4. DNS Rebind Check Breaks Local/Private DNS Zones

DNS Rebind Check Breaks Local/Private DNS Zones

  • T

    With DNS Rebind Check enabled, go to General Setup, use private IP address that point to local name servers then turn on the DNS Forwarder.  If your clients use pFsense as the DNS resolver the result is that it's no longer possible to resolve local DNS zones that return private IP addresses.

    You will see in the error log:

    dnsmasq possible DNS-rebind attack detected

    This default behavior seems wrong to me.  Many businesses would have this type of setup where they have a local DNS zone that should only resolve to private IP addresses.

    0
  • LAYER 8 Global Moderator

    that is exactly what rebind protection does.. To the forwarder getting back a rfc1918 from something it forwarded to (normal public domain) would be a rebind attack.  If you want to forward to an internal dns that will return rfc1918 then either turn off rebind protection or set the domain your doing to query for as private.

    https://doc.pfsense.org/index.php/DNS_Rebinding_Protections

    If your using forwarder
    rebind-domain-ok=/mydomain.com/

    Using resolver unbound
    server:
    private-domain: "example.com"

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2019 Rubicon Communications, LLC | Privacy Policy