Netgate Discussion Forum
    DNS - Bind Redirect Error - Rebinding settings

    DHCP and DNS
    3 Posts 2 Posters
    • penguinpages

      I have a zone for internet

      acme.com

      I have a zone for intranet

      core.acme.com

      I have a PI hosting an internal only website:

      web01.core.acme.com 172.16.100.120

      also listening on

      www.web01.core.acme.com 172.16.100.120

      Bind in pfsense is hosting zone core.acme.com

      In that zone I have A/PTR record for host:

      pi.core.acme.com 172.16.100.120

      I then setup two CNAME records
      web01.core.acme.com and www.web01.core.acme.com to 172.16.100.120

      web server works and responds fine if I go to IP.

      But if I go to web01.core.acme.com or www.web01.core.acme.com I get redirected: http://www.web01.core.acme.net:500

      Page: Potential DNS Rebind attack detected, see https://en.wikipedia.org/wiki/DNS_rebinding
      Try accessing the router by IP address instead of by hostname.

      I looked up the rebind error and understand the logic, but not how to fix this in pfSense. I can't enable both BIND and something like the DNS Resolver service, as both are on port 53.

      This seems like a simple task, but I'm not seeing examples, or my Google-fu is not so good.

      Thanks

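An added example, not code from the thread or from the pfSense/BIND projects, of the "rebinding settings" the question asks about. The rebinding protection pfSense applies in its Unbound DNS Resolver is a private-address filter; BIND has its own equivalent in named.conf, deny-answer-addresses and deny-answer-aliases, which filter answers received from other servers. The zone name and 172.16.100.120 are taken from the post; the ACL name, the directory path, the allow-recursion list and the except-from lists are assumptions. Worth knowing before changing anything: the "Potential DNS Rebind attack detected" page quoted above is produced by the pfSense webConfigurator itself when a request arrives with a Host header that is neither the firewall's hostname nor one of its addresses, so seeing it means the browser reached the firewall's GUI rather than the Pi, and the first check is what BIND actually answers for web01.core.acme.com.

```bind
// named.conf fragment (paths and ACL name are assumptions).
// How this is applied through the pfSense BIND package GUI is not covered here.

acl "private-space" {
    10.0.0.0/8;
    172.16.0.0/12;
    192.168.0.0/16;
    127.0.0.0/8;
    169.254.0.0/16;
    fc00::/7;
    fe80::/10;
    ::1;
};

options {
    directory "/usr/local/etc/namedb/working";   // assumption
    recursion yes;
    allow-recursion { 172.16.0.0/12; 127.0.0.1; }; // assumption: LAN + localhost only

    // Rebinding protection for the resolver path: an A/AAAA answer received
    // from ANOTHER server that points at private space is dropped.
    // Authoritative data served from the local zone core.acme.com is not
    // subject to this filter, so pi.core.acme.com -> 172.16.100.120 still
    // resolves. except-from lists query names for which private answers from
    // outside are legitimate (assumption: none besides the internal zone).
    deny-answer-addresses { private-space; }
        except-from { "core.acme.com"; };

    // Same idea for aliases: an answer from outside may not CNAME/DNAME into
    // the internal zone, unless the query itself was for a name under it.
    deny-answer-aliases { "core.acme.com"; }
        except-from { "core.acme.com"; };
};
```

After `named-checkconf` and `rndc reconfig`, `dig @<bind-address> web01.core.acme.com A +noall +answer` should show the CNAME followed by the A record for pi.core.acme.com; if the answer is the firewall's own address, the rebind page is explained by the zone data, not by the rebinding filter.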
      • tinfoilmatt @penguinpages

        @penguinpages said in DNS - Bind Redirect Error - Rebinding settings:

        web01.core.acme.com and www.web01.core.acme.com to 172.16.100.120

        Should these CNAME answers be pi.core.acme.com?

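To make the reply concrete, an added example (not code from the thread) of the core.acme.com zone with both aliases pointing at the owner name of the A record rather than at the address. The host names and 172.16.100.120 come from the first post; the NS name, the NS address, the SOA contact, the serial and the TTLs are assumptions. The RDATA of a CNAME is a domain name, so a bare `172.16.100.120` in that field is not an error to BIND: it is read as the relative name 172.16.100.120.core.acme.com, which has no A record, and the alias resolves to nothing.

```bind
$ORIGIN core.acme.com.
$TTL 3600
@           IN  SOA  ns1.core.acme.com. hostmaster.core.acme.com. (
                        2025010101  ; serial   (assumption: YYYYMMDDnn)
                        3600        ; refresh
                        900         ; retry
                        1209600     ; expire
                        300 )       ; negative-cache TTL
            IN  NS   ns1.core.acme.com.

ns1         IN  A    172.16.100.1     ; assumption: the BIND/pfSense address
pi          IN  A    172.16.100.120   ; the host that actually listens

; Aliases point at a NAME, never at an address. A CNAME owner may carry no
; other records, and only one CNAME per owner name.
web01       IN  CNAME  pi.core.acme.com.
www.web01   IN  CNAME  pi.core.acme.com.

; What the first post described, kept here only as a comment:
;   web01   IN  CNAME  172.16.100.120
; is accepted syntactically but means 172.16.100.120.core.acme.com.
```

Validate with `named-checkzone core.acme.com <zone-file>` and load with `rndc reload core.acme.com`; `dig +short www.web01.core.acme.com` should then print `pi.core.acme.com.` followed by `172.16.100.120`. The PTR for 120 belongs in the separate 100.16.172.in-addr.arpa zone and should point at pi.core.acme.com., the canonical name, not at an alias.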
        • penguinpages @tinfoilmatt

          @tinfoilmatt

          Thanks for response but no.

          The issue is that pfSense was redirecting URLs and proxying them to some form of page it managed, vs. resolving the hostname provided and redirecting what is a CNAME in the public cloud (as a form of resolution for "internet" sessions, such as ACME validation) but also an intranet IP/host, within an SOA zone it manages.

          Ex:

          Intranet test correct:

          dig +short traefik.core.acme.net shuffleboard01.core.acme.net
          172.16.100.120
          172.16.100.120
          
          curl -k https://shuffleboard01.core.acme.net/index.html
          <!DOCTYPE html>
          <html lang="en">
          <head>
              <meta charset="UTF-8">
              <title>Shuffleboard Game</title>
          
          

          Internet test

          dig +short traefik.core.acme.net shuffleboard01.core.acme.net
          penguinpages.net.
          18.234.137.234
          penguinpages.net.
          18.234.137.234
          curl -k https://shuffleboard01.core.acme.net/index.html
          <!DOCTYPE html>
          <html lang="en">
          <head>
              <meta charset="UTF-8">
              <title>Shuffleboard Game</title>
          

          What I am struggling with now is that along the way I was root-causing ACME HTTP-01 cert setup with Let's Encrypt, and the current "fix" is to disable my enhanced firewalling, "pfBlockerNG":

          (screenshot: c32d5c46-3018-4a6d-80a7-4aec67f1c313-image.png)

          but this is not sustainable. And I need to figure out a means to "whitelist" any Let's Encrypt server, worldwide. Then I assume I will have to return to this URL redirect issue.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.