[SOLVED] A potential DNS Rebind attack has been detected

Started by giovanit, September 03, 2019, 02:45:32 PM

Hello people.

I created a port forwarding NAT rule for an internal server to make port 80 reachable. Access is via a DNS name, example.test.com.
Access from outside my local network works perfectly, but when I access the same DNS name the following message is displayed:
A potential DNS Rebind attack has been detected.
Try to access the router by IP address instead of by hostname.

I tried numerous NAT settings and also looked for some solutions on google, none worked. Can someone help me?

Just wondering: you mark this issue solved, but don't add the solution. For my curiosity and future readers' reference: what was the solution?

Firewall -> Settings -> Advanced
Enable:
- Reflection for port forwarding
- 1: 1 reflection
- Automatic outbound NAT for reflection NAT

Firewall -> NAT -> Port Forwarding
WAN    TCP    *    *    WAN address    80 (HTTP)    192.168.1.50    80 (HTTP)    Name

Hi,

I solved this only making a change in:

System / Settings / Administration
- Alternate Hostname: my.host.on.ddns.service

Thanks!

Hi,

Can you say which info I need to enter in "alternative hostname"?
Is my.host.on.ddns.service your OPNsense hostname?

I also just bumped into the same issue. Some of my redirects work, but when the redirect points to the firewall itself I get this same warning. I don't want to turn off rebinding protection, as it seems it would bypass my DNS rebinding checks for all requests. Any more updates or answers here?

The following explanation from the official docs is pretty detailed about this situation and the possible fix.

https://docs.opnsense.org/manual/how-tos/nat_reflection.html

Follow the instructions and choose your situation to create the correct port forward rule for NAT reflection.
Additionally, for me it was also necessary to create a NAT outbound rule, because I had my service in a separate DMZ.

Okay, I thought it worked, but it seems I am too dumb to do the right NAT rules. If someone has the right config, I would appreciate the shared rules.


Check mysqld!!
--> systemctl status mysqld
If mysqld is down:
--> systemctl start mysqld
Then connect to the Zabbix web UI.
If it's OK:
--> systemctl enable mysqld
This will make it run automatically after rebooting.

Confirming that the method described, System -> Settings -> Administration, worked where I was using Pangolin to create tunnels to access the OPNsense host in my network for testing purposes. I just wanted to note you can in fact add multiple hostnames that the OPNsense server will be willing to accept, as a space-delimited list in the Alternate Hostnames text box.

The info box if you click it on this setting says as much:

Quote:
Alternate Hostnames for DNS Rebinding and HTTP_REFERER Checks
Here you can specify alternate hostnames by which the router may be queried, to bypass the DNS Rebinding Attack checks. Separate hostnames with spaces.
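To make the behaviour discussed in this thread concrete, here is an added illustration (not OPNsense's own code) of how a web UI's DNS rebinding check decides whether to accept a request: the Host header is compared against the firewall's own hostname and the space-delimited Alternate Hostnames list, and IP-literal access is always allowed, which is why the warning suggests using the IP address. The hostnames and the system hostname used below are constructed for the example.

```python
import ipaddress


def _strip_port(host_header):
    """Return the host part of an HTTP Host header without any :port suffix.
    Bracketed IPv6 literals such as [fd00::1]:443 are handled as well."""
    h = host_header.strip().lower()
    if h.startswith("["):
        end = h.find("]")
        return h[1:end] if end != -1 else h
    # Exactly one colon means host:port; more than one is a bare IPv6 literal.
    return h.rsplit(":", 1)[0] if h.count(":") == 1 else h


def parse_alternate_hostnames(setting):
    """The Alternate Hostnames box is a space-delimited list (see the info box above)."""
    return {name.lower() for name in setting.split()}


def host_header_allowed(host_header, system_hostname, alternate_hostnames=""):
    """True if the request would pass the rebinding check, False if it would be flagged.

    system_hostname: the firewall's own FQDN (constructed value in the demo below).
    alternate_hostnames: the raw contents of the Alternate Hostnames setting.
    """
    host = _strip_port(host_header)
    try:
        ipaddress.ip_address(host)
        return True  # accessed by IP address: the hostname check does not apply
    except ValueError:
        pass
    if host == system_hostname.lower():
        return True
    return host in parse_alternate_hostnames(alternate_hostnames)


if __name__ == "__main__":
    fw = "opnsense.localdomain"  # constructed system hostname
    # The thread's scenario: the public name from inside the LAN, before and after
    # adding it to Alternate Hostnames.
    print(host_header_allowed("example.test.com", fw))                      # False (warning shown)
    print(host_header_allowed("example.test.com:80", fw, "example.test.com"))  # True
    print(host_header_allowed("192.168.1.1", fw))                           # True (IP access)
```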

Quote from: giovanit on September 04, 2019, 01:36:53 PM
Firewall -> Settings -> Advanced
Enable:
- Reflection for port forwarding
- 1: 1 reflection
- Automatic outbound NAT for reflection NAT

Firewall -> NAT -> Port Forwarding
WAN    TCP    *    *    WAN address    80 (HTTP)    192.168.1.50    80 (HTTP)    Name

This is not best practice and should not be used at all.
https://docs.opnsense.org/manual/firewall_settings.html
https://docs.opnsense.org/manual/how-tos/nat_reflection.html