Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    DNS Rebind Check Breaks Local/Private DNS Zones

    DHCP and DNS
    2
    2
    381
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • T
      tuaris last edited by

      With DNS Rebind Check enabled, go to General Setup, use private IP address that point to local name servers then turn on the DNS Forwarder.  If your clients use pFsense as the DNS resolver the result is that it's no longer possible to resolve local DNS zones that return private IP addresses.

      You will see in the error log:

      dnsmasq possible DNS-rebind attack detected

      This default behavior seems wrong to me.  Many businesses would have this type of setup where they have a local DNS zone that should only resolve to private IP addresses.

      1 Reply Last reply Reply Quote 0
      • johnpoz
        johnpoz LAYER 8 Global Moderator last edited by

        that is exactly what rebind protection does.. To the forwarder getting back a rfc1918 from something it forwarded to (normal public domain) would be a rebind attack.  If you want to forward to an internal dns that will return rfc1918 then either turn off rebind protection or set the domain your doing to query for as private.

        https://doc.pfsense.org/index.php/DNS_Rebinding_Protections

        If your using forwarder
        rebind-domain-ok=/mydomain.com/

        Using resolver unbound
        server:
        private-domain: "example.com"

        1 Reply Last reply Reply Quote 0
        • First post
          Last post

        Products

        • Platform Overview
        • TNSR
        • pfSense
        • Appliances

        Services

        • Training
        • Professional Services

        Support

        • Subscription Plans
        • Contact Support
        • Product Lifecycle
        • Documentation

        News

        • Media Coverage
        • Press
        • Events

        Resources

        • Blog
        • FAQ
        • Find a Partner
        • Resource Library
        • Security Information

        Company

        • About Us
        • Careers
        • Partners
        • Contact Us
        • Legal
        Our Mission

        We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

        Subscribe to our Newsletter

        Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

        © 2021 Rubicon Communications, LLC | Privacy Policy