Netgate Discussion Forum
Accessing external domain from inside

Category: DHCP and DNS
29 Posts 8 Posters 4.6k Views
  • N
    nich17
    last edited by nich17 Jul 17, 2018, 7:50 AM Jul 17, 2018, 7:45 AM

    Hi,
    I have a DHCP server that serve 1 dns server (192.168.0.1), I don't know what happens inside it, there's an apache server where we host websites as virtualhosts configured in webmin, but it works. From a computer connected to the firewall, I can reach both our internal websites (example: k.ourinternaldomain.com) and the internet. The problem is with our external domain (example: k.ourexternaldomain.com), our server (192.168.0.1) serve not only ourinternaldomain websites, but also ourexternaldomain websites. I can reach them from the internet, but when I try to reach it from a pc connected to the firewall, it automatically goes to https and tell me "DNS rebind". From what I've understood, it points me to the gateway (pfsense).

    If I set the DHCP to give (for example) 1.1.1.1 and 8.8.8.8 as DNS servers, enable the DNS forwarder and override our internal domain in order to redirect it to 192.168.0.1, will it work?

    My boss is giving me limited time (so limited you can't imagine). Can someone help me?

    • V
      viragomann
      last edited by Jul 17, 2018, 10:20 AM

      Keep on using your internal DNS server and add overrides for your public host names to it so that it delivers the internal host IPs.
      You also may switch to the pfSense DNS forwarder and add the overrides there.

      • N
        nich17 @viragomann
        last edited by Jul 17, 2018, 10:30 AM

        @viragomann

        OK, but there's another problem. If the server goes down, we can't access the internet anymore. Then I added another DNS server (1.1.1.1) to the DHCP's DNS server list (under 192.168.0.1), but I don't know why, it stops me from accessing our internal domain.

        • V
          viragomann
          last edited by Jul 17, 2018, 10:36 AM

          A public DNS server cannot resolve your internal host names, of course.
          So if you want to resolve internal host names and override public names, you have to use an internal DNS server and configure the server to use public servers for resolving public domains.

          • N
            nich17 @viragomann
            last edited by Jul 17, 2018, 10:48 AM

            @viragomann So, an alternative to maintain internet access while the internal DNS server is down is to set the DNS server to the public DNS server and override my internal domain in the DNS forwarder to point to our internal DNS server, right?

            • V
              viragomann
              last edited by Jul 17, 2018, 10:54 AM

              If you set your clients to use a public DNS they don't get internal names resolved.

              Why is your DNS server down?
              Use the pfSense DNS Resolver or the Forwarder (the Resolver is recommended). pfSense should never go down. If it does, you have no internet anyway.

              Alternatively you may activate DNS reflection if you want to keep on using public DNS.

              • N
                nich17 @viragomann
                last edited by Jul 17, 2018, 10:59 AM

                @viragomann Because our DNS server is 192.168.0.1 and pfSense is 192.168.0.254. If the DNS server goes down (since it is the only server we have here, it is used for almost everything), we will not have any internet until we manually set a public DNS server on every PC.

                • K
                  kpa
                  last edited by kpa Jul 17, 2018, 12:46 PM Jul 17, 2018, 12:45 PM

                  Why can't you just point your clients to pfSense for DNS and then let pfSense query your internal server for your own domain names (domain overrides in the options)? This way pfSense would keep your clients on the internet even if your own DNS server goes down, and it would have cached records of your own domain at least for a while.

                  • J
                    johnpoz LAYER 8 Global Moderator
                    last edited by Jul 17, 2018, 12:59 PM

                    ^ exactly.. But I would think your internal DNS/server going down would/should be your #1 priority. I would look to stabilize this server. Is it just overtaxed? Why does it go down? You can for sure bring up multiple DNS inside your AD, etc.

                    But sure, pointing clients to pfSense and then setting a domain override to allow pfSense to resolve your internal stuff works as well; if that server goes down you would still resolve the internet, etc.

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                    • N
                      nich17 @kpa
                      last edited by Jul 17, 2018, 1:06 PM

                      @kpa said in Accessing external domain from inside:

                      Why can't you just point your clients to pfSense for DNS and then let pfSense query your internal server for your own domain names (domain overrides in the options)? This way pfSense would keep your clients on the internet even if your own DNS server goes down, and it would have cached records of your own domain at least for a while.

                      I already tried it; everything was good, but accessing our external domain from inside was still a "DNS rebind". I'm going to retry it. It's almost impossible, because I've written only our internal domain in the override section.

                      @johnpoz said in Accessing external domain from inside:

                      ^ exactly.. But I would think your internal DNS/server going down would/should be your #1 priority. I would look to stabilize this server. Is it just overtaxed? Why does it go down? You can for sure bring up multiple DNS inside your AD, etc.

                      But sure, pointing clients to pfSense and then setting a domain override to allow pfSense to resolve your internal stuff works as well; if that server goes down you would still resolve the internet, etc.

                      We already have a backup server ready to be configured but there's no time to configure it.... (bah...), anyway I'm going to try the pfSense-as-DNS alternative again.

                      • N
                        nich17
                        last edited by Jul 18, 2018, 12:08 PM

                        @johnpoz @kpa @viragomann

                        I enabled the DNS forwarder; now the DNS server on the clients points to pfSense (192.168.0.254). I've written our internal domain in the domain override.
                        The internet works well, our internal domain works well, and our external domain works well if you access it from outside our network, but when I access the external domain from inside the network, it's always the same thing: it points me to pfSense.
                        It points me to pfSense (192.168.0.254) and it's giving me the DNS rebind error. I disabled rebinding and, as I said, it points me to pfSense.

                        Can someone help me?

                        • V
                          viragomann
                          last edited by viragomann Jul 18, 2018, 12:39 PM Jul 18, 2018, 12:38 PM

                          Clear the browser cache and also the DNS cache on the client.

                          • J
                            johnpoz LAYER 8 Global Moderator
                            last edited by Jul 18, 2018, 12:47 PM

                            Be happy to help you figure out what is wrong. But you're going to have to give some details of what exactly you're doing a query for and what it should resolve to.

                            If pfSense looks upstream for a DNS record, i.e. a domain override, and it comes back as RFC1918 then yes, that would be a rebind and you would have to set whatever domain that is as private or turn off rebind completely. I would suggest setting specific domain(s) as private vs disabling rebind completely.

                            You mention external? Did you set pfSense to use your external domain as its own domain? So you have publicdomain.tld that resolves on the internet and you put pfSense in this publicdomain.tld, i.e. pfsense.publicdomain.tld is its FQDN?

                            Is your AD domain also using your public domain? This sort of setup is always going to be problematic.


                            • N
                              nich17 @viragomann
                              last edited by nich17 Jul 18, 2018, 1:53 PM Jul 18, 2018, 1:50 PM

                              @viragomann said in Accessing external domain from inside:

                              Clear the browser cache and also the DNS cache on the client.

                              I can try it.

                              @johnpoz said in Accessing external domain from inside:

                              Be happy to help you figure out what is wrong. But you're going to have to give some details of what exactly you're doing a query for and what it should resolve to.

                              If pfSense looks upstream for a DNS record, i.e. a domain override, and it comes back as RFC1918 then yes, that would be a rebind and you would have to set whatever domain that is as private or turn off rebind completely. I would suggest setting specific domain(s) as private vs disabling rebind completely.

                              You mention external? Did you set pfSense to use your external domain as its own domain? So you have publicdomain.tld that resolves on the internet and you put pfSense in this publicdomain.tld, i.e. pfsense.publicdomain.tld is its FQDN?

                              Is your AD domain also using your public domain? This sort of setup is always going to be problematic.

                              Currently we have our publicadomain.tdl that points to our public IP; pfSense takes every WAN request on 80/443 and sends it to our server 192.168.0.1 (via NAT + rules), and it works, since from another network I can reach the websites.
                              And then we have our internaldomain.tdl (in General Setup I set this as the pfSense domain also). Our server 192.168.0.1 serves our internaldomain.tdl websites as well.
                              So we have a single server (192.168.0.1) that serves both websites, external and internal. We are all connected to a switch connected to the firewall.

                              My DNS configuration now is all about the DNS forwarder. I removed all the DNS servers from the DHCP server; the firewall automatically gives its IP address as the DNS server to the clients, and in the DNS forwarder I set an override of internaldomain.tdl to the server 192.168.0.1. From inside our network the internet works and internaldomain.tdl works, but publicadomain.tdl goes directly to pfSense, and pfSense only (if I disable DNS rebind I get the pfSense login).

                              I also tried to add publicadomain.tdl in the override section (to 192.168.0.1) but it was pointing me to pfSense anyway!

                              • J
                                johnpoz LAYER 8 Global Moderator
                                last edited by johnpoz Jul 18, 2018, 2:49 PM Jul 18, 2018, 2:47 PM

                                So if you query host.publicdomain.tld, who should resolve this?

                                Externally, say me for example wanting to hit www.publicdomain.tld, gets returned your public IP 1.2.3.4; this hits your WAN and gets forwarded to 192.168.0.1.

                                Internally, someone sitting on this 192.168.0/24 network or another one of your internal networks should get returned 192.168.0.1.

                                So set up a host override in your pfSense DNS so that www.publicdomain.tld returns 192.168.0.1.

                                If you let it resolve via the public DNS and it gets back your public 1.2.3.4, and you want that to go to 192.168.0.1, you would have to set up NAT "reflection", which is not the optimal setup. Internal clients should just hit the internal IP directly since they are internal as well. So set up your local DNS to return the local IP for this FQDN.

                                This is generally referred to as split dns.


                                • N
                                  nich17 @johnpoz
                                  last edited by nich17 Jul 18, 2018, 2:52 PM Jul 18, 2018, 2:49 PM

                                  @johnpoz I tried it; I tried to override publicdomain.tld with 192.168.0.1 but it was pointing me to this DNS rebind error anyway. I'll try it again tomorrow.

                                  • H
                                    heper
                                    last edited by heper Jul 18, 2018, 2:56 PM Jul 18, 2018, 2:55 PM

                                    From your PC DOS box/CMD/PowerShell do this:

                                    nslookup internaldomain.tld
                                    &
                                    nslookup publicdomain.tld

                                    Post the results. (they should be the same)

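To make johnpoz's two points concrete (an RFC1918 answer that comes back through a domain override trips rebind protection unless that domain is marked private, and the split-DNS fix is a host override that returns 192.168.0.1 for the public name) and to show what heper's two nslookups should agree on, here is an added Python model. It is not code from this thread, from pfSense or from Unbound; it only reproduces the behaviour johnpoz describes. It assumes the thread's placeholder names and addresses (pfSense at 192.168.0.254 as the clients' resolver, the internal server at 192.168.0.1, the public IP 1.2.3.4, 1.1.1.1 as the upstream resolver); the zone data, including the address given for example.com, is constructed sample data.

```python
"""Toy model of pfSense-style split DNS with DNS-rebind protection.

Added example modelled on the thread's description; not pfSense/Unbound code.
"""
import ipaddress

# Constructed zone data standing in for the two real servers in the thread,
# keyed by server IP. Names and addresses are the thread's placeholders.
SERVERS = {
    "1.1.1.1": {                      # upstream public resolver
        "publicdomain.tld": "1.2.3.4",
        "www.publicdomain.tld": "1.2.3.4",
        "example.com": "93.184.216.34",   # constructed sample answer
    },
    "192.168.0.1": {                  # internal server (DNS + Apache)
        "internaldomain.tld": "192.168.0.1",
        "k.internaldomain.tld": "192.168.0.1",
    },
}


def is_private(ip):
    """What rebind protection treats as a private address (RFC1918 etc.)."""
    return ipaddress.ip_address(ip).is_private


class SplitResolver:
    """Models the resolver on pfSense (192.168.0.254) as seen by LAN clients."""

    def __init__(self, host_overrides=None, domain_overrides=None,
                 private_domains=(), rebind_protection=True, upstream="1.1.1.1"):
        self.host_overrides = {k.lower(): v for k, v in (host_overrides or {}).items()}
        self.domain_overrides = {k.lower(): v for k, v in (domain_overrides or {}).items()}
        self.private_domains = tuple(d.lower() for d in private_domains)
        self.rebind_protection = rebind_protection
        self.upstream = upstream

    @staticmethod
    def _under(name, domain):
        return name == domain or name.endswith("." + domain)

    def resolve(self, name):
        """Return (ip_or_None, source) for an A lookup of `name`."""
        name = name.rstrip(".").lower()

        # 1. Host override: answered locally, never subject to rebind checks.
        if name in self.host_overrides:
            return self.host_overrides[name], "host-override"

        # 2. Domain override: forward the query to the configured server;
        #    otherwise ask the upstream resolver.
        server, source = self.upstream, "upstream:" + self.upstream
        for domain, override_server in self.domain_overrides.items():
            if self._under(name, domain):
                server, source = override_server, "domain-override:" + override_server
                break

        answer = SERVERS.get(server, {}).get(name)
        if answer is None:
            return None, "nxdomain"

        # 3. Rebind protection: a forwarded answer holding a private address is
        #    dropped unless the name lies under a domain marked private.
        if self.rebind_protection and is_private(answer) and not any(
            self._under(name, d) for d in self.private_domains
        ):
            return None, "rebind-blocked"
        return answer, source


def same_answer(resolver, name_a, name_b):
    """heper's check: from inside, both names should resolve to the same IP."""
    ip_a, _ = resolver.resolve(name_a)
    ip_b, _ = resolver.resolve(name_b)
    return ip_a is not None and ip_a == ip_b


# Domain override only (the thread's first attempt) vs. with host overrides added.
WITHOUT_HOST_OVERRIDE = SplitResolver(
    domain_overrides={"internaldomain.tld": "192.168.0.1"},
    private_domains=["internaldomain.tld"],
)
WITH_HOST_OVERRIDE = SplitResolver(
    host_overrides={"www.publicdomain.tld": "192.168.0.1",
                    "publicdomain.tld": "192.168.0.1"},
    domain_overrides={"internaldomain.tld": "192.168.0.1"},
    private_domains=["internaldomain.tld"],
)

if __name__ == "__main__":
    for label, r in (("domain override only", WITHOUT_HOST_OVERRIDE),
                     ("with host overrides", WITH_HOST_OVERRIDE)):
        print(label)
        for n in ("www.publicdomain.tld", "k.internaldomain.tld", "example.com"):
            print("  ", n, "->", r.resolve(n))
```

Without the host override the public name still comes back as 1.2.3.4, which from the LAN only reaches 192.168.0.1 through NAT reflection; with it, the inside answer is 192.168.0.1 and the two nslookups heper asks for agree. Marking only internaldomain.tld private keeps rebind protection on for everything else, which is the "specific domain(s) as private" option rather than switching rebind off.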
                                    • M
                                      maryjohnston
                                      last edited by Jul 18, 2018, 3:11 PM

                                      Can I use my videos on this platform? Actually I want to create my own post so I can get more ideas about this channel?

                                      • J
                                        johnpoz LAYER 8 Global Moderator @maryjohnston
                                        last edited by Jul 18, 2018, 3:21 PM

                                        @maryjohnston said in Accessing external domain from inside:

                                        Can I use my videos on this platform? Actually I want to create my own post so I can get more ideas about this channel?

                                        Huh?? I think you posted that in the wrong thread to be honest.


                                        • N
                                          nich17 @heper
                                          last edited by Jul 18, 2018, 3:35 PM

                                          @heper Thanks I'm going to try it tomorrow since I can't do it right now.

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.