Re: [pfSense Support] dns forwarder failing on some hostnames
On Wed, Jan 19, 2011 at 11:54 AM, Chris Buechler wrote:
> You get both if you just use domain overrides for domains where you
> expect private IP responses. Domains in domain overrides are excluded
> since most commonly those return private IPs, generally leaving
> Internet DNS only as where private IP responses are blocked.

Excellent. I'll do that, as there are only three domain names involved (or two, if kcilink.com implies int.kcilink.com).

Thanks a bunch! 2.0 is certainly very very nice looking. I have yet to investigate many of the new features, but the basic upgrade of uploading my 1.2.3 config file into 2.0 worked splendidly.

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] dns forwarder failing on some hostnames
On Wed, Jan 19, 2011 at 8:25 AM, Vick Khera wrote:
> On Tue, Jan 18, 2011 at 9:38 PM, Chris Buechler wrote:
>>> It feels like it is eating up any 192.168.0.0/16 IP address returned
>>> for a hostname.
>>>
>>
>> This is by design to protect against DNS rebinding attacks. If you
>> have to get private IP responses from your upstream DNS you must
>> disable that under System>Advanced.
>>
>
> Thanks. I'll flip that setting when I'm at home.
>
> I read the description on the setting and it is not at all obvious
> that this is the symptom of the checkbox being unset.

That's why I also changed the description pretty considerably last night.

> It totally made all of my VPN servers invisible. Seems a tough
> choice: protect against rebinding or make the VPN usable.
>

You get both if you just use domain overrides for domains where you
expect private IP responses. Domains in domain overrides are excluded
since most commonly those return private IPs, generally leaving
Internet DNS only as where private IP responses are blocked.
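The policy Chris describes above (drop private-range answers coming back from Internet resolvers, but exempt any name under a domain override) is small enough to show end to end. The following is an added example written for this page, not pfSense or dnsmasq code. It models the check as a pure function, feeds it the three answers quoted in the thread, and prints the dnsmasq directives that express the same policy; `stop-dns-rebind` and `rebind-domain-ok=` are real dnsmasq option names, but that pfSense's forwarder emits exactly these lines, and the suffix rule used to decide whether kcilink.com covers int.kcilink.com, are this example's assumptions.

```python
import ipaddress

# Ranges a rebind filter refuses when they appear in an answer from an
# untrusted (Internet) resolver. 192.168.0.0/16 is the one that bit the
# poster; the rest are the other RFC 1918, loopback and link-local ranges.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "::1/128",
)]


def is_private(addr: str) -> bool:
    """True if addr falls in a range the rebind filter blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def in_override(qname: str, override_domains) -> bool:
    """True if qname is an override domain or a subdomain of one.

    Assumed rule: match on a label boundary ('.' + domain), so that
    'evilkcilink.com' is not treated as part of 'kcilink.com'.
    """
    q = qname.rstrip(".").lower()
    for d in override_domains:
        d = d.rstrip(".").lower()
        if q == d or q.endswith("." + d):
            return True
    return False


def filter_answer(qname, answers, override_domains, stop_dns_rebind=True):
    """Apply the rebind check to an A/AAAA answer set.

    Returns (kept, dropped). With the check on and no matching override,
    every private address is dropped; an answer set that becomes empty is
    what the poster saw as NOERROR with ANSWER: 0.
    """
    if not stop_dns_rebind or in_override(qname, override_domains):
        return list(answers), []
    kept = [a for a in answers if not is_private(a)]
    dropped = [a for a in answers if is_private(a)]
    return kept, dropped


def dnsmasq_lines(override_domains):
    """dnsmasq directives for the same policy. The directive names are
    dnsmasq's; that pfSense writes exactly these lines is an assumption."""
    lines = ["stop-dns-rebind"]
    if override_domains:
        lines.append("rebind-domain-ok=/" + "/".join(override_domains) + "/")
    return lines


# Constructed from the answers quoted in the thread.
UPSTREAM = {
    "vk-dev.int.kcilink.com": ["192.168.7.96"],
    "mmfe1.m1e.net": ["206.112.95.7"],
    "mmfe1-prv.m1e.net": ["192.168.100.7"],
}

if __name__ == "__main__":
    for overrides in ([], ["kcilink.com", "m1e.net"]):
        print("overrides:", overrides or "none")
        for name, rrset in UPSTREAM.items():
            kept, dropped = filter_answer(name, rrset, overrides)
            print(f"  {name:26} kept={kept} dropped={dropped}")
    print("\n".join(dnsmasq_lines(["kcilink.com", "m1e.net"])))
```

Run it and the first pass reproduces the symptom: both 192.168.x answers are dropped and mmfe1.m1e.net survives, while the second pass with the two overrides keeps everything. The important check is the label-boundary match in `in_override`; a plain substring test would let an attacker-registered name that merely ends in the override text slip past the filter.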
Re: [pfSense Support] dns forwarder failing on some hostnames
On Tue, Jan 18, 2011 at 9:38 PM, Chris Buechler wrote:
>> It feels like it is eating up any 192.168.0.0/16 IP address returned
>> for a hostname.
>>
>
> This is by design to protect against DNS rebinding attacks. If you
> have to get private IP responses from your upstream DNS you must
> disable that under System>Advanced.
>

Thanks. I'll flip that setting when I'm at home.

I read the description on the setting and it is not at all obvious that this is the symptom of the checkbox being unset.

I guess this also explains the metric ton-load of warnings about DNS rebinding attempts for my phone trying to connect to the office's PBX server...

It totally made all of my VPN servers invisible. Seems a tough choice: protect against rebinding or make the VPN usable.
Re: [pfSense Support] dns forwarder failing on some hostnames
On Tue, Jan 18, 2011 at 4:49 PM, Vick Khera wrote:
> I updated from my 1.2.3 based WRAP box to a 2.0-BETA5 (self-updated
> after install to have latest image from around 4am today) ALIX box
> earlier this afternoon. I observe the same behavior from a December
> 13 firmware (I made the CF card way back then).
>
> Almost everything is working. I am having some trouble with the DNS
> forwarder but only for *some* domains. This did not occur with
> 1.2.3-RELEASE.
>
> 192.168.135.1 is my pfSense LAN address. The WAN is over comcast,
> which assigns 75.75.75.75 and 75.75.76.76 as the DNS servers. I have
> selected the "allow DHCP to override the DNS servers" option on the
> WAN.
>
> It feels like it is eating up any 192.168.0.0/16 IP address returned
> for a hostname.
>

This is by design to protect against DNS rebinding attacks. If you have to get private IP responses from your upstream DNS you must disable that under System>Advanced.
[pfSense Support] dns forwarder failing on some hostnames
I updated from my 1.2.3 based WRAP box to a 2.0-BETA5 (self-updated after install to have latest image from around 4am today) ALIX box earlier this afternoon. I observe the same behavior from a December 13 firmware (I made the CF card way back then).

Almost everything is working. I am having some trouble with the DNS forwarder but only for *some* domains. This did not occur with 1.2.3-RELEASE.

192.168.135.1 is my pfSense LAN address. The WAN is over comcast, which assigns 75.75.75.75 and 75.75.76.76 as the DNS servers. I have selected the "allow DHCP to override the DNS servers" option on the WAN.

It feels like it is eating up any 192.168.0.0/16 IP address returned for a hostname. If I look up certain host names, I get back an empty response from the DNS forwarder, but other DNS servers work just fine:

[lappy]% dig vk-dev.int.kcilink.com

; <<>> DiG 9.6.0-APPLE-P2 <<>> vk-dev.int.kcilink.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7576
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;vk-dev.int.kcilink.com.        IN      A

;; Query time: 43 msec
;; SERVER: 192.168.135.1#53(192.168.135.1)
;; WHEN: Tue Jan 18 16:35:34 2011
;; MSG SIZE  rcvd: 40

[lappy]% dig vk-dev.int.kcilink.com @75.75.75.75

; <<>> DiG 9.6.0-APPLE-P2 <<>> vk-dev.int.kcilink.com @75.75.75.75
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4576
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;vk-dev.int.kcilink.com.        IN      A

;; ANSWER SECTION:
vk-dev.int.kcilink.com. 3089    IN      A       192.168.7.96

;; Query time: 18 msec
;; SERVER: 75.75.75.75#53(75.75.75.75)
;; WHEN: Tue Jan 18 16:35:42 2011
;; MSG SIZE  rcvd: 56

Note below how mmfe1-prv.m1e.net fails but mmfe1.m1e.net does not. mmfe1-prv.m1e.net should resolve to 192.168.100.7.

[lappy]% dig mmfe1.m1e.net

; <<>> DiG 9.6.0-APPLE-P2 <<>> mmfe1.m1e.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10198
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mmfe1.m1e.net.                 IN      A

;; ANSWER SECTION:
mmfe1.m1e.net.          14299   IN      A       206.112.95.7

;; Query time: 8 msec
;; SERVER: 192.168.135.1#53(192.168.135.1)
;; WHEN: Tue Jan 18 16:38:26 2011
;; MSG SIZE  rcvd: 47

[lappy]% dig mmfe1-prv.m1e.net

; <<>> DiG 9.6.0-APPLE-P2 <<>> mmfe1-prv.m1e.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41805
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mmfe1-prv.m1e.net.             IN      A

;; Query time: 40 msec
;; SERVER: 192.168.135.1#53(192.168.135.1)
;; WHEN: Tue Jan 18 16:38:34 2011
;; MSG SIZE  rcvd: 35

Seems the only solution is to disable the DNS forwarder and renew the DHCP leases.