DNS Rebinding Protections
pfSense® software includes built-in methods of protection against DNS rebinding attacks.
DNS rebinding attack protection is active by default. This behavior is controlled by the DNS Rebind Check option under System > Advanced, Admin Access tab.
DNS protection
When active, this protection causes the DNS resolver and forwarder to strip RFC 1918 private addresses from DNS responses.
Tip
This is the safest and best practice as responses to DNS queries made through public DNS servers should never include private IP addresses.
There are some cases where public DNS servers return private IP addresses in their replies, though this is not a recommended practice. This may be the case for private internal hostnames under domains owned by an organization that does not use split DNS. In those cases, overrides can be set for individual domains. The exact method depends on which DNS service is active.
DNS Resolver
When DNS rebinding attack protection is active the DNS Resolver strips RFC 1918 addresses from DNS responses. Additionally, the DNSSEC validator may mark the answers as bogus.
Individual domains can be excluded from DNS rebinding protection using the Custom Options box in the DNS Resolver settings. Enter one domain per line in the following format, preceded by a server: line:

    server:
    private-domain: "example.com"
DNS forwarder
The DNS Forwarder uses the option --stop-dns-rebind by default, which rejects and logs addresses from upstream name servers which are in RFC 1918 private IP address ranges.
Individual domains can be excluded from DNS rebinding protection using the DNS Forwarder Advanced Settings box as follows:

    rebind-domain-ok=/example.com/

Note that this is automatically overridden for domains in the DNS Forwarder domain override list, as the most common use of that functionality is to resolve internal DNS hostnames.
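The following is an added example, not code from pfSense, Unbound or dnsmasq, that models the behaviour the Resolver and Forwarder sections above describe: address records in the RFC 1918 ranges are dropped from a DNS answer unless the owner name falls under an excluded domain (the equivalent of private-domain or rebind-domain-ok). The record layout, the sample answer set and the exact set of blocked ranges are assumptions for illustration; the real daemons may block additional ranges. Domain matching is done on label boundaries, so excluding example.com does not accidentally excuse notexample.com, and IPv4-mapped IPv6 addresses are unwrapped so ::ffff:172.16.0.1 is still treated as 172.16.0.1.

```python
import ipaddress
from typing import Iterable, List, Tuple

# RFC 1918 ranges, as named on the page. This list is an assumption for the
# example; Unbound's private-address and dnsmasq's --stop-dns-rebind may cover
# more ranges than this.
PRIVATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# A DNS answer record is modelled as (owner name, rtype, rdata text).
Record = Tuple[str, str, str]

# Constructed sample answer set (not captured traffic).
SAMPLE_ANSWERS: List[Record] = [
    ("www.example.com.", "A", "203.0.113.10"),            # public address, kept
    ("intranet.example.com.", "A", "10.1.2.3"),            # private, but domain is excluded
    ("lure.attacker.test.", "A", "192.168.1.1"),           # classic rebind target, dropped
    ("lure.attacker.test.", "AAAA", "::ffff:172.16.0.1"),  # IPv4-mapped, still dropped
    ("notexample.com.", "A", "10.9.9.9"),                  # suffix look-alike, dropped
    ("mail.example.com.", "MX", "10 mx.example.com."),     # not an address record, kept
]


def is_private(addr: str) -> bool:
    """True if addr is an RFC 1918 address (directly or IPv4-mapped in IPv6)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in PRIVATE_NETS)


def _normalize(name: str) -> str:
    return name.rstrip(".").lower()


def in_allowed_domain(name: str, allowed: Iterable[str]) -> bool:
    """True if name equals, or is a subdomain of, an excluded domain.

    Matching is on label boundaries: 'example.com' covers 'fw.example.com'
    but not 'notexample.com'.
    """
    n = _normalize(name)
    for dom in allowed:
        d = _normalize(dom)
        if n == d or n.endswith("." + d):
            return True
    return False


def filter_rebind(answers: Iterable[Record], allowed: Iterable[str] = ()):
    """Split answers into (kept, dropped) under DNS rebinding protection."""
    allowed = list(allowed)
    kept: List[Record] = []
    dropped: List[Record] = []
    for rec in answers:
        name, rtype, rdata = rec
        if rtype in ("A", "AAAA") and is_private(rdata) and not in_allowed_domain(name, allowed):
            dropped.append(rec)
        else:
            kept.append(rec)
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = filter_rebind(SAMPLE_ANSWERS, allowed=["example.com"])
    for rec in kept:
        print("KEEP ", rec)
    for rec in dropped:
        print("DROP ", rec)
```

Run without an exclusion list and the intranet.example.com record is dropped as well, which is exactly the symptom (internal names failing to resolve) that leads administrators to add a private-domain or rebind-domain-ok entry.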
GUI protection
For those not using the DNS resolver or forwarder, and as an additional layer of checks, the GUI will block access attempts using unknown hostnames. In this case the GUI will deny access and display “Potential DNS Rebind Attack Detected”.
By default the GUI only accepts the hostname and domain configured under System > General Setup. For instance, if firewall.example.com is configured as the firewall hostname and the GUI is loaded in a browser using fw1.example.com, the GUI will reject that attempt. Define additional hostnames under System > Advanced, Admin Access tab in the Alternate Hostnames field.
Tip
If a user encounters this error they can log into the GUI using the IP address of the firewall rather than the hostname.
If a client encounters this message when attempting to access a forwarded service (Port forward, 1:1 NAT, etc) it indicates that the request did not match any NAT rules. From the inside of the network, this would require NAT reflection or split DNS to accomplish.
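The following is an added example, not pfSense's own GUI code, that models the Host header check described above: a request is accepted when the Host header names the configured hostname.domain, one of the Alternate Hostnames, or an IP address literal (the Tip above notes that access by IP address still works), and is otherwise rejected with the "Potential DNS Rebind Attack Detected" message. The function and parameter names, the handling of ports and bracketed IPv6 literals, and the sample inputs are assumptions for illustration; the real GUI is written in PHP and its exact matching rules may differ.

```python
import ipaddress
from typing import Iterable, Optional, Tuple

REJECT_MESSAGE = "Potential DNS Rebind Attack Detected"


def host_from_header(host_header: str) -> Optional[str]:
    """Return the lower-cased host part of an HTTP Host header, without any port.

    Handles 'name', 'name:port', 'v4:port', '[v6]', '[v6]:port' and a bare
    IPv6 literal. Returns None for an empty or malformed header.
    """
    h = host_header.strip()
    if not h:
        return None
    if h.startswith("["):                  # bracketed IPv6 literal, e.g. [fd00::1]:443
        end = h.find("]")
        return h[1:end].lower() if end > 1 else None
    if h.count(":") == 1:                  # exactly one colon: strip the port
        h = h.rsplit(":", 1)[0]
    # More than one colon without brackets can only be a bare IPv6 literal; keep it.
    h = h.rstrip(".").lower()
    return h or None


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def gui_allows_host(host_header: str, hostname: str, domain: str,
                    alternate_hostnames: Iterable[str] = ()) -> Tuple[bool, str]:
    """Decide whether the GUI should serve a request carrying this Host header.

    hostname/domain are the System > General Setup values; alternate_hostnames
    is the Alternate Hostnames list from System > Advanced, Admin Access.
    Returns (allowed, reason), where reason is REJECT_MESSAGE on rejection.
    """
    host = host_from_header(host_header)
    if host is None:
        return False, REJECT_MESSAGE
    if is_ip_literal(host):
        # Access by the firewall's IP address is not a rebind of a hostname.
        return True, "ip-literal"
    allowed = {f"{hostname}.{domain}".lower()}
    allowed.update(a.strip().rstrip(".").lower() for a in alternate_hostnames if a.strip())
    if host in allowed:
        return True, "hostname-match"
    return False, REJECT_MESSAGE


if __name__ == "__main__":
    # Constructed requests against a firewall configured as firewall.example.com
    # with fw1.example.com added as an alternate hostname.
    for hdr in ["firewall.example.com", "fw1.example.com:443", "FW2.example.com",
                "192.168.1.1", "[fd00::1]:443", "lure.attacker.test", ""]:
        ok, why = gui_allows_host(hdr, "firewall", "example.com", ["fw1.example.com"])
        print(f"{hdr!r:28} -> {'allow' if ok else 'deny'} ({why})")
```

The comparison is against the full hostname.domain string, so a bare hostname or a different subdomain under the same domain is rejected just like an attacker-controlled name; add such names to Alternate Hostnames rather than weakening the check.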