OPNsense Forum

Archive => 20.1 Legacy Series => Topic started by: smajor on July 23, 2020, 12:20:51 am

Title: Split DNS & Rebind Attacks
Post by: smajor on July 23, 2020, 12:20:51 am
All, I have an internal DNS server that I want to retire in favor of using the built-in Unbound DNS.  Everything works except my web server behind NAT.

Externally www.mysecretdomain.com resolves and works perfectly.

Internally www.mysecretdomain.com throws a rebind error because it tries to go to the admin page of OPNsense instead of www, which is on a different system.

Indeed, internally pinging www.mysecretdomain.com resolves to my PUBLIC IP when it should resolve to my INTERNAL IP.

Even going to the Overrides section of Unbound and making sure www.mysecretdomain.com resolves to 10.0.1.201 does nothing.  It insists on resolving to my public/OPNsense WAN IP.

What the heck am I doing wrong?
Title: Re: Split DNS & Rebind Attacks
Post by: smajor on July 23, 2020, 02:55:24 am
Well, I got things a bit better after I discovered the NAT Reflection options in Advanced.

Ticking the Reflection for Port Forwards and Automatic Outbound Reflection got me to the server.

Unfortunately, Apache's DNS site detection is broken because of this on the LAN.  www.mysecretsite.com resolves as the "first" site, but www.myREALLYsecretsite.com resolves to the first.

What I really need to understand is why Unbound's overrides are not working for this but are for other items.  If my LAN clients are hitting it, shouldn't its overrides be honored?
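The following is an added diagnostic script, not code from the original posts or from OPNsense/Unbound, for the question raised in this thread: is the resolver a LAN client actually uses handing back the internal address configured in the Unbound host override, or the public one? It queries the name once directly at the OPNsense resolver and once through the system default, and classifies each answer; the name and the 10.0.1.201 target come from the thread, while the resolver address (10.0.1.1) and the `dig` invocation are assumptions. The `dig +noall +answer` output it parses is the standard five-column answer format; the sample line in the script is constructed so the parser can be exercised offline.

```shell
#!/bin/sh
# Added diagnostic for the split-DNS problem in this thread (not OPNsense or
# Unbound code). Checks whether a LAN client gets the INTERNAL address for a
# name that is host-overridden in Unbound, or the public one.

NAME="www.mysecretdomain.com"
EXPECTED="10.0.1.201"             # host-override target stated in the thread
RESOLVER="${RESOLVER:-10.0.1.1}"  # ASSUMED LAN address of the OPNsense box

# is_rfc1918 IP -> exit 0 if the IPv4 address is in 10/8, 172.16/12 or 192.168/16.
# Runs in a subshell so changing IFS does not leak into the caller.
is_rfc1918() (
    IFS=.
    set -- $1
    [ "$#" -eq 4 ] || return 1
    case "$1" in
        10)  return 0 ;;
        172) [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0 ;;
        192) [ "$2" -eq 168 ] && return 0 ;;
    esac
    return 1
)

# first_a_record "<dig +noall +answer output>" NAME
# Prints the first A record for NAME. dig answer lines look like:
#   name. TTL IN A address   (fields 1..5)
first_a_record() {
    printf '%s\n' "$1" | awk -v n="$2." '$1 == n && $4 == "A" { print $5; exit }'
}

# classify_answer ANSWER EXPECTED -> prints one of: ok, public, wrong-internal, none
#   ok             the override target came back (split DNS is working)
#   public         a non-private address came back (override not applied)
#   wrong-internal a different private address came back (stale record elsewhere)
#   none           no A record at all
classify_answer() {
    answer=$1; expected=$2
    if [ -z "$answer" ]; then
        echo "none"
    elif [ "$answer" = "$expected" ]; then
        echo "ok"
    elif is_rfc1918 "$answer"; then
        echo "wrong-internal"
    else
        echo "public"
    fi
}

# Constructed sample of dig output (203.0.113.10 is a documentation address),
# showing the symptom from the thread: the public address comes back.
SAMPLE='www.mysecretdomain.com. 300 IN A 203.0.113.10'
sample_ip=$(first_a_record "$SAMPLE" "$NAME")
echo "sample answer: ${sample_ip:-<none>} -> $(classify_answer "$sample_ip" "$EXPECTED")"

# Live check, only when explicitly requested and dig is installed. Asking the
# OPNsense resolver directly and the system default separately matters: if the
# two disagree, the client is not sending its queries to Unbound at all, and no
# override in Unbound can take effect.
if [ "${LIVE:-0}" = 1 ] && command -v dig >/dev/null 2>&1; then
    via_resolver=$(first_a_record "$(dig +noall +answer "@$RESOLVER" "$NAME" A)" "$NAME")
    via_default=$(first_a_record "$(dig +noall +answer "$NAME" A)" "$NAME")
    echo "via $RESOLVER:      ${via_resolver:-<none>} -> $(classify_answer "$via_resolver" "$EXPECTED")"
    echo "via system default: ${via_default:-<none>} -> $(classify_answer "$via_default" "$EXPECTED")"
fi
```

Run it with `LIVE=1 RESOLVER=<opnsense-lan-ip> sh check-split-dns.sh` from a LAN client. An `ok` via the resolver but `public` via the system default means the override is fine and the client is simply pointed at another DNS server (for instance the one being retired); `public` from both means the override is not being returned by Unbound itself.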