Possible DNS-rebind attack detected
-
May 26 05:59:30 dnsmasq[48462]: possible DNS-rebind attack detected: my_laptop.my_LAN.domain
I'm using the current version of pfSense and noticed about 40 of these entries this morning covering the past 24 hours. When I googled it a post came up from a pfSense retired forum entry a couple years ago:
You are hitting the WebGUI if you get that error, not your own server.
Move the WebGUI to an alternate port (Not 80 or 443) and check "Disable webConfigurator redirect rule" under System > Advanced.
http://forum.pfsense.org/index.php/topic,29612.0.html
I don't believe I logged onto the GUI more than once during that time and haven't had a problem in doing so then or this morning. I had already changed the default port I use to something different from port 80 or 443 after installing pfSense a few weeks ago.
I'm not worried and might not have thought anything about it if not for the recent talk about possible DNS problems on the web in the coming next couple of months. Any clue as to what's causing it? Do I need to Disable webConfigurator redirect rule?
TIA
I did find a nice article about DNS rebinding attacks and Cross-Site Request Forgery while I was trying to solve the issue myself, but am not saying that's what's going on here:
-
That particular log happens when you do a DNS lookup using your upstream DNS servers that returns a private IP as an answer. In that circumstance, in nearly all networks, those should strictly be Internet FQDNs that you're looking up, which should never resolve to an RFC 1918 private IP. When they do, it can be indicative of someone trying to do something bad to you, or else it's generally an indication of someone's public DNS being broken.
That log in particular means something on your internal network tried to do a DNS lookup for hostname "my_laptop.my_LAN.domain" and the DNS forwarder's upstream servers returned a private IP for that hostname.
-
@cmb:
That log in particular means something on your internal network tried to do a DNS lookup for hostname "my_laptop.my_LAN.domain" and the DNS forwarder's upstream servers returned a private IP for that hostname.
That's strange. I haven't tried using DNS to resolve my own machines, and when I do a whois to check log entries I usually use a web tool to do it. My home Ethernet network is like this:
router -> pfSense box -> switch -> computers
I have 2 FreeBSD machines on my LAN and am the only one with access to them. When you set them up it asks for your machine name and then assigns it in a "hostname.gateway.domain" fashion, with the domain name I provide it related to the gateway/router.
I checked again just now, and there were 2 more log entries within 15 minutes of me logging on to the forums; nobody was on either of the computers when it happened, as I'm the only one who lives here. Wifi is disabled at the router.
The firewall logs are pretty bland, with the only entries beside it trying to check Mozilla for Firefox Persona updates being a couple from MarkMonitor.com, which I started noticing a couple days ago. I use the pfBlocker package and block incoming to every country and spammer it lists and run the pf firewall on both my machines.
I don't use P2P, torrents, download music, movies, or do anything on the net besides check Yahoo email and log onto a few message boards like this, so nobody should even know my hostname. Pretty boring, aren't I… :p
Edit:
I changed my hostname and will see if it happens again. When I rebooted I noticed where sendmail was trying to resolve my hostname from the router with an error for what I take to be something to do with IPv6 and getting a return for IPv4. Sorry I can't be more specific, something to do with A and AAAA. I've noticed this every time I reboot for a long time but have never noticed the DNS entries in the pfSense system logs till today.
-
It's not strange really, most OSes will issue requests like that on occasion. The fact your ISP (or whatever the firewall's DNS servers are) returns a private IP is unusual, but that may be what they do for all NXDOMAIN responses and send you to some landing page that's hosted on a private IP only reachable by their customers.
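The check cmb describes above (an upstream answer carrying a private address for a name, including the ISP "NXDOMAIN landing page" case) as an added example, not code from the thread or from dnsmasq itself. It emulates the rebind check in Python and tallies the log lines it produces; the private-range list is an assumption approximating dnsmasq's own, the `ok_domains` whitelist mirrors the `rebind-domain-ok` option, and the log lines are constructed from the one quoted in the thread.

```python
import ipaddress
import re
from collections import Counter

# Assumption: ranges dnsmasq treats as "private" for its rebind check
# (RFC 1918, loopback, link-local, 0.0.0.0/8 and the IPv6 equivalents).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
)]
LOG_RE = re.compile(r"dnsmasq\[\d+\]: possible DNS-rebind attack detected: (\S+)")

def is_private(addr):
    """True if the answer address falls inside one of the private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)

def in_ok_domain(name, ok_domains):
    """True if name is at or below a whitelisted domain (like rebind-domain-ok)."""
    name = name.lower().rstrip(".")
    for d in ok_domains:
        d = d.lower().strip("./")
        if name == d or name.endswith("." + d):
            return True
    return False

def check_answer(name, answers, ok_domains=()):
    """Emulate the rebind check on one upstream reply.
    Returns (accept, log_line): the reply is dropped and logged when any
    A/AAAA answer is private and the name is not whitelisted."""
    if not in_ok_domain(name, ok_domains) and any(is_private(a) for a in answers):
        return False, f"possible DNS-rebind attack detected: {name}"
    return True, None

def names_from_log(lines):
    """Count flagged names in dnsmasq log lines, to see what is being looked up."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

# Constructed sample log, modelled on the entry quoted in the thread.
SAMPLE_LOG = [
    "May 26 05:59:30 dnsmasq[48462]: possible DNS-rebind attack detected: my_laptop.my_LAN.domain",
    "May 26 06:14:02 dnsmasq[48462]: possible DNS-rebind attack detected: my_laptop.my_LAN.domain",
    "May 26 06:14:02 dnsmasq[48462]: query[A] www.example.com from 192.168.1.10",
]

if __name__ == "__main__":
    print(check_answer("my_laptop.my_LAN.domain", ["192.168.1.10"]))
    print(check_answer("my_laptop.my_LAN.domain", ["192.168.1.10"], ["my_LAN.domain"]))
    print(names_from_log(SAMPLE_LOG))
```

Whitelisting the local domain keeps rebind protection on for Internet names while letting the forwarder answer for LAN hosts, which is the less drastic alternative to disabling the check altogether.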
-
I was editing as you were posting. :D I'll keep an eye on it.
Thanks.
-
To update, there hasn't been another instance of this since I changed my machine name the other day.
I love my pfSense firewall. :)