DNS rebinding Attack Msg on clients
  • Hello Team,

    I am a huge fan of pfSense and all the work you guys are putting into this awesome project. So first of all, thank you! :) :)

    My context:
    I have two pfSense boxes on CARP. The DNS, AD and DHCP services are provided by a Windows 2008 R2 virtual machine server.
    DNS forwarder is enabled. I only have one DNS server. I've just added a port forward sending all internal DNS requests to my DNS server. Below are the settings selected in System –> General Setup:
    - Checked: Allow DNS server list to be overridden by DHCP/PPP on WAN
    - Checked: Do not use the DNS forwarder as a DNS server for the firewall

    In DNS Forwarder:
    - Register DNS leases in DNS forwarder
    - Register DNS static mappings in DNS forwarder

    An increasing number of users, and now myself, are getting the message "Potential DNS attack detected" when trying to access any of our websites hosted internally with the suffix *.mydomain.com. I have added a host override in the DNS forwarder options, www.mydomain.com – myintranetsiteip (10.1.1.1), but this did not help, so I removed it (after flushing DNS).

    On top of that, some of my VPN users are having name resolution issues and have to get the IP of the resource they're trying to access in order to reach it from outside. The message they're getting is that the machine is not found, but it works just fine with the machine's IP.

    I went through a great many pages on the forum and on typeinyourfavoritesearchengine to find a solution, with no luck; that's why I took the liberty of requesting your advice on this.

    I know you guys are very busy, but please point me in the right direction, if you may!!

    Best regards,
    Nasa


  • Banned

    1/ All AD clients should ONLY point to Windows AD DNS servers.
    2/ The DNS servers should point to local IPs, not the public ones (split DNS).



  • Hello doktornotor, thanks for your reply.
    Sorry if I was not really clear on that. Users on my domain point, either via DHCP or static IP addressing, to the Windows AD/DNS server. The DNS server itself has 127.0.0.1 as its primary DNS server.

    The problem does not lie in the Windows server box's AD/DNS/DHCP configuration but in pfSense, I believe (the error message when trying to access internal websites is a pfSense "potential DNS rebinding attack" message).

    To give you further info on that: every time we try to access an internal HTTP site (*.mydomain.com) it redirects to "HTTPS://myinternalsite.mydomain.com:4443", even if this particular site doesn't have an HTTPS binding enabled!

    Thanks for taking the time to review this with me.

    Regards,
    Nasa


  • Banned

    @Nasa_ITELIOS:

    Sorry if I was not really clear on that. Users on my domain point, either via DHCP or static IP addressing, to the Windows AD/DNS server. The DNS server itself has 127.0.0.1 as its primary DNS server.

    So what's the point of this messing?

    @Nasa_ITELIOS:

    In DNS Forwarder:
    -Register DNS leases in DNS forwarder
    -Register DNS static mappings in DNS forwarder

    Will not ever register anything and the clients will never hit the forwarder. Dunno really what you are trying to do there. And again, internal websites should resolve to internal IPs, not the public ones (or you need NAT reflection enabled on pfSense).

    @Nasa_ITELIOS:

    To give you further info on that: every time we try to access an internal HTTP site (*.mydomain.com) it redirects to "HTTPS://myinternalsite.mydomain.com:4443", even if this particular site doesn't have an HTTPS binding enabled!

    Seriously cannot see how DNS is involved here.



  • So what's the point of this messing?

    That's why I seek your help  :)

    Will not ever register anything and the clients will never hit the forwarder. Dunno really what you are trying to do there.

    Why won't pfSense register/save anything with this option checked?

    And again, internal websites should resolve to internal IPs, not the public ones (or you need NAT reflection enabled on pfSense).

    That's what I'm trying to achieve by tweaking pfSense's parameters. All clients on my network rely on the Windows Server DNS box for name resolution. So if a request is made for a particular internal website, the DNS server responds with the records it has. All internal websites are on an IIS web server which has an internal IP address.
    I know this message comes up when pfSense detects that a request is made from a client to an internal website but with the public IP address. But I wonder why it detects that???

    Seriously cannot see how's DNS involved here.

    Exactly my point! That's why I'm focusing on the pfSense configuration, which might not be adequate.

    Here's my pfSense General Setup configuration (1) and my DNS forwarder configuration (2). Could you take a look at them? Is there something in these parameters that I should not have enabled which might have led me to this problem?

    Again, thank you!

  • Banned

    @Nasa_ITELIOS:

    Will not ever register anything and the clients will never hit the forwarder. Dunno really what you are trying to do there.

    Why won't pfSense register/save anything with this option checked?

    Did you really read the hint below that option?

    If this option is set, then machines that specify their hostname when requesting a DHCP lease will be registered in the DNS forwarder,

    These machines do NOT get their DHCP leases from pfSense. They won't register anything. This is absolutely not a pfSense issue, fix your Windows AD DNS.
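The recurring advice in this thread is split DNS: every *.mydomain.com name the internal AD DNS hands out must resolve to the internal IIS address, not the public WAN address, or the clients end up going through pfSense for what should be a LAN-to-LAN connection. The script below is an added example (not from the forum posters or the pfSense project) that checks exactly that: it classifies the addresses a resolver returns for each internal hostname and reports the names that leak a public address. The sample answers are constructed; 10.1.1.1 is the intranet IP from the thread and 203.0.113.10 is a stand-in for a public WAN address. The hostnames other than www.mydomain.com are assumptions for illustration. Run it with hostnames as arguments to query the machine's own resolver instead of the sample data.

```python
"""Split-DNS sanity check for internal hostnames (added example, not project code).

Given the addresses an internal resolver returns for *.mydomain.com names,
report the names that come back with a public address: those are the ones
whose clients will hairpin via the firewall instead of reaching the web
server directly.
"""
import ipaddress
import socket
import sys

# Constructed sample answers. 10.1.1.1 is the intranet IP mentioned in the
# thread; 203.0.113.10 stands in for a public WAN address. Names other than
# www.mydomain.com are assumed for illustration.
SAMPLE_ANSWERS = {
    "www.mydomain.com": ["10.1.1.1"],
    "intranet.mydomain.com": ["203.0.113.10"],
    "mail.mydomain.com": ["10.1.1.25", "203.0.113.10"],
}

# Explicit RFC 1918 plus loopback and link-local ranges. We deliberately do
# not use ipaddress's is_private, which also treats IANA special-purpose
# blocks such as 203.0.113.0/24 as "private" and would hide the leak above.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def is_internal(ip: str) -> bool:
    """True if the address falls in an RFC 1918 / loopback / link-local range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def check_split_dns(answers: dict) -> dict:
    """Return {hostname: [public IPs]} for every name that leaks a public address.

    A name that resolves to a mix of internal and public addresses is still
    reported: clients round-robin over the answer set, so some requests
    will leave via the firewall.
    """
    leaks = {}
    for name, ips in answers.items():
        public = [ip for ip in ips if not is_internal(ip)]
        if public:
            leaks[name] = public
    return leaks


def resolve_live(names) -> dict:
    """Ask the OS resolver (on a domain client, the AD DNS server) for each name."""
    results = {}
    for name in names:
        try:
            _, _, ips = socket.gethostbyname_ex(name)
        except socket.gaierror:
            ips = []  # name not found: mirrors the VPN users' symptom
        results[name] = ips
    return results


if __name__ == "__main__":
    answers = resolve_live(sys.argv[1:]) if len(sys.argv) > 1 else SAMPLE_ANSWERS
    for name, ips in answers.items():
        status = "NXDOMAIN/unresolved" if not ips else ", ".join(ips)
        print(f"{name:30} -> {status}")
    leaks = check_split_dns(answers)
    if leaks:
        print("\nNames leaking a public address (split DNS is incomplete):")
        for name, ips in leaks.items():
            print(f"  {name}: {', '.join(ips)}")
    else:
        print("\nAll resolved names point at internal addresses.")
```

Run it on a domain-joined client so the query goes to the AD DNS server the clients actually use; a VPN client should be tested the same way, since a name that resolves to nothing there explains the "machine not found" symptom independently of anything pfSense does.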

