mihcox Posted February 21, 2021

I am unable to access my server without using its https://"local ip", and using the **********.unraid.net is not working, instead showing "ERR_NAME_NOT_RESOLVED" in Chrome. I am unable to hit renew, which I believe would resolve this issue. Any suggestions?

Frank1940 Posted February 21, 2021 (edited)

I am jumping in here with a suggestion. Turn on the 'Help' for this page ('?'-in-a-circle icon at the right side of the toolbar at the top of the page). Now, look at the Help material at the bottom of the page. Read the material following these statements:

> Note: Provision may fail if your router or upstream DNS server has DNS rebinding protection enabled. DNS rebinding protection prevents DNS from resolving a private IP network range. DNS rebinding protection is meant as a security feature on a local LAN which includes legacy devices with buggy/insecure "web" interfaces.

This was a big issue when SSL/TLS was first implemented into Unraid. (Problem is I can't remember what the error messages were.) While the solution for many of the routers that enable rebinding protections by default are included in the 'Help' information, it is quite possible that there are now a few more that have implemented it as the default rather than being an option. If you decided to increase router/dns_security, you could have enabled it while doing so.

Edited February 21, 2021 by Frank1940

mihcox Posted February 22, 2021 (edited)

> 7 hours ago, Frank1940 said:
> I am jumping in here with a suggestion. Turn on the 'Help' for this page ('?'-in-a-circle icon at the right side of the toolbar at the top of the page). Now, look at the Help material at the bottom of the page. Read the material following these statements:
>
> This was a big issue when SSL/TLS was first implemented into Unraid. (Problem is I can't remember what the error messages were.) While the solution for many of the routers that enable rebinding protections by default are included in the 'Help' information, it is quite possible that there are now a few more that have implemented it as the default rather than being an option. If you decided to increase router/dns_security, you could have enabled it while doing so.

I don't think that's it, I'm using a pihole and these are my router settings:

https://192.xxx.xxx.xx is working though it is showing as "not secure"

Edited February 22, 2021 by mihcox

Frank1940 Posted February 22, 2021

Please read my earlier post as I left out two words which completely change the meaning of that sentence!

Regarding those settings. I believe you are going to have to turn on the circled one so that the local request is redirected as shown below.

If that does not fix the problem, you could take pihole out of your configuration and see what happens. (Or take your Unraid server off of the pihole service.)

mihcox Posted February 22, 2021

> 13 hours ago, Frank1940 said:
> Please read my earlier post as I left out two words which completely change the meaning of that sentence! Regarding those settings. I believe you are going to have to turn on the circled one so that the local request is redirected as shown below. If that does not fix the problem, you could take pihole out of your configuration and see what happens. (Or take your Unraid server off of the pihole service.)

After doing that, I get the following error in IE when trying to load the page: DLG_FLAGS_SEC_CERT_CN_INVALID

ljm42 Posted February 22, 2021

> On 2/20/2021 at 9:09 PM, mihcox said:
> I am unable to hit renew, which I believe would resolve this issue.

According to the screenshot, the certificate doesn't expire until Apr 2021, so renewing would not help.

What happens when you press "Update DNS"? Does it show that the correct IP address "has been updated for unraid.net"?

> 1 hour ago, mihcox said:
> i get the following error in IE

Sorry, IE is not supported by the Unraid webgui. Please use a current version of Chrome or Firefox. Pretty sure a current version of Edge would work too.

itimpi Posted February 22, 2021

> 19 minutes ago, ljm42 said:
> Pretty sure a current version of Edge would work too

I use Edge all the time for accessing unRaid GUI from Windows without any problems

mihcox Posted February 22, 2021

> 1 hour ago, ljm42 said:
> According to the screenshot, the certificate doesn't expire until Apr 2021, so renewing would not help. What happens when you press "Update DNS"? Does it show that the correct IP address "has been updated for unraid.net"? Sorry, IE is not supported by the Unraid webgui. Please use a current version of Chrome or Firefox. Pretty sure a current version of Edge would work too.

No issue, the same is true for Chrome/Firefox/Edge as well. Just wanted to be clear, I can use https://192.168.xxx.xxx fine, but with the .unraid.net it will not load.

Chrome:

ljm42 Posted February 22, 2021

The Chrome error message shows that your client computer is unable to get an IP address for yourpersonalhash.unraid.net. The most likely cause is DNS Rebinding, although it could be some other local DNS problem.

On your client computer, go to a command prompt and type

    ping rebindtest.unraid.net

If rebinding is NOT an issue you will see that address resolves to 192.168.42.42 (the ping will still fail, but what we are checking here is whether it can resolve to an IP address)

    C:\>ping rebindtest.unraid.net

    Pinging rebindtest.unraid.net [192.168.42.42] with 32 bytes of data:
    Request timed out.

    Ping statistics for 192.168.42.42:
        Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
    Control-C
    ^C

This address has existed for months, so if it does not resolve to an IP address then it is unlikely to be a weird caching problem, it means *something* (either your pihole, your upstream DNS provider, your router, your ISP, perhaps even security software running on the client computer) has DNS rebinding protection that is preventing a valid FQDN from returning a non-routable IP address.

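The check described in the post above, scripted so it also separates "private-range answers are being dropped" from "DNS is not working at all". This is an added example, not part of the original thread or of Unraid; the function names, the verdict labels and the use of `unraid.net` as a public control name are assumptions.

```python
import ipaddress
import socket

TEST_NAME = "rebindtest.unraid.net"               # test record named in the thread
EXPECTED = ipaddress.ip_address("192.168.42.42")  # answer the thread says it returns


def system_resolve(name):
    """IPv4 addresses from the OS resolver for name; empty list if it fails."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def diagnose(resolve=system_resolve, control="unraid.net"):
    """Return (verdict, answers) for the rebinding test.

    control is an assumed public name, used only to tell "private answers are
    dropped" apart from "DNS is not working at all".
    """
    answers = resolve(TEST_NAME)
    if EXPECTED in (ipaddress.ip_address(a) for a in answers):
        return "private-answers-allowed", answers
    if answers:
        # Something answered, but not with the published private address.
        return "unexpected-answer", answers
    if resolve(control):
        # Public names resolve while the private-range answer does not.
        return "rebind-protection-likely", answers
    return "dns-not-working", answers


if __name__ == "__main__":
    verdict, answers = diagnose()
    print(f"{TEST_NAME} -> {answers or 'no address'}: {verdict}")
```

Running it once through each resolver in the path (client default, pihole, router) shows which hop drops the private answer.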
Frank1940 Posted February 22, 2021

@ljm42, Just realized the significance of your avatar... 🤣 🤣 🤣

ljm42 Posted February 22, 2021

> 2 hours ago, Frank1940 said:
> @ljm42, Just realized the significance of your avatar... 🤣 🤣 🤣

oh I just realized my "the answer to life, the universe, and everything" blurb isn't visible, odd

JonathanM Posted February 23, 2021

> 27 minutes ago, ljm42 said:
> oh I just realized my "the answer to life, the universe, and everything" blurb isn't visible, odd

But that's implied by the number. Stating it would be redundant.

mihcox Posted February 23, 2021

> 5 hours ago, ljm42 said:
> The Chrome error message shows that your client computer is unable to get an IP address for yourpersonalhash.unraid.net. The most likely cause is DNS Rebinding, although it could be some other local DNS problem. On your client computer, go to a command prompt and type
>
>     ping rebindtest.unraid.net
>
> If rebinding is NOT an issue you will see that address resolves to 192.168.42.42 (the ping will still fail, but what we are checking here is whether it can resolve to an IP address)
>
>     C:\>ping rebindtest.unraid.net
>
>     Pinging rebindtest.unraid.net [192.168.42.42] with 32 bytes of data:
>     Request timed out.
>
>     Ping statistics for 192.168.42.42:
>         Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
>     Control-C
>     ^C
>
> This address has existed for months, so if it does not resolve to an IP address then it is unlikely to be a weird caching problem, it means *something* (either your pihole, your upstream DNS provider, your router, your ISP, perhaps even security software running on the client computer) has DNS rebinding protection that is preventing a valid FQDN from returning a non-routable IP address.

After trial and error based on what you provided, the unbound server I was using as a part of my pihole was blocking this flow. Pointing my DNS back to Google/Cloudflare worked fine. So other than disabling it so this works, is there a workaround?

Otherwise how can I switch back to just using my local IP, instead of the unraidhash?

ljm42 Posted February 23, 2021

> 2 hours ago, mihcox said:
> After trial and error based on what you provided, the unbound server I was using as a part of my pihole was blocking this flow. Pointing my dns back to google/cloudflare worked fine. So other than disabling it so this works, is there a workaround?

A Google search for "unbound dns rebind protection" points to this: https://pfsense-docs.readthedocs.io/en/latest/dns/dns-rebinding-protections.html

Maybe that can get you started?

Another option would be to override the DDNS provided by unraid.net and hard-code your DNS server so that on your network, yourpersonalhash.unraid.net resolves to the correct IP. The downside is if you later change the IP but forget you set up this local DNS entry, it will be extremely hard to figure out why things aren't working.

> 2 hours ago, mihcox said:
> Otherwise how can I switch back to just using my local ip, instead of the unraidhash?

On the Settings -> Management Access page, set "Use SSL/TLS" to "No".

Skylinar Posted August 26, 2021

In case someone finds this thread searching for why the xxx.unraid.net domain is not accessible using OPNsense with Unbound: for me it was fixed with the setting [System] -> [Settings] -> [Administration] -> [DNS Rebind Check].