I'm running OPNsense (version 25.7.7) as the router and firewall for my home network. I have a Nextcloud server behind OPNense and have dynamic DNS through NO-IP managed by OPNsense so that the Nextcloud server can be accessed by its domain name from the public internet. I also have the Nextcloud domain name set as an override in Unbound DNS in OPNsense so that it can be accessed locally on my home network.
This setup has been stable for years, but recently, I upgraded to a new version of Firefox on my Mint laptop, and I started getting a DNS bind error when accessing the Nextcloud home page by its domain name from within my home network. The error in Firefox is "A potential DNS Rebind attack has been detected. Try to access the router by IP address instead of by hostname. You can disable this check if needed under System: Settings: Administration." This does not happen when I use Chrome on Windows. It only happens in recent versions of Firefox on Mint.
My understanding is that this is occurring because of stricter DNS bind checking in recent versions of Firefox. I can fix the problem at the local level by turning off DNS bind error checking in the Firefox settings under "privacy & security." However, it's inconvenient to have to do this locally on every device that uses Firefox from now on. My question is this: is there a way to fix this problem server-side from within OPNsense? I already tried adding the Nextcloud domain as a "private domain" under Unbound DNS, Advanced, but that did nothing. Does anyone have any thoughts or advice?
Quote from: patrick3000 on January 25, 2026, 05:48:36 PMThis does not happen when I use Chrome on Windows. It only happens in recent versions of Firefox on Mint.
That's because the first two can benefit from it and the other two don't and never will do anything towards such abuse unlike all those spyware creators in this weird world of ours...
See for example : https://securityboulevard.com/2025/06/dns-rebind-protection-revisited/
This abuse example was discovered not that long ago !! ;)
Don't override but use the public IP address for access from internal networks, too. Either by NAT reflection or by setting up a reverse proxy like Caddy. I prefer the latter.