How to get rid of "Potential DNS Rebind attack detected"



  • Hi,

    referring to this thread: http://forum.pfsense.org/index.php/topic,26434.30.html
    I still get this message ("Potential DNS Rebind attack detected") when trying to access the web GUI if

    • using Port 444 instead of the standard https port (443, which makes no problems if used for the webGUI) and
    • it is accessed by a different hostname (e.g. pfs.myserver.org; works ok with pure IP addresses).
      OR
    • if Port 443 should be used for other services (i.e. using haproxy as a balancer; port 444 makes no problems in this case) and
    • it is accessed by a different hostname (e.g. pfs.myserver.org; works ok with pure IP addresses).
      In short, the webGUI makes no problems on 443 if other services are on 444. This changes if the ports are exchanged.

    The hostname has been registered under System: Advanced: Admin Access: Alternate Hostnames (either as pfs.myserver.org and as pfs) and the Disable DNS Rebinding Checks option has been activated. Still, the error occurs given the above conditions.

    Are there any other options that could be tried to get rid of this behaviour?
    Thanks
    fatzopilot



  • Forgot to mention: 2.0-RELEASE-pfSense (amd64) on BSD


  • Rebel Alliance Developer Netgate

    You can disable rebinding protection under System > Advanced, on the Admin tab. You can also add alternate hostnames into a box there to allow them to be used as well.

    Are you actually changing the GUI port when you go to 444, or are you using a port forward to go from 444 to localhost:443 or similar? If you used a port forward, remove it, and actually use the new port number.
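
An added sketch, not part of the thread and not pfSense's own code, of a Host-header allow-list check of the kind the alternate-hostnames setting feeds. It handles the non-default-port case, where the browser sends `name:444` in the Host header and the port must be stripped before comparing. `OWN_NAMES` and all function names are assumptions made for this example.

```python
import ipaddress

# ALTERNATE_HOSTNAMES uses the names from the thread; OWN_NAMES is constructed.
OWN_NAMES = ["pfsense.localdomain", "pfsense"]
ALTERNATE_HOSTNAMES = ["pfs.myserver.org", "pfs"]


def split_host_port(host_header):
    """Split an HTTP Host header value into (host, port or None)."""
    value = host_header.strip().lower()
    if value.startswith("["):  # bracketed IPv6 literal, e.g. [fe80::1]:444
        host, _, rest = value[1:].partition("]")
        port = rest[1:] if rest.startswith(":") else ""
    elif value.count(":") == 1:  # hostname or IPv4 address followed by a port
        host, _, port = value.partition(":")
    else:  # no port (or a bare, unbracketed IPv6 literal)
        host, port = value, ""
    return host.rstrip("."), (int(port) if port.isdigit() else None)


def is_ip_literal(host):
    """True if host is an IPv4 or IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def host_allowed(host_header, own_names, alternate_names, checks_disabled=False):
    """Return True if a request carrying this Host header should be served."""
    if checks_disabled:
        return True
    host, _port = split_host_port(host_header)
    if not host:
        return False
    # An IP literal involves no DNS lookup, so there is no name to rebind.
    if is_ip_literal(host):
        return True
    allowed = {n.lower().rstrip(".") for n in (*own_names, *alternate_names)}
    return host in allowed
```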



  • Same problem here.

    On 1.2.3 it ran OK.

    I have one WAN NAT of port 443 to an inside webserver.

    The pfSense GUI is on the same port, but I think the NAT should fire before the webGUI. The pfSense GUI should be accessed from the local network.

    Could someone tell us how to have the 443 NAT and the pfSense GUI on the same port?

    As a solution we could change the pfSense GUI port, but if this worked on 1.2.3, I don't know why it's not working on 2.0.

    Regards,



  • It seems there is a problem with the NAT. The rules were imported and they seem to look OK.

    Is there anything to be noted about changes in the NAT rules related to this?

    I set the Reflection NAT to false and the auto rule-add to None to do it manually.



  • After fixing the other problems I had after the upgrade to 2.0, I could have the webConfigurator of pfSense on port 443 and a WAN NAT rule on the same port coexisting, as it was on 1.2.3.

    How I fixed my problems:

    Routes and IP Aliasing
    http://forum.pfsense.org/index.php/topic,43320.msg225823.html#msg225823

    Problems on the boot script of pfSense
    http://forum.pfsense.org/index.php/topic,43766.msg226677.html#msg226677



  • Hi guys, I got this fixed. In Internet Explorer, click Tools - Developer Tools - click on Script - click Start debugging. After the debug is complete, restart Internet Explorer and try visiting your webpage again. Good luck.
    ;)

