Netgate Discussion Forum
    DNS queries for records whose answer is "127.0.0.1" blocked in 2.4.5 (not a bug)

    DHCP and DNS (6 posts, 3 posters)
    pdnx:

      So I had a unique problem pop up after upgrading a client office to 2.4.5. Apparently, one of their software packages, (RepairCenter by Mitchell) requires that it is able to resolve "ihost.mymitchell.com", which resolves as "127.0.0.1". (wonky, I know)

      This was working fine until I upgraded them to 2.4.5. I didn't make the connection at first, until finding a diagnostic log on the client indicating that it had failed to resolve that hostname. A few NSLOOKUPs later, and I realized that while I could query 1.1.1.1 for the hostname successfully, the Unbound resolver was coming back empty handed. I tried turning on some more verbose logging, but wasn't seeing the query in the logs. So I decided to check the patch notes, and saw this:

      "Added 127.0.0.0/8 to the DNS Resolver private-address list for DNS rebinding protection #9708"

      Ok, so that's definitely what's going on. I created a HOST OVERRIDE to solve the problem in the immediate term, while I ponder if I should try to remedy it any better than this.

      Clearly there was a good reason for implementing this new feature. But if I wanted to turn it back off, how would I do that? I think I am just going to stick with the host override as the solution, as this feature seems like a good idea. But I'd still like to know how to change that setting should it end up being necessary for any reason.

      NOTE: I've purposely included product names and hostnames here so that anyone else googling for this might find their answer here.

    jimp (Netgate developer) @pdnx:

        @pdnx said in DNS queries for records whose answer is "127.0.0.1" blocked in 2.4.5 (not a bug):

        But if I wanted to turn it back off, how would I do that?

        As the changelog entry implies, it's tied to DNS rebinding protection. So to turn that off, disable DNS rebinding checks under System > Advanced.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

    SteveITS:

          Would adding the DNS Resolver custom option:

          server:
          private-domain: "mymitchell.com"

          ...override this?

          Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
          When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
          Upvote 👍 helpful posts!

    jimp (Netgate developer):

            That would bypass the protection for that domain, so yes.

            https://docs.netgate.com/pfsense/en/latest/dns/dns-rebinding-protections.html#dns-resolver-unbound

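The two replies above describe the mechanism in a few words: every address in Unbound's private-address list is stripped from upstream answers, and private-domain exempts one domain (and its subdomains) from that check. The following model is an added example, not code from this thread or from pfSense or Unbound; it parses a constructed unbound.conf fragment and applies the same rule to constructed answers. The address lists are an assumption that approximates what pfSense writes (the only difference between the two is the 127.0.0.0/8 line that 2.4.5 added, #9708 in the changelog), and the domain and addresses are the ones the original post names.

```python
"""Model of Unbound's DNS-rebinding protection as pfSense configures it:
A/AAAA records inside a private-address range are dropped from upstream
answers unless the queried name falls under a private-domain exception."""
import ipaddress

# Constructed unbound.conf fragments (assumption: an approximation of what
# pfSense writes, not copied from a real box). The only difference between
# the two lists is the 127.0.0.0/8 entry that 2.4.5 added (#9708).
CONF_PRE_245 = """\
server:
    # RFC 1918, link-local and ULA ranges
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10
"""
CONF_245 = CONF_PRE_245 + "    private-address: 127.0.0.0/8\n"

# The custom option from the reply above, appended to the 2.4.5 list.
CONF_245_WITH_EXCEPTION = CONF_245 + '    private-domain: "mymitchell.com"\n'


def parse_unbound_conf(text):
    """Pull private-address / private-domain directives out of a server: block."""
    nets, domains = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        parts = line.split(None, 1)          # whitespace split keeps IPv6 ':' intact
        if len(parts) != 2:
            continue                         # blank line or the bare "server:" header
        key, value = parts[0], parts[1].strip().strip('"')
        if key == "private-address:":
            nets.append(ipaddress.ip_network(value, strict=False))
        elif key == "private-domain:":
            domains.append(value.lower().rstrip("."))
    return nets, domains


def is_private_domain(name, domains):
    """private-domain covers the domain itself and every name below it."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def filter_answer(name, addresses, conf_text):
    """Return the address records the resolver would hand to the client.

    An empty list models the 'empty handed' reply the original poster saw:
    every record pointed into a private range and none of them survived."""
    nets, domains = parse_unbound_conf(conf_text)
    if is_private_domain(name, domains):
        return list(addresses)               # exempted: answer passed through untouched
    kept = []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        # ip in net is False (not an error) when the IP versions differ
        if any(ip in net for net in nets):
            continue                         # stripped: upstream answered with a private address
        kept.append(addr)
    return kept


if __name__ == "__main__":
    q = "ihost.mymitchell.com"
    print("pre-2.4.5 list   :", filter_answer(q, ["127.0.0.1"], CONF_PRE_245))
    print("2.4.5 list       :", filter_answer(q, ["127.0.0.1"], CONF_245))
    print("2.4.5 + exception:", filter_answer(q, ["127.0.0.1"], CONF_245_WITH_EXCEPTION))
    print("unrelated name   :", filter_answer("www.example.org", ["127.0.0.1", "203.0.113.10"],
                                              CONF_245_WITH_EXCEPTION))
```

Running it shows the three outcomes the thread walks through: the loopback answer survives the pre-2.4.5 list, disappears once 127.0.0.0/8 is on the list, and comes back for mymitchell.com alone when the private-domain exception is added, while any other name that resolves to 127.0.0.1 still gets its record stripped. That last line is the reason the per-domain exception is the narrower fix compared with switching rebinding checks off globally under System > Advanced, which removes the check for every name. The host override the original poster used sidesteps the check in a different way, by answering from local data instead of from an upstream reply.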
    SteveITS @jimp:

              @jimp Well there you go. I remembered the setting from years ago for some RFC1918 IPs we had to use, just didn't look up the docs for rebinding... :)

    pdnx:

                Thanks folks, that was exactly what I was looking for. Much obliged!

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.