DNS Rebind Check seems to be inverted

Started by Okami, May 18, 2025, 02:18:00 AM

Hello to all the community. I just found myself trying to solve an issue after upgrading to 25.1.6, and wanted to post it here in case someone else runs into it. I can't rule out that I have something odd in my OPNsense, but here I go.

Before the upgrade I changed from Unbound DNS to dnsmasq in order to forward the DNS queries to a local DNS server (PiHole). I set the DNS in the DHCP options for every VLAN to the gateway (the OPNsense itself), and then the DNS query is forwarded to the PiHole before going outside. To make everything easier in my local network, I configured local DNS records in the DNS server (PiHole) for almost every service I have deployed locally.

For the local DNS records in PiHole to work properly, the option "Disable DNS Rebinding Checks" under System > Settings > Administration has to be checked, so that dnsmasq does not block those queries.

Then I upgraded to 25.1.6, and those local URLs were not working anymore. First I checked the DNS server, which was responding correctly to those queries. Then, after looking into the dnsmasq options and checking the .conf files, I found that the "stop-dns-rebind" and "rebind-localhost-ok" options were enabled in the autogenerated config file. The dnsmasq log files showed that a potential rebind attack was being stopped. After unchecking the option "Disable DNS Rebinding Checks" in the system settings, everything went back to normal.

It's like the option has been reversed somehow, so now if I don't want the rebind check, I have to uncheck the option instead of checking it.

Hello, I can also confirm your findings that this setting's behavior is inverted after the 25.1.6 update.
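
One way to confirm the mismatch described in this thread, as an added example that is not part of either post or of OPNsense: it reads a generated dnsmasq config, reports whether `stop-dns-rebind` is active, compares that with the state of the "Disable DNS Rebinding Checks" checkbox, and lists the names dnsmasq logged as blocked. The file paths, sample files, hostnames and function names are assumptions made for the example; the log wording matched is dnsmasq's "possible DNS-rebind attack detected" warning.

```shell
#!/bin/sh
# Added example (not OPNsense code). Usage: script CONF yes|no [LOG]
#   CONF   generated dnsmasq config (path is supplied by the caller)
#   yes|no whether "Disable DNS Rebinding Checks" is ticked in the GUI

# Print "on" if an uncommented stop-dns-rebind directive is present, else "off".
rebind_state() {
    if grep -Eq '^[[:space:]]*stop-dns-rebind[[:space:]]*(#.*)?$' "$1"; then
        echo on
    else
        echo off
    fi
}

# Print the unique names dnsmasq refused as possible rebind answers.
blocked_names() {
    sed -n 's/.*possible DNS-rebind attack detected: \([^[:space:]]*\).*/\1/p' "$1" | sort -u
}

# "consistent" when the checkbox and the config agree, "inverted" otherwise.
check_rebind() {
    state=$(rebind_state "$1")
    case "$2:$state" in
        yes:off|no:on) echo consistent ;;
        *)             echo inverted ;;
    esac
}

# Write constructed sample files (hypothetical hosts, invented log lines).
make_sample() {
    printf '%s\n' 'port=53' 'stop-dns-rebind' 'rebind-localhost-ok' > "$1/dnsmasq.conf"
    printf '%s\n' \
        'May 18 02:10:01 fw dnsmasq[1234]: possible DNS-rebind attack detected: nas.home.example' \
        'May 18 02:10:02 fw dnsmasq[1234]: forwarded example.org to 192.0.2.53' \
        'May 18 02:10:07 fw dnsmasq[1234]: possible DNS-rebind attack detected: nas.home.example' \
        > "$1/dnsmasq.log"
}

if [ "$#" -ge 2 ]; then
    echo "rebind protection: $(rebind_state "$1") ($(check_rebind "$1" "$2"))"
    if [ -n "${3:-}" ]; then blocked_names "$3"; fi
else
    # No arguments: run on the constructed sample, with the checkbox ticked.
    d=$(mktemp -d)
    make_sample "$d"
    echo "rebind protection: $(rebind_state "$d/dnsmasq.conf") ($(check_rebind "$d/dnsmasq.conf" yes))"
    blocked_names "$d/dnsmasq.log"
    rm -rf "$d"
fi
```
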