Accessing external domain from inside



  • Hi,
    I have a DHCP server that serve 1 dns server (192.168.0.1), I don't know what happens inside it, there's an apache server where we host websites as virtualhosts configured in webmin, but it works. From a computer connected to the firewall, I can reach both our internal websites (example: k.ourinternaldomain.com) and the internet. The problem is with our external domain (example: k.ourexternaldomain.com), our server (192.168.0.1) serve not only ourinternaldomain websites, but also ourexternaldomain websites. I can reach them from the internet, but when I try to reach it from a pc connected to the firewall, it automatically goes to https and tell me "DNS rebind". From what I've understood, it points me to the gateway (pfsense).

    If I set the dhcp to give (for example) 1.1.1.1 and 8.8.8.8 as dns servers, enable DNS forwarder and override our internal domain in order to redirect it to 192.168.0.1? Will it work?

    My boss is giving me limited time (so much limited you can't imagine). Can someone help me?



  • Keep on using your internal DNS server and add overrides for your public host names to it so that it delivers the internal host IPs.
    You also may to switch to pfSense DNS forwarder and add the overrides there.



  • @viragomann

    Ok, but there's another problem. If the server goes down, we can't access internet anymore. Then I added another DNS server (1.1.1.1) in the DHCP's dns server list (under the 192.168.0.1), but I don't know why, it stops me from access our internal domain.



  • A plublic DNS server cannot resolve your internal host names, of course.
    So if you want to resolve internal host names and override public names you have to use an internal DNS server and configure the server to use public servers for resolving public domains.



  • @viragomann So, an alternative to mantain the internet while the internal dns server is down, is set the dns server as the public dns server, and override my internal domain in the dns forwarder to point to our internal dns server, right?



  • If you set your clients to use a public DNS they don't get internal names resolved.

    Why is you DNS server down?
    Use the pfSense DNS resolver or the forwarder (resolver is recommended). The pfSense should never get down. If it does, you have no internet, anyway.

    Alternatively you may activate DNS reflection if you want to keep on using public DNS.



  • @viragomann Because our dns server is 192.168.0.1, pfsense is 192.168.0.254. If the dns server goes down (since it is the only server we have here, it is used for almost everything), we will not have any internet until we manually set a public dns server on every pc



  • Why can't you just point your clients to pfSense for DNS and then let pfSense query your internal server for your own domain names (domain overrides in the options)? This way pfSense would keep your clients on the internet even if your own DNS server goes down and it would have cached records of your own domain at least for a while.


  • Rebel Alliance Global Moderator

    ^ exactly.. But I would think your internal dns/server going down would/should be your #1 priority. I would look to stabilize this server. Is it just over taxed? Why does it go down? You can for sure bring up multiple dns in side your AD, etc.

    But sure pointing clients to pfsense, and then setting a domain override to allow pfsense to resolve your internal stuff works as well if that server goes down you would still resolve internet, etc.



  • @kpa said in Accessing external domain from inside:

    Why can't you just point your clients to pfSense for DNS and then let pfSense query your internal server for your own domain names (domain overrides in the options)? This way pfSense would keep your clients on the internet even if your own DNS server goes down and it would have cached records of your own domain at least for a while.

    I already tried it, everything was good, but accessing our external domain from the internal was still a "DNS rebind". I'm going to retry it, It's almost impossible cause I've written only our internal domain in the override section.

    @johnpoz said in Accessing external domain from inside:

    ^ exactly.. But I would think your internal dns/server going down would/should be your #1 priority. I would look to stabilize this server. Is it just over taxed? Why does it go down? You can for sure bring up multiple dns in side your AD, etc.

    But sure pointing clients to pfsense, and then setting a domain override to allow pfsense to resolve your internal stuff works as well if that server goes down you would still resolve internet, etc.

    We already have a backup server ready to be configured but there's no time to configure it.... (bah...), anyway I'm going to try again the pfsense as dns alternative.



  • @johnpoz @kpa @viragomann

    I enabled the dns forwarder, now the dns server on the clients points to pfsense (192.168.0.254). I've written our internal domain on the domain override.
    Internet works well, our internal domain works well, our external domain works well if you access it from outside our network, but when I access the external domain from inside the network, it's always the same thing, it points me to pfsense.
    It points me to pfsense (192.168.0.254) and it's giving me the dns rebind error. I disabled the rebinding and, as I said, it points me to pfsense.

    Can someone help me?



  • Clear the browser cache and also the DNS cache on the client.


  • Rebel Alliance Global Moderator

    Be happy to help you figure out what is wrong. But your going to have to give some details of what exactly your doing a query for and what it should resolve too.

