Netgate Discussion Forum

DNS - Bind Redirect Error - Rebinding settings

    penguinpages
    last edited by May 17, 2025, 4:00 PM

    I have a zone for internet

    acme.com

    I have a zone for intranet

    core.acme.com

    I have a PI hosting an internal only website:

    web01.core.acme.com 172.16.100.120

    also listening on

    www.web01.core.acme.com 172.16.100.120

    Bind in pfsense is hosting zone core.acme.com

    In that zone I have A/PTR record for host:

    pi.core.acme.com 172.16.100.120

    I then set up two CNAME records
    web01.core.acme.com and www.web01.core.acme.com to 172.16.100.120

    Web server works and responds fine if I go to IP.

    But if I go to web01.core.acme.com or www.web01.core.acme.com I get redirected: http://www.web01.core.acme.net:500

    Page: Potential DNS Rebind attack detected, see https://en.wikipedia.org/wiki/DNS_rebinding
    Try accessing the router by IP address instead of by hostname.

    I looked up rebind error and understand logic but not how to fix this in pfsense. I can't enable both BIND and something like DNS Resolver service as both are on port 53.

    This seems like a simple task but not seeing examples or my Google-fu is not so good.

    Thanks

      tinfoilmatt @penguinpages
      last edited by 28 days ago

      @penguinpages said in DNS - Bind Redirect Error - Rebinding settings:

      web01.core.acme.com and www.web01.core.acme.com to 172.16.100.120

      Should these CNAME answers be pi.core.acme.com?

        penguinpages @tinfoilmatt
        last edited by penguinpages 18 days ago

        @tinfoilmatt

        Thanks for response but no.

        The issue is that pfsense was redirecting URLs and proxying them to some form of page it managed vs resolving the hostname provided and redirecting what is a CNAME in the public cloud as a form of resolution for "internet" sessions (such as ACME validation) but also an intranet IP/host. Within a SOA zone it manages

        Ex:

        Intranet test correct:

        dig +short traefik.core.acme.net shuffleboard01.core.acme.net
        172.16.100.120
        172.16.100.120
        
        curl -k https://shuffleboard01.core.acme.net/index.html
        <!DOCTYPE html>
        <html lang="en">
        <head>
            <meta charset="UTF-8">
            <title>Shuffleboard Game</title>
        
        

        Internet test

        dig +short traefik.core.acme.net shuffleboard01.core.acme.net
        penguinpages.net.
        18.234.137.234
        penguinpages.net.
        18.234.137.234
        curl -k https://shuffleboard01.core.acme.net/index.html
        <!DOCTYPE html>
        <html lang="en">
        <head>
            <meta charset="UTF-8">
            <title>Shuffleboard Game</title>
        

        What I am struggling with now is that along the way I was root causing acme HTTP-01 Cert setup with letsencrypt, and the current "fix" is to disable my enhanced firewalling "pfBlockerNG"

        but this is not sustainable. And I need to figure out means to "Whitelist" any letsencrypt server, world wide. Then I assume I will have to return back to this URL redirect issue.

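Added example, not written by either poster and not pfSense or BIND code: a Python check of the point raised in the second post, that a CNAME target is a hostname, so under standard zone-file rules a target written without a trailing dot (an IP literal included) is taken relative to the zone origin. The sample records are constructed from the names in the first post and assume the simple `owner IN type rdata` layout with no TTL field.

```python
import ipaddress

# Constructed sample records modelled on the thread (not the poster's real zone file).
ORIGIN = "core.acme.com."
SAMPLE_ZONE = """\
pi          IN A     172.16.100.120
web01       IN CNAME 172.16.100.120
www.web01   IN CNAME 172.16.100.120
traefik     IN CNAME pi
"""

def absolute(name, origin):
    """Zone-file rule: a name without a trailing dot is relative to the origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def is_ip_literal(text):
    try:
        ipaddress.ip_address(text.rstrip("."))
        return True
    except ValueError:
        return False

def lint_cnames(zone_text, origin):
    """Return (owner, target_as_written, name_actually_published, problem) per bad CNAME."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split(";")[0].split()  # drop comments, split on whitespace
        if len(fields) >= 4 and fields[1].upper() == "IN":
            records.append((absolute(fields[0], origin), fields[2].upper(), fields[3]))
    owners = {owner for owner, _, _ in records}
    findings = []
    for owner, rtype, rdata in records:
        if rtype != "CNAME":
            continue
        target = absolute(rdata, origin)
        if is_ip_literal(rdata):
            findings.append((owner, rdata, target, "target is an IP literal, parsed as a hostname"))
        elif target.endswith("." + origin) and target not in owners:
            findings.append((owner, rdata, target, "target has no record in this zone"))
    return findings

if __name__ == "__main__":
    for finding in lint_cnames(SAMPLE_ZONE, ORIGIN):
        print(finding)
```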