Use Different DNS Server depending on Destination Address

  • Good Day,

    In our case, we have a public wifi network, DMZ, and our internal network. The internal network is querying the DNS Server of pfSense which has web filtering implemented through OpenDNS. Our public wifi network shouldn't have any web filtering applied, the public Wifi Network is using other external DNS. But, when the devices in the public wifi network are accessing the hosts under our DMZ, DNS rebind attack is being generated. If I am using the local DNS server in our public wifi network, we can access the hosts under DMZ, however, web filtering is applied.

    Is it possible to redirect all DNS queries to pfSense's local DNS Server when public wifi devices are accessing our devices under DMZ and use external DNS servers when accessing websites? If it's possible, how can this be done?

    Thank You!

  • If I understand your question, why not have your DNS records for your DMZ servers hosted locally (with their internal DMZ addresses) and route the traffic from your public wifi network to the internal network of your DMZ (selectively firewalled, of course)? You can still use the PFS as a forwarder to resolve external addresses the same way as now, but you simply have a host override for each of the DMZ servers you need your wifi people to access. It's called split DNS.

  • LAYER 8 Global Moderator

    "DNS rebind attack is being generated."

    So your hosting rfc1918 addresses in the public dns?  That is so broken.. Unless your running a blacklist you should never do that.. As pointed out use split dns where if using local dns you resolve rfci181 if using public you get the public IP if needed.

  • Some people do use RFC1918 addresses in public DNS for VPN because it allows the VPN clients to connect to the internal hosts without changing anything in DNS settings. Lazy but it works.

  • LAYER 8 Global Moderator

    lazy and broken!  There is no reason to do that other than lack of understanding imho.

    Comes down to the priorities in what your wanting to resolve.  I would think a road warrior priority in resolving stuff would be what is on the other end of the vpn.  If a site to site vpn very easy to setup what domains resolve from what.

    If the road warrior needs to resolve stuff locally while attached to the vpn, then he should make sure he has method of doing that - either direct queries to the local dns of the location he is at, host entries.  Shoot most of the time in a vpn road warrior connection they do not even allow for split tunnel so you wouldn't even be able to access local resources be it you could resolve them or not when connected to the vpn.

    Comes down to what your resolving as well.. There are many ways to skin the resolving cat, if services are webbased simple proxy can solve the problem of needing to resolve stuff local or vpn connecting via proxy settings in your browser since when using a proxy the proxy does the resolving.

    If really something you do all the time you could run a name server on your box that has conditional forwarding to which ns to hit for specific domains, etc.

  • Thank you for all your feedbacks.

    Just to clarify, I am not hosting private IP Addresses in the Public DNS, and there is also a split DNS in place pointing to the private IP of my DMZ host. I've been using this Split DNS for a long time now to let my internal network access the DMZ host using its private IP, without this Split DNS setup, DNS rebind attack also happens in my Internal Network.  That's why I want to know if it's possible to query my pfSense's DNS if the destination is going to DMZ Network so I could avoid this DNS Rebind Attack, and external public DNS if the destination is going to external network.

    For additional information, the only difference in the network setup of my Public Wifi is I do not have transit network in place, the public wifi devices are directly connected to my pfSense's interface. My DMZ and Internal network have a /30 transit network between the firewall and L3 switches. You may refer to the attachment.

    Thank You!  ;D

  • LAYER 8 Global Moderator

    "DNS rebind attack also happens in my Internal Network"

    So your forwarding to an upstream ns, dnsmasq nor unbound don't know that is not public.  So just set those domains as private so they don't fall under rebind protection.

  • Yes, I'm just using dnsmasq to forward queries to upstream servers.

    "So just set those domains as private so they don't fall under rebind protection."

    Mind if I ask, how do I do that? Lol. :D

    Thank You!

  • Rebel Alliance

  • It seems like my issue has been resolved. I didn't do anything about my DNS Config, what I did was I enabled the NAT Reflection of my 1:1 NAT entry for our mail server. Then, when I re-tested, I can now access our mail server on our Public Wifi network without DNS Rebind Attack message.

    I would like to thank everyone for offering their help! ;D

Log in to reply