DNS Rebind Check Breaks Local/Private DNS Zones

tuaris

With DNS Rebind Check enabled, go to General Setup, use private IP address that point to local name servers then turn on the DNS Forwarder.  If your clients use pFsense as the DNS resolver the result is that it's no longer possible to resolve local DNS zones that return private IP addresses.

You will see in the error log:

dnsmasq possible DNS-rebind attack detected

This default behavior seems wrong to me.  Many businesses would have this type of setup where they have a local DNS zone that should only resolve to private IP addresses.

johnpoz

that is exactly what rebind protection does.. To the forwarder getting back a rfc1918 from something it forwarded to (normal public domain) would be a rebind attack.  If you want to forward to an internal dns that will return rfc1918 then either turn off rebind protection or set the domain your doing to query for as private.

https://doc.pfsense.org/index.php/DNS_Rebinding_Protections

If your using forwarder
rebind-domain-ok=/mydomain.com/

Using resolver unbound
server:
private-domain: "example.com"