Join Log in
Score:0
erotavlas avatar Server

Web server, firewall and active directory: internal network connection error "DNS rebinding attack"

fr flag
erotavlas

I have a problem with a web server (WS) (apache on ubuntu 20.04 server), Fortinet Firewall (FF) and windows Active Directory (AD). My ISP recently upgraded my Internet connection and changed some configuration (static IP addresses and subnet). Before the upgrade, there was no problem. In particular, the AD was behind FF while the WS was external to it (machines from local networks and from external networks reached the WS from the Internet).

After the upgrade, the configuration of AD and WS is still the same, but due to change of my ISP, I have connection problems between my local network managed by AD and the WS. In detail, on firefox I get error message from ISP firewall pfsense "potential DNS rebinding attack detected try to access to WS via IP instead of hostname" on chromium the problem is the same, but I get less specific error. Whereas there is not any problem by connecting to the WS from any external network. I contacted my ISP asking about the error, they told me that they changed their configuration and that to solve the problem I should use their DNS only.

I know apache and GNU/linux quite well whereas I'm not good at both AD and FF. I searched on the web about changing DNS for AD. So I set up as local DNS a local machine (DHCP) and as external/forwarder DNS (the one provided by the ISP). However, the problem is still present. My first idea is to move WS from outside FF into a DMZ in such a way that machines from the internal network could reach it as a local connection without passing from the Internet. However, this requires some change in FF configuration (I have to learn it). Is there something that I can do in the meantime? Something on AD? Thank you

Edit: I attached a schematic of the network. On the first page, there is the network configuration before the upgrade of my ISP1. The current network configuration is in the second page. In the meantime, I contacted my ISP again and it configured pfsense with split DNS as described here. Now, after configuring the AD with only ISP1 DNS, the potential DNS rebinding attack problem seems solved. I could leave the configuration of network in this way since it is working. However, I'm still planning to configure a DMZ as showed on the third page. In theory it should be enough to follow this guide. Do you have any suggestion? Am I missing something?

40
0 + 2
web
djdomi avatar
za flag
djdomi
Can you please be more Specific what is the question and problem? Questions seeking installation, configuration or diagnostic help must include the desired end state, the specific problem or error, sufficient information about the configuration and environment to reproduce it, and attempted solutions. Questions without a clear problem statement are not useful to other readers and are unlikely to get good answers.
0
Reply
erotavlas avatar
fr flag
erotavlas
You are right. I edited the question by adding further information.
1
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.