OPNsense Forum

English Forums => General Discussion => Topic started by: giovanit on September 03, 2019, 02:45:32 PM

Title: [SOLVED] A potential DNS Rebind attack has been detected
Post by: giovanit on September 03, 2019, 02:45:32 PM
Hello people.

I created a port forwarding NAT for an internal server to access port 80. Access is via a DNS address example.test.com.
When I access it from outside my local network it works perfectly, but when I access the same DNS the following message is displayed:
A potential DNS Rebind attack has been detected.
Try to access the router by IP address instead of by hostname.

I tried numerous NAT settings and also looked for some solutions on google, none worked. Can someone help me?
Title: Re: [SOLVED] A potential DNS Rebind attack has been detected
Post by: Northguy on September 03, 2019, 04:01:28 PM
Just wondering: you mark this issue solved, but don't add the solution. For my curiosity and future readers' reference: what was the solution?
Title: Re: [SOLVED] A potential DNS Rebind attack has been detected
Post by: giovanit on September 04, 2019, 01:36:53 PM
Firewall -> Settings -> Advanced
Enable:
- Reflection for port forwarding
- 1:1 reflection
- Automatic outbound NAT for reflection NAT

Firewall -> NAT -> Port Forwarding
WAN    TCP    *    *    WAN address    80 (HTTP)    192.168.1.50    80 (HTTP)    Name
Title: Re: [SOLVED] A potential DNS Rebind attack has been detected
Post by: vicentedeandrade on December 28, 2020, 02:57:24 PM
Hi,

I solved this only making a change in:

System / Settings / Administration
- Alternate Hostname: my.host.on.ddns.service

Thanks!
Title: Re: [SOLVED] A potential DNS Rebind attack has been detected
Post by: gmiserk on November 15, 2021, 10:50:35 AM
Hi,

Can you say which info I need to introduce in "alternative hostname"?
Is my.host.on.ddns.service your OPNsense hostname?
Title: Re: [SOLVED] A potential DNS Rebind attack has been detected
Post by: nferocious76 on January 06, 2024, 04:26:03 AM
I also just bumped into the same issue. Some of my redirects work, but when the redirect is a path to the firewall itself I get this same warning. I don't want to turn off rebinding as it seems it will be bypassing my DNS rebinding for all requests. Any more updates or answers here?
Title: Re: [SOLVED] A potential DNS Rebind attack has been detected
Post by: conan on January 26, 2024, 04:35:42 PM
The following explanation from the official docs is pretty detailed about this situation and the possible fix.

https://docs.opnsense.org/manual/how-tos/nat_reflection.html

Follow the instructions and choose your situation to create the correct Port Forward rule for NAT reflection.
Additionally, for me it was also necessary to create a NAT Outbound rule, because I had my service in a separate DMZ.

Okay, I thought it worked, but it seems I am too dumb to do the right NAT rules. If someone has the right config, I would appreciate the shared rules.
Title: Re: [SOLVED] A potential DNS Rebind attack has been detected
Post by: selma77 on September 24, 2024, 12:24:25 PM
Check mysqld!
--> systemctl status mysqld
If mysqld is down:
--> systemctl start mysqld
Then connect to the Zabbix web interface.
If it's OK:
--> systemctl enable mysqld
This will make it run automatically after rebooting.
Title: Re: [SOLVED] A potential DNS Rebind attack has been detected
Post by: slmingol on April 14, 2025, 03:41:24 AM
Confirming that the method described, System -> Settings -> Administration, worked where I was using Pangolin to create tunnels to access an OPNsense host in my network for testing purposes. I just wanted to note you can in fact add multiple hostnames that the OPNsense server will be willing to accept, as a space-delimited list in the Alternate Hostnames text box.

The info box if you click it on this setting says as much:

Quote:
Alternate Hostnames for DNS Rebinding and HTTP_REFERER Checks
Here you can specify alternate hostnames by which the router may be queried, to bypass the DNS Rebinding Attack checks. Separate hostnames with spaces.
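
Added example (not part of the thread and not OPNsense's own code): a simplified model of the Host-header check behind the warning, showing why a DDNS name is rejected until it is listed in the space-separated Alternate Hostnames field. The function names, the firewall name `opnsense.localdomain`, `other.example.net` and the rule that any IP literal is accepted are assumptions made for illustration.

```python
import ipaddress

def parse_alt_hostnames(field):
    """Split the space-delimited Alternate Hostnames value into a set."""
    return {name.lower().rstrip(".") for name in field.split()}

def host_from_header(host_header):
    """Return the host part of a Host header, without port or trailing dot."""
    host = host_header.strip().lower()
    if host.startswith("["):              # bracketed IPv6 literal, e.g. [fe80::1]:443
        end = host.find("]")
        return host[1:end] if end != -1 else ""
    if host.count(":") == 1:              # name:port or IPv4:port
        host = host.split(":", 1)[0]
    return host.rstrip(".")

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def rebind_check(host_header, own_names, alt_hostnames_field):
    """True if the request passes this modelled DNS rebinding check."""
    host = host_from_header(host_header)
    if not host:
        return False
    if is_ip_literal(host):               # assumption: access by IP address is accepted
        return True
    allowed = {n.lower() for n in own_names} | parse_alt_hostnames(alt_hostnames_field)
    return host in allowed

if __name__ == "__main__":
    own = ["opnsense.localdomain"]        # constructed firewall hostname
    alt = "example.test.com my.host.on.ddns.service"
    for header in ["example.test.com", "My.Host.On.DDNS.Service:443",
                   "192.168.1.1", "other.example.net"]:
        print(header, "->", "accepted" if rebind_check(header, own, alt) else "rebind warning")
```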
Title: Re: [SOLVED] A potential DNS Rebind attack has been detected
Post by: fastboot on April 14, 2025, 12:58:21 PM
Quote from: giovanit on September 04, 2019, 01:36:53 PM
Firewall -> Settings -> Advanced
Enable:
- Reflection for port forwarding
- 1:1 reflection
- Automatic outbound NAT for reflection NAT

Firewall -> NAT -> Port Forwarding
WAN    TCP    *    *    WAN address    80 (HTTP)    192.168.1.50    80 (HTTP)    Name

This is not best practice and should not be used at all.
https://docs.opnsense.org/manual/firewall_settings.html
https://docs.opnsense.org/manual/how-tos/nat_reflection.html