Sooooo...
I must not understand DNS Rebind protection too well.
It's supposed to block access from the private address clients (LAN) to the DNS servers via hostname/IP?
I would really like to access my OPN via name (router.domain.com) WITHOUT the annoying untrusted cert warning.
I have an actual SSL cert for my domain.com
When I install this cert, and set up OPN to use it, then I get an error about router.domain.com doesn't match the cert which is for domain.com.
I have my system configured thusly:
The hostname of OPN is router. I have an Unbound override for router.domain.com pointing to 192.168.1.1. I also have an override for domain.com to point to 192.168.1.1 as well. Furthermore I have a firewall rule to allow my computer only to access the router via domain.com or router.domain.com. Thus no intrepid employees *should* be able to access it.
If I try to access the domain.com I get a potential DNS rebind error. When this happens, I don't have the SSL mismatch error, but I can't login either. When I disable DNS rebind prophylactic, I can access the login page using domain.com
Maybe I need another actual cert for router.domain.com? And another for mail, SAN, etc, etc? I thought we could apply these subdomains to the cert when it's generated as alternate names in the cert? Then we can use one cert for these subdomains. Or am I flawed in my logic today?
Or am I better to sliver the DNS off OPN and make a standalone DNS server?
A certificate for domain.com is not valid for router.domain.com. That's why your browser generates a certificate mismatch error when using router.domain.com.
When using domain.com instead, OPNsense prevents access to the WebGUI because of the hostname mismatch - it knows its FQDN is actually router.domain.com.
If you want to use domain.com:
- Add domain.com to the Alternate Hostnames in System: Settings: Administration.
If you want to use router.domain.com:
- Create a certificate specifically for the OPNsense WebGUI (CN=router.domain.com) or
- add router.domain.com as an alt name to your domain.com certificate or
- create a wildcard certificate for *.domain.com.
Cheers
Maurice
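Maurice's three options all come down to which names the certificate's Subject Alternative Names cover. As an added example (not from the thread or from OPNsense), this Go program builds throwaway self-signed certificates with the SAN layouts discussed above and asks Go's own x509 hostname matcher which of the poster's two names each one covers; the wildcard case also shows the caveat that *.domain.com does not cover the bare domain.com.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
)

// selfSigned builds a throwaway self-signed certificate carrying the given SANs.
// Modern validators (browsers, Go's x509) match hostnames against SANs only.
func selfSigned(sans []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: sans[0]}, // cosmetic; CN is ignored
		DNSNames:     sans,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CoversHost reports whether a certificate with these SANs is accepted for host under
// TLS client rules: exact label match, or one leftmost wildcard label (never the apex).
func CoversHost(sans []string, host string) bool {
	cert, err := selfSigned(sans)
	if err != nil {
		panic(err) // key generation or encoding failure, not a hostname mismatch
	}
	return cert.VerifyHostname(host) == nil
}

func main() {
	// Three SAN layouts from the thread, checked against the two names the poster uses.
	for _, sans := range [][]string{{"domain.com"}, {"domain.com", "router.domain.com"}, {"*.domain.com"}} {
		for _, host := range []string{"domain.com", "router.domain.com"} {
			fmt.Printf("SANs %-34v host %-18s valid=%v\n", sans, host, CoversHost(sans, host))
		}
	}
}
```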
Thanks Mr Maurice.
I did add the domain.com to the alt hostnames, and all is well in Denmark now.
I obviously didn't think to try that.
Thanks again!
:beer