Reverse Binding Attack message when trying to use Synology Reverse Proxy



  • Setting up reverse proxy functionality on a Synology NAS (NAS4), but calls are being blocked as a possible reverse bind attack. On 2.4. Here's what I've done:

    -Forwarded port 443 to NAS4.
    -Created a subdomain DNS entry of S1.NAS4.MYDOMAIN.NET.
    -Configured the reverse proxy on the NAS to route calls to S1.NAS4.MYDOMAIN.NET to the appropriate service port on the nas.

    Trying https://S1.NAS4.MYDOMAIN.NET gives me the possible DNS reverse bind attack detected message.

    Thoughts on how to fix? Can I whitelist host names for passthrough? I know you can do it for the webgui. There has to be a way to tell pfsense when a call like this is legitmate, no?

    Thanks in advance.


  • LAYER 8 Global Moderator

    So your trying to hit your wan IP to get reflected back in?

    I take it you hiding your actual fqdn?  since that resolves on the public internet to

    ;; QUESTION SECTION:
    ;S1.NAS4.MYDOMAIN.NET.          IN      A

    ;; ANSWER SECTION:
    S1.NAS4.MYDOMAIN.NET.  3600    IN      A      63.251.171.80
    S1.NAS4.MYDOMAIN.NET.  3600    IN      A      66.150.161.140
    S1.NAS4.MYDOMAIN.NET.  3600    IN      A      66.150.161.141
    S1.NAS4.MYDOMAIN.NET.  3600    IN      A      63.251.171.81
    S1.NAS4.MYDOMAIN.NET.  3600    IN      A      69.25.27.173
    S1.NAS4.MYDOMAIN.NET.  3600    IN      A      69.25.27.170

    Where exactly did you create this dns entry?  Are you wanting to hit your public IP from the outside?

    Rebind is when pfsense dns looks up a public domain, ie it was forwarded or resolved and it comes back with a rfc1918 address.  You can
    https://doc.pfsense.org/index.php/DNS_Rebinding_Protections

    Use that info to remove specific domains from rebind protection.  But if your on your local network you should just create a host override on pfsense to point whatever fqdn you want to use to resolve to your NAS local IP..



  • @johnpoz-

    Yes, I'm hiding the actual fqdn. I'm using Dyndns.com DDNS service to setup the sub domains.

    I read the link you sent. Since I am using DNS Resolver Unbound, I went to System>Advanced per the follolwing:

    _Unbound has similar protections to dnsmasq, using its "Private Address support" option. With that option enabled RFC1918 addresses are stripped away from DNS answers. Additionally, the DNSSEC validator may mark the answers bogus.

    In the package on 2.1 and earlier this option is located in the main "Unbound DNS Settings" tab. On 2.2 where Unbound is integrated into the base system, it is active by default and controlled by the DNS Rebinding option under System > Advanced.

    Individual domains can be excluded from DNS rebinding protection using the Advanced box. Enter one domain per line in the following format, preceded by the "server:" line.

    server:
    private-domain: "example.com"_

    But I don't see the advanced box in 2.4 under System>Advanced.

    Is there a 2.4 version of this guide?


  • LAYER 8 Global Moderator

    The  Custom options box.. Under

    Services / DNS Resolver / General Settings

    edit:  The wording is correct for where to turn off rebinding protection all together.  But I edited the wording on the wiki page to reflect the custom options vs it saying advanced options.

    If your your public fqdn returns rfc1918 then its borked…. Your dynamic dns should return your public IP, not some rfc1918 address that would yes be a rebind..  Setting unbound to be ok with rfc1918 be returned by public dns domain record is not the correct solution to your problem.

    Where you would want to exclude domains from rebind protection is when pfsense is forwarding to an upstream dns that returns local domains - which would be fine with returning rfc1918 addresses..




  • Oof, I'm a bit confused. Apologies…

    When I ping the FQDN, the ping response is the WAN ip address of my router, which is what I would expect. So if we are not dealing with an rfc1918 address, but a reall ip address, what do I need to do? I'm a bit lost on how to progress this forward.

    To help clarify the use case in more specific terms, the NAS host several app including PLEX, Mylar, NZBDGet, Sonarr, etc. I currently can access the admin app externally (from the internet) via both port forwarding or VPN. I would like to replace port forwarding with reverse proxy so port 443 is the only port exposed outside my network rather than exposing each of the apps' ports. e.g., 8090, 8091, etc.

    Does that help?


  • LAYER 8 Global Moderator

    So this address returned when you ping the FQDN does not start with 10.x.x.x, 192.168.x.x or 172.16-31.x.x

    Just to be clear many people say their wan IP is public - when really its rfc1918.. they didn't understand what rfc1918 and just nod their heads, etc.. So lets be clear on this.. If your not getting back rfc1918 then it would not be a rebind attack..

    Where are you seeing this exactly? "possible reverse bind attack"

    You need to setup the reverse proxy then for your different fqdn your going to use for the different pages/sites you want to serve up..  say app.domain.tld, plex.domain.tld, mylar.domain.tld



  • It's definitely not a private address. It's DHCP address assigned by Verizon to the WAN port of my router:108.48.x.x.

    Using your example, I have mylar.nas1.domain.tld setup with dyndns.com pointing to my the DDNS client on my router. The above address is what I get when I ping this host address.

    The bind attack message appears with a pfsense banner when I try to access https://mylar.nas1.domain.tld:

    "Potential DNS Rebind attack detected, see http://en.wikipedia.org/wiki/DNS_rebinding
    Try accessing the router by IP address instead of by hostname."


  • LAYER 8 Global Moderator

    So your trying to hit that from behind pfsense. and it gets forwarded to loopback via the reverse proxy?  Without seeing your actual config no sure what the issue is.



  • Actually, I'm not trying to hit it from behind pfsense (not from my LAN), but from outside–from the internet.  Behind pfsense, I would not use the FQDN. I would just go directly to the host/service on the LAN: https://nas1:port.

    Does that help?


  • LAYER 8 Global Moderator

    Well that makes zero sense then since of your just going to its HOSTNAME and port you would never touch pfsense at all so how would you get a rebinding attack anything.. Other than your client/browser doing something odd..

    Unless your browser is pointed at a proxy (pfsense?)



  • How doe it not touch pfsense?  Looks to me it's the first hop from WAN to LAN:

    https://s1.nas1.domain.net => pfsense internet wan port => local lan port => reverse proxy server => https://nas1:service port


  • LAYER 8 Global Moderator

    Oh my Gawd dude…  You stated you were going here

    I would just go directly to the host/service on the LAN: https://nas1:port.

    That is not a FQDN so how could you be going to your wan IP…  And you stated your were just directly going to the host..

    Yes if your going to your WAN your going to get reflected back in via your proxy or your nat... Dont DO THAT....  Just setup a host override so s1.nas1.domain.net or whatever fqdn you want to hit resturns the correct rfc1918 address..

    What are you putting in your browser when your on your PC behind pfsense??  What does it return for an an IP...

    In your reverse proxy setup your putting in what??  Some other fqdn or hostname - how is pfsense resolve that, some other dns that you have setup??  If pfsense forwards or resolves a FQDN somewhere and it returns rfc1918 then that is a rebind..


Log in to reply