send it to the mac of my gateway 100.1 (pfsense) with destination IP 12.250

          So either you have a port forward that intercepts that, or pfsense thinks 12.250 is his address.. Do you have VIP setup on pfsense?

          You sure that fqdn resolves to the 12.250 address and not 12.1 ?

          Is pfsense a VM? Is this all on VM host?

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          stephenw10 Netgate Administrator

            Yup that^. Somehow it's hitting the pfSense webgui so it must be hitting an IP address on pfSense.

            bshpire @stephenw10

              @stephenw10 Happy to screen share ;)

              pfsense running on specialized HW but everything else is either RPi or VMs (vSphere).
              Not happening when using mydomain.local

              Again, not pfsense, it's gitlab, Jenkins, vscode hosts

              I'm very curious myself to how this is happening
              Happy to pay netgate for a single ticket or TAC lite to get this resolved and understand the "how"

              stephenw10 Netgate Administrator

                Check the states when this is happening. If there are some translations being applied you would see it there.

                johnpoz LAYER 8 Global Moderator @bshpire

                  @bshpire well the first thing I would do is take a quick look to see if you have a vip setup.. just look at the output of ifconfig on pfsense

                  example - here my wan has a vip

                  igb1: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
                          description: WAN
                          options=4e100bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWFILTER,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG>
                          ether 00:08:a2:0c:e6:25
                          inet 209.snipped netmask 0xfffff000 broadcast 255.255.255.255
                          inet 192.168.100.2 netmask 0xffffff00 broadcast 192.168.100.255
                          inet6 fe80::208:a2ff:fe0c:e625%igb1 prefixlen 64 scopeid 0x2
                          media: Ethernet autoselect (1000baseT <full-duplex>)
                          status: active
                          nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

                  unless you intercept traffic - nothing on pfsense could even answer unless it thinks the IP you're going to is one of its IPs.. See the 192.168.100.2 IP, that is a vip I have on my wan interface to use to talk to my modem's 192.168.100.1 IP..

                  See if I go to that I can see my pfsense gui

                  [Screenshot vip.jpg: the pfSense GUI reached by browsing to the VIP address]

                  But going back to where you say ssh works to the correct host.. That screams interception then for the port you're hitting vs ssh.. Or proxy.. So you have no port forwards? You are not running a proxy on pfsense?

                  You say it works when you use a different domain > Not happening when using mydomain.local

                  So when you ssh to the host, are you using an fqdn or an IP.. Maybe your dns is just pointing to a pfsense IP? vs the actual IP of what you're wanting to talk to.

                  Are you using .local really? That is a mdns domain, not something that would normally resolve across subnets without avahi or something responding.. Unless you were on the same L2 and the device answered itself.

                  I would double check you have no interceptions setup on pfsense, that the fqdn you're using actually resolves to the correct IP you're talking to.. And that pfsense does not have this IP as one of its own. So you can't access vscode.mydomain.com when you use the fqdn, what about via IP..

                    bshpire @stephenw10
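The reasoning johnpoz gives in his two posts above (a client sends off-subnet traffic to the gateway's MAC with the real destination IP, and pfSense can only answer for an IP it owns, VIPs included, unless a port forward or proxy intercepts it) as an added Python example that is not from the thread: it parses ifconfig-style output like the sample quoted above into the addresses the firewall owns, decides which device a client would ARP for, and reports whether a name's DNS answer lands on the firewall. The interface names, the 203.0.113.10 stand-in for the redacted WAN address, and the DNS answers are all constructed.

```python
import ipaddress
import re

# Constructed ifconfig output modelled on the sample quoted in the thread;
# the redacted WAN address is replaced with a documentation-range placeholder.
IFCONFIG_SAMPLE = """\
igb1: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        description: WAN
        inet 203.0.113.10 netmask 0xfffff000 broadcast 255.255.255.255
        inet 192.168.100.2 netmask 0xffffff00 broadcast 192.168.100.255
igb0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        description: LAN
        inet 192.168.100.1 netmask 0xffffff00 broadcast 192.168.100.255
"""

# Constructed DNS answers standing in for the poster's bind9 zones.
DNS_ANSWERS = {
    "host1.mydomain.com": "192.168.100.2",   # the WAN VIP: the webgui answers
    "host2.mydomain.com": "172.16.12.250",   # a host on another subnet
}

def firewall_addresses(ifconfig_text):
    """Map interface name -> IPv4 addresses the firewall owns, VIPs included."""
    owned, iface = {}, None
    for line in ifconfig_text.splitlines():
        head = re.match(r"^(\S+): flags=", line)
        if head:
            iface = head.group(1)
            continue
        m = re.match(r"^\s+inet (\S+) netmask", line)   # 'inet6' lines do not match
        if m and iface:
            owned.setdefault(iface, []).append(ipaddress.IPv4Address(m.group(1)))
    return owned

def next_hop(client_ip, client_mask, dest_ip, gateway_ip):
    """Which device the client ARPs for: the host itself if on-link, else the gateway."""
    net = ipaddress.IPv4Network(f"{client_ip}/{client_mask}", strict=False)
    return dest_ip if ipaddress.IPv4Address(dest_ip) in net else gateway_ip

def classify(fqdn, answers=DNS_ANSWERS, ifconfig_text=IFCONFIG_SAMPLE):
    """("pfsense", iface) if the DNS answer is a firewall address, else ("remote", None)."""
    answer = answers.get(fqdn)
    if answer is None:
        return ("unresolved", None)
    ip = ipaddress.IPv4Address(answer)
    for iface, addrs in firewall_addresses(ifconfig_text).items():
        if ip in addrs:
            return ("pfsense", iface)
    return ("remote", None)
```

A "pfsense" result for a name that should reach another host is exactly the condition under which the webgui, not the intended service, answers and its DNS rebind check rejects the unknown Host header.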

                    @stephenw10 I disabled all port forward rules, only nat to outside is there per VLAN.

                      bshpire @johnpoz

                      @johnpoz

                      Ssh host1.mydomain.local works
                      Browse host1.mydomain.local (http/https) works
                      Ssh host1.mydomain.com works
                      Browse host1.mydomain.com - weird redirection and DNS binding error

                      DNS is bind9 running on an RPi running general cache DNS and local zones transferred from AD (mydomain.local/com)

                      I will get screenshots to show resolution and scenarios above once back home

                        stephenw10 Netgate Administrator @bshpire

                        @bshpire said in DNS Rebind attack conditions doesn't make sense:

                        Ssh host1.mydomain.com works
                        Browse host1.mydomain.com - weird redirection and DNS binding error

                        Check the states created by these connections.

                          bshpire @stephenw10

                          @stephenw10 made too many changes in the last 48h ;)

                          now direct and reverse proxy nginx works, just complains about ltm vips

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.