Feature #9304
DNS Rebind Protection should be configurable, defaults should be more sensible
Status:
Resolved
Priority:
Very Low
Assignee:
-
Category:
DNS Resolver
Target version:
-
Start date:
02/03/2019
Due date:
% Done:
0%
Estimated time:
Plus Target Version:
Release Notes:
Description
Problem
The DNS rebind protection approach currently being used by pfSense is too heavy handed. It indiscriminately blocks all RFC1918 ranges regardless of whether or not the resolver/forwarder is reasonably expected to be protecting those networks from potential rebind attacks.
This is a problem for me because I use a VPN that does not map a private DNS server, and instead all private hosts behind the VPN have their FQDNs available in public DNS. With pfSense's unbound resolver operating normally, I can't look up any of the domains behind my VPN because I'm being "protected" from resolving IPs that aren't even on the LAN side of my pfSense box anyway.
Request
- Instead of outright blocking all RFC1918 results, block only ranges that pfSense has a link or route to by default.
- Provide an option to disable the stock rebind protection altogether, which will then allow users to configure granular rebind protections directly in the unbound Custom options.
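The first request above, expressed as an added example (not pfSense or unbound code): a hypothetical helper that keeps only the RFC1918 prefixes the firewall actually has an interface address or route for, and renders them as unbound `private-address:` lines, with a switch that disables the stock protection entirely. The route list is constructed sample input; the default route is deliberately ignored so it cannot pull every private block back in.

```python
"""Scope unbound rebind protection to locally reachable private ranges.

Hypothetical helper, not pfSense's own generator. Instead of emitting
private-address lines for all of RFC1918, it emits only the parts that
overlap a locally attached or routed prefix, so answers pointing at
private hosts reachable only across a remote VPN are not filtered.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def protected_ranges(routes, enabled=True):
    """Return the IPv4 private networks unbound should treat as rebind targets.

    routes: CIDR strings taken from interface addresses and the routing
    table (host bits are tolerated, e.g. "192.168.1.1/24").
    enabled=False models the "turn the stock protection off" option and
    yields nothing, leaving the admin to add their own Custom options.
    """
    if not enabled:
        return []
    kept = set()
    for r in routes:
        net = ipaddress.ip_network(r, strict=False)
        # Skip IPv6 and the default route: 0.0.0.0/0 would cover all of RFC1918.
        if net.version != 4 or net.prefixlen == 0:
            continue
        for priv in RFC1918:
            if net.subnet_of(priv):
                kept.add(net)      # routed prefix lies inside a private block
            elif priv.subnet_of(net):
                kept.add(priv)     # a broad route swallows a whole private block
    return sorted(kept)


def unbound_lines(routes, enabled=True):
    """Render unbound.conf `private-address:` directives for the kept ranges."""
    return ["private-address: %s" % n for n in protected_ranges(routes, enabled)]


if __name__ == "__main__":
    # Constructed sample: one LAN, one routed VPN subnet, a public WAN, default route.
    sample = ["192.168.1.1/24", "10.20.0.0/16", "203.0.113.0/24", "0.0.0.0/0"]
    print("\n".join(unbound_lines(sample)))
```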