pfsense DNS Rebinding Protections

DNS Rebinding Protections

pfSense includes two built in methods of protection against DNS rebinding attacks. These measures are described below.
DNS forwarder

The DNS forwarder (dnsmasq) uses the option –stop-dns-rebind by default, which rejects and logs addresses from upstream nameservers which are in the private IP ranges. In the most common usage, this is filtering DNS responses you’re getting from the Internet to prevent DNS rebinding attacks. Internet DNS responses should never come back with a private IP, hence it’s safest to block this.

Note this is automatically overridden for domains in the DNS forwarder’s domain override list, as the most common usage of that functionality is to resolve internal DNS hostnames.
Web interface protection

For those not using the DNS forwarder and already having that protection, and as an additional layer of checks, the web interface will block attempts to access it via an unknown hostname. It will display “Potential DNS Rebind Attack Detected” and drop any request. By default, only the hostname and domain configured under System>General Setup are accepted. For instance if you have configured as your system’s hostname, and you try to browse to it using, that attempt will be rejected. You can add additional hostnames under System>Advanced, “Alternate Hostnames”.

Note you can log in using the IP address of the system rather than the hostname should you find yourself unable to log in with this message. Then configure the hostname(s) accordingly and you will be able to log in using the hostname