A simple question... maybe: about resolving to a VIP of pfSense itself
-
I'm new to setting up DNS in my local network.
I'm using BIND (although this seems not to be a BIND issue) to resolve other network appliances on my private net.
I configured records for resolving the 2 pfSense IPs I have in an HA cluster. I also have a name resolving to the VIP for the HA cluster.
When using the name for each node in the URL I can get to the login page of each, like expected. However when I use the name I have for the VIP I get a message regarding "Potential DNS Rebind attack detected".
Does anyone have insight as to why this is happening?
Thanks all,
A
-
Go to System/Admin Access under webConfigurator.
Go down to the "DNS Rebind Check" and check the box.
You would have to use the name of your pfSense box that is set on "General Settings" as your DNS name to keep this from happening.
-
You shouldn't disable that option if you can avoid it. You should set your domain as being private: https://docs.netgate.com/pfsense/en/latest/dns/dns-rebinding-protections.html
Also, you should never manage an HA pair by accessing the CARP VIP address. It's OK for clients to access services like DNS and so on from it, but don't use the GUI by the CARP VIP -- you can't be sure which one you're connecting to.
-
Ah, OK. Thank you both.
jimp, what if I have the secondary node's login page color and GUI theme set differently from the primary node? Are there any other potential problems with using the CARP VIP for administration?
-
It doesn't matter... If the VIP status changed while you were in the GUI you'd end up on the "wrong" box. Don't do it. Just access the individual hostnames.
Also make sure the other hostname(s) are listed on System > Advanced under "Alternate Hostnames"
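Added example (not code from the thread or from pfSense itself): a small model of how a hostname-based DNS rebinding check like the one pfSense's GUI performs decides whether to serve a request. It compares the HTTP Host header against the box's own hostname, the Alternate Hostnames list, and literal IP addresses; anything else is rejected, which is exactly what happens when the VIP's DNS name is not listed. The hostnames, the domain and the exact matching rules (bare hostname accepted alongside the FQDN, IP literals always accepted) are assumptions for illustration, not pfSense's source.

```python
import ipaddress

# Constructed configuration, modelled on the pfSense settings named in the
# thread: the hostname/domain from System > General Setup and the
# "Alternate Hostnames" box under System > Advanced > Admin Access.
# All names here are hypothetical.
SYSTEM_HOSTNAME = "fw1"
SYSTEM_DOMAIN = "lab.example"
ALTERNATE_HOSTNAMES = ["fw-vip.lab.example"]  # the name that resolves to the CARP VIP


def _strip_port(host_header: str) -> str:
    """Return the host part of an HTTP Host header without a trailing :port.

    Handles bracketed IPv6 literals such as "[fd00::1]:443".
    """
    host = host_header.strip()
    if host.startswith("["):
        end = host.find("]")
        return host[1:end] if end != -1 else host
    # A single colon means "name:port" or "a.b.c.d:port"; more than one means
    # an unbracketed IPv6 literal, which carries no port.
    if host.count(":") == 1:
        host = host.rsplit(":", 1)[0]
    return host


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def rebind_check_passes(host_header: str,
                        system_hostname: str = SYSTEM_HOSTNAME,
                        system_domain: str = SYSTEM_DOMAIN,
                        alternate_hostnames=ALTERNATE_HOSTNAMES,
                        rebind_check_enabled: bool = True) -> bool:
    """True if a GUI request with this Host header should be served.

    Assumed rules (an approximation of the check described in the thread):
      * with the check disabled, everything passes (the option the thread
        advises against);
      * literal IP addresses always pass, since a rebinding attack relies on
        a hostname the attacker controls, not on the box's own address;
      * otherwise the host must equal the system hostname, the hostname
        qualified with the system domain, or one of the alternate hostnames.
    """
    if not rebind_check_enabled:
        return True
    host = _strip_port(host_header).lower().rstrip(".")
    if _is_ip_literal(host):
        return True
    allowed = {system_hostname.lower(), f"{system_hostname}.{system_domain}".lower()}
    allowed.update(h.lower().rstrip(".") for h in alternate_hostnames)
    return host in allowed


if __name__ == "__main__":
    # Before the VIP name is added as an alternate hostname, the symptom from
    # the original post appears; after adding it, the request is served.
    print("VIP name, nothing listed:", rebind_check_passes("fw-vip.lab.example", alternate_hostnames=[]))
    print("VIP name, listed:        ", rebind_check_passes("fw-vip.lab.example"))
    print("node FQDN with port:     ", rebind_check_passes("fw1.lab.example:443"))
    print("attacker-controlled name:", rebind_check_passes("evil.example"))
```

The last line of the demo is the reason not to simply disable the check: a page served from an attacker's domain whose DNS record has been repointed at your firewall's LAN address sends that domain in the Host header, and the hostname comparison is what stops the request. Listing the VIP's name as an alternate hostname keeps that protection while making the name usable.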
-
I will definitely heed your "best practice" advice, thanks.
The link you provided spoke of steps using Unbound. I'm using BIND. I don't see any rebind handles in the BIND settings. Any thoughts?
-
I don't think that feature is supported in BIND so it's probably not relevant. Just make the GUI change I mentioned above (to add the alternate hostname(s)) and you should be OK
-
OK. Great. That works.
Thanks again.