pfSense - NAT resulting in DNS rebind error from local network

COGlory · January 5, 2019, 5:59am

So I have a couple of Dell Optiplexes (Optipli?). One is running pfSense, the other is running a Linux/DynDNS/Docker/Traefik/Nextcloud stack. The way Traefik is configured, when there’s incoming traffic from cloud.mydomain.com, it redirects it to the proper server.

The cloud.mydomain.com was working fine on my old router. But when I put up my pfSense box, it broke. I have NAT set up for WAN and LAN for HTTP and HTTPS to that box. I have a static IP assigned to it, and the weird thing is that accessing it off the network via cloud.mydomain.com works just fine. Local access, however, gives me a DNS Rebind error.

I tried disabling the DNS Resolver and switching to DNS Forwarder (still not totally sure on the differences between the two) and adding an exception for cloud.mydomain.com. This worked OK for a while, but then randomly stopped working and giving me the DNS Rebind warning/error. I can’t use the local IP because of the Traefik rules.

Is there any way to set this up properly so that it forwards my domain to the actual machine? Thanks for the help.

Dexter_Kane · January 5, 2019, 7:05am

You should use the resolver, the forwarder is legacy. Basically the difference is that the resolver is unbound and the forwarder is dnsmasq.

Are you trying to access your local server using a global FQDN? If so you’ll just need to add entries on your local DNS server and that should work.

COGlory · January 6, 2019, 9:15pm

OK great, so I managed to get it working, thanks. I added a Host Override and realized I had been doing it wrong. To get it to work you apparently enter the subdomain in the host field, and the root domain in the domain field, and it will concatenate them for you. I was entering the host as the hostname of the server, and the domain as the FQDN (so like server name, subdomain.domain.com) which was resulting in server.subdomain.domain.com which was not the proper address.

I also added the following to the DNS Resolver custom options to solve the DNS Rebind Attack warning:

server:
private-domain: "subdomain.mydomain.com"

Thanks for the clarification!