Internal DNS Server problem with DNS-rebind attack detected

Donny

Hello all,
I have DNS problem. If someone can help. Here under is my detail.

I have tested between Squid3 with LDAP (Windows Server 2008). I can use domain users to authentication login to web browser and successes.

pfSense configuration detail
System > General setup > DNS Servers :
172.31.21.10       (Internal DNS, DHCP Windows Sever 2008 )
208.67.222.222    (OpenDNS)
208.67.220.220    (OpenDNS)

Sevices > DNS forwarders : Enable DNS forwarders has checked.

On Windows Server 2008

At DNS forwarder tab I forward to
172.31.21.1        pfSense
208.67.222.222   OpenDNS
208.67.220.220   OpenDNS
also I have made pfsense record name on DNS server.

After domain users  successes login with web browser (Firefox, IE,Opera and Chrome). At system log I got DNS-rebind attack as the detail below.

Code:
Apr 22 13:13:31 	dnsmasq[30943]: possible DNS-rebind attack detected: ForestDnsZones.xxxx.dsns
Apr 22 13:13:31 	dnsmasq[30943]: possible DNS-rebind attack detected: ForestDnsZones.xxxx.dsns
Apr 22 13:13:31 	dnsmasq[30943]: possible DNS-rebind attack detected: DomainDnsZones.xxxx.dsns
Apr 22 13:13:31 	dnsmasq[30943]: possible DNS-rebind attack detected: DomainDnsZones.xxxx.dsns
Apr 22 13:13:31 	dnsmasq[30943]: possible DNS-rebind attack detected: xxxx.dsns
Apr 22 13:13:31 	dnsmasq[30943]: possible DNS-rebind attack detected: xxxx.dsns

I tried to find another solution by google search and some pfsense forum but can not solve this problem. Also I tried to "disable DNS Rebinding Checks" or "Alternate Hostnames" or
"Browser HTTP_REFERER enforcement" at System > Advanced and domain overrides but when I do this I can not login with domain users to web browser. finally reboot pfSense and it does not solve this problem.
It look like OpenDNS could not work very well together with Squid3 and LDAP (Windows 2008)for authentication.

Any suggestion !

Thank you

Gradius

OpenDNS was compromised around a week ago, I wouldn't trust them!

jimp

That just means you're getting back a private IP response from the DNS server. If that is normal, you can disable DNS rebinding protection under System > Advanced.

Donny

@jimp:

That just means you're getting back a private IP response from the DNS server. If that is normal, you can disable DNS rebinding protection under System > Advanced.

Hello Jimp,

" I use SARG and Squid proxy authentication with Ldap Windows 2008."

I tried to disable DNS rebinding protection under System > Advanced, when I do this I can't use domain username from Win2008 login to web browser. I  already read some wiki document on pfSense web site and search over "DNS-rebind attack detected" on this forum a lot (DHCP and DNS) but it just only reference to DHCP and DNS. I could not find how to configuration internal DNS server work on pfSense with SARG and Squid proxy authentication with Ldap Windows 2008 (correctly)

I use sarg and squid proxy authentication with Ldap Windows 2008. I always have "DNS-rebind attack detected: xxxxter.dsns" problem only I put internal DNS server IP address on System > General Setup> DNS Servers, when I use domain username login on Chrome or Firefox web browser.  I spend a lot of time to find out to solve this problem but never success.

For Squid authentication with LDAP Windows 2008, when I only use OpenDNS 208.67.222.222 and 208.67.220.220 at pfSense : System > General Setup > DNS Servers, and I try to login via web browser with domain username, the web browser still hang up only "loading" and take too long before the web page is coming up.

If I use this way here under I do not get any DNS-rebind attack detected.

1. Use DNS Server from ISP : 67.xx.xxx.xx and 203.xx.xxx.xx or Use DNS Server from google : 8.8.8.8 and 8.8.4.4
2. At System > General Setup > DNS Servers. I take off IP address from internal DNS Server Windows 2008 because it will cause "DNS-rebind attack detected" If I still use internal dns ip address.

So, at System > General Setup > DNS Servers, I only use DNS Server from my ISP (67.xx.xxx.xx and 203.xx.xxx.xx) or use Google DNS Server 8.8.8.8 and 8.8.4.4.
Now I can use domain users to authenticate login via web browser and I don't get any DNS-rebind attack detected anymore. Every users from the domain that I tested, it's succeses.

Any suggestion.

Thank u very much Jimp

Donny

cmb

@Gradius:

OpenDNS was compromised around a week ago, I wouldn't trust them!

Proof? Haven't heard anything about that, that'd be big news. I've heard such claims previously but they never checked out to be anything other than someone else's NS's getting compromised.

jhoche

I'm having the same problem! When I Disable "DNS Rebinding Checks", stop squid authentication on AD. I'm studing any solution.  ;D