Accessing external domain from inside
-
@johnpoz I tried it; I tried to override publicdomain.tld with 192.168.0.1, but it was pointing me to this DNS rebind error anyway. I'll try it again tomorrow.
-
From your PC DOSBox/CMD/PowerShell do this:
nslookup internaldomain.tld
&
nslookup publicdomain.tld
Post the results. (They should be the same.)
-
Can I use my videos on this platform? Actually I want to create my own post so I can get more ideas about this channel?
-
@maryjohnston said in Accessing external domain from inside:
Can I use my videos on this platform? Actually I want to create my own post so I can get more ideas about this channel?
Huh?? I think you posted that in the wrong thread, to be honest.
-
@heper Thanks I'm going to try it tomorrow since I can't do it right now.
-
@johnpoz @heper @viragomann @kpa
Thank you all, I finally found the solution. The override to 192.168.0.1 for my public domain wasn't working, so I searched again. I found the NAT reflection (as you said, johnpoz) and it works!
For newbies like me, if you are struggling with this, go here and follow method 1:
https://www.netgate.com/docs/pfsense/nat/accessing-port-forwards-from-local-networks.html
Again, thank you all for all the time you spent helping me.
-
NO NO NO... Method 1 should be the last freaking option... And only used when there is some crap application that has your public IP hard coded or something.. NAT reflection is pure evil and an abomination...
It takes two seconds to do a host override... I would suggest you take the time to figure out what you were doing wrong with your override.. You put it in the forwarder when you're using the resolver - have seen that a few times ;) Your client not using pfSense as DNS for sure would be an issue.
A client using both pfSense and some external DNS is also a common mistake, since you can never be sure what DNS a client will use when you have more than 1 listed.
You would only get a rebind error if pfSense is looking elsewhere for the record. A host override would be served up from it, and RFC1918 is fine.. Only when it forwards/resolves, or you have set a domain override pointing to some other NS and it gets back RFC1918 for a query, is that a rebind. Which you solve by setting the domain to private if some local DNS is what you are querying for this record via a domain override, etc.
-
@johnpoz
I can assure you that the DNS resolver is disabled and every client is using pfSense as the only DNS server.
But even if I set 192.168.0.1 as the only DNS server in my PC, it still gives a DNS rebind error if NAT reflection is not enabled.
-
If you are going to do this stuff you should:
- Disable the port 80 to HTTPS redirect in System > Advanced, Admin Access, WebGUI redirect (Check the box)
- Change the webgui HTTPS port to something other than 443. Say 8443. Protocol: HTTPS and TCP Port on the same System > Advanced, Admin Access page.
You will then have to access your webgui on https://firewallnameoraddress:8443/ so be sure you adjust any firewall rules prior to making the change (the auto-lockout rule on LAN will be adjusted to pass the new HTTPS port automatically)
That will prevent the firewall from thinking ANY connections to port 80 or 443 on ANY of its addresses is a webgui request.
When you start dealing in NAT reflection, which is far inferior to proper split DNS, things can get squirrelly if you don't know exactly what you are doing. If you are getting a pfSense DNS rebind error when you think you should be getting redirected to an internal web server, these steps should fix it.
(ETA: Sorry - completely confusing DNS Rebind with HTTP Referrer errors.)
-
@nich17 said in Accessing external domain from inside:
But even if I set 192.168.0.1 as the only DNS server in my PC, it still gives a DNS rebind error if NAT reflection is not enabled
What does your browser do? All pfSense is doing in this case is resolving www.domain.tld to 192.168.0.x
Your browser thinking www.domain.tld should be the public IP would be on your browser. All pfSense does in this case is return the IP you put in your host override. Let's see your DNS query.. Simple nslookup, dig, host showing what IP gets returned from your host override. And then going to that FQDN in your browser.
If you put this RFC1918 address in your public DNS!!! That would be a rebind..
-
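Both the nslookup check earlier in the thread and the "let's see your DNS query" request in the post above come down to the same two facts: which IP the firewall's resolver hands back for the public name, and whether that answer was served from the host override or came back from upstream. The script below is an added example for this thread, not code from the thread, from pfSense or from Netgate. It assumes the firewall resolver is 192.168.0.254 (the address nich17 gave), that dig is installed on the client, and that unbound sets the AA flag on answers it synthesizes from local data (host overrides) but not on forwarded answers; the dig outputs embedded in it are constructed samples with made-up names and addresses.

```shell
#!/bin/sh
# Added example for this thread (not code from the thread, pfSense or Netgate):
# query the firewall's resolver for a name and say whether the answer looks like
# a host override (served locally, AA flag set, private IP is fine) or a private
# IP that came back from upstream (what the resolver's rebind protection drops).
# Assumptions, not facts from the thread: the firewall resolver is 192.168.0.254,
# dig is installed on the client, and unbound sets the AA flag on answers it
# synthesizes from local-data/host overrides but not on forwarded answers.

RESOLVER=${RESOLVER:-192.168.0.254}

# is_rfc1918 IP: succeed when IP is in 10/8, 172.16/12 or 192.168/16.
is_rfc1918() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    a=${1%%.*}
    rest=${1#*.}
    b=${rest%%.*}
    [ "$a" -eq 10 ] && return 0
    [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ] && return 0
    [ "$a" -eq 192 ] && [ "$b" -eq 168 ] && return 0
    return 1
}

# dig_summary: read dig output (+comments +answer) on stdin, print "FLAGS|IP,IP".
dig_summary() {
    awk '
        /^;; flags:/ { sub(/^;; flags: */, ""); sub(/;.*/, ""); flags = $0 }
        !/^;/ && $4 == "A" { ips = ips sep $5; sep = "," }
        END { print flags "|" ips }
    '
}

# classify_answer FLAGS IPS: prints host-override | upstream-private | public | empty
classify_answer() {
    flags=$1
    first=${2%%,*}
    [ -z "$first" ] && { echo empty; return 0; }
    if is_rfc1918 "$first"; then
        case " $flags " in
            *" aa "*) echo host-override ;;    # local data: rebind protection does not apply
            *)        echo upstream-private ;; # forwarded RFC1918 answer: this is what gets blocked
        esac
    else
        echo public                            # no split DNS in effect for this name
    fi
}

# verdict: dig output on stdin -> one classification word.
verdict() {
    s=$(dig_summary)
    classify_answer "${s%%|*}" "${s#*|}"
}

# check_name NAME: live query against the firewall resolver (needs dig and network).
check_name() {
    dig @"$RESOLVER" "$1" A +noall +comments +answer | verdict
}

# Constructed dig outputs for offline use; names and addresses are made up.
sample_host_override() {
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
www.publicdomain.tld.   3600    IN      A       192.168.0.10
EOF
}
sample_forwarded_private() {
cat <<'EOF'
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
www.publicdomain.tld.   300     IN      A       192.168.0.10
EOF
}
sample_public() {
cat <<'EOF'
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
www.publicdomain.tld.   300     IN      A       203.0.113.5
EOF
}

if [ "$#" -gt 0 ]; then
    for n in "$@"; do printf '%s: %s\n' "$n" "$(check_name "$n")"; done
else
    printf 'host override  -> %s\n' "$(sample_host_override | verdict)"
    printf 'forwarded priv -> %s\n' "$(sample_forwarded_private | verdict)"
    printf 'public         -> %s\n' "$(sample_public | verdict)"
fi
```

Run it with no arguments to see the three constructed cases, or `sh check_split_dns.sh www.publicdomain.tld` from a LAN client to query the firewall. `host-override` is what a working split-DNS setup returns; `upstream-private` means the private address is arriving via a forwarder or domain override, which is the case rebind protection (and the `private-domain:` option discussed in this thread) is about; `public` means the override is not in effect for that name, so check which resolver the client is actually using.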
-
If you really must have it:
Advanced options:
server:
    private-domain: domain.tld
-
^ Yup, that would turn off rebind protection for something upstream of the pfSense resolver, i.e. a domain override.
-
@nich17 said in Accessing external domain from inside:
I enabled the DNS forwarder; now the DNS server on the clients points to pfSense (192.168.0.254). I've written our internal domain in the domain override.
Internet works well, our internal domain works well, our external domain works well if you access it from outside our network, but when I access the external domain from inside the network, it's always the same thing: it points me to pfSense.
It points me to pfSense (192.168.0.254) and it's giving me the DNS rebind error. I disabled the rebinding and, as I said, it points me to pfSense.
Can someone help me?
Hang on a second, how is your external domain resolving to an internal IP if you have only added your internal domain to the Domain Overrides?
I think you might be confusing terminology here.
Domain Overrides tells the DNS forwarder to use a different upstream DNS server for that specific domain.
Host Overrides tells the DNS forwarder to IGNORE all other DNS servers and send back the IP address specified for those hostnames. As such, I believe you don't even need an internal DNS server beyond pfSense; it's much easier to manage all your internal DNS from within pfSense itself.
If you are wanting the external domain to resolve to internal IPs then you should be putting THAT into Host Overrides.
e.g. My public IP resolves to server.my.domain at my domain's DNS host; in pfSense I have a Host Override for server.my.domain that points to its internal IP address. So when inside the LAN it resolves to the internal IP. I rarely ever use the internal domain for that server as it's not necessary.
If you want to wildcard the whole domain (so that server1.my.domain, server2.my.domain, etc all point to the same IP address without having to add each one manually), you have to use custom options and add:
address=/my.domain/<SERVER ADDRESS>
Replacing my.domain with your external domain and <SERVER ADDRESS> with your server's IP.
If you use DNS Resolver it works exactly the same except the custom option is:
server:
    local-zone: "my.domain" redirect
    local-data: "my.domain 86400 IN A <SERVER ADDRESS>"