501 Potential DNS Rebind Attack after Installing Squid3



  • Hello,

    I installed Squid3 version 3.1.20 pkg 2.1.2 in order to use the caching and reverse proxy capabilities. Currently I have NAT Reflection enabled (Pure NAT) in order for me to connect internally through my LAN interface to my websites residing at my DMZ interface.

    After installing Squid3, I am now receiving a Potential DNS Rebind Attack Detected on my browser when connecting to one of the websites. I tried a few different configuration changes but still receive the error. I disabled NAT Reflection, added my 1:1 subnet to the proxy server (Bypass proxy for these destination IPs) e.g. Public Address 216.xxx.xx.xx; Private Address 172.16.0.2.

    Are there any other configuration changes I can try to not receive the error? Your help would be much appreciated.

    Thanks



  • Can anyone out there help me out? Still not able to view webpages residing on my web server at my DMZ interface.



  • You get that error if you try to access the pfSense box using a name other than its hostname.  Did you search these forums and Google for 'pfsense DNS rebind attack'?  From DNS Rebinding Protections:

    _For those not using the DNS forwarder, and as an additional layer of checks, the web interface will block attempts to access it via an unknown hostname. It will display "Potential DNS Rebind Attack Detected" and drop any request. By default, only the hostname and domain configured under System>General Setup are accepted. For instance if firewall.example.com is configured as the system's hostname, and it is loaded in a browser using fw1.example.com, that attempt will be rejected. Additional hostnames can be added under System>Advanced, "Alternate Hostnames".

    Logging in using the IP address of the system rather than the hostname does work if this message is encountered when attempting to load by hostname. Once access has been obtained, configure the hostname(s) accordingly and then it is possible to log in using the desired hostname.

    If this message is encountered when a client attempted to access a forwarded service (Port forward, 1:1 NAT, relayd, etc.) it indicates that the request did not match any NAT rules. From the inside of the network, this would require NAT reflection or split DNS to accomplish. See Why can't I access forwarded ports on my WAN IP from my LAN/OPTx networks for more details._
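    As an added example (not pfSense's own code), here is a Host-header allow-list check modelled on the behaviour the quoted documentation describes: the request is served only if the Host it names is the configured hostname, an alternate hostname, or an interface IP. The configuration values and function names are assumptions chosen for illustration.

```python
# Added example, not pfSense code: a Host-header allow-list check modelled on
# the "Potential DNS Rebind Attack Detected" behaviour described above.
import ipaddress

# Constructed configuration, standing in for System > General Setup and
# System > Advanced > "Alternate Hostnames" (hypothetical values).
CONFIG = {
    "hostname": "firewall",
    "domain": "example.com",
    "alternate_hostnames": ["fw1.example.com"],
    "interface_ips": ["192.168.1.1", "172.16.0.2", "2001:db8::1"],
}

def _split_host_port(host_header: str) -> str:
    """Return the host part of a Host header without any :port suffix.
    Bracketed IPv6 literals such as [2001:db8::1]:443 are handled too."""
    h = host_header.strip().lower()
    if h.startswith("["):                  # IPv6 literal in brackets
        end = h.find("]")
        return h[1:end] if end != -1 else h[1:]
    if h.count(":") == 1:                  # name:port or v4addr:port
        h = h.rsplit(":", 1)[0]
    return h.rstrip(".")                   # tolerate a trailing dot

def allowed_hosts(cfg=CONFIG) -> set:
    """Names a request may use to reach the web GUI. Accepting the bare
    hostname alongside the FQDN is an assumption of this example."""
    fqdn = f"{cfg['hostname']}.{cfg['domain']}".lower()
    names = {fqdn, cfg["hostname"].lower()}
    names.update(n.lower() for n in cfg["alternate_hostnames"])
    return names

def check_host_header(host_header: str, cfg=CONFIG) -> bool:
    """True if the request should be served, False if it should be dropped
    with "Potential DNS Rebind Attack Detected"."""
    host = _split_host_port(host_header)
    if not host:
        return False
    if host in allowed_hosts(cfg):
        return True
    # Access by an interface IP is always accepted, as the docs note.
    try:
        ips = {ipaddress.ip_address(i) for i in cfg["interface_ips"]}
        return ipaddress.ip_address(host) in ips
    except ValueError:                     # not an IP literal at all
        return False
```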



  • Thanks for pointing me in the right direction. I was able to access my website using Host Overrides at the General DNS Forwarder Options.

