Resolving Domains with Private IPs Behind a pfSense Firewall

Having all of your devices on a single subnet is easy and convenient. You can access network resources simply by using their hostname, and everything just works. But that kind of configuration also makes it easy for attackers to break into your systems and steal all of your critical data since there’s very little stopping them from jumping from one system to another.

That’s why the common practice in network security is to segregate traffic within your network. One segment could be for office traffic, another for websites you host, and a further one that contains all of your database servers. These segments would each have their own IP address subnet and firewall rules protecting them from unauthorized access.

The problem now is that these assets cannot be reached through their hostname, only by their IP address. Some organizations simply publish the IPs and have their employees connect directly, but others utilize the Domain Name System or DNS to create a record that ties some sub-domain (such as example.nettexsolutions.com) to a specific internal server (like 192.168.10.105).

Normally this isn’t an issue. Firewalls that act as a DHCP and DNS server will return the address when requested and life goes on. Especially with Cisco equipment and their DNS doctoring technology this is a feature that they include to make life easier, re-translating public IPs back into private IPs for known mappings. But with the pfSense firewall this is disabled by default, and it can cause some issues if you don’t know how to fix it.

So let’s fix it together. The following is verified to work for pfSense version 2.4.4 release 1.

The reason why the domain names are being blocked is because pfSense is trying to do you a favor. There’s an attack strategy called DNS Rebinding that can allow malicious actors to attack your network through tricking you to click a malicious link. By disallowing this function pfSense is stopping those attacks. You can read more about this in the pfSense documentation.

If you’re OK with that level of risk and want your internal IP based domains to work, the next step is to turn off the DNS rebinding protection.

The default setting for the pfSense firewall is to be used as a DNS Resolver. In this mode the system will act as a local DNS server, query the root domain servers directly, and return a result.

To disable DNS Rebinding in this mode, navigate to System -> Advanced in the web interface and uncheck the “DNS Rebinding” option.

For those using the DNS Forwarder option (where the firewall will query an upstream DNS server for the host resolution), the same effect can be achieved on an individual basis by navigating to the DNS Forwarder Advanced Settings box and inputting exceptions one at a time.

rebind-domain-ok=/mydomain.com/

Now, when you test again you should be able to navigate to your private IP based domain names on your local network!

Leave a Reply

Your email address will not be published. Required fields are marked *