External clients - Potential DNS Rebind attack detected - Reverse Proxy



  • My apologies up front for being a noob…

    Here is my issue: I updated to version 2.2, the latest version. Now only my external clients are unable to see the external websites I host.

    Simple base installation, configured for Email (MS Exchange), Squid (Reverse Proxy) and that should be it.

    Under Services > Reverse Proxy | Web Servers tab I have 3 websites that resolve to 3 different internal IP addresses.

    Before the update these functions worked; after the update I can access them internally, but from an external source I get the following message:

    "Potential DNS Rebind attack detected, see http://en.wikipedia.org/wiki/DNS_rebinding
    Try accessing the router by IP address instead of by hostname"

    When I access by IP instead of hostname, I get the pfSense admin interface.

    I have reviewed the following articles and tried them with no success.

    1. https://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks
      - Tried both methods, no luck...

    2. https://doc.pfsense.org/index.php/DNS_Rebinding_Protections

    3. https://forum.pfsense.org/index.php?topic=40430.0

    Let me know if I left something out, would appreciate any assistance you can provide.

    Regards,
    Brian



  • My answer to this problem was to put a VPN on a separate IP with an interface to the first VPN as well, so that when someone needed to update their website or whatever, that traffic would go across that second interface, but when they tried to go to our domains it would use the public IP of the second VPN.  I got tired of trying other ways.  Cost me an IP.



  • Why would I put a VPN in? When you're on the external side of the network you can't see the website at all; it just comes up with the DNS Rebind error. My guess is that it has something to do with a combination of the DNS Forwarder and the Squid reverse proxy.



  • I did it my way because a second pfSense VM on a second IP can access both the internal switch / LAN the first one is attached to and also the public IP of the first firewall without throwing the error that's nagging you.  Why else would I bother with doing it this way than to get around the rebind thing?

    Even if you turned off rebind protection, you would probably just end up looking at the pfsense gui instead of the site you want.



  • A VPN did not resolve the issue.

    So, single IP address and hosting multiple websites: since the update to 2.2 the reverse proxy setup to view the sites does not work and I get the "Potential DNS Rebind attack detected" message.

    So I might just try to go back to version 2.1, with the same documented setup and get them back to normal.



  • That's because the VPN was NOT on a second pfSense with a separate public IP with a network interface to the same switch that the first pfSense is attached to.

    It works, for me anyway.  Your problem used to be my problem also.



  • Dear All,

    The solution is actually just a setting that will bail you out of this.
    All you need to do while accessing the WebGUI is: go to the System > Advanced > Admin Access tab, scroll down to the option that has Alternate Hostnames and enter the hostname you're trying to reach your webConfigurator with. For example you can type example.domain.com in the text field and Save.

    This solved my problem and I am pretty sure it will solve yours too.

    Regards,
    Luzinda Roland



  • Adding the alternate hostname to access the configurator pages does not help.

    One of my websites is working from the outside, and so is the configurator…

    root.ca works at rProxying to 10.0.0.1:443
    pfsense.root.ca works at either my public IP, or it is going through the rProxy to 10.0.0.254:443... not sure.
    dsm.root.ca gives the rebind issue... If I disable rebind checks, it shows the configurator page, though I want it to go to 10.0.0.1:5001.

    Any advice on this issue would be appreciated.
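Luzinda's fix and the symptoms above both come down to one comparison: the webConfigurator checks the HTTP Host header against the firewall's own hostname, its interface addresses and the Alternate Hostnames list, and answers with the rebind page when nothing matches. The Python below is an added illustration of that check, not code from this thread or from pfSense; it uses the hostnames from the last post, and the config fields and the sample addresses 10.0.0.254 and 203.0.113.10 are assumptions.

```python
"""Simplified model of the pfSense webConfigurator DNS-rebind check (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class WebGuiConfig:
    hostname: str                        # System > General Setup: Hostname (assumed field)
    domain: str                          # System > General Setup: Domain (assumed field)
    interface_ips: frozenset             # addresses assigned to pfSense interfaces
    alternate_hostnames: frozenset = frozenset()  # System > Advanced > Admin Access
    rebind_check_disabled: bool = False  # "Disable DNS Rebinding Checks"


def host_from_header(host_header: str) -> str:
    """Return the bare name/address from a Host header, dropping an optional :port."""
    h = host_header.strip().lower()
    if h.startswith("["):                 # bracketed IPv6 literal, e.g. [2001:db8::1]:443
        return h[1:h.index("]")]
    # exactly one colon means name:port or IPv4:port; more means a bare IPv6 literal
    return h.rsplit(":", 1)[0] if h.count(":") == 1 else h


def rebind_flagged(host_header: str, cfg: WebGuiConfig) -> bool:
    """True when the GUI would answer 'Potential DNS Rebind attack detected'."""
    if cfg.rebind_check_disabled:
        return False
    name = host_from_header(host_header)
    allowed = {cfg.hostname.lower(), f"{cfg.hostname}.{cfg.domain}".lower()}
    allowed |= {h.lower() for h in cfg.alternate_hostnames}
    allowed |= {ip.lower() for ip in cfg.interface_ips}   # why access by IP shows the GUI
    return name not in allowed


if __name__ == "__main__":
    # Constructed config matching the last post: firewall is pfsense.root.ca,
    # LAN 10.0.0.254, WAN 203.0.113.10 (documentation address, assumed).
    cfg = WebGuiConfig("pfsense", "root.ca", frozenset({"10.0.0.254", "203.0.113.10"}))
    for host in ("dsm.root.ca", "pfsense.root.ca:443", "203.0.113.10", "[2001:db8::1]:443"):
        print(f"{host:22} -> {'rebind page' if rebind_flagged(host, cfg) else 'GUI answers'}")
```

Whichever branch the check takes, the request has reached the webConfigurator and not Squid, so listing dsm.root.ca as an alternate hostname only swaps the rebind page for the GUI login; the reverse proxy must claim the name before the GUI ever sees it.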

