Netgate Discussion Forum

DNS rebind attack - internal and external DNS names - selective fix?

General pfSense Questions
    NickyDoes
    last edited by Jan 3, 2024, 12:38 PM

    My configuration includes an internal DNS namespace internal.arpa and an external DNS namespace external.com. The firewall is exposed on an internal IP and an external IP. As expected, I get a DNS rebind attack warning when attempting access via firewall.external.com.

    I read and understand this post on disabling DNS rebind detection.

    Is there a good way to allow the external name / namespace without completely disabling the DNS rebind detection mechanism?

    ndemarco

      stephenw10 Netgate Administrator
      last edited by Jan 3, 2024, 1:27 PM

      You can add 'Alternate Hostnames' in Sys > Adv > Admin Access.

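The check behind that warning, as an added illustration (my own Python model of the webGUI's Host-header validation, not pfSense's PHP code): a request is served only when the Host header carries an IP literal, the firewall's own hostname.domain, or one of the configured Alternate Hostnames; any other name, firewall.external.com included until it is added, is rejected as a potential rebind. Hostnames, domains and addresses below are constructed examples.

```python
"""Model of the DNS-rebinding Host-header check a firewall webGUI performs.

Added illustration, not pfSense's own code. Rule modelled: serve the request
only if the Host header is an IP literal, the system FQDN, or an Alternate
Hostname (Sys > Adv > Admin Access). Everything else is a potential rebind,
because a rebinding attack arrives with the attacker's name in Host while the
TCP connection lands on the firewall's own address.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class WebGuiConfig:
    hostname: str                       # System > General Setup: hostname
    domain: str                         # System > General Setup: domain
    alt_hostnames: set = field(default_factory=set)   # Alternate Hostnames list

    def fqdn(self) -> str:
        return f"{self.hostname}.{self.domain}".lower().rstrip(".")


def _split_host_header(value: str) -> str:
    """Return the host part of a Host header, lowercased, without port/brackets."""
    v = value.strip().lower()
    if v.startswith("["):               # [2001:db8::1]:443 -> 2001:db8::1
        return v[1:v.index("]")]
    if v.count(":") == 1:               # name:port or v4:port; bare v6 has more colons
        v = v.split(":", 1)[0]
    return v.rstrip(".")


def host_header_allowed(host_header: str, cfg: WebGuiConfig) -> tuple:
    """Return (allowed, reason) for one Host header value."""
    host = _split_host_header(host_header)
    try:
        ipaddress.ip_address(host)      # IP literals cannot be rebound via DNS
        return True, "ip-literal"
    except ValueError:
        pass
    if host == cfg.fqdn():
        return True, "system-fqdn"
    if host in {h.lower().rstrip(".") for h in cfg.alt_hostnames}:
        return True, "alternate-hostname"
    return False, "potential DNS rebind attack"


if __name__ == "__main__":
    cfg = WebGuiConfig("firewall", "internal.arpa")   # constructed config
    for hdr in ("firewall.internal.arpa", "firewall.external.com:443", "10.0.0.1"):
        print(hdr, host_header_allowed(hdr, cfg))
    cfg.alt_hostnames.add("firewall.external.com")
    print("after adding alternate hostname:",
          host_header_allowed("firewall.external.com:443", cfg))
```

Adding only the specific external name keeps the property the check exists for: a name the attacker controls, pointed at the firewall's LAN address, still fails the comparison, whereas disabling rebind detection outright would let it through.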
        NickyDoes @stephenw10
        last edited by Jan 3, 2024, 6:56 PM

        @stephenw10 I've been using pfSense for >10 years. You'd think I would have thought to look there...or read.

        Thanks.

          johnpoz LAYER 8 Global Moderator @NickyDoes
          Jan 3, 2024, 7:13 PM, last edited by johnpoz Jan 3, 2024, 7:19 PM

          @ndemarco said in DNS rebind attack - internal and external DNS names - selective fix?:

          You'd think I would have thought to look there

          Yup you would think ;)

          As to internal.arpa - It's been a while since I read the RFC for the new home.arpa, but I don't think using anyname.arpa is really recommended; home.arpa is what is recommended for your internal domain.

          https://www.rfc-editor.org/rfc/rfc8375.html
          Special-Use Domain 'home.arpa.'

          Use of otherdomain.arpa could lead to problems if the global DNS is queried.

          You probably would want to switch to, say, yourchoice.home.arpa if you want to use something in the FQDN other than just home.arpa. I have finally migrated to home.arpa from my local.lan choice of years ago. It was pretty painless, just had to redo some certs is all. And just in case, when I redid the certs I left hostname.local.lan in there as a SAN.

          The reason I was dragging my feet on the move was more due to the fact that the old certs I had created had a long life of 10 years, vs now browsers like to see less than, what, 398 days for the life of a cert. Since the certs were created before the change to that, they still allowed access without the browser complaining about the length of the life of the cert.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

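The resolver side of the same problem, as an added illustration (my own Python model, not Unbound's or pfSense's code): the DNS Resolver serves home.arpa and host overrides from local data and never forwards them, while for any other name it strips private addresses out of whatever the global DNS returns unless that name is explicitly trusted. An unreserved name such as organization.arpa therefore leaves the network, and even when its public zone answers, the RFC 1918 records are dropped. The zones, host overrides, address ranges and the "upstream" table are constructed stand-ins.

```python
"""Resolver-side rebinding filter with locally served zones.

Added illustration modelled on the local-zone / private-address /
private-domain behaviour pfSense configures in Unbound; not their code.
LOCAL_DATA stands in for host overrides, UPSTREAM for the global DNS,
PRIVATE_NETS for the address ranges treated as internal. All constructed.
"""
import ipaddress

LOCAL_ZONES = {"home.arpa."}            # RFC 8375: answered locally, never forwarded

LOCAL_DATA = {                          # constructed host overrides
    "sg4860.dmz.home.arpa.": ["192.168.3.253"],
    "sg4860.wlan.home.arpa.": ["192.168.5.253"],
}

UPSTREAM = {                            # constructed stand-in for the global DNS
    "firewall.external.com.": ["203.0.113.10"],
    "nas.organization.arpa.": ["192.168.1.20"],            # leaked internal name
    "attacker.example.": ["198.51.100.7", "192.168.1.1"],  # rebinding attempt
}

PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",       # RFC 1918
    "169.254.0.0/16", "fd00::/8", "fe80::/10",             # link-local, ULA
)]

PRIVATE_DOMAINS = set()   # public names allowed to return private addresses


def _canon(name: str) -> str:
    """Lowercase, single trailing dot."""
    return name.lower().rstrip(".") + "."


def in_zone(name: str, zone: str) -> bool:
    """True if name is zone itself or anything below it."""
    name, zone = _canon(name), _canon(zone)
    return name == zone or name.endswith("." + zone)


def is_private(addr: str) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in n for n in PRIVATE_NETS)


def resolve(qname, local_zones=LOCAL_ZONES, local_data=LOCAL_DATA,
            upstream=UPSTREAM, private_domains=PRIVATE_DOMAINS):
    """Return (answers, source); source is 'local', 'upstream' or 'filtered'."""
    q = _canon(qname)
    if any(in_zone(q, z) for z in local_zones):
        # Locally served: private addresses are expected, nothing leaves the box.
        return list(local_data.get(q, [])), "local"
    answers = upstream.get(q, [])
    if any(in_zone(q, d) for d in private_domains):
        return list(answers), "upstream"       # explicitly trusted public name
    kept = [a for a in answers if not is_private(a)]
    return kept, "filtered" if len(kept) != len(answers) else "upstream"


if __name__ == "__main__":
    for name in ("sg4860.dmz.home.arpa", "firewall.external.com",
                 "nas.organization.arpa", "attacker.example"):
        print(f"{name:28s} -> {resolve(name)}")
```

The two outcomes to compare are nas.organization.arpa, which comes back empty because the query went upstream and the only record was private, and sg4860.dmz.home.arpa, which is answered from local data with its private address intact. Using int.organization.com internally behaves like the organization.arpa case unless that subdomain is also served locally or listed as a private domain.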
            NickyDoes @johnpoz
            last edited by Jan 3, 2024, 7:24 PM

            @johnpoz

            I haven't discovered a good way to integrate my local domain with my outside domain. Good means minimal compromises. Over the years, I've tried these approaches:

            organization.com - just use the external domain internally. This has been my solution for a long time.
            organization.local -> we know the issues with that.
            int.organization.com -> I did this long ago, and don't recall the issues. I believe some devices don't like subdomains.
            and of course, organization.arpa - which I thought was what NG/pf had gone to recommending.

            This is a topic I've searched and read a lot on. I'd appreciate a nudge in the 'right' direction.

            ndemarco

              johnpoz LAYER 8 Global Moderator @NickyDoes
              Jan 3, 2024, 7:28 PM, last edited by johnpoz Jan 3, 2024, 7:32 PM

              @ndemarco What sort of devices don't like subdomains? Devices have zero care if the FQDN is host.domain.tld or host.sub.domain.tld; it's still the FQDN.

              If you want a nudge I would use home.arpa; if you so desire to have your own flair on that then use host.something.home.arpa. I do this for a few interfaces on pfSense where I set up a host override, so if I do a PTR on, say, my DMZ, it comes back sg4860.dmz.home.arpa - now I know hey, that 192.168.x IP is my DMZ segment.

              $ dig -x 192.168.3.253

              ; <<>> DiG 9.16.45 <<>> -x 192.168.3.253
              ;; global options: +cmd
              ;; Got answer:
              ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46845
              ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

              ;; OPT PSEUDOSECTION:
              ; EDNS: version: 0, flags:; udp: 1232
              ;; QUESTION SECTION:
              ;253.3.168.192.in-addr.arpa.    IN      PTR

              ;; ANSWER SECTION:
              253.3.168.192.in-addr.arpa. 1927 IN     PTR     sg4860.dmz.home.arpa.

              ;; Query time: 4 msec
              ;; SERVER: 192.168.3.10#53(192.168.3.10)
              ;; WHEN: Wed Jan 03 13:27:53 Central Standard Time 2024
              ;; MSG SIZE  rcvd: 89


              and I get the same for my wlan, and wguest, etc. etc..

              If devices didn't like subdomains, the internet wouldn't be able to function.

              I did the different names for the different networks via host overrides, because sometimes I forget hey, what network is my Roku network vs my IoT networks. I can just do a simple dig -x for the pfSense IP in whatever network, 192.168.x.253, and know exactly what network I am on ;)


                NickyDoes @johnpoz
                last edited by Jan 3, 2024, 7:38 PM

                @johnpoz I vaguely recall some [dumb] devices that validate the URI looking for only one '.'.

                I'll do some experimenting. Thanks.

                  johnpoz LAYER 8 Global Moderator @NickyDoes
                  last edited by Jan 3, 2024, 7:46 PM

                  @ndemarco I have never run into such a device; that would be horrible on the makers of whatever device, and they should hopefully have fixed that right after release of such a horrible choice. Maybe in your hostname section, if you were trying to add the hostname with a '.' in it.

                  Normally the thing just either asks for the full FQDN, or it breaks it out to host and domain. In the case with host and domain it would be

                  name: host
                  domain: sub.domain.tld or sub.other.domain.tld etc..


                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.