No access to webinterface "Potential DNS Rebind attack detected" since July/3
-
I'm going to commit a patch here in a while that will work if accessing by any IP, since the DNS rebinding issue only matters for hostnames.
Though I'm considering adding a warning to the login screen if the IP isn't a local IP.
-
Thanks!
-
It should be patched now, though I made it display an error if you are accessing it by an IP that is not configured locally on the system, since that could still be a potential man-in-the-middle attack even if it is a valid configuration.
-
I get no error using the July 8 build accessing via DynDNS hostname on WAN, which is the one scenario that was causing the error for me previously.
-
> I get no error using the July 8 build accessing via DynDNS hostname on WAN, which is the one scenario that was causing the error for me previously.
That was one of the first exceptions that was added, so it's good to know it's working :-)
-
No errors here with July 10 snapshot.
It is fixed.
-
I experienced and solved a very similar problem on 2.0-BETA4 (amd64) built on Thu Oct 7 18:57:45 UTC 2010 FreeBSD 8.1-RELEASE-p1.
I had two unused interfaces, DMZ and OPT2. I had DMZ set to something like 192.168.252.254/24. Then I disabled that. Then I enabled OPT2 and set it to the same IP address. After that, every time I used the web interface to access OPT2 I would get a completely different page, with the simple error message of "Potential DNS Rebind attack detected." I tried several different things, but nothing would allow me to change the IP address.
Finally, I logged in via SSH. I selected the menu option to change the interface IP address. I did so, to something unused like 192.168.251.6 or whatever. After that, I could get back into the web configuration menu for OPT2.
In the course of troubleshooting it, I came across this thread, and thought I would leave a solution in case others have the problem.
-
I'm not sure how that would have triggered the check, since the rebinding checks are skipped if you access it by IP address.
-
I still get this message when trying to access on "https://pub.SomeDomain.eu:TCPport". No issues when using "https://publicIP:TCPport".
I tested on two installs in different locations. Both on:
2.0-BETA5 (i386)
built on Sun Feb 6 13:03:57 EST 2011
Not an issue for me, a bit of feedback if it may help.
-
> I still get this message when trying to access on "https://pub.SomeDomain.eu:TCPport".
Then you should, there aren't any issues with it anymore. See info here:
http://doc.pfsense.org/index.php/DNS_Rebinding_Protections
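-
The Host-header decision described across this thread (access by IP skips the rebinding check, an IP not configured locally gets an error, known names such as a DynDNS hostname are exceptions, any other hostname gets the message), as an added example that is not part of the thread and not pfSense's own code. The function names, verdict strings and sample addresses and hostnames are assumptions constructed for illustration.

```python
import ipaddress

REBIND_MSG = "Potential DNS Rebind attack detected"

# Constructed sample configuration (not taken from the thread).
LOCAL_IPS = ["192.168.1.1", "203.0.113.10", "::1"]
ALLOWED_HOSTNAMES = {"fw.example.lan", "myfw.dyndns.example"}


def split_host(host_header):
    """Strip an optional :port from a Host header value."""
    h = host_header.strip()
    if h.startswith("["):  # bracketed IPv6 literal, e.g. [::1]:443
        return h[1:].partition("]")[0]
    return h.rsplit(":", 1)[0] if ":" in h else h


def check_host(host_header, local_ips=LOCAL_IPS, allowed=ALLOWED_HOSTNAMES):
    """Return 'ok', 'nonlocal-ip' or 'rebind' for a Host header value."""
    host = split_host(host_header)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # not an IP literal, so treat it as a hostname

    if ip is not None:
        # Rebinding depends on a hostname the attacker controls in DNS,
        # so an IP literal skips that check entirely.
        if ip in {ipaddress.ip_address(a) for a in local_ips}:
            return "ok"
        # The IP is not configured on this system (for example a forward
        # in front of it): report it separately from the rebinding case.
        return "nonlocal-ip"

    # Hostnames must be ones the administrator has listed; compare
    # case-insensitively and ignore a trailing root dot.
    if host.lower().rstrip(".") in allowed:
        return "ok"
    return "rebind"


if __name__ == "__main__":
    for h in ("192.168.1.1", "198.51.100.7:8443",
              "myfw.dyndns.example:443", "pub.somedomain.example:8443"):
        verdict = check_host(h)
        print(h, "->", REBIND_MSG if verdict == "rebind" else verdict)
```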