No access to webinterface "Potential DNS Rebind attack detected" since July/3
-
We already thought of just that scenario. :-)
Go to System > Advanced, on the admin tab. Put your custom hostname in the "Alternate Hostnames" box.
-
Hahaha great!
Thank you :)
All the best,
Max
Edit: works like a charm
-
Request: could you disable the feature by default or disable it until the first successful web login?
The way it is now, it was a bit complicated to install pfSense on a VM only accessible by DNAT through another router.
Thanks!
-
I doubt that's going to be possible because it would defeat the purpose.
If you have a VM, usually you can stick another VM on its LAN. The only "official" way to get into the web interface to start with is from the LAN.
If it doesn't work when accessing it via IP address, then that could probably be addressed, but we'd need a lot more info.
-
Yes, I can stick its LAN interface into another vswitch to set it up, but this is just one possible scenario where it's quite easy.
I had a Linux box in the LAN accessible by its LAN IP with one interface in a vswitch. pfSense's LAN interface was connected to the same vswitch.
pfSense LAN IP: 192.168.20.1 -> vswitch
Linux LAN IP: 192.168.0.30 -> LAN, 192.168.20.20 -> vswitch
I set it up to DNAT incoming requests on port 443 from the LAN side to 192.168.20.1 and to SNAT to 192.168.20.20.
When trying to connect via the Linux box's LAN IP from the LAN side, I was greeted by a DNS rebind warning. I edited config.xml and rebooted.
-
I'm going to commit a patch here in a while that will work if accessing by any IP, since the DNS rebinding issue only matters for hostnames.
Though I'm considering adding a warning to the login screen if the IP isn't a local IP.
-
Thanks!
-
It should be patched now, though I made it display an error if you are accessing it by an IP that is not configured locally on the system, since that could still be a potential man-in-the-middle attack even if it is a valid configuration.
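To make the behaviour described in this thread concrete (hostnames are checked against the system hostname plus the "Alternate Hostnames" list; an IP literal skips the rebinding check but is rejected if it is not configured locally), here is a small model of that Host-header check. It is an added example, not pfSense's own PHP code, and the configuration dictionary, the hostnames and the local addresses in it are constructed assumptions for illustration only.

```python
import ipaddress

# Constructed sample configuration (assumption: this does not come from any real config.xml).
SAMPLE_CONFIG = {
    "hostname": "pfsense",
    "domain": "localdomain",
    # Entries a user would put in System > Advanced > Admin > "Alternate Hostnames".
    "alternate_hostnames": ["fw.example.net"],
    # Addresses configured on the firewall's own interfaces (constructed values).
    "local_ips": ["192.168.20.1", "203.0.113.10", "fe80::1"],
}


def split_host_header(host_header):
    """Return (name, port) from an HTTP Host header value; port may be None.

    Handles "name", "name:port", "1.2.3.4:443" and bracketed IPv6 "[fe80::1]:443".
    A bare unbracketed IPv6 literal (more than one colon) is returned unchanged.
    """
    h = host_header.strip().lower()
    if h.startswith("["):
        end = h.find("]")
        if end == -1:
            return h.lstrip("["), None
        rest = h[end + 1:]
        return h[1:end], (rest[1:] or None) if rest.startswith(":") else None
    if h.count(":") == 1:
        name, port = h.split(":")
        return name, port or None
    return h, None


def check_host_header(host_header, config=SAMPLE_CONFIG):
    """Classify a request by its Host header the way the thread describes.

    Returns one of:
      "ok"           - hostname matches the system or an alternate hostname, or
                       the IP literal is one configured on this system
      "rebind"       - a hostname that is not ours: potential DNS rebinding
      "non_local_ip" - an IP literal that is not configured locally (the
                       possible man-in-the-middle / NAT case from the thread)
    """
    name, _port = split_host_header(host_header)

    # Case 1: the client used an IP literal. DNS rebinding needs a hostname the
    # attacker controls, so the rebinding check does not apply; instead make
    # sure the address really belongs to this firewall.
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        ip = None
    if ip is not None:
        local = {ipaddress.ip_address(a) for a in config["local_ips"]}
        return "ok" if ip in local else "non_local_ip"

    # Case 2: the client used a hostname. Accept the short hostname, the FQDN,
    # and anything listed under Alternate Hostnames; everything else is a
    # potential rebinding attempt.
    allowed = {
        config["hostname"].lower(),
        (config["hostname"] + "." + config["domain"]).lower(),
    }
    allowed |= {a.strip().lower().rstrip(".") for a in config["alternate_hostnames"] if a.strip()}
    return "ok" if name.rstrip(".") in allowed else "rebind"


if __name__ == "__main__":
    for hdr in ["pfsense.localdomain", "fw.example.net:8443", "pub.somedomain.eu:8443",
                "192.168.20.1", "192.168.0.30:443", "[fe80::1]:443"]:
        print(f"{hdr:30} -> {check_host_header(hdr)}")
```

The DNAT scenario from earlier in the thread maps onto this directly: a request for `192.168.0.30:443` carries an IP literal that is not configured on the firewall, so it is no longer flagged as rebinding but is still reported as a non-local address, which is exactly the warning described above. Adding `pub.somedomain.eu` to the alternate hostnames is what turns the "rebind" result for that name into "ok".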
-
I get no error using the July 8 build accessing via DynDNS hostname on WAN, which is the one scenario that was causing the error for me previously.
-
I get no error using the July 8 build accessing via DynDNS hostname on WAN, which is the one scenario that was causing the error for me previously.
That was one of the first exceptions that was added, so it's good to know it's working :-)
-
No errors here with July 10 snapshot.
It is fixed.
-
I experienced and solved a very similar problem on 2.0-BETA4 (amd64) built on Thu Oct 7 18:57:45 UTC 2010 FreeBSD 8.1-RELEASE-p1.
I had two unused interfaces, DMZ and OPT2. I had DMZ set to something like 192.168.252.254/24. Then I disabled that. Then I enabled OPT2 and set it to the same IP address. After that, every time I used the web interface to access OPT2 I would get a completely different page, with the simple error message of "Potential DNS Rebind attack detected." I tried several different things, but nothing would allow me to change the IP address.
Finally, I logged in via SSH. I selected the menu option to change the interface IP address. I did so, to something unused like 192.168.251.6 or whatever. After that, I could get back into the web configuration menu for OPT2.
In the course of troubleshooting it, I came across this thread, and thought I would leave a solution in case others have the problem.
-
I'm not sure how that would have triggered the check, since the rebinding checks are skipped if you access it by IP address.
-
I still get this message when trying to access on "https://pub.SomeDomain.eu:TCPport". No issues when using "https://publicIP:TCPport".
I tested on two installs different locations. Both on:
2.0-BETA5 (i386)
built on Sun Feb 6 13:03:57 EST 2011
Not an issue for me, a bit of feedback if it may help.
-
I still get this message when trying to access on "https://pub.SomeDomain.eu:TCPport".
Then you should, there aren't any issues with it anymore. See info here:
http://doc.pfsense.org/index.php/DNS_Rebinding_Protections