DNS Rebind Check Breaks Local/Private DNS Zones



  • With DNS Rebind Check enabled, go to General Setup, use private IP address that point to local name servers then turn on the DNS Forwarder.  If your clients use pFsense as the DNS resolver the result is that it's no longer possible to resolve local DNS zones that return private IP addresses.

    You will see in the error log:

    dnsmasq possible DNS-rebind attack detected
    

    This default behavior seems wrong to me.  Many businesses would have this type of setup where they have a local DNS zone that should only resolve to private IP addresses.


  • Rebel Alliance Global Moderator

    that is exactly what rebind protection does.. To the forwarder getting back a rfc1918 from something it forwarded to (normal public domain) would be a rebind attack.  If you want to forward to an internal dns that will return rfc1918 then either turn off rebind protection or set the domain your doing to query for as private.

    https://doc.pfsense.org/index.php/DNS_Rebinding_Protections

    If your using forwarder
    rebind-domain-ok=/mydomain.com/

    Using resolver unbound
    server:
    private-domain: "example.com"