Netgate Discussion Forum

    Use Different DNS Server depending on Destination Address

    DHCP and DNS
    10 Posts 5 Posters 1.6k Views
      jfpamesa

      Good Day,

      In our case, we have a public Wi-Fi network, a DMZ, and our internal network. The internal network queries the DNS server of pfSense, which has web filtering implemented through OpenDNS. Our public Wi-Fi network shouldn't have any web filtering applied, so the public Wi-Fi network uses a different, external DNS. But when the devices in the public Wi-Fi network access the hosts in our DMZ, a DNS rebind attack is being generated. If I use the local DNS server on our public Wi-Fi network, we can access the hosts in the DMZ; however, web filtering is applied.

      Is it possible to redirect all DNS queries to pfSense's local DNS server when public Wi-Fi devices access our devices in the DMZ, and to use external DNS servers when they access websites? If it's possible, how can this be done?

      Thank You!

        muswellhillbilly

        If I understand your question, why not have your DNS records for your DMZ servers hosted locally (with their internal DMZ addresses) and route the traffic from your public wifi network to the internal network of your DMZ (selectively firewalled, of course)? You can still use the PFS as a forwarder to resolve external addresses the same way as now, but you simply have a host override for each of the DMZ servers you need your wifi people to access. It's called split DNS.

          johnpoz LAYER 8 Global Moderator

          "DNS rebind attack is being generated."

          So you're hosting RFC 1918 addresses in public DNS? That is so broken.. Unless you're running a blacklist you should never do that.. As pointed out, use split DNS, where if using local DNS you resolve the RFC 1918 address, and if using public DNS you get the public IP if needed.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

            kpa

            Some people do use RFC1918 addresses in public DNS for VPN because it allows the VPN clients to connect to the internal hosts without changing anything in DNS settings. Lazy but it works.

              johnpoz LAYER 8 Global Moderator

              Lazy and broken!  There is no reason to do that other than lack of understanding, imho.

              It comes down to the priorities in what you're wanting to resolve.  I would think a road warrior's priority in resolving stuff would be what is on the other end of the VPN.  If it's a site-to-site VPN, it is very easy to set up which domains resolve from where.

              If the road warrior needs to resolve stuff locally while attached to the VPN, then he should make sure he has a method of doing that: either direct queries to the local DNS of the location he is at, or host entries.  Shoot, most of the time a road warrior VPN connection does not even allow split tunnel, so you wouldn't even be able to access local resources, whether you could resolve them or not, when connected to the VPN.

              It also comes down to what you're resolving.. There are many ways to skin the resolving cat; if the services are web-based, a simple proxy can solve the problem of needing to resolve stuff locally or over the VPN, by connecting via the proxy settings in your browser, since when using a proxy the proxy does the resolving.

              If it's really something you do all the time, you could run a name server on your box that has conditional forwarding for which NS to hit for specific domains, etc.


                jfpamesa

                Thank you for all your feedback.

                Just to clarify, I am not hosting private IP addresses in public DNS, and there is also split DNS in place pointing to the private IP of my DMZ host. I've been using this split DNS for a long time now to let my internal network access the DMZ host using its private IP; without this split DNS setup, a DNS rebind attack also happens on my internal network.  That's why I want to know if it's possible to query my pfSense's DNS if the destination is the DMZ network, so I could avoid this DNS rebind attack, and an external public DNS if the destination is an external network.

                For additional information, the only difference in the network setup of my public Wi-Fi is that I do not have a transit network in place; the public Wi-Fi devices are directly connected to my pfSense's interface. My DMZ and internal network have a /30 transit network between the firewall and the L3 switches. You may refer to the attachment.

                Thank You!  ;D

                Attachment: network-map-rush.JPG

                  johnpoz LAYER 8 Global Moderator

                  "DNS rebind attack also happens in my Internal Network"

                  So you're forwarding to an upstream NS; neither dnsmasq nor unbound knows that it is not public.  So just set those domains as private so they don't fall under rebind protection.


                    jfpamesa
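As an added example (not code from this thread, from pfSense, or from dnsmasq), the following Python models the three mechanisms the replies above rely on: the split-DNS host overrides muswellhillbilly describes, per-domain conditional forwarding, and the rebind check johnpoz refers to together with the allow-list that marks a domain as private so it is exempt. The configuration it models corresponds to the dnsmasq options `address=/host/ip`, `server=/domain/ip`, `stop-dns-rebind` and `rebind-domain-ok=/domain/`. All hostnames, addresses, and the canned upstream answers are constructed for the example, and the set of ranges treated as "private" is an approximation of dnsmasq's, not its exact list.

```python
"""Model of a forwarding resolver with split DNS, conditional forwarding and
DNS-rebind protection.  Added example; not pfSense or dnsmasq code.  Every
name, address and upstream answer below is constructed for illustration."""
import ipaddress
from typing import Optional

# Constructed config.  pfSense DNS Forwarder equivalents in comments.
HOST_OVERRIDES = {                           # Host Overrides -> address=/name/ip
    "mail.example.com": "192.168.50.10",     # DMZ mail server, private side of 1:1 NAT
}
DOMAIN_FORWARDERS = {                        # Domain Overrides -> server=/domain/ip
    "corp.internal": "10.10.0.5",            # internal NS on the far side of a VPN
}
DEFAULT_FORWARDER = "208.67.222.222"         # public upstream (OpenDNS, as in the thread)
REBIND_OK_DOMAINS = {"corp.internal"}        # rebind-domain-ok=/corp.internal/
STOP_DNS_REBIND = True                       # stop-dns-rebind

# Constructed stand-in for real upstream queries, keyed by (server, name).
FAKE_UPSTREAM = {
    ("10.10.0.5", "wiki.corp.internal"): "10.10.1.20",
    (DEFAULT_FORWARDER, "mail.example.com"): "203.0.113.25",   # public side of the NAT
    (DEFAULT_FORWARDER, "www.example.org"): "198.51.100.7",
    (DEFAULT_FORWARDER, "evil.attacker.test"): "192.168.50.1",  # rebind attempt
}

# Approximation of the ranges a rebind check refuses from an upstream server.
REBIND_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def _in_domain(name: str, domain: str) -> bool:
    return name == domain or name.endswith("." + domain)


def pick_forwarder(name: str) -> str:
    """Conditional forwarding: the longest matching domain override wins,
    otherwise the default (public) forwarder is used."""
    best = ""
    for domain in DOMAIN_FORWARDERS:
        if _in_domain(name, domain) and len(domain) > len(best):
            best = domain
    return DOMAIN_FORWARDERS[best] if best else DEFAULT_FORWARDER


def is_rebind_answer(name: str, addr: str) -> bool:
    """True if an upstream answer must be refused: a private-range address
    for a name that is not under any rebind-domain-ok domain."""
    if not STOP_DNS_REBIND:
        return False
    ip = ipaddress.ip_address(addr)
    if not any(ip in net for net in REBIND_NETS):
        return False
    return not any(_in_domain(name, d) for d in REBIND_OK_DOMAINS)


def resolve(name: str) -> Optional[str]:
    """Address handed to the client, or None if NXDOMAIN or refused."""
    name = name.lower().rstrip(".")
    if name in HOST_OVERRIDES:        # split DNS: answered locally, never forwarded,
        return HOST_OVERRIDES[name]   # so the rebind check never sees it
    server = pick_forwarder(name)
    answer = FAKE_UPSTREAM.get((server, name))
    if answer is None or is_rebind_answer(name, answer):
        return None
    return answer


def render_dnsmasq_conf() -> str:
    """The same configuration expressed as dnsmasq directives."""
    lines = ["stop-dns-rebind"] if STOP_DNS_REBIND else []
    lines += [f"address=/{h}/{ip}" for h, ip in HOST_OVERRIDES.items()]
    lines += [f"server=/{d}/{ip}" for d, ip in DOMAIN_FORWARDERS.items()]
    lines += [f"rebind-domain-ok=/{d}/" for d in sorted(REBIND_OK_DOMAINS)]
    lines.append(f"server={DEFAULT_FORWARDER}")
    return "\n".join(lines)


if __name__ == "__main__":
    for q in ("mail.example.com", "wiki.corp.internal", "www.example.org",
              "evil.attacker.test"):
        print(f"{q:22} via {pick_forwarder(q):15} -> {resolve(q)}")
    print(render_dnsmasq_conf())
```

The point the model makes explicit is that a host override is answered before anything is forwarded, so a private DMZ address served that way never reaches the rebind check, whereas a private address that genuinely comes back from an upstream server is refused unless its domain is on the allow-list. On pfSense the equivalents are the Host Overrides and Domain Overrides tables in the DNS Forwarder and a `rebind-domain-ok` line in its custom options box.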

                    Yes, I'm just using dnsmasq to forward queries to upstream servers.

                    "So just set those domains as private so they don't fall under rebind protection."

                    Mind if I ask, how do I do that? Lol. :D

                    Thank You!

                      ptt Rebel Alliance

                      https://doc.pfsense.org/index.php/DNS_Rebinding_Protections

                        jfpamesa

                        It seems like my issue has been resolved. I didn't do anything to my DNS config; what I did was enable NAT Reflection on the 1:1 NAT entry for our mail server. Then, when I re-tested, I could access our mail server from our public Wi-Fi network without the DNS Rebind Attack message.

                        I would like to thank everyone for offering their help! ;D

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.