Topic: Domains redirect to A potential DNS Rebind attack (Read 3136 times)
Halfhidden (Newbie, Posts: 3, Karma: 0)
Domains redirect to A potential DNS Rebind attack
Posted on: September 16, 2023, 03:49:25 pm
I've been going nuts trying to figure out what I've done wrong.
I've moved over from pfSense to OPNsense as I believe that the OPNsense software is far superior, but I still have a lot to learn.
In short, my domains seem to be redirected back to the OPNsense IP, giving me a potential DNS Rebind attack.
This is how I've set up my home lab:
OPNsense runs as a VM on the same Proxmox 8 server as all the apps.
I created a DHCP pool within OPNsense for all the apps, containers and VMs, and static-mapped the servers I wished to reverse proxy.
As I have 4 physical network cards, I have LAN, WAN and DMZ. I set up a DMZ with a DHCP scope outside of the OPNsense scope, added one app (Nginx Proxy Manager) and static-mapped that from the DMZ pool.
The Proxmox node is on a static IP outside of any DHCP scope.
OPNsense is 192.168.1.1 and serves a DHCP scope of 192.168.1.15 > 100.
NPM (Nginx Proxy Manager) is set to 192.168.1.5 as a static map, so it sits in the DMZ.
The DMZ is 192.168.1.2 with a DHCP scope of 192.168.1.5 > 10.
I created an alias to allow ports for NPM and firewall rules to allow access to NPM from the internal network:
Action: Pass
Interface: LAN
TCP/IP Version: IPv4+IPv6 (IPv6 is optional)
Protocol: TCP
Source: LAN net
Source Port: any
Destination: 192.168.1.5
Destination Port: (an alias for ports 80, 81 and 443)
I then created a rule to allow access to the servers from NPM:
Action: Pass
Interface: DMZ
TCP/IP Version: IPv4+IPv6 (IPv6 is optional)
Protocol: TCP
Source: 192.168.1.5 (or use an alias which may include the IPv6 address)
Source Port: any
Destination: 192.168.1.111, 192.168.112, 192.168.113, 192.168.113, 192.168.114
Destination Port: WebServerPorts (an alias for ports 80 and 443)
I then created a NAT port forwarding rule to allow external network access:
Interface: WAN
TCP/IP Version: IPv4+IPv6 (IPv6 is optional)
Protocol: TCP
Source: any
Source Port: any
Destination: WAN address
Destination Port: WebServerPorts (an alias for ports 80 and 443)
Redirect target IP: 192.168.1.5
Redirect target port: WebServerPorts (an alias for ports 80 and 443)
Filter rule association: Add associated filter rule
Any idea what I've done wrong? The domains should be redirected to the internal network but clearly aren't.
EDIT:
I've since moved OPNsense from port 443 to 10443, but now the website cannot be reached. It looks like port forwarding isn't working.
Last Edit: September 16, 2023, 04:20:09 pm by Halfhidden
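For readers hitting the same symptom: the "potential DNS Rebind attack" page is served by the OPNsense web GUI itself when it receives a request whose Host header is not the firewall's own name. The model below is an added example (not code from the thread or from OPNsense) of how the rule set in the post handles a connection from a LAN client to the published hostname. It assumes, as constructed values not stated in the post, that the public DNS answer for the name is the WAN address 203.0.113.10, that the GUI listens on all of the firewall's addresses, and that no NAT reflection is enabled; the hostname app.example.com is also made up.

```python
"""Added example: where does a TCP connection from a client to the published
hostname end up under the post's port forward and LAN pass rule?

Assumptions (constructed, not from the thread): public DNS maps the name to
the WAN address; the OPNsense GUI listens on every firewall address; NAT
reflection is off. A port forward on WAN only sees packets that enter on WAN.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

WAN_ADDR = "203.0.113.10"        # constructed public address of the WAN interface
FW_LAN_ADDR = "192.168.1.1"      # OPNsense LAN address from the post
NPM_ADDR = "192.168.1.5"         # Nginx Proxy Manager address from the post
LAN_NET = ip_network("192.168.1.0/24")

# Constructed public DNS answer: the published name points at the WAN address.
PUBLIC_DNS = {"app.example.com": WAN_ADDR}


@dataclass(frozen=True)
class PortForward:          # NAT rule from the post: WAN, 80/443 -> 192.168.1.5
    interface: str
    dst_addr: str
    dst_ports: frozenset


@dataclass(frozen=True)
class PassRule:             # LAN rule from the post: LAN net -> 192.168.1.5 on 80/81/443
    interface: str
    src_net: object
    dst_addr: str
    dst_ports: frozenset


PORT_FORWARD = PortForward("WAN", WAN_ADDR, frozenset({80, 443}))
LAN_RULE = PassRule("LAN", LAN_NET, NPM_ADDR, frozenset({80, 81, 443}))


def resolve(hostname, overrides):
    """A host override in the local resolver (split DNS) beats the public answer."""
    return overrides.get(hostname, PUBLIC_DNS[hostname])


def ingress_interface(src):
    """Which firewall interface a packet from src arrives on (LAN subnet or outside)."""
    return "LAN" if ip_address(src) in LAN_NET else "WAN"


def route_connection(src, hostname, dport, overrides=None, gui_port=443):
    """Return (outcome, address, port) for a TCP connection from src to hostname:dport."""
    overrides = overrides or {}
    dst = resolve(hostname, overrides)
    iface = ingress_interface(src)
    # 1. rdr (port forward) is evaluated first, but only for packets on its own interface.
    if (iface == PORT_FORWARD.interface and dst == PORT_FORWARD.dst_addr
            and dport in PORT_FORWARD.dst_ports):
        return ("npm", NPM_ADDR, dport)     # redirect target port equals the destination port in the post
    # 2. Without reflection, a LAN packet addressed to the WAN address is delivered
    #    to the firewall itself, not forwarded.
    if dst in (WAN_ADDR, FW_LAN_ADDR):
        if dport == gui_port:
            # The GUI sees a Host header that is not the firewall's own name.
            return ("gui: potential DNS Rebind attack", dst, dport)
        return ("refused: nothing listening", dst, dport)
    # 3. Otherwise the packet is forwarded and the interface filter rules decide.
    if (iface == LAN_RULE.interface and ip_address(src) in LAN_RULE.src_net
            and dst == LAN_RULE.dst_addr and dport in LAN_RULE.dst_ports):
        return ("npm", dst, dport)
    return ("blocked", dst, dport)


if __name__ == "__main__":
    print("internet client   :", route_connection("198.51.100.7", "app.example.com", 443))
    print("LAN client        :", route_connection("192.168.1.50", "app.example.com", 443))
    print("LAN, GUI on 10443 :", route_connection("192.168.1.50", "app.example.com", 443, gui_port=10443))
    print("LAN, split DNS    :", route_connection("192.168.1.50", "app.example.com", 443,
                                                  {"app.example.com": NPM_ADDR}))
```

The four calls reproduce the thread's symptoms in order: outside clients reach NPM, a LAN client lands on the GUI and gets the rebind warning, moving the GUI to 10443 turns that into a refused connection, and an Unbound host override for the name (or enabling reflection for port forwards in Firewall > Settings > Advanced) sends the LAN client through the LAN pass rule to NPM. Note that the poster's own root cause, found later in the thread, was a DHCP lease from the wrong server; the model only covers the symptom named in the title.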
Halfhidden (Newbie, Posts: 3, Karma: 0)
Re: Domains redirect to A potential DNS Rebind attack
Reply #1 on: September 16, 2023, 05:52:15 pm
Edit:
It seems that I have set this up correctly (all but the wrong IP address for the reverse proxy, which should be 192.168.1.5, not 192.168.1.2), and quite by accident I actually tested the domains from my phone, which is connected to a different network. Most of the domains are actually working.
So my local PC (on the same network) is blocking any domain that is originating from the same network.
A firewall thing, I guess... Anyone know what this is?
Halfhidden (Newbie, Posts: 3, Karma: 0)
Re: Domains redirect to A potential DNS Rebind attack
Reply #2 on: September 18, 2023, 09:27:15 pm
Solved:
This was solved when I looked further into the way I set up the network.
I set up a DMZ, placed nginx in it and then placed everything else behind the OPNsense firewall.
That seemed like good practice, except that in my configuration I had two DHCP servers, one for the DMZ and the other for OPNsense. Although they were set up for different segments of the same subnet, that was my fatal error.
Unknown to me, the DHCP server for the DMZ gave my local PC an address. Stupid me, I didn't check that, and obviously I was on the wrong side of the firewall. Duh!!
I've resolved this now and everything works as it should.
I can't see how to mark this as solved... anyone know?
Last Edit: September 18, 2023, 09:28:51 pm by Halfhidden
Amr (Jr. Member, Posts: 78, Karma: 4)
Re: Domains redirect to A potential DNS Rebind attack
Reply #3 on: November 01, 2023, 09:12:02 am
Quote: I can't see how to mark this as solved... anyone know?
Just edit your post and add [Solved] before the post's subject.
With that said, I advise you to consider changing your network topology. Your setup is really confusing and not recommended (I don't think you would be able to find a single professional who's willing to support your setup). Having everything in the same subnet (DMZ included) and using firewall rules to control traffic between them by IP is a horror story for future upgrades/expansion. You might get away with it since everything is virtualized and it works kind of like a managed switch, and the fact that this is a home lab, but I recommend you learn good practices and deploy them to get a feeling for them.
Here's a couple of ideas to start from:
- Since your host has 4 physical NICs, I would leave 1 for Proxmox (a management port in case something horrible happens and you need emergency access to the hypervisor, for example OPNsense is down and you can't reach Proxmox from LAN).
- Pass the rest to the firewall (OPNsense) and create WAN, LAN and DMZ with a separate subnet each on a separate port (since this is a virtual environment you can even create virtual interfaces to use for the DMZ, or any other service that's virtualized on the same host), e.g. 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24. Open the required ports between LAN and the DMZ host, then attach your other VMs/applications to the specific physical/virtual interface. I did a similar setup in my homelab once, but I no longer use Proxmox so I can't help you right now with config examples.
Disclaimer: All advice presented is "AS IS", no warranties.
I'm not part of the opnsense team, just trying to help.
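As an added example (not code from the thread or from OPNsense), here is a small lint that makes the "same subnet on two interfaces" problem from the Solved post and the reply above visible before a client takes a lease from the wrong server. The scope ranges for the flat layout are the ones stated in the thread; the 192.168.2.0/24 DMZ ranges for the separated layout are constructed to match the reply's suggestion.

```python
"""Added example: lint DHCP scopes for the layout problems discussed in the thread.

FLAT_LAYOUT is the poster's configuration (two DHCP servers, both handing out
192.168.1.x); SEPARATED_LAYOUT is the one-subnet-per-interface layout from the
reply, with constructed 192.168.2.0/24 addresses for the DMZ.
"""
from ipaddress import ip_address, ip_network

FLAT_LAYOUT = [
    {"interface": "LAN", "subnet": "192.168.1.0/24",
     "range": ("192.168.1.15", "192.168.1.100"), "static": {}},
    {"interface": "DMZ", "subnet": "192.168.1.0/24",
     "range": ("192.168.1.5", "192.168.1.10"), "static": {"npm": "192.168.1.5"}},
]

SEPARATED_LAYOUT = [
    {"interface": "LAN", "subnet": "192.168.1.0/24",
     "range": ("192.168.1.15", "192.168.1.100"), "static": {}},
    {"interface": "DMZ", "subnet": "192.168.2.0/24",          # constructed
     "range": ("192.168.2.20", "192.168.2.50"), "static": {"npm": "192.168.2.5"}},
]


def scope_issues(scopes):
    """Return human-readable findings for a list of DHCP scope definitions."""
    issues = []
    for s in scopes:
        net = ip_network(s["subnet"])
        start, end = (ip_address(x) for x in s["range"])
        if start not in net or end not in net or start > end:
            issues.append(f"{s['interface']}: pool {start}-{end} is not a valid range inside {net}")
        for name, addr in s["static"].items():
            a = ip_address(addr)
            if start <= a <= end:
                issues.append(f"{s['interface']}: static map {name} ({a}) sits inside the dynamic "
                              f"pool {start}-{end}; keep static mappings outside the pool")
    # Pairwise: two interfaces sharing address space is the thread's root cause.
    for i, a in enumerate(scopes):
        for b in scopes[i + 1:]:
            na, nb = ip_network(a["subnet"]), ip_network(b["subnet"])
            if na.overlaps(nb):
                issues.append(f"{a['interface']} and {b['interface']} overlap ({na} / {nb}): the "
                              f"interface 'net' aliases match the same hosts, so rules written for one "
                              f"segment also match the other, and a client that can reach both DHCP "
                              f"servers may take a lease from either one")
    return issues


def lease_origin(addr, scopes):
    """Which DHCP server's dynamic pool contains addr (None if no pool does)."""
    a = ip_address(addr)
    for s in scopes:
        start, end = (ip_address(x) for x in s["range"])
        if start <= a <= end:
            return s["interface"]
    return None


if __name__ == "__main__":
    for name, layout in (("flat", FLAT_LAYOUT), ("separated", SEPARATED_LAYOUT)):
        findings = scope_issues(layout)
        print(f"{name}: {len(findings)} finding(s)")
        for line in findings:
            print("  -", line)
    # The poster's PC ended up with a DMZ lease; the pools tell you which server answered.
    print("192.168.1.7 was leased by:", lease_origin("192.168.1.7", FLAT_LAYOUT))
```

Running it on the flat layout reports the shared /24 and the static mapping inside the DMZ pool; the separated layout reports nothing, and `lease_origin` shows that any address in 192.168.1.5-10 could only have come from the DMZ server, which is the quick check the poster wished they had made.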