OPNsense Forum

English Forums => 24.1 Production Series => Topic started by: ks98330q on March 16, 2024, 09:39:24 pm

Title: DNS Rebind
Post by: ks98330q on March 16, 2024, 09:39:24 pm
Sooooo...
I must not understand DNS Rebind protection too well.
It's supposed to block access from the private address clients (LAN) to the DNS servers via hostname/IP?

I would really like to access my OPN via name (router.domain.com) WITHOUT the annoying untrusted cert warning.
I have an actual SSL cert for my domain.com
When I install this cert, and setup OPN to use it, then I get an error about router.domain.com doesn't match the cert which is for domain.com.
I have my system configured thusly:
The hostname of OPN is router.  I have an Unbound override for router.domain.com pointing to 192.168.1.1.  I also have an override for domain.com to point to 192.168.1.1 as well.  Furthermore I have a firewall rule to allow my computer only to access the router via domain.com or router.domain.com.  Thus no intrepid employees *should* be able to access it.

IF I try to access the domain.com I get a potential DNS rebind error.  When this happens, I don't have the SSL mismatch error, but I can't login either.  When I disable DNS rebind prophylactic, I can access the login page using domain.com
Maybe I need another actual cert for router.domain.com?  And another for mail, SAN, etc, etc?  I thought we could apply these subdomains to the cert when it's generated as alternate names in the cert?  Then we can use one cert for these subdomains.  Or am I flawed in my logic today?
Or am I better to sliver the DNS off OPN and make a standalone DNS server?
Title: Re: DNS Rebind
Post by: Maurice on March 17, 2024, 02:06:35 am
A certificate for domain.com is not valid for router.domain.com. That's why your browser generates a certificate mismatch error when using router.domain.com.
When using domain.com instead, OPNsense prevents access to the WebGUI because of the hostname mismatch - it knows its FQDN is actually router.domain.com.

If you want to use domain.com:
- Add domain.com to the Alternate Hostnames in System: Settings: Administration.

If you want to use router.domain.com:
- Create a certificate specifically for the OPNsense WebGUI (CN=router.domain.com) or
- add router.domain.com as an alt name to your domain.com certificate or
- create a wildcard certificate for *.domain.com.

Cheers
Maurice
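Added example (not OPNsense's own code): a small Python model of the two hostname checks Maurice describes, the browser's certificate name match against CN/SAN names including wildcards, and the WebGUI's check of the Host header against the FQDN and Alternate Hostnames that produces the "potential DNS rebind" message. That bare IP addresses pass the WebGUI check is an assumption of this model, and `diagnose` is a helper written here to replay the poster's three scenarios.

```python
import ipaddress

def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def cert_name_matches(hostname: str, cert_names: list[str]) -> bool:
    """RFC 6125-style match of the URL hostname against the certificate's
    CN/SAN names. A wildcard covers exactly one left-most label, so
    *.domain.com covers router.domain.com but not domain.com itself."""
    host = hostname.lower().rstrip(".")
    for name in (n.lower().rstrip(".") for n in cert_names):
        if name == host:
            return True
        if name.startswith("*.") and not is_ip(host) and host.endswith(name[1:]):
            prefix = host[: -len(name[1:])]   # "router" for router.domain.com
            if prefix and "." not in prefix:
                return True
    return False

def webgui_allows_host(host_header: str, fqdn: str, alt_hostnames: list[str]) -> bool:
    """Model of the WebGUI's Host-header check (assumption: the firewall's
    FQDN, an Alternate Hostname, or a bare IP address is accepted; any other
    name is reported as a potential DNS rebind)."""
    host = host_header.lower().rstrip(".")
    if host.startswith("["):                   # "[2001:db8::1]:443"
        host = host[1:host.index("]")]
    elif host.count(":") == 1:                 # "router.domain.com:443"
        host = host.split(":", 1)[0]
    return is_ip(host) or host in {fqdn.lower(), *(h.lower() for h in alt_hostnames)}

def diagnose(url_host: str, cert_names: list[str], fqdn: str, alt_hostnames: list[str]) -> str:
    """Which of the thread's symptoms a given URL host runs into."""
    if not cert_name_matches(url_host, cert_names):
        return "certificate name mismatch"
    if not webgui_allows_host(url_host, fqdn, alt_hostnames):
        return "potential DNS rebind block"
    return "login page"

if __name__ == "__main__":
    cert = ["domain.com"]                      # constructed: the poster's single-name certificate
    for host, alts in [("router.domain.com", []), ("domain.com", []), ("domain.com", ["domain.com"])]:
        print(f"{host:>18} alt={alts}: {diagnose(host, cert, 'router.domain.com', alts)}")
```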
Title: Re: DNS Rebind
Post by: ks98330q on March 17, 2024, 11:30:18 pm
Thanks Mr Maurice. 
I did add the domain.com to the alt hostnames, and all is well in Denmark now. 
I obviously didn't think to try that.

Thanks again!
:beer