[Solved] DNS Rebinding Attack. No access to Server inside DMZ from LAN.
-
Hey Guys,
we are currently rebuilding our network infrastructure to a more secure environment. So far it went pretty well. I am in the last steps.
I'm posting this in the General area because right now I don't know what exactly seems to be the problem.
Let me give you a bit more information. Right now the network looks something like this.
PfSense itself is 2.2 BETA-amd64-20141029-1442. The 2.1.5 couldn't handle my network cards, so yeah, that's why beta ;).
IPFire is v2.15 (i586) - Core Update 85. It acts as a regular (not transparent) Proxy and for now, Firewall rules are "Allow All".
PfSense handles 3 WAN interfaces. The two red ones are dynamic (VDSL 50Mbit and Cable 100Mbit). Configured in PfSense to work as a Multi-WAN Failover.
The purple one is a static 10Mbit leased line where we have 15 public IPs.
The remaining devices are configured like this.
PfS DMZ Interf.: 192.168.10.1
S1 - MailServer: 192.168.10.4
S2 - WebServer: 192.168.10.5
S3 - WebServer: 192.168.10.6
S4 - WebServer: 192.168.10.7
IPF DMZ Interf.: 192.168.10.254
IPF LAN Interf.: 172.16.1.1
IPF WLAN Interf.: 172.17.1.1
PfSense is configured to use 1:1 NAT Mapping to forward the public IP address to the internal IP address.
So if I open mail.mydomainname.com from WAN I get access to my mailserver. This works without a problem.
But if I try the same thing from the LAN I get a DNS Rebinding Warning.
From my understanding the warning appears due to the fact that the domain name is resolved to the outside WAN and then re-enters the local network.
So the packets go through the PfSense two times, which leads to the message.
What I've done until now.
- Unchecked to [X] Checked.
  (which gives me the PfSense login screen instead of the rebinding error message)
- Tried to set up Split DNS like it is mentioned in the docs.
  Didn't work. But tbh I'm not quite sure if I've done that correctly or if the settings are in correlation to some others.
I also changed
Firewall -> NAT -> 1:1 -> Edit MailServer interface -> NAT reflection
to enable
which was a suggestion from serverfault.
Unfortunately no luck :(
So any tips for me on how to get the LAN clients to the server in the DMZ without looping through the internet?
Additional question.
When working with the DNS Forwarder, does it make any difference if I check (or uncheck)
Register DHCP leases in DNS forwarder
Resolve DHCP mappings first
since in the DMZ I don't have a DHCP server.
Thanks in advance
Ulf
-
-
I wonder if having a DNS override put in to translate mail.mydomainname.com to a local IP might help so that it never goes towards the WAN?
-
I wonder if having a DNS override put in to translate mail.mydomainname.com to a local IP might help so that it never goes towards the WAN?
Yeah. Isn't that what Split-DNS is for? I've already done that.
No Luck
-
Same thing was happening to me actually when I used VPN. My genius answer was to waste an IP. Very annoying.
Another answer is to just use the IP directly, but that has annoying Cert warning issues.
No help here I guess.
I even went so far as to turn off the rebind warnings but kept getting the pfsense gui login instead of the mail server.
-
Same thing was happening to me actually when I used VPN. My genius answer was to waste an IP. Very annoying.
Could you please be a bit more clear on that.
In my case the provider of the 10Mbit leased line gave me a box with a static public IP. Ends in .1. That is out of my hands. No configuration here. From there I have a pool of 14 more IPs (.2 - .15). Which I put into PfSense as Virtual IP for 1:1 NAT mapping etc.
Another answer is to just use the IP directly, but that has annoying Cert warning issues.
No help here I guess.
If I open the Mailserver directly via 192.168.10.4 from inside the LAN, I've got no trouble. Works like a charm.
I even went so far as to turn off the rebind warnings but kept getting the pfsense gui login instead of the mail server.
Yep. Like I said in the OP. Same for me.
-
My solution was not efficient. Everything is VM inside ESXI, including pfsense.
In the case I had similar to yours, I ended up separating all the services, like email, and put it behind a separate pfsense with separate virtual interface and separate IPs.
So when I go to "mail" it really does exit the WAN of one pfsense and go to the public IP of the one right next door to it.
I'm sure there is a better way.
-
My solution was not efficient. Everything is VM inside ESXI, including pfsense.
In the case I had similar to yours, I ended up separating all the services, like email, and put it behind a separate pfsense with separate virtual interface and separate IPs.
So when I go to "mail" it really does exit the WAN of one pfsense and go to the public IP of the one right next door to it.
I'm sure there is a better way.
Hmm.. yeah. That's not exactly what I want ;)
-
I wonder if having a DNS override put in to translate mail.mydomainname.com to a local IP might help so that it never goes towards the WAN?
Yeah. Isn't that what Split-DNS is for? I've already done that.
No Luck
I think there was a problem with Host Overrides in 2.2-BETA and I think it was fixed with: https://github.com/pfsense/pfsense/commit/cbc6a13fa3a7fd5790558d5526ba9cb6d2c74aad
It would be worth going to a current snapshot, because the Host Override split DNS thing is the easiest (and best?) way to make your scenario work.
-
Is it a 2.1.5 problem also? That's what those pfsense I was talking about are on.
If 2.2 fixes that for me, it would be great.
-
It works on 2.1.5, I just tried putting a host override for something like www.mydomain.com then:
nslookup www.mydomain.com
and got back the IP address in the Host Override.
Removed the Host Override and nslookup starts returning the real public IP.
-
I think there was a problem with Host Overrides in 2.2-BETA and I think it was fixed with: https://github.com/pfsense/pfsense/commit/cbc6a13fa3a7fd5790558d5526ba9cb6d2c74aad
It would be worth going to a current snapshot, because the Host Override split DNS thing is the easiest (and best?) way to make your scenario work.
My build is Wed Oct 29 23:25:52 CDT 2014. Your link is dated the 4th of November. So yeah, that could work. I'm eager to try it.
PfSense says it has found an upgrade. Thu Nov 06 03:59:39 CST 2014.
I'll save my config and do the upgrade tomorrow (about 12h from now).
We will see how it goes. ;)
-
Is it a 2.1.5 problem also? That's what those pfsense I was talking about are on.
No, that problem never existed in 2.1.x, that was a regression in 2.2 only that I fixed a couple days ago. Guessing it is the cause of OP's issue if that's on a snapshot that's more than 1-2 days old.
-
@cmb:
Is it a 2.1.5 problem also? That's what those pfsense I was talking about are on.
No, that problem never existed in 2.1.x, that was a regression in 2.2 only that I fixed a couple days ago. Guessing it is the cause of OP's issue if that's on a snapshot that's more than 1-2 days old.
It worked! :D
Current build is Fri Nov 07 00:00:15 CST 2014, FreeBSD 10.1-RC4-p1.
Firewall -> NAT -> 1:1 -> Edit -> NAT reflection = use system default
Services -> DNS forwarder ->
Register DHCP leases in DNS forwarder
and
Register DHCP static mappings in DNS forwarder
Unchecked.
And of course the settings for DNS Split in Services -> DNS forwarder -> Host Override.
Only thing is, when having multiple websites on one machine that you can access via different subdomains like
site1.mydomain.com
site2.mydomain.com
etc.
Host Overrides only gives you the default website since I can not assign a specific directory to a subdomain.
But I guess we will figure something out. It is not as important as the mailserver was.
So thank you very much!
–---------------------------------------
//Edit: Just a little update for all the googlers that might come here later. To solve the website issue, we set up our own bind DNS on an extra machine.
This DNS handles all requests from IPFire. Directs requests to sub.domain.com to the internal IP of that server.
And in case that IP is a Webserver, Apache with Vhosts handles it and forward that to the specific directory.
So that's it :)
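A small check a LAN client can run to confirm the split-DNS fix discussed in this thread: each DMZ service name should resolve to its internal 192.168.10.x address, not to the public 1:1 NAT address (which sends the traffic out the WAN and back into pfSense). This is an added example, not code from the thread; the host-to-address table is taken from the OP's post, the site1/site2 names are assumed, and 203.0.113.0/28 is a placeholder for the leased-line public pool.

```python
"""Check whether DMZ service names resolve to their internal (split-DNS) addresses
when queried from a LAN client using the firewall's DNS forwarder."""
import ipaddress
import socket
from typing import Callable, Dict, List

# DMZ hosts from the thread; public pool is a placeholder (the real /28 is the provider's).
DMZ_NET = ipaddress.ip_network("192.168.10.0/24")
PUBLIC_POOL = ipaddress.ip_network("203.0.113.0/28")  # ASSUMED placeholder range
EXPECTED = {
    "mail.mydomainname.com": "192.168.10.4",  # S1 - MailServer
    "site1.mydomain.com": "192.168.10.5",     # assumed: vhost on S2
    "site2.mydomain.com": "192.168.10.5",     # assumed: vhost on S2
}


def system_resolver(name: str) -> List[str]:
    """Resolve through the client's configured resolver (IPFire / pfSense forwarder)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def classify(name: str, answers: List[str]) -> str:
    """Label one name's answers: OK, HAIRPIN, WRONG_HOST, UNEXPECTED or UNRESOLVED."""
    if not answers:
        return "UNRESOLVED"
    expected = ipaddress.ip_address(EXPECTED[name])
    addrs = [ipaddress.ip_address(a) for a in answers]
    if any(a in PUBLIC_POOL for a in addrs):
        return "HAIRPIN"      # public NAT address: LAN traffic would loop via the WAN side
    if all(a == expected for a in addrs):
        return "OK"           # host override / split DNS is in effect for this name
    if any(a in DMZ_NET for a in addrs):
        return "WRONG_HOST"   # override exists but points at a different DMZ host
    return "UNEXPECTED"


def check_split_dns(resolver: Callable[[str], List[str]] = system_resolver) -> Dict[str, str]:
    """Run the check for every expected name; resolver is injectable for offline use."""
    return {name: classify(name, resolver(name)) for name in EXPECTED}


if __name__ == "__main__":
    for host, status in check_split_dns().items():
        print(f"{status:10} {host}")
```

Any HAIRPIN result means the Host Override for that name is missing or not being served to the LAN resolver.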