[Solved] DNS Rebinding Attack. No access to Server inside DMZ from LAN.
-
I wonder if having a DNS override put in to translate mail.mydomainname.com to a local IP might help so that it never goes towards the WAN?
-
> I wonder if having a DNS override put in to translate mail.mydomainname.com to a local IP might help so that it never goes towards the WAN?
Yeah. Isn't that what Split-DNS is for? I've already done that.
No luck.
-
Same thing was happening to me actually when I used VPN. My genius answer was to waste an IP. Very annoying.
Another answer is to just use the IP directly, but that has annoying Cert warning issues.
No help here I guess. I even went so far as to turn off the rebind warnings but kept getting the pfsense gui login instead of the mail server.
-
> Same thing was happening to me actually when I used VPN. My genius answer was to waste an IP. Very annoying.
Could you please be a bit more clear on that?
In my case the provider of the 10Mbit leased line gave me a box with a static public IP. Ends in .1. That is out of my hands. No configuration here. From there I have a pool of 14 more IPs (.2 - .15), which I put into pfSense as Virtual IPs for 1:1 NAT mapping etc.
> Another answer is to just use the IP directly, but that has annoying Cert warning issues.
> No help here I guess.
If I open the mail server directly via 192.168.10.4 from inside the LAN, I've got no trouble. Works like a charm.
> I even went so far as to turn off the rebind warnings but kept getting the pfsense gui login instead of the mail server.
Yep. Like I said in the OP. Same for me.
-
My solution was not efficient. Everything is a VM inside ESXi, including pfSense.
In the case I had similar to yours, I ended up separating all the services, like email, and put it behind a separate pfSense with a separate virtual interface and separate IPs.
So when I go to "mail" it really does exit the WAN of one pfSense and go to the public IP of the one right next door to it. I'm sure there is a better way.
-
> My solution was not efficient. Everything is a VM inside ESXi, including pfSense.
> In the case I had similar to yours, I ended up separating all the services, like email, and put it behind a separate pfSense with a separate virtual interface and separate IPs.
> So when I go to "mail" it really does exit the WAN of one pfSense and go to the public IP of the one right next door to it. I'm sure there is a better way.
Hmm.. yeah. That's not exactly what I want ;)
-
> > I wonder if having a DNS override put in to translate mail.mydomainname.com to a local IP might help so that it never goes towards the WAN?
> Yeah. Isn't that what Split-DNS is for? I've already done that.
> No luck.
I think there was a problem with Host Overrides in 2.2-BETA and I think it was fixed with: https://github.com/pfsense/pfsense/commit/cbc6a13fa3a7fd5790558d5526ba9cb6d2c74aad
It would be worth going to a current snapshot, because the Host Override split DNS thing is the easiest (and best?) way to make your scenario work.
-
Is it a 2.1.5 problem also? That's what those pfSense boxes I was talking about are on.
If 2.2 fixes that for me, it would be great.
-
It works on 2.1.5, I just tried putting a host override for something like www.mydomain.com then:
nslookup www.mydomain.com
and got back the IP address in the Host Override.
Removed the Host Override and nslookup starts returning the real public IP.
-
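The nslookup test above checks one name by hand. The following added example (not code from the thread or from pfSense) does the same classification for a whole list of names: given what a LAN client got back from the internal resolver, it reports whether the Host Override answered with the expected internal address, or whether the name still resolves to the firewall's WAN address, which is the case where the LAN client ends up at the pfSense GUI and its rebind warning instead of the mail server. The WAN address, the override table and the sample resolver answers are constructed for the example and assumed, not taken from the thread.

```python
import ipaddress

# Constructed values (assumptions for this example, not from the thread): the firewall's
# public WAN address and the Host Overrides the DNS forwarder is expected to serve to LAN clients.
WAN_IP = "203.0.113.10"                      # documentation range, stands in for the real public IP
HOST_OVERRIDES = {
    "mail.mydomain.com": "192.168.10.4",     # the mail server from the thread
    "site1.mydomain.com": "192.168.10.20",
    "site2.mydomain.com": "192.168.10.20",
}


def classify_answer(name, answer, overrides, wan_ip):
    """Classify what a LAN client got back from the internal resolver for `name`."""
    expected = overrides.get(name)
    if expected is None:
        return "NO_OVERRIDE"          # nothing configured for this name; a public answer is normal
    try:
        ip = ipaddress.ip_address(answer)
    except ValueError:
        return "UNPARSEABLE"
    if str(ip) == expected:
        return "OK"                   # split DNS is doing its job
    if str(ip) == wan_ip:
        # Override not applied: the client connects to the firewall's own WAN address from
        # the LAN side. Without working NAT reflection the pfSense GUI answers that request
        # and shows the rebind warning, which is the symptom reported in the thread.
        return "LEAK_TO_WAN"
    if ip.is_private:
        return "WRONG_INTERNAL_IP"    # an override exists but points at the wrong box
    return "WRONG_PUBLIC_IP"


def audit(answers, overrides=HOST_OVERRIDES, wan_ip=WAN_IP):
    """answers: {name: ip} as observed with `nslookup name` from a LAN host."""
    return {name: classify_answer(name, ip, overrides, wan_ip) for name, ip in answers.items()}


# Constructed sample: what nslookup returned for each name from a LAN workstation.
SAMPLE_ANSWERS = {
    "mail.mydomain.com": "192.168.10.4",    # override working
    "site1.mydomain.com": "203.0.113.10",   # override missing: still resolves to the WAN IP
    "site2.mydomain.com": "192.168.10.99",  # stale override pointing at the wrong server
    "other.mydomain.com": "198.51.100.7",   # no override configured, public answer is fine
}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_ANSWERS).items():
        print(f"{name:24} {verdict}")
```

Feed `audit()` the real answers from a LAN client after changing Host Overrides or upgrading the firewall; any `LEAK_TO_WAN` entry is a name that will still land on the firewall instead of the internal server.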
> I think there was a problem with Host Overrides in 2.2-BETA and I think it was fixed with: https://github.com/pfsense/pfsense/commit/cbc6a13fa3a7fd5790558d5526ba9cb6d2c74aad
> It would be worth going to a current snapshot, because the Host Override split DNS thing is the easiest (and best?) way to make your scenario work.
My build is Wed Oct 29 23:25:52 CDT 2014. Your link dates from the 4th of November. So yeah, that could work. I'm eager to try it.
pfSense says it has found an upgrade: Thu Nov 06 03:59:39 CST 2014. I'll save my config and do the upgrade tomorrow (about 12h from now).
We will see how it goes. ;)
-
> Is it a 2.1.5 problem also? That's what those pfSense boxes I was talking about are on.
No, that problem never existed in 2.1.x, that was a regression in 2.2 only that I fixed a couple days ago. Guessing it is the cause of OP's issue if that's on a snapshot that's more than 1-2 days old.
-
@cmb:
> > Is it a 2.1.5 problem also? That's what those pfSense boxes I was talking about are on.
> No, that problem never existed in 2.1.x, that was a regression in 2.2 only that I fixed a couple days ago. Guessing it is the cause of OP's issue if that's on a snapshot that's more than 1-2 days old.
It worked! :D
Current build is Fri Nov 07 00:00:15 CST 2014, FreeBSD 10.1-RC4-p1.
Firewall -> NAT -> 1:1 -> Edit -> NAT reflection = use system default
Services -> DNS forwarder ->
Register DHCP leases in DNS forwarder
and
Register DHCP static mappings in DNS forwarder
Unchecked.
And of course the settings for DNS Split in Services -> DNS forwarder -> Host Override.
Only thing is: when having multiple websites on one machine that you can access via different subdomains like
site1.mydomain.com
site2.mydomain.com
etc.
Host Overrides only gives you the default website, since I can not assign a specific directory to a subdomain. But I guess we will figure something out. It is not as important as the mailserver was.
So thank you very much!
----------------------------------------
//Edit: Just a little update for all the googlers that might come here later. To solve the website issue, we set up our own BIND DNS on an extra machine.
This DNS handles all requests from IPFire. Directs requests to sub.domain.com to the internal IP of that server.
And in case that IP is a webserver, Apache with vhosts handles it and forwards that to the specific directory.
So that's it :)
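With the BIND plus Apache vhost setup from the edit above, every subdomain the zone points at the web server needs a matching vhost, otherwise Apache serves the default (first) vhost, which is exactly the "only the default website" symptom from earlier in the thread. The following is an added example, not code from the thread, from pfSense or from BIND/Apache: it parses a zone file and an Apache config and lists the names that would fall through to the default vhost. The zone, the Apache config and the server addresses are constructed for the example and assumed, not taken from the thread.

```python
import re

# Constructed sample zone for mydomain.com (assumption for this example): the internal view
# that the BIND box serves to LAN clients.
ZONE_TEXT = """\
$ORIGIN mydomain.com.
$TTL 300
@       IN  SOA ns1 hostmaster 2014110701 3600 900 604800 300
@       IN  NS  ns1
ns1     IN  A   192.168.10.2
mail    IN  A   192.168.10.4
site1   IN  A   192.168.10.20
site2   IN  A   192.168.10.20
site3   IN  A   192.168.10.20
"""

# Constructed Apache config for the web server at 192.168.10.20: site3 has no vhost.
APACHE_TEXT = """\
<VirtualHost *:80>
    ServerName site1.mydomain.com
    DocumentRoot /var/www/site1
</VirtualHost>
<VirtualHost *:80>
    ServerName site2.mydomain.com
    ServerAlias www.site2.mydomain.com
    DocumentRoot /var/www/site2
</VirtualHost>
"""

# Matches "label [ttl] IN A 1.2.3.4"; other record types are ignored.
A_RECORD = re.compile(r"^(?P<label>\S+)\s+(?:\d+\s+)?IN\s+A\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s*$")


def parse_zone(text):
    """Return {fqdn: ip} for the A records in a zone file, expanding labels with $ORIGIN."""
    origin = ""
    records = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop zone-file comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        m = A_RECORD.match(line)
        if not m:
            continue
        label, ip = m.group("label"), m.group("ip")
        if label == "@":
            fqdn = origin
        elif label.endswith("."):
            fqdn = label.rstrip(".")           # already fully qualified
        else:
            fqdn = f"{label}.{origin}"
        records[fqdn.lower()] = ip
    return records


def parse_vhosts(text):
    """Return {hostname: DocumentRoot} for every ServerName/ServerAlias in an Apache config."""
    vhosts = {}
    names, docroot = [], None
    for line in text.splitlines():
        line = line.strip()
        lower = line.lower()
        if lower.startswith("<virtualhost"):
            names, docroot = [], None          # new block starts
        elif lower.startswith("servername") or lower.startswith("serveralias"):
            names.extend(n.lower() for n in line.split()[1:])
        elif lower.startswith("documentroot"):
            docroot = line.split(None, 1)[1].strip('"')
        elif lower.startswith("</virtualhost"):
            for n in names:
                vhosts[n] = docroot
    return vhosts


def names_on_default_vhost(zone_records, vhosts, web_ip):
    """Names the zone sends to web_ip that Apache has no vhost for.
    Requests for these reach the server but are served by the default vhost."""
    return sorted(n for n, ip in zone_records.items() if ip == web_ip and n not in vhosts)


if __name__ == "__main__":
    zone = parse_zone(ZONE_TEXT)
    vhosts = parse_vhosts(APACHE_TEXT)
    print("missing vhosts:", names_on_default_vhost(zone, vhosts, "192.168.10.20"))
```

Run it against the real zone file and the Apache vhost config after adding a subdomain; an empty list means every internal name that resolves to the web server has its own DocumentRoot.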