Netgate Discussion Forum

    DNS Rebind issue, possibly need split DNS

    DHCP and DNS
    6 Posts 4 Posters 1.9k Views
    • jeffboyce

      Greetings –

      I am going to start here with trying to get a resolution to my issue, but if someone thinks there is a better forum or mailing list to help me please let me know.

      I am currently running pfSense 2.1.2-RELEASE (i386).  I don't see this as a pfSense issue that updating would fix; it is more likely an issue with my implementation.  The pfSense box is scheduled to be updated in the near future, so I don't really need recommendations to update the pfSense installation now.

      Issue:
      I am hosting an instance of OwnCloud on a company server located within our local LAN.  Internal clients access it by name using “cloud.local.lan”.  External clients access it by name using “cloud.companydomain.com”.  One of the features of OwnCloud is being able to provide direct links to documents within the OwnCloud server to other users.  OwnCloud provides internal clients with a link referencing “cloud.local.lan”; however, if this link is provided to an external client it will not work because it is referencing our internal LAN name.  When the internal clients try to use our external domain name (cloud.companydomain.com) to access the OwnCloud server they receive the pfSense 501 page referencing Potential DNS Rebind attack detected.

      My Objective:
      I would like to have our internal clients use the external domain name (cloud.companydomain.com) to access our OwnCloud instance.  Then the document links that OwnCloud generates would work for anyone we provide them to.

      What I have tried:
      I have read through the pfSense documentation regarding “DNS Rebinding Protections”, the “Why can't I access forwarded ports on my WAN IP from my LAN/OPTx networks”, and numerous other descriptions about similar issues via Google searches.  I am beginning to understand more of the issue, but don’t understand enough to identify the right solution for my situation.

      I am not using the pfSense box on my LAN for the DNS server.  The DNS server is on a separate box running DNSmasq.  Also, the pfSense logs do not show that it is receiving private DNS queries from external sources.  So I don't think adding rebind-domain-ok=/mydomain.com/ to the pfSense box would resolve my issue.

      I read through the NAT Reflection documentation and tried enabling PureNAT, with the appropriate check boxes identified in the example.  That did not resolve the issue.

      So I researched what Split DNS does.  Since I am not using the pfSense box as my DNS server I did not implement what is described in the pfSense document.  However if Split DNS is what I need, then I am assuming that I would have to implement it on my DNSmasq server, or in the zone file where my external domain is hosted (third party off-site location).  If so, I am looking for some guidance for doing that.

      My network configuration:
      If you have read this far, you are probably wondering about my network configuration.  It may help identify where I need to implement a solution to this issue.

      pfSense box (192.168.112.11)
        External IP xx.yy.zz.18
        Network gateway and firewall
        1:1 NAT providing 4 public IPs to internal servers
        Uses ISP DNS server aa.bb.cc.1
            ISP DNS server aa.bb.cc.2
            Google DNS server 8.8.8.8

      OwnCloud box (192.168.112.53)
        External IP xx.yy.zz.21

      DNSmasq box (192.168.112.51)
        No external IP
        DNS and DHCP server for lan
        Gives LAN clients
            DNS server 192.168.112.51
            Default Gateway 192.168.112.11

      companydomain.com
        Hosted by outside provider
        www.companydomain.com physical webserver location
        zone file for companydomain.com

      I am not sure what additional information might help in identifying a solution for this issue.  I can provide any logs that might be helpful, or the zone file information for my domain if that would help, just let me know what additional information would be good to see.  Thanks.

      Jeff

      • NOYB

        Here.  Let me condense that for you.

        Sorry I'm not reading all that.

        @jeffboyce:

        [the whole first post above, quoted with all the whitespace stripped out]

        • muswellhillbilly

          Sounds simple enough. Set up the companydomain.com zone on your internal DNS server and create an A record for cloud.companydomain.com pointing to your OwnCloud server's internal IP address. Your external clients will still resolve the cloud.companydomain.com name via external DNS, so they won't be affected by the change you make internally, but your internal clients will be able to resolve the same domain name via the internal IP.

          • johnpoz (LAYER 8 Global Moderator)

            ^ exactly

            Whatever your clients are using to resolve internally (dnsmasq on another box, sure, ok), just create a record in that setup to resolve cloud.companydomain.com to 192.168.112.53.

            Split DNS is nothing specific to pfSense.


            • jeffboyce

              @muswellhillbilly:

              Set up the companydomain.com zone on your internal DNS server and create an A record for cloud.companydomain.com pointing to your OwnCloud server's internal IP address.

              @johnpoz:

              Just create record in that setup to resolve your cloud.companydomain.com to 192.168.112.53

              Ok, that gives me some direction.  And it seems to make logical sense.  All name queries are directed to our dnsmasq box for resolution before they would be sent out the gateway.  If cloud.companydomain.com is resolved internally before going to the external name server then it would never hit the pfSense firewall box, and therefore not return with the DNS rebind error page.  So the key is to make a configuration change in dnsmasq to resolve cloud.companydomain.com immediately to the internal LAN IP 192.168.112.53 before the name would be queried externally.  Now I have to figure out how to do that.  I am assuming then that I need to somehow put an A record or equivalent setting into the dnsmasq configuration.  Anyone here know dnsmasq well enough to offer some advice?

              So to make sure I am clear, what you are describing is not split DNS at all.  I just need to have a fixed DNS record for cloud.companydomain.com pointing back to my internal box.

              Jeff

              • muswellhillbilly

                @jeffboyce:

                So to make sure I am clear, what you are describing is not split DNS at all.  I just need to have a fixed DNS record for cloud.companydomain.com pointing back to my internal box.

                No, it is split DNS. An internally defined DNS zone which resolves internal addresses against hosts which also have external addresses defined externally is split DNS.

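The concrete dnsmasq change behind johnpoz's and muswellhillbilly's advice, as an added example that was not posted in the thread. It assumes a Debian-style dnsmasq that reads drop-in files from /etc/dnsmasq.d/ and that dig is available on the box for the live check; the function names and the RFC 1918 guard are mine, not dnsmasq's.

```shell
#!/bin/sh
# Added example, not code from the thread: build, sanity-check and verify a
# dnsmasq split-DNS record so LAN clients resolve cloud.companydomain.com to
# the OwnCloud box's private address (192.168.112.53) instead of the 1:1 NAT
# public address.  Assumptions (mine, not the thread's): dnsmasq picks up
# drop-ins from /etc/dnsmasq.d/ (the Debian packaging default) and dig is
# installed for the live check.  Function names are illustrative.

# is_rfc1918 IP: succeed only if IP is a well-formed IPv4 address inside
# 10/8, 172.16/12 or 192.168/16.  Pointing the internal record at the
# public address by mistake would recreate the hairpin through pfSense
# that produced the "Potential DNS Rebind attack" page, so refuse it early.
is_rfc1918() {
    ip=$1
    case "$ip" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # digits and single dots only
    esac
    set -- $(printf '%s\n' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    [ "$1" -eq 10 ] && return 0
    [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0
    [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && return 0
    return 1
}

# split_dns_record NAME IP: print the dnsmasq directive for an exact-name
# A record.  host-record= answers for NAME only; address=/NAME/IP would also
# swallow every subdomain of NAME, which is more than one host needs.
split_dns_record() {
    is_rfc1918 "$2" || { echo "refusing non-private address '$2' for $1" >&2; return 1; }
    printf 'host-record=%s,%s\n' "$1" "$2"
}

# install_split_dns NAME IP FILE: write the drop-in and syntax-check it with
# dnsmasq --test when dnsmasq is installed.  A restart is needed afterwards:
# SIGHUP makes dnsmasq re-read /etc/hosts and addn-hosts files, not its
# configuration, so a new host-record= line is not picked up by a reload.
install_split_dns() {
    split_dns_record "$1" "$2" > "$3" || return 1
    if command -v dnsmasq >/dev/null 2>&1; then
        dnsmasq --test -C "$3" || return 1
    fi
}

# verify_split_dns NAME EXPECTED SERVER: ask SERVER directly for NAME's A
# record and compare.  Run it against 192.168.112.51 from the LAN (expect
# 192.168.112.53) and against a public resolver (expect the public address)
# to confirm the inside and outside views differ as intended.
verify_split_dns() {
    command -v dig >/dev/null 2>&1 || { echo "dig not installed" >&2; return 2; }
    got=$(dig +short "$1" A "@$3" | head -n 1)
    [ "$got" = "$2" ]
}

# Typical run on the dnsmasq box (192.168.112.51):
#   install_split_dns cloud.companydomain.com 192.168.112.53 /etc/dnsmasq.d/split-dns.conf
#   service dnsmasq restart
#   verify_split_dns cloud.companydomain.com 192.168.112.53 192.168.112.51
#   dig +short cloud.companydomain.com A @8.8.8.8    # still the public address
```

Two practical notes. If you would rather not restart dnsmasq, the equivalent entry `192.168.112.53 cloud.companydomain.com` in /etc/hosts on the dnsmasq box is served too and is picked up by SIGHUP; and if that dnsmasq has `stop-dns-rebind` set, it only filters answers from upstream servers, so a locally defined record is unaffected. Once LAN clients get 192.168.112.53 for the name, their HTTP requests go straight to the OwnCloud box and never touch pfSense, so neither NAT reflection nor rebind-domain-ok is needed there: the 501 page was pfSense's own webGUI rejecting a request whose Host header was not its hostname or address, which is where a LAN client resolving the name to the public 1:1 NAT address ends up. A side benefit is that the TLS certificate already issued for cloud.companydomain.com now matches for internal users as well, which it never could for cloud.local.lan.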
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.