DNS queries for records whose answer is "127.0.0.1" blocked in 2.4.5 (not a bug)
-
So I had a unique problem pop up after upgrading a client office to 2.4.5. Apparently, one of their software packages (RepairCenter by Mitchell) requires that it is able to resolve "ihost.mymitchell.com", which resolves as "127.0.0.1". (wonky, I know)
This was working fine until I upgraded them to 2.4.5. I didn't make the connection at first, until finding a diagnostic log on the client indicating that it had failed to resolve that hostname. A few NSLOOKUPs later, and I realized that while I could query 1.1.1.1 for the hostname successfully, the Unbound resolver was coming back empty handed. I tried turning on some more verbose logging, but wasn't seeing the query in the logs. So I decided to check the patch notes, and saw this:
"Added 127.0.0.0/8 to the DNS Resolver private-address list for DNS rebinding protection #9708"
Ok, so that's definitely what's going on. I created a HOST OVERRIDE to solve the problem in the immediate term, while I ponder if I should try to remedy it any better than this.
Clearly there was a good reason for implementing this new feature. But if I wanted to turn it back off, how would I do that? I think I am just going to stick with the host override as the solution, as this feature seems like a good idea. But I'd still like to know how to change that setting should it end up being necessary for any reason.
NOTE: I've purposely included product names and hostnames here so that anyone else googling for this might find their answer here.
-
@pdnx said in DNS queries for records whose answer is "127.0.0.1" blocked in 2.4.5 (not a bug):
But if I wanted to turn it back off, how would I do that?
As the changelog entry implies, it's tied to DNS rebinding protection. So to turn that off, disable DNS rebinding checks under System > Advanced.
-
Would adding the DNS Resolver custom option:
server:
    private-domain: "mymitchell.com"
...override this?
-
That would bypass the protection for that domain, so yes.
https://docs.netgate.com/pfsense/en/latest/dns/dns-rebinding-protections.html#dns-resolver-unbound
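To make the interaction between the private-address list and the private-domain override concrete, here is a small model of that filtering logic written for this thread (it is not Unbound's or pfSense's code). The address list is an assumption based on the changelog entry quoted above plus the RFC 1918 ranges; the sample records are constructed.

```python
"""Toy model of the DNS rebinding protection discussed in this thread:
A/AAAA records inside a private-address range are stripped from an answer
unless the queried name is under a private-domain entry. Illustration
only, not Unbound's implementation."""
import ipaddress

# Assumed private-address list: RFC 1918 space, the 127.0.0.0/8 range that
# 2.4.5 added (per the changelog quoted in the thread) and IPv6 equivalents.
PRIVATE_ADDRESS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "::1/128", "fd00::/8", "fe80::/10",
)]


def in_private_domain(qname, private_domains):
    """True if qname equals, or is a subdomain of, a private-domain entry.
    Names are compared case-insensitively, ignoring a trailing dot."""
    q = qname.rstrip(".").lower()
    for d in private_domains:
        d = d.rstrip(".").lower()
        if q == d or q.endswith("." + d):
            return True
    return False


def filter_answer(qname, rdata, private_domains=()):
    """Return the records a rebinding-protected resolver would hand back.

    rdata is the list of IP address strings in the upstream answer.
    Records inside PRIVATE_ADDRESS are dropped unless qname is allowlisted
    via private-domain. If every record is dropped the client sees an
    empty answer, which is the "coming back empty handed" symptom above.
    """
    if in_private_domain(qname, private_domains):
        return list(rdata)
    kept = []
    for r in rdata:
        ip = ipaddress.ip_address(r)
        if any(ip in net for net in PRIVATE_ADDRESS):
            continue  # stripped by rebinding protection
        kept.append(r)
    return kept


if __name__ == "__main__":
    # Constructed example using the hostname from the thread.
    print(filter_answer("ihost.mymitchell.com", ["127.0.0.1"]))
    print(filter_answer("ihost.mymitchell.com", ["127.0.0.1"],
                        private_domains=["mymitchell.com"]))
```

The second call models the private-domain custom option from the post above: the same 127.0.0.1 answer passes once the domain is allowlisted, so keep the list as narrow as the application actually needs.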
-
@jimp Well there you go. I remembered the setting from years ago for some RFC1918 IPs we had to use, just didn't look up the docs for rebinding... :)
-
Thanks folks, that was exactly what I was looking for. Much obliged!