OPNsense Forum

Archive => 21.7 Legacy Series => Topic started by: SoCold on October 14, 2021, 02:46:56 am

Title: Confused with DNS Rebinding
Post by: SoCold on October 14, 2021, 02:46:56 am
I have an Unraid server and I was trying to provision an SSL certificate and I would get the following error

Quote
Your router or DNS server has DNS rebinding protection enabled preventing [a bunch of letters and numbers].unraid.net [local server IP] resolution

The included help provides the following

Quote
Provision may be used to allocate a free SSL Certificate from Let's Encrypt and then upload to your server. Note: We highly recommend using a static IP address in this case.

Update DNS may be used to manually initiate updating the DNS A-record of your server FQDN on unraid.net. Note that DNS propagation change could take anywhere from 1 minute to several hours (we set TTL to 60 seconds).

Note: Provision may fail if your router or upstream DNS server has DNS rebinding protection enabled. DNS rebinding protection prevents DNS from resolving a private IP network range. DNS rebinding protection is meant as a security feature on a local LAN which includes legacy devices with buggy/insecure "web" interfaces.

One source of DNS rebinding protection could be your ISP DNS server. In this case the problem may be solved by switching to a different DNS server such as Google's public DNS.

More commonly, DNS rebinding protection could be enabled in your router. Most consumer routers do not implement DNS rebinding protection; but, if they do, a configuration setting should be available to turn it off.

Higher end routers usually do enable DNS rebinding protection however. Typically there are ways of turning it off entirely or selectively based on domain. Examples:

DD-WRT: If you are using "dnsmasq" with DNS rebinding protection enabled, you can add this line to your router configuration file:

rebind-domain-ok=/unraid.net/

pfSense: If you are using pfSense internal DNS resolver service, you can add these Custom Option lines:

server:
private-domain: "unraid.net"

Ubiquiti USG router: you can add this configuration line:

set service dns forwarding options rebind-domain-ok=/unraid.net/

OpenDNS: Go to Settings -> Security and remove the checkbox next to "Suspicious Responses - Block internal IP addresses". It is an all-or-nothing setting.

When all else fails, you can create an entry in your PC's hosts file to override external DNS and directly resolve your server's unraid.net FQDN to its local IP address.

From searching around, my understanding was that the fix for this is adding unraid.net to the Alternate Hostnames in Settings/Administration, but this didn't work. I was able to get it working by checking Disable DNS Rebinding Checks, but now I'm stuck with that having to be checked or I'm unable to connect to the server GUI.

I feel like I'm missing something obvious or I've got some setting wrong somewhere... Any help is appreciated and I can provide any additional relevant info that's needed. Thanks!
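The help text above describes the mechanism in prose: the resolver drops answers that point into private address space unless the queried name sits under an explicitly allowed domain (Unbound's `private-domain` option in the pfSense example). The following is an added Python model of that filter, not code from Unraid, OPNsense or Unbound; the hostname and addresses are constructed, and the real Unraid hostname is a per-server hash under unraid.net.

```python
import ipaddress

# Constructed allow-list, mirroring the Unbound option  private-domain: "unraid.net"
PRIVATE_DOMAINS = {"unraid.net"}


def is_private_target(addr: str) -> bool:
    """True for addresses a rebinding filter should refuse to hand to clients:
    RFC 1918, loopback and link-local ranges."""
    ip = ipaddress.ip_address(addr)
    return ip.is_private or ip.is_loopback or ip.is_link_local


def under_private_domain(qname: str, private_domains) -> bool:
    """True if qname equals, or is a subdomain of, any allowed domain.
    The leading dot in the suffix check stops 'notunraid.net' from matching."""
    name = qname.rstrip(".").lower()
    for dom in private_domains:
        d = dom.rstrip(".").lower()
        if name == d or name.endswith("." + d):
            return True
    return False


def rebind_filter(qname: str, answers, private_domains=PRIVATE_DOMAINS):
    """Model of resolver DNS-rebinding protection.

    answers: list of A-record targets (as strings) for qname.
    Returns (kept, dropped): private targets are dropped unless qname is
    covered by the allow-list, in which case everything is kept as-is.
    """
    if under_private_domain(qname, private_domains):
        return list(answers), []
    kept = [a for a in answers if not is_private_target(a)]
    dropped = [a for a in answers if is_private_target(a)]
    return kept, dropped


if __name__ == "__main__":
    # Constructed hash-style hostname and LAN address, as in the Unraid error message.
    host = "abc123def456.unraid.net"
    print("allow-listed :", rebind_filter(host, ["192.168.1.10"]))
    print("no allow-list:", rebind_filter(host, ["192.168.1.10"], private_domains=set()))
    print("other domain :", rebind_filter("www.example.com", ["192.168.1.10", "104.16.0.1"]))
```

With the allow-list empty, the LAN answer is dropped and the client sees no usable record, which is the failure the Unraid error message reports; adding the parent domain to the allow-list lets the hashed subdomain resolve without disabling the check globally.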
Title: Re: Confused with DNS Rebinding
Post by: SoCold on October 16, 2021, 08:10:08 pm
Bump
Title: Re: Confused with DNS Rebinding
Post by: Fright on October 16, 2021, 09:39:54 pm
What DNS resolver do you use?
Alternate Hostnames in Settings/Administration is used in GUI authentication (GUI protection if someone tries to access by a name other than the name in System: Settings: General).

To exclude a domain from rebinding protection, the resolver settings are used.
Title: Re: Confused with DNS Rebinding
Post by: SoCold on October 18, 2021, 05:54:07 pm
Quote
What DNS resolver do you use?
Alternate Hostnames in Settings/Administration is used in GUI authentication (GUI protection if someone tries to access by a name other than the name in System: Settings: General).

To exclude a domain from rebinding protection, the resolver settings are used.

Hi Fright,

Thank you for the reply. I use Unbound DNS and PiHole. In my DHCP settings I have the PiHole for DNS Server and then in PiHole I have the firewall listed for DNS. So my DNS should go as follows:

PiHole - Unbound - 8.8.8.8 (DNS server in System/Settings/General/Networking/DNS servers)

Based on your comment and doing a little reading, my understanding is I need to add a Host Override with the following settings?

Host: *
Domain: unraid.net
Type: A
Value: [local IP]

Thank you again for the help, I knew I was approaching this wrong but just wasn't sure what to try next.

Edit: Host: [a bunch of letters and numbers]. With just a wildcard, any time I go to anything.unraid.net it doesn't like it, and that makes sense.
Title: Re: Confused with DNS Rebinding
Post by: Fright on October 18, 2021, 07:44:25 pm
Hi!
Quote
Host: *
If you decide to do this through the Host Override, IMHO it is more correct to specify the hash from the "[a bunch of letters and numbers]" here ;)
Title: Re: Confused with DNS Rebinding
Post by: SoCold on October 18, 2021, 07:46:17 pm
Quote
Hi!
Quote
Host: *
If you decide to do this through the Host Override, IMHO it is more correct to specify the hash from the "[a bunch of letters and numbers]" here ;)

Thanks Fright, I just edited my post at the same time you replied.