    If pfsense looks upstream for a dns record, ie a domain override and it comes back as rfc1918 then yes that would be a rebind and you would have to set whatever domain that is as private or turn off rebind completely. I would suggest set specific domain(s) as private vs disable rebind completely.

    You mention external? Did you set pfsense to use your external domain as its own domain? So you have publicdomain.tld that resolves on the interent and you put pfsense in this publicdomain.tld ie pfsense.publicdomain.tld is its fqdn?

    Is your AD domain also using your public domain? This sort of setup is always going to be problematic.



  • @viragomann said in Accessing external domain from inside:

    Clear the browser cache and also the DNS cache on the client.

    I can try it.

    @johnpoz said in Accessing external domain from inside:

    Be happy to help you figure out what is wrong. But your going to have to give some details of what exactly your doing a query for and what it should resolve too.

    If pfsense looks upstream for a dns record, ie a domain override and it comes back as rfc1918 then yes that would be a rebind and you would have to set whatever domain that is as private or turn off rebind completely. I would suggest set specific domain(s) as private vs disable rebind completely.

    You mention external? Did you set pfsense to use your external domain as its own domain? So you have publicdomain.tld that resolves on the interent and you put pfsense in this publicdomain.tld ie pfsense.publicdomain.tld is its fqdn?

    Is your AD domain also using your public domain? This sort of setup is always going to be problematic.

    Currently we have our publicadomain.tdl that points to our public ip, the pfsense takes every wan request on the 80/443 and sends it to our server 192.168.0.1 (via NAT+rules), and it works since from another network I can reach the websites.
    And then we have our internaldomain.tdl (on general setup i set this to pfsense domain also). Our server 192.168.0.1 serves also our internaldomain.tdl websites.
    So we have a single server (192.168.0.1) that serve both the websites, external and internal. We are all connected to a switch connected to the firewall.

    My dns configuration now is all about dns forwarder. I removed all the dns servers from the DHCP server, the firewall automatically gives its ip address as the dns server to the clients, and on the dns forwarder I set an override of internaldomain.tdl to the server 192.168.0.1. From inside our network internet works, internaldomain.tdl works, but publicadomain.tdl goes direct to pfsense, and pfsense only (if i disable dns rebind I get the pfsense login).

    I also tried to add publicadomain.tdl in the override section (to 192.168.0.1) but it was pointing me to pfsense anyway!


  • Rebel Alliance Global Moderator

    So if you query host.publicdomain.tld who should resolve this?

    Externally, say me for example wanting to hit www.publicdomain.tld gets returned your public IP 1.2.3.4, this hits your wan, and gets forwarded to 192.168.0.1

    Internally someone sitting on this 192.168.0/24 network or another one of your internal networks should get returned 192.168.0.1..

    So setup a host override in your pfsense dns so that www.publicdomain.tld returns 192.168.0.1

    If you let it resolve via the public dns and it gets back your public 1.2.3.4 and you want that to go to 192.168.0.1 you would have to setup nat "reflection" which is not the optimal setup. Internal clients should just hit the internal IP directly since they are internal as well. So setup your local dns to return the local IP for this fqdn.

    This is generally referred to as split dns.



  • @johnpoz I tried it, I tried to override publicdomain.tld with 192.168.0.1 but it was pointing me to this dns rebind error anyway. I'll try it again tomorrow.



  • From your PC dosbox/CMD/powershell do this:

    nslookup internaldomain.tld
    &
    nslookup publicdomain.tld

    Post the results. (they should be the same)



  • Can i use my videos on this platform ? actually i want to creat my own post so i can get more ideas about this channel ?


  • Rebel Alliance Global Moderator

    @maryjohnston said in Accessing external domain from inside:

    Can i use my videos on this platform ? actually i want to creat my own post so i can get more ideas about this channel ?

    Huh?? I think you posted that in the wrong thread to be honest.



  • @heper Thanks I'm going to try it tomorrow since I can't do it right now.



  • @johnpoz @heper @viragomann @kpa
    Thank you all, I finally found the solution. The override to 192.168.0.1 for my public domain wasn't working, so I searched again. I found the NAT reflection (as you said, johnpoz) and it works!

    For newbies like me, if you are struggling with this, go here and follow the method 1:
    https://www.netgate.com/docs/pfsense/nat/accessing-port-forwards-from-local-networks.html

    Again, thank you all for all the time you spent for help me.


  • Rebel Alliance Global Moderator

    NO NO NO... Method 1 should be the last freaking option... And only used when there is some crap application that has your public IP hard coded or something.. Nat reflection is pure evil and an abomination...

