    DNS rebinding Attack Msg on clients

    Nasa_ITELIOS

      Hello Team,

      I am a huge fan of pfSense and all the work you guys are putting into this awesome project. So first of all, thank you! :) :)

      My context:
      I have two pfSense boxes on CARP. The DNS, AD and DHCP services are provided by a Windows 2008 R2 virtual machine server.
      DNS forwarder is enabled. I only have one DNS server. I've just added a port forward sending all internal DNS requests to my DNS server. Below are the settings selected in System –> General Setup:
      - Checked: Allow DNS server list to be overridden by DHCP/PPP on WAN
      - Checked: Do not use the DNS forwarder as a DNS server for the firewall
        In DNS Forwarder:
        - Register DNS leases in DNS forwarder
        - Register DNS static mappings in DNS forwarder

      An increasing number of users, and now myself, are getting the message "Potential DNS attack detected" when trying to access any of our websites hosted internally with the suffix *.mydomain.com. I have added in the DNS forwarder host override options www.mydomain.com – myintranetsiteip (10.1.1.1), but this did not help, so I removed it (after flushing DNS).

      On top of that, some of my VPN users are having name resolution issues and have to get the IP of the resource they're trying to access to be able to reach it from outside. The message they're getting is that the machine is not found, but it works just fine with the machine's IP.

      I went through a great many pages in the forum and typeinyourfavoritesearchengine to find a solution, with no luck; that's why I took the liberty of requesting your advice on this.

      I know you guys are very busy, but please point me to the right direction, if you may!!

      Best regards,
      Nasa

      doktornotor

        1/ All AD clients should ONLY point to Windows AD DNS servers.
        2/ The DNS servers should point to local IPs, not the public ones (split DNS).

        Nasa_ITELIOS

          Hello doktornotor, thanks for your reply.
          Sorry if I was not really clear on that. Users on my domain are pointing, either via DHCP or static IP addressing, to the Windows AD/DNS server. The DNS server itself has 127.0.0.1 as its primary DNS server.

          The problem does not lie in the Windows server box AD/DNS/DHCP configuration but in pfSense, I believe (the error message when trying to access internal websites is a pfSense "potential DNS rebinding attack" message).

          To give you further info on that: every time we're trying to access an internal HTTP site (*.mydomain.com) it redirects to "HTTPS://myinternalsite.mydomain.com:4443", even if this particular site doesn't have an HTTPS binding enabled!

          Thanks for taking the time to review this with me.

          Regards,
          Nasa

          doktornotor

            @Nasa_ITELIOS:

            Sorry if i was not really clear on that. Users on my domain are pointing either via DHCP or Static IP addressing to the windows AD/DNS server. The DNS server itself has 127.0.0.1 as primary DNS server.

            So what's the point of this messing?

            @Nasa_ITELIOS:

            In DNS Forwarder:
            -Register DNS leases in DNS forwarder
            -Register DNS static mappings in DNS forwarder

            Will not ever register anything and the clients will never hit the forwarder. Dunno really what you are trying to do there. And again, internal websites should resolve to internal IPs, not the public ones (or you need NAT reflection enabled on pfSense).

            @Nasa_ITELIOS:

            To get you further info on that: Every time we're trying to access an internal HTTP site (*.mydomain.com) it redirect to "HTTPS://myinternalsite.mydomain.com:4443" even if this particular site doesn't have a HTTPS binding enabled!

            Seriously cannot see how's DNS involved here.

            Nasa_ITELIOS
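The two points doktornotor makes above (clients use only the AD DNS servers, and internal names must resolve to internal IPs, or NAT reflection is needed) can be checked from a LAN client rather than by trial and error. The script below is an added example for this thread, not pfSense or Netgate code: it takes the answers the internal DNS server gives for a set of names and flags every name that resolves to a public address, separating the case where the answer is the firewall's own WAN address (so a LAN client ends up talking to the firewall instead of the web server) from other public addresses. The hostnames, addresses and the `WAN_IP` value are constructed placeholders; `live_answers()` is an optional helper that uses the system resolver and needs network access.

```python
"""Audit split DNS: do internal hostnames resolve to internal addresses?

Added example for this thread; it is not pfSense or Netgate code. The
hostnames, addresses and WAN_IP below are constructed placeholders.
"""
import ipaddress
import socket
from typing import Dict, List, Tuple

# Constructed sample of what the internal AD DNS server answers per name.
SAMPLE_ANSWERS: Dict[str, List[str]] = {
    "intranet.mydomain.com": ["10.1.1.1"],
    "www.mydomain.com": ["203.0.113.10"],         # equals WAN_IP below
    "mail.mydomain.com": ["198.51.100.5"],         # public, but not the firewall
    "files.mydomain.com": ["10.1.1.20", "203.0.113.10"],
}
WAN_IP = "203.0.113.10"  # constructed public address of the firewall's WAN

# "Internal" in the sense used in the thread: RFC 1918 space plus IPv6 ULA.
# ipaddress.is_private is not used because it also treats the documentation
# ranges (203.0.113.0/24 etc.) as private.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("fc00::/7"),
]


def is_internal(addr: ipaddress._BaseAddress) -> bool:
    """True when addr lies in one of the internal networks above."""
    return any(addr in net for net in INTERNAL_NETWORKS)


def classify(name: str, addresses: List[str], wan_ip: str) -> Tuple[str, str]:
    """Classify one name's answers.

    "ok"            every answer is an internal address
    "hits-firewall" an answer is the firewall's WAN address: a LAN client
                    connects to the firewall itself rather than the web
                    server unless NAT reflection is enabled
    "public"        an answer is some other public address; the client
                    leaves via WAN and depends on NAT to get back in
    """
    wan = ipaddress.ip_address(wan_ip)
    status, reasons = "ok", []
    for text in addresses:
        addr = ipaddress.ip_address(text)
        if addr == wan:
            status = "hits-firewall"  # outranks "public"
            reasons.append(f"{text} is the firewall WAN address")
        elif not is_internal(addr):
            if status == "ok":
                status = "public"
            reasons.append(f"{text} is a public address")
    return status, "; ".join(reasons) or "all answers internal"


def audit(answers: Dict[str, List[str]], wan_ip: str) -> Dict[str, str]:
    """Map each hostname to its status string."""
    return {name: classify(name, addrs, wan_ip)[0]
            for name, addrs in answers.items()}


def problems(answers: Dict[str, List[str]], wan_ip: str) -> List[str]:
    """Names needing a split-DNS record (or NAT reflection) to work from the LAN."""
    return [n for n, s in audit(answers, wan_ip).items() if s != "ok"]


def live_answers(names: List[str]) -> Dict[str, List[str]]:
    """Resolve names with the system resolver (needs network; not run offline).

    Run from a LAN client that points at the internal DNS server, then pass
    the result to audit() with the firewall's real WAN address.
    """
    out: Dict[str, List[str]] = {}
    for name in names:
        try:
            infos = socket.getaddrinfo(name, None)
            out[name] = sorted({info[4][0] for info in infos})
        except socket.gaierror:
            out[name] = []  # unresolvable names show as empty lists
    return out


if __name__ == "__main__":
    for host, addrs in SAMPLE_ANSWERS.items():
        state, why = classify(host, addrs, WAN_IP)
        print(f"{host:26} {state:14} {why}")
```

Any name reported as `hits-firewall` or `public` is one to give an internal A record on the AD DNS server (the split-DNS fix suggested above); only if those records cannot be added is NAT reflection on pfSense the fallback.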

              So what's the point of this messing?

              That's why I seek your help  :)

              Will not ever register anything and the clients will never hit the forwarder. Dunno really what are you trying to do there.

              Why pfSense won't register/save anything with this option checked?

              And again, internal websites should resolve to internal IPs, not the public ones (or you need NAT reflection enabled on pfSense).

              That's what I'm trying to achieve by tweaking pfSense's parameters. All clients on my network rely on the Windows server DNS box for name resolution. So if a request is made for a particular internal website, the DNS server responds with the records it has. All internal websites are on an IIS web server which has an internal IP address.
              I know this message comes when pfSense detects that a request is made from a client to an internal website but with the public IP address. But I wonder why it detects that???

              Seriously cannot see how's DNS involved here.

              Exactly my point! That's why I'm focusing on the pfSense configuration, which might not be adequate.

              Here's my pfsense General Set-up configuration (1) and my DNS forwarder configuration (2). Could you take a look at it? Is there something on these parameters that I should not have enabled which might have led me to that problem?

              Again, thank you!

              [Attachments: pfsense_gle_setup.jpg, services_dns_forwarder.jpg]

              doktornotor

                @Nasa_ITELIOS:

                Will not ever register anything and the clients will never hit the forwarder. Dunno really what are you trying to do there.

                Why pfSense won't register/save anything with this option checked?

                Did you really read the hint below that option?

                If this option is set, then machines that specify their hostname when requesting a DHCP lease will be registered in the DNS forwarder,

                These machines do NOT get their DHCP leases from pfSense. They won't register anything. This is absolutely not a pfSense issue, fix your Windows AD DNS.
