OPNsense Forum
English Forums => General Discussion => Topic started by: giovanit on September 03, 2019, 02:45:32 pm
-
Hello people.
I created a port forwarding NAT for an internal server to access port 80. Access is via a DNS address example.test.com.
When I access it from outside my local network it works perfectly, but when I access the same DNS the following message is displayed:
A potential DNS Rebind attack has been detected.
Try to access the router by IP address instead of by hostname.
I tried numerous NAT settings and also looked for some solutions on Google; none worked. Can someone help me?
-
Just wondering: you marked this issue solved, but didn't add the solution. For my curiosity and future readers' reference: what was the solution?
-
Firewall -> Settings -> Advanced
Enable:
- Reflection for port forwarding
- 1:1 reflection
- Automatic outbound NAT for reflection NAT
Firewall -> NAT -> Port Forwarding
WAN TCP * * WAN address 80 (HTTP) 192.168.1.50 80 (HTTP) Name
-
Hi,
I solved this by only making a change in:
System / Settings / Administration
- Alternate Hostname: my.host.on.ddns.service
Thanks!
-
Hi,
Can you say which info I need to introduce in "alternative hostname"?
Is my.host.on.ddns.service your OPNsense hostname?
-
I also just bumped into the same issue. Some of my redirects work, but when the redirect is a path to the firewall itself I get this same warning. I don't want to turn off rebinding as it seems it will be bypassing my DNS rebinding for all requests. Any more updates or answers here?
-
The following explanation from the official docs is pretty detailed about this situation and the possible fix.
https://docs.opnsense.org/manual/how-tos/nat_reflection.html
Follow the instructions and choose your situation to create the correct port forward rule for NAT reflection.
Additionally, for me it was necessary to also create a NAT outbound rule, because I had my service in a separate DMZ.
Okay, I thought it worked, but it seems I am too dumb to do the right NAT rules. If someone has the right config, I would appreciate the shared rules.