No access to webinterface "Potential DNS Rebind attack detected" since July/3
-
Hi,
http://redmine.pfsense.org/issues/708 ?
I can't access the webinterface anymore..
Thank you!
Edit: Is it safe to downgrade to the last snapshot before? The one from 30th June? Or was there anything changed inside config.xml?
-
Same here.
Edit: I reinstalled June 30 snapshot and reloaded a saved configuration and all all is back to normal. Before resorting to this solution I reset the system to factory default 3 times and set everything as a first time setting to no avail. After setting it back to https the "Potential DNS Rebind…" appeared.
-
using HTTPS.)Note: Access vi internal IP works (still using HTTPS). This access is via the OpenVPN Server running on this same system.
System info:
Host: VMWare ESXi 4.x
Guest: Initial Install: pfSense-2.0-BETA3-20100630-1444
Update: pfSense-Full-Update-2.0-BETA3-20100703-0057 via AutoUpdate w/signing check disabled"Hardware":
2 CPU
2 NICs (Only 1 in use, running as OpenVPN Server Only)
256MB RAM
1GB HD -
This happens to me also when accessing it from lan
Edit: same problem with today's snaphot
-
I've been accessing my VMs from their LAN side and WAN side both, haven't had any issues. Have you tried with a snapshot from the 5th or preferably the 6th?
-
I'm getting this message when accessing pfsense via its DynDNS FQDN on WAN (https). No problem using the WAN IP address, nor using https://pfsense or 192.168.1.1 from LAN. Chrome and Firefox affected.
July 4 and 5 snapshots affected. Will try the latest tonight.
-
ok, that's a new bit of information. I've only been accessing it by IP address.
-
This commit just went in which should help with dyndns hostnames, as long as the dyndns hostname is configured in pfSense (which it should be in most cases).
Can you try to gitsync and try again?
-
And I committed a fix after that which fixed another issue with that.
It works for me from dyndns hostnames now.
-
Sorry, I tried everything on the git page you linked and got nothing but errors. I also made my filesystem writable first but no dice.
-
ah, on nanobsd that doesn't work so well.
You'll have to wait for the next new image. I stopped a build in progress since it didn't have these changes, and started it again. It will probably be late this evening when it uploads the nanobsd images.
Or you can download an updated copy of /etc/inc/auth.inc:
# /etc/rc.conf_mount_rw # fetch -o /etc/inc/auth.inc http://redmine.pfsense.org/projects/pfsense/repository/revisions/master/raw/etc/inc/auth.inc # /etc/rc.conf_mount_ro -
I'll try the next snapshot then. Is there some cleanup I need to do in my filesystem after attempting to install git? I don't see anything glaringly out of place in /root or /tmp.
-
I'll try the next snapshot then. Is there some cleanup I need to do in my filesystem after attempting to install git? I don't see anything glaringly out of place in /root or /tmp.
Not really, it might leave some files in /root/pfSense/ you can safely remove.
-
Hi again,
tried the 6th June Snapshot, still the same issue.
Cannot access the webinterface from wan by its ipaddress nor hostname. DNS Rebind…
I'll try next snapshot when it comes available. -
Jim made the change around 3.5 hours ago; not long enough to be in the latest build. The next snapshot will be the true test.
-
Yes, I'm excited already ;)
BTW: was just referring to "Have you tried with a snapshot from the 5th or preferably the 6th?"
-
Especially since I had to stop the builder and restart it again, we found several more bugs and cases to test for in that code.
If you need the fixes, pull in the code with the fetch command I mentioned above and it should be OK.
-
Hey, thnx very much.
I for myself will stick to 30th June Snapshot in the meanwhile.Thnx for all the hard work!
-
This may be a Potential DNS Rebind attack not an issue with pfsense. Do an nslookup or dig of google.com or twitter.com Use multiple DNS servers other than your own as well as the router.
-
This may be a Potential DNS Rebind attack not an issue with pfsense. Do an nslookup or dig of google.com or twitter.com Use multiple DNS servers other than your own as well as the router.
No, we actually added a bunch of code to protect against DNS rebind attacks that would affect the web interface, but the checks needed some work. They should be OK in the next snapshot that comes out.
