4. DNS Rebind Check Breaks Local/Private DNS Zones

DNS Rebind Check Breaks Local/Private DNS Zones

  • T

    With DNS Rebind Check enabled, go to General Setup, use private IP address that point to local name servers then turn on the DNS Forwarder.  If your clients use pFsense as the DNS resolver the result is that it's no longer possible to resolve local DNS zones that return private IP addresses.

    You will see in the error log:

    dnsmasq possible DNS-rebind attack detected

    This default behavior seems wrong to me.  Many businesses would have this type of setup where they have a local DNS zone that should only resolve to private IP addresses.

    0
  • Rebel Alliance Global Moderator

    that is exactly what rebind protection does.. To the forwarder getting back a rfc1918 from something it forwarded to (normal public domain) would be a rebind attack.  If you want to forward to an internal dns that will return rfc1918 then either turn off rebind protection or set the domain your doing to query for as private.

    https://doc.pfsense.org/index.php/DNS_Rebinding_Protections

    If your using forwarder
    rebind-domain-ok=/mydomain.com/

    Using resolver unbound
    server:
    private-domain: "example.com"

    0
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy