DNS Rebind minimal bypass

NOTE: this is not hacking, this is an infrastructure tip to allow public DNS servers to serve internal IPs

tl;dr

pfSense walkthrough & OPNsense walkthrough

Why?

So, I have used pfSense for a long time and recently switched over to OPNsense ( mainly because of the WireGuard VPN feature they support ). One thing that both of these firewalls protect against by default is something called DNS rebinding, and while this is an awesome feature that I will always recommend everyone keep on, I am also efficient ( **cough** lazy **cough** ) in the sense that I don't want to run my own internal DNS for IP addresses that are inside my network. Yes, I could add DNS records inside the firewalls, but DigitalOcean/VPS providers have nicer GUIs 😁 .

So, if you add up all my previous statements and you understand what a DNS rebind attack is, then you know I am in a kerfuffle... Since these firewalls prevent DNS rebind attacks, I won't be able to resolve any of my internal IPs from those VPS providers... ok, I guess I will just turn off the DNS rebind protection...

NO!!! Don't do that... we just talked about how that was such an amazing feature... so here is how you can "disable" DNS rebind protection for specific trusted domains inside of both firewalls.

Feature Name

Both of these firewalls have something called Domain Overrides ( pfSense & OPNsense ), which are DNS forwarder settings that let you hand queries for specific domains you list to some other resolver. So, instead of your firewall resolving the IP addresses for that domain ( and blocking the answer because it is an internal IP ), you can point it to 9.9.9.9 so that Quad-9 resolves that internal IP address for you. That lets you resolve internal IP addresses through a public DNS provider, while rebind protection stays on for every domain you did not list! The next sections are screenshots showing how to reach each firewall's setting.
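To make the policy concrete, here is an added Python model of what the firewall is doing (it is not pfSense, OPNsense or Unbound code): an answer pointing at a private address is dropped unless the queried name falls under a domain you listed as an override. The trusted domain `example.com`, the `.test` names and all IP values are constructed sample data.

```python
import ipaddress

# Address ranges a rebind-protecting resolver refuses to hand back for names it
# does not trust. Constructed approximation of the usual private/loopback/link-local set.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "fc00::/7", "fe80::/10", "::1/128",
)]


def is_private(ip: str) -> bool:
    """True when the address lies in one of the protected ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def under_domain(qname: str, domain: str) -> bool:
    """Label-based match: qname equals domain or is a subdomain of it.

    A plain substring test would wrongly accept 'example.com.evil.test'.
    """
    q, d = qname.rstrip(".").lower(), domain.rstrip(".").lower()
    return q == d or q.endswith("." + d)


def filter_answer(qname: str, ip: str, trusted_domains):
    """Decide whether one A/AAAA answer is passed to the client; returns (allowed, reason)."""
    if not is_private(ip):
        return True, "public address"
    for dom in trusted_domains:
        if under_domain(qname, dom):
            return True, f"private address permitted by override for {dom}"
    return False, "private address for a non-overridden name (rebind protection)"


# Constructed sample answers, as a public resolver might return them.
SAMPLE_ANSWERS = [
    ("nas.example.com.", "192.168.1.10"),      # internal host in the trusted zone
    ("vpn.example.com.", "10.8.0.1"),          # internal host in the trusted zone
    ("www.example.com.", "203.0.113.10"),      # public address, always fine
    ("example.com.evil.test.", "192.168.1.1"), # looks like the zone, is not under it
    ("printer.homelab.test.", "172.16.0.5"),   # private answer for an unlisted domain
]


def audit(answers, trusted_domains):
    """Apply the policy to every answer; maps each name to its (allowed, reason)."""
    return {qname: filter_answer(qname, ip, trusted_domains) for qname, ip in answers}


if __name__ == "__main__":
    for name, (ok, why) in audit(SAMPLE_ANSWERS, ["example.com"]).items():
        print(f"{'ALLOW' if ok else 'BLOCK':5} {name:26} {why}")
```

The run shows why the override is safe to keep narrow: only names under `example.com` get private answers through, and a look-alike such as `example.com.evil.test` is still blocked.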

pfSense - Domain Override

After you log in, go to Services ➡️ DNS Resolver

Then at the very bottom of the page you will see a section called Domain Overrides; click the Add button.

In the picture below replace "example.com" with whatever trusted domain you are trying to resolve, and then click save.

Afterwards, don't forget to click the Apply button.

OPNsense - Domain Override

Once you log in, click on Services ➡️ Unbound DNS ➡️ Overrides

Then click the plus button under the Domain Overrides section.

In the picture below replace "example.com" with whatever trusted domain you are trying to resolve, and then click save.

Don't forget to hit Apply changes.