Netgate Discussion Forum

    Internal DNS Server problem with DNS-rebind attack detected

    DHCP and DNS
    • Donny

      Hello all,
      I have a DNS problem. If someone can help, here are my details.

      I have tested Squid3 with LDAP (Windows Server 2008). I can use domain users to authenticate logins in the web browser, and it succeeds.

      pfSense configuration detail
      System > General setup > DNS Servers :
      172.31.21.10       (Internal DNS, DHCP Windows Server 2008)
      208.67.222.222    (OpenDNS)
      208.67.220.220    (OpenDNS)

      Services > DNS forwarder: "Enable DNS forwarder" is checked.

      On Windows Server 2008

      At the DNS forwarder tab I forward to
      172.31.21.1        pfSense
      208.67.222.222   OpenDNS
      208.67.220.220   OpenDNS
      I have also created a host record for pfSense on the DNS server.

      After domain users successfully log in with a web browser (Firefox, IE, Opera and Chrome), I get "DNS-rebind attack detected" in the system log, as shown below.

      Code:
      Apr 22 13:13:31 	dnsmasq[30943]: possible DNS-rebind attack detected: ForestDnsZones.xxxx.dsns
      Apr 22 13:13:31 	dnsmasq[30943]: possible DNS-rebind attack detected: ForestDnsZones.xxxx.dsns
      Apr 22 13:13:31 	dnsmasq[30943]: possible DNS-rebind attack detected: DomainDnsZones.xxxx.dsns
      Apr 22 13:13:31 	dnsmasq[30943]: possible DNS-rebind attack detected: DomainDnsZones.xxxx.dsns
      Apr 22 13:13:31 	dnsmasq[30943]: possible DNS-rebind attack detected: xxxx.dsns
      Apr 22 13:13:31 	dnsmasq[30943]: possible DNS-rebind attack detected: xxxx.dsns

      I tried to find another solution by Google search and on some pfSense forums but could not solve this problem. I also tried "Disable DNS Rebinding Checks", "Alternate Hostnames" and
      "Browser HTTP_REFERER enforcement" under System > Advanced, and domain overrides, but when I do this I cannot log in with domain users via the web browser. Finally I rebooted pfSense, and that does not solve the problem either.
      It looks like OpenDNS does not work very well together with Squid3 and LDAP (Windows 2008) for authentication.

      Any suggestions?

      Thank you

      • Gradius

        OpenDNS was compromised around a week ago, I wouldn't trust them!

        • jimp (Rebel Alliance Developer, Netgate)

          That just means you're getting back a private IP response from the DNS server. If that is normal, you can disable DNS rebinding protection under System > Advanced.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          • Donny

            @jimp:

            That just means you're getting back a private IP response from the DNS server. If that is normal, you can disable DNS rebinding protection under System > Advanced.

            Hello Jimp,

            "I use SARG and Squid proxy authentication with LDAP Windows 2008."

            I tried disabling DNS rebinding protection under System > Advanced; when I do this I can't use a domain username from Win2008 to log in via the web browser. I have already read some wiki documents on the pfSense web site and searched for "DNS-rebind attack detected" on this forum a lot (DHCP and DNS), but they only refer to DHCP and DNS. I could not find how to configure an internal DNS server to work (correctly) on pfSense with SARG and Squid proxy authentication with LDAP Windows 2008.

            I use SARG and Squid proxy authentication with LDAP Windows 2008. I always get the "DNS-rebind attack detected: xxxxter.dsns" problem, but only when I put the internal DNS server IP address in System > General Setup > DNS Servers and log in with a domain username on the Chrome or Firefox web browser. I have spent a lot of time trying to solve this problem but never succeeded.

            For Squid authentication with LDAP Windows 2008, when I only use OpenDNS 208.67.222.222 and 208.67.220.220 in pfSense at System > General Setup > DNS Servers and try to log in via the web browser with a domain username, the web browser still hangs on "loading" and takes too long before the web page comes up.

            If I use the method below, I do not get any "DNS-rebind attack detected" messages.

            1. Use the DNS servers from my ISP (67.xx.xxx.xx and 203.xx.xxx.xx) or the Google DNS servers (8.8.8.8 and 8.8.4.4).
            2. At System > General Setup > DNS Servers, remove the IP address of the internal Windows 2008 DNS server, because it causes "DNS-rebind attack detected" if I keep using the internal DNS IP address.

            So, at System > General Setup > DNS Servers, I only use the DNS servers from my ISP (67.xx.xxx.xx and 203.xx.xxx.xx) or the Google DNS servers 8.8.8.8 and 8.8.4.4.
            Now I can use domain users to authenticate logins via the web browser and I don't get any "DNS-rebind attack detected" messages anymore. Every user from the domain that I tested succeeds.

            Any suggestions?

            Thank you very much Jimp

            Donny

            • cmb
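jimp's reply above says the message only means the upstream server answered with a private address, and Donny's follow-up confirms the warnings disappear once the internal Windows DNS server is removed from pfSense's upstream list. The following Python script is an added illustration, not code from the thread or from pfSense/dnsmasq: it parses constructed dnsmasq log lines in the same shape as the excerpt, then mimics dnsmasq's rebind decision (the `--stop-dns-rebind` behaviour) on constructed answers, showing why the Active Directory zone names `ForestDnsZones`/`DomainDnsZones` trip the check when the DC answers with 172.31.21.10, and how dnsmasq's `--rebind-domain-ok` option exempts one internal domain instead of disabling the check globally. The domain `example.dsns` and the public answer 203.0.113.10 are constructed placeholders.

```python
import ipaddress
import re

# dnsmasq's rebind check (--stop-dns-rebind) rejects and logs upstream answers
# that point at private or loopback space, because a public name that
# suddenly resolves to an internal address is the DNS-rebinding pattern.
# Everything here is an added illustration with constructed data; the zone
# names and the 172.31.21.10 answer mirror the thread, example.dsns is a
# placeholder for the poster's redacted domain.

PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed log lines in the same shape as the thread's excerpt, plus one
# unrelated query line to show the parser ignores it.
SAMPLE_LOG = """\
Apr 22 13:13:31 dnsmasq[30943]: possible DNS-rebind attack detected: ForestDnsZones.example.dsns
Apr 22 13:13:31 dnsmasq[30943]: possible DNS-rebind attack detected: ForestDnsZones.example.dsns
Apr 22 13:13:31 dnsmasq[30943]: possible DNS-rebind attack detected: DomainDnsZones.example.dsns
Apr 22 13:13:31 dnsmasq[30943]: possible DNS-rebind attack detected: example.dsns
Apr 22 13:13:32 dnsmasq[30943]: query[A] www.example.com from 172.31.21.50
"""

LOG_RE = re.compile(r"dnsmasq\[\d+\]: possible DNS-rebind attack detected: (\S+)")


def flagged_names(log_text):
    """Return the distinct names dnsmasq flagged, in first-seen order."""
    seen = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def is_private(addr):
    """True if addr falls in an RFC1918 or loopback range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def rebind_check(name, answers, rebind_ok_domains=()):
    """Mimic dnsmasq's decision for one answer set.

    Returns 'accepted' or 'rebind-detected'. Names at or under a domain in
    rebind_ok_domains (dnsmasq's --rebind-domain-ok) are exempt, which is how
    an internal AD zone that legitimately answers with internal addresses can
    be allowed while the check stays on for everything else.
    """
    lname = name.lower().rstrip(".")
    for dom in rebind_ok_domains:
        d = dom.lower().strip("/").rstrip(".")
        if lname == d or lname.endswith("." + d):
            return "accepted"
    if any(is_private(a) for a in answers):
        return "rebind-detected"
    return "accepted"


def demo():
    """Run the check with and without an exemption for the internal domain."""
    # Constructed answers: the AD zone names resolve to the DC's internal
    # address from the thread; the public name gets a documentation-range IP.
    answers = {
        "ForestDnsZones.example.dsns": ["172.31.21.10"],
        "DomainDnsZones.example.dsns": ["172.31.21.10"],
        "example.dsns": ["172.31.21.10"],
        "www.example.com": ["203.0.113.10"],
    }
    strict = {n: rebind_check(n, a) for n, a in answers.items()}
    scoped = {n: rebind_check(n, a, rebind_ok_domains=["example.dsns"])
              for n, a in answers.items()}
    return strict, scoped


if __name__ == "__main__":
    print("flagged in log:", flagged_names(SAMPLE_LOG))
    strict, scoped = demo()
    for name in strict:
        print(f"{name:32} strict={strict[name]:16} with exemption={scoped[name]}")
```

The `strict` result reproduces the thread's symptom: every internal zone name is rejected because its only answer is 172.31.21.10, while the public name passes. The `scoped` result keeps the check active for public names and accepts only the one internal domain, which is the narrower alternative to switching rebinding protection off under System > Advanced.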

              @Gradius:

              OpenDNS was compromised around a week ago, I wouldn't trust them!

              Proof? Haven't heard anything about that, that'd be big news. I've heard such claims previously but they never checked out to be anything other than someone else's NS's getting compromised.

              • jhoche

                I'm having the same problem! When I disable "DNS Rebinding Checks", Squid authentication on AD stops. I'm studying a solution.  ;D

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.