    It takes two seconds to do a host override... I would suggest you take the time to figure out what you were doing wrong with your override.. You put in the forwarder when your using the resolver - have seen that a few times ;) Your client not using pfsense as dns for sure would be an issue.

    Client using both pfsense and some external dns also common mistake since you can never be sure what dns a client will use when you have more than 1 listed.

    You would only get a rebind error if pfsense is looking elsewhere for the record. A host override would be served up from it and rfc1918 is fine.. Only when it forwards/resolves or you have set a domain override pointing to some other ns and it gets back rfc1918 for a query is that a rebind. Which you solve by setting the domain to private if you some local dns is you are query for this record via domain override, etc.



  • @johnpoz
    I can assure you that the dns resolver is disabled and every client is using pfsense as the only dns server.
    But even if I set 192.168.0.1 as the only dns server in my pc, it still gives dns rebind if NAT reflection is not enabled.


  • Netgate

    If you are going to do this stuff you should:

    1. Disable the port 80 to HTTPS redirect in System > Advanced, Admin Access, WebGUI redirect (Check the box)
    2. Change the webgui HTTPS port to something other than 443. Say 8443. Protocol: HTTPS and TCP Port on the same System > Advanced, Admin Access page.

    You will then have to access your webgui on https://firewallnameoraddress:8443/ so be sure you adjust any firewall rules prior to making the change (the auto-lockout rule on LAN will be adjusted to pass the new HTTPS port automatically)

    That will prevent the firewall from thinking ANY connections to port 80 or 443 on ANY of its addresses is a webgui request.

    When you start dealing in NAT reflection, which is far inferior to proper split DNS, things can get squirrelley if you don't know exactly what you are doing. If you are getting a pfSense DNS rebind error when you think you should be getting redirected to an internal web server, these steps should fix it.

    (ETA: Sorry - completely confusing DNS Rebind with HTTP Referrer errors.)


  • Rebel Alliance Global Moderator

    @nich17 said in Accessing external domain from inside:

    But even if I set 192.168.0.1 as the only dns server in my pc, it still gives dns rebind if NAT reflection is not enabled

    What does your browser? All pfsense is doing in this case is resolving www.domain.tld to 192.168.0.x

    Your browser thinking www.domain.tld should be public IP would be on your browser. All pfsense does in this case is return the IP you put in you host override. Lets see your dns query.. Simple nslookup, did, host showing what IP gets returned from you host override. And then going to that fqdn in your browser.

    If you put this rfc1918 address in your public dns!!! That would be a rebind..



  • @derelict @johnpoz
    I'll try it as soon as I can


  • Netgate

    If you really must have it:

    Advanced options:

    server:
    private-domain: domain.tld
    

  • Rebel Alliance Global Moderator

    ^ yup that would turn off rebind protection for something upstream of pfsense resolver, ie a domain override.



  • @nich17 said in Accessing external domain from inside:

    @johnpoz @kpa @viragomann

    I enabled the dns forwarder, now the dns server on the clients points to pfsense (192.168.0.254). I've written our internal domain on the domain override.
    Internet works well, our internal domain works well, our external domain works well if you access it from outside our network, but when I access the external domain from inside the network, it's always the same thing, it points me to pfsense.
    It points me to pfsense (192.168.0.254) and it's giving me the dns rebind error. I disabled the rebinding and, as I said, it points me to pfsense.

    Can someone help me?

    Hang on a second, how is your external domain resolving to an internal IP if you have only added your internal domain to the Domain Overrides?

    I think you might be confusing terminology here.

    Domain Overrides tells the DNS forwarder to use a different upstream DNS server for that specific domain.
    Host Overrides tells the DNS forwarder to IGNORE all other DNS servers and send back the IP address specified for those hostnames. As such, I believe you don't even need an internal DNS server beyond pfSense, its much easier to manage all your internal DNS from within pfSense itself.

    If you are wanting the external domain to resolve to internal IPs then you should be putting THAT into Host Overrides.

    eg My public IP resolves to server.my.domain at my domains DNS host, in pfSense I have a Host Override for server.my.domain that points to its internal IP address. So when inside the LAN it resolves to the internal IP. I rarely ever use the internal domain for that server as its not necessary.

    If you want to wildcard the whole domain (so that server1.my.domain, server2.my.domain, etc all point to the same IP address without having to add each one manually), you have to use custom options and add:

    address=/my.domain/<SERVER ADDDRESS>

    Replacing my.domain with your external domain and <SERVER ADDRESS> with your servers IP.

    If you use DNS Resolver it works exactly the same except the custom option is:

    server:
    local-zone: "my.domain" redirect
    local-data: "my.domain 86400 IN A <SERVER ADDRESS>"