Netgate Discussion Forum

    Accessing external domain from inside
      johnpoz LAYER 8 Global Moderator

      ^ exactly.. But I would think your internal dns/server going down would/should be your #1 priority. I would look to stabilize this server. Is it just over taxed? Why does it go down? You can for sure bring up multiple dns inside your AD, etc.

      But sure pointing clients to pfsense, and then setting a domain override to allow pfsense to resolve your internal stuff works as well if that server goes down you would still resolve internet, etc.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        nich17 @kpa

        @kpa said in Accessing external domain from inside:

        Why can't you just point your clients to pfSense for DNS and then let pfSense query your internal server for your own domain names (domain overrides in the options)? This way pfSense would keep your clients on the internet even if your own DNS server goes down and it would have cached records of your own domain at least for a while.

        I already tried it, everything was good, but accessing our external domain from the internal was still a "DNS rebind". I'm going to retry it; it's almost impossible because I've written only our internal domain in the override section.

        @johnpoz said in Accessing external domain from inside:

        ^ exactly.. But I would think your internal dns/server going down would/should be your #1 priority. I would look to stabilize this server. Is it just over taxed? Why does it go down? You can for sure bring up multiple dns inside your AD, etc.

        But sure pointing clients to pfsense, and then setting a domain override to allow pfsense to resolve your internal stuff works as well if that server goes down you would still resolve internet, etc.

        We already have a backup server ready to be configured but there's no time to configure it.... (bah...), anyway I'm going to try again the pfsense as dns alternative.

          nich17

          @johnpoz @kpa @viragomann

          I enabled the dns forwarder, now the dns server on the clients points to pfsense (192.168.0.254). I've written our internal domain on the domain override.
          Internet works well, our internal domain works well, our external domain works well if you access it from outside our network, but when I access the external domain from inside the network, it's always the same thing, it points me to pfsense.
          It points me to pfsense (192.168.0.254) and it's giving me the dns rebind error. I disabled the rebinding and, as I said, it points me to pfsense.

          Can someone help me?

            viragomann

            Clear the browser cache and also the DNS cache on the client.

              johnpoz LAYER 8 Global Moderator

              Be happy to help you figure out what is wrong. But you're going to have to give some details of what exactly you're doing a query for and what it should resolve to.

              If pfsense looks upstream for a dns record, ie a domain override and it comes back as rfc1918 then yes that would be a rebind and you would have to set whatever domain that is as private or turn off rebind completely. I would suggest set specific domain(s) as private vs disable rebind completely.

              You mention external? Did you set pfsense to use your external domain as its own domain? So you have publicdomain.tld that resolves on the internet and you put pfsense in this publicdomain.tld ie pfsense.publicdomain.tld is its fqdn?

              Is your AD domain also using your public domain? This sort of setup is always going to be problematic.


                nich17 @viragomann

                @viragomann said in Accessing external domain from inside:

                Clear the browser cache and also the DNS cache on the client.

                I can try it.

                @johnpoz said in Accessing external domain from inside:

                Be happy to help you figure out what is wrong. But you're going to have to give some details of what exactly you're doing a query for and what it should resolve to.

                If pfsense looks upstream for a dns record, ie a domain override and it comes back as rfc1918 then yes that would be a rebind and you would have to set whatever domain that is as private or turn off rebind completely. I would suggest set specific domain(s) as private vs disable rebind completely.

                You mention external? Did you set pfsense to use your external domain as its own domain? So you have publicdomain.tld that resolves on the internet and you put pfsense in this publicdomain.tld ie pfsense.publicdomain.tld is its fqdn?

                Is your AD domain also using your public domain? This sort of setup is always going to be problematic.

                Currently we have our publicdomain.tld that points to our public ip, the pfsense takes every wan request on 80/443 and sends it to our server 192.168.0.1 (via NAT+rules), and it works since from another network I can reach the websites.
                And then we have our internaldomain.tld (on general setup I set this as the pfsense domain also). Our server 192.168.0.1 also serves our internaldomain.tld websites.
                So we have a single server (192.168.0.1) that serves both the websites, external and internal. We are all connected to a switch connected to the firewall.

                My dns configuration now is all about the dns forwarder. I removed all the dns servers from the DHCP server, the firewall automatically gives its ip address as the dns server to the clients, and on the dns forwarder I set an override of internaldomain.tld to the server 192.168.0.1. From inside our network internet works, internaldomain.tld works, but publicdomain.tld goes direct to pfsense, and pfsense only (if I disable dns rebind I get the pfsense login).

                I also tried to add publicdomain.tld in the override section (to 192.168.0.1) but it was pointing me to pfsense anyway!

                  johnpoz LAYER 8 Global Moderator

                  So if you query host.publicdomain.tld who should resolve this?

                  Externally, say me for example wanting to hit www.publicdomain.tld gets returned your public IP 1.2.3.4, this hits your wan, and gets forwarded to 192.168.0.1

                  Internally someone sitting on this 192.168.0/24 network or another one of your internal networks should get returned 192.168.0.1..

                  So setup a host override in your pfsense dns so that www.publicdomain.tld returns 192.168.0.1

                  If you let it resolve via the public dns and it gets back your public 1.2.3.4 and you want that to go to 192.168.0.1 you would have to setup nat "reflection" which is not the optimal setup. Internal clients should just hit the internal IP directly since they are internal as well. So setup your local dns to return the local IP for this fqdn.

                  This is generally referred to as split dns.


                    nich17 @johnpoz

                    @johnpoz I tried it, I tried to override publicdomain.tld with 192.168.0.1 but it was pointing me to this dns rebind error anyway. I'll try it again tomorrow.

                      heper

                      From your PC dosbox/CMD/powershell do this:

                      nslookup internaldomain.tld
                      &
                      nslookup publicdomain.tld

                      Post the results. (they should be the same)

                        maryjohnston

                        Can I use my videos on this platform? Actually I want to create my own post so I can get more ideas about this channel?

                          johnpoz LAYER 8 Global Moderator @maryjohnston

                          @maryjohnston said in Accessing external domain from inside:

                          Can I use my videos on this platform? Actually I want to create my own post so I can get more ideas about this channel?

                          Huh?? I think you posted that in the wrong thread to be honest.


                            nich17 @heper

                            @heper Thanks I'm going to try it tomorrow since I can't do it right now.

                              nich17

                              @johnpoz @heper @viragomann @kpa
                              Thank you all, I finally found the solution. The override to 192.168.0.1 for my public domain wasn't working, so I searched again. I found the NAT reflection (as you said, johnpoz) and it works!

                              For newbies like me, if you are struggling with this, go here and follow the method 1:
                              https://www.netgate.com/docs/pfsense/nat/accessing-port-forwards-from-local-networks.html

                              Again, thank you all for all the time you spent to help me.

                                johnpoz LAYER 8 Global Moderator

                                NO NO NO... Method 1 should be the last freaking option... And only used when there is some crap application that has your public IP hard coded or something.. Nat reflection is pure evil and an abomination...

                                It takes two seconds to do a host override... I would suggest you take the time to figure out what you were doing wrong with your override.. You put it in the forwarder when you're using the resolver - have seen that a few times ;) Your client not using pfsense as dns for sure would be an issue.

                                Client using both pfsense and some external dns also common mistake since you can never be sure what dns a client will use when you have more than 1 listed.

                                You would only get a rebind error if pfsense is looking elsewhere for the record. A host override would be served up from it and rfc1918 is fine.. Only when it forwards/resolves or you have set a domain override pointing to some other ns and it gets back rfc1918 for a query is that a rebind. Which you solve by setting the domain to private if some local dns is what you are querying for this record via a domain override, etc.


                                  nich17 @johnpoz

                                  @johnpoz
                                  I can assure you that the dns resolver is disabled and every client is using pfsense as the only dns server.
                                  But even if I set 192.168.0.1 as the only dns server in my pc, it still gives dns rebind if NAT reflection is not enabled.

                                    Derelict LAYER 8 Netgate

                                    If you are going to do this stuff you should:

                                    1. Disable the port 80 to HTTPS redirect in System > Advanced, Admin Access, WebGUI redirect (Check the box)
                                    2. Change the webgui HTTPS port to something other than 443. Say 8443. Protocol: HTTPS and TCP Port on the same System > Advanced, Admin Access page.

                                    You will then have to access your webgui on https://firewallnameoraddress:8443/ so be sure you adjust any firewall rules prior to making the change (the auto-lockout rule on LAN will be adjusted to pass the new HTTPS port automatically)

                                    That will prevent the firewall from thinking ANY connections to port 80 or 443 on ANY of its addresses is a webgui request.

                                    When you start dealing in NAT reflection, which is far inferior to proper split DNS, things can get squirrelly if you don't know exactly what you are doing. If you are getting a pfSense DNS rebind error when you think you should be getting redirected to an internal web server, these steps should fix it.

                                    (ETA: Sorry - completely confusing DNS Rebind with HTTP Referrer errors.)

                                    Chattanooga, Tennessee, USA
                                    A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                    DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                    Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                      johnpoz LAYER 8 Global Moderator @nich17

                                      @nich17 said in Accessing external domain from inside:

                                      But even if I set 192.168.0.1 as the only dns server in my pc, it still gives dns rebind if NAT reflection is not enabled

                                      What does your browser? All pfsense is doing in this case is resolving www.domain.tld to 192.168.0.x

                                      Your browser thinking www.domain.tld should be public IP would be on your browser. All pfsense does in this case is return the IP you put in your host override. Let's see your dns query.. Simple nslookup, dig, host showing what IP gets returned from your host override. And then going to that fqdn in your browser.

                                      If you put this rfc1918 address in your public dns!!! That would be a rebind..


                                        nich17 @Derelict

                                        @derelict @johnpoz
                                        I'll try it as soon as I can

                                          Derelict LAYER 8 Netgate

                                          If you really must have it:

                                          Advanced options:

                                          server:
                                              private-domain: domain.tld


                                            johnpoz LAYER 8 Global Moderator

                                            ^ yup that would turn off rebind protection for something upstream of pfsense resolver, ie a domain override.

                                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                                            If you get confused: Listen to the Music Play
                                            Please don't Chat/PM me for help, unless mod related
                                            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

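Worked example, added here and not code from the thread, from pfSense or from Unbound: a small Python checker that applies the rebind rule johnpoz describes (a host override served by pfSense itself may return RFC1918; an RFC1918 answer that comes back from upstream via forwarding, resolving or a domain override is a rebind) together with the private-domain exception from Derelict's post. The sample answers, the addresses and the `source` labels are constructed for illustration and stand in for the output of the two nslookup commands heper asked for.

```python
"""Classify the A records a LAN client sees the way pfSense rebind
protection treats them.  Example code written for this thread; the
rules mirror the posts above, not pfSense's or Unbound's own source."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Answer:
    name: str        # FQDN the client asked for
    addresses: list  # A records returned to the client
    source: str      # "host_override", "domain_override" or "upstream"


def under_domain(name, domain):
    """True if name equals domain or is a subdomain of it."""
    name, domain = name.rstrip(".").lower(), domain.rstrip(".").lower()
    return name == domain or name.endswith("." + domain)


def classify(answer, private_domains=(), lan_server="192.168.0.1"):
    """Return a short verdict string for one answer."""
    private = [a for a in answer.addresses
               if ipaddress.ip_address(a).is_private]
    if answer.source == "host_override":
        # Local data served by pfSense itself: rebind protection does not
        # apply, and returning the LAN server address is exactly split DNS.
        return "split-dns-ok" if lan_server in answer.addresses else "local-ok"
    if private:
        # RFC1918 came back from somewhere upstream of pfSense: dropped as a
        # rebind unless the name is covered by a private-domain entry.
        if any(under_domain(answer.name, d) for d in private_domains):
            return "private-domain-ok"
        return "rebind-blocked"
    # Public address from upstream: internal clients would go out to the WAN
    # IP, which only works with NAT reflection.
    return "needs-nat-reflection"


def audit(answers, private_domains=(), lan_server="192.168.0.1"):
    """Verdict per (name, source) pair for a batch of answers."""
    return {(a.name, a.source): classify(a, private_domains, lan_server)
            for a in answers}


# Constructed sample modelled on the thread's setup (addresses are placeholders).
SAMPLE = [
    Answer("www.internaldomain.tld", ["192.168.0.1"], "domain_override"),
    Answer("www.publicdomain.tld", ["1.2.3.4"], "upstream"),
    Answer("www.publicdomain.tld", ["192.168.0.1"], "host_override"),
]

if __name__ == "__main__":
    report = audit(SAMPLE, private_domains=["internaldomain.tld"])
    for (name, source), verdict in report.items():
        print(f"{name:26} {source:16} {verdict}")
```

Fill in Answer entries from your own nslookup output to see which of the three situations in the thread a given name is in.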
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.