Certificate Provision Issue: DNS Rebinding in UDM Pro?



I'm trying to provision a certificate, and I'm getting the following error:

     

Sorry, an error occurred in processing your SSL certificate. The error is: Your router or DNS server has DNS rebinding protection enabled, preventing

 

The help message seems to show that I need to add configuration line:

Ubiquiti USG router: you can add this configuration line:

set service dns forwarding options rebind-domain-ok=/unraid.net/

and I've been reading that it seems like UDM Pro / UDM would not allow for configuration changes? Is this true?

If this is possible, is there any documentation as to how to get this done? I've tried with SSH, and it doesn't seem to be working.

Link to comment

I don't have any experience with that router, if nobody else chimes in you may need to google "routername dns rebind" and see if you can get details.

 

If you have the option to disable it just for unraid.net that would be best, then you can still have DNS rebind protection for everything else.

Link to comment

Configuration of Ubiquiti USG routers can be customized by the use of the "config.gateway.json" file, see this article of Ubiquiti.

Unfortunately the UDM models don't support this feature. Seems there is no alternative atm.

 

For those interested, the following script can be used in config.gateway.json

 

{
  "service": {
    "dns": {
      "forwarding": {
        "options": ["rebind-domain-ok=/unraid.net/"]
      }
    }
  }
}

 

Link to comment
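
Added example (not part of the original posts, and not Ubiquiti or Unraid code): a simplified Python model of how a dnsmasq-style rebind filter treats the rebind-domain-ok option from the config.gateway.json above, showing that the exemption covers only unraid.net and its subdomains. The private ranges listed, the function names and the sample hostnames and addresses are assumptions constructed for illustration.

```python
import ipaddress
import json

# The config.gateway.json fragment quoted in the thread.
CONFIG_GATEWAY_JSON = """
{"service": {"dns": {"forwarding": {
    "options": ["rebind-domain-ok=/unraid.net/"]}}}}
"""

# Assumption: ranges a rebind filter treats as internal (simplified model).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8",
)]


def load_rebind_ok(config_text):
    """Collect exempt domains from 'rebind-domain-ok=/a/b/' option strings."""
    options = json.loads(config_text)["service"]["dns"]["forwarding"]["options"]
    domains = set()
    for line in options:
        key, _, value = line.partition("=")
        if key.strip() == "rebind-domain-ok":
            domains.update(d.lower() for d in value.split("/") if d)
    return domains


def is_exempt(name, domains):
    """True if name is an exempt domain or a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def filter_answer(name, address, domains):
    """Return 'drop' for a private-range answer to a non-exempt name."""
    ip = ipaddress.ip_address(address)
    internal = any(ip in net for net in PRIVATE_NETS)
    return "drop" if internal and not is_exempt(name, domains) else "pass"


if __name__ == "__main__":
    ok = load_rebind_ok(CONFIG_GATEWAY_JSON)
    # Constructed sample answers: (queried name, address in the reply).
    for name, addr in [("sample-host.unraid.net", "192.168.1.50"),
                       ("intranet.example.com", "192.168.1.50"),
                       ("notunraid.net", "10.0.0.5"),
                       ("example.com", "203.0.113.10")]:
        print(f"{name:28} {addr:15} {filter_answer(name, addr, ok)}")
```
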

I'm connecting to my unRAID server remotely through my UDM Pro without any issues.  I use NextDNS as my DNS provider and run their CLI client on the UDMP.  Who is your DNS provider?  That may well be the issue and not the UDMP.  If it is indeed the UDMP just set up a NextDNS account and install the CLI client on your UDMP with this command:

sh -c 'sh -c "$(curl -sL https://nextdns.io/install)"'

 

Edited by boosting1bar
Link to comment

FWIW, I'm running two unRAID servers behind a UDMP right now with this working properly.

I'm on 1.8.6 firmware. No DNS modifications, using ISP DNS.

The first server worked right away when I set it up. The second one was giving me the same error as you yesterday but provisioned fine today.

Link to comment
15 hours ago, sreknob said:

FWIW, I'm running two unRAID servers behind a UDMP right now with this working properly.

I'm on 1.8.6 firmware. No DNS modifications, using ISP DNS.

The first server worked right away when I set it up. The second one was giving me the same error as you yesterday but provisioned fine today.

Oh weird, I tried it today after reading your comment, and it seems to work fine now...

  • Like 2
Link to comment
  • 2 weeks later...
On 3/16/2021 at 10:46 AM, takkkkkkk said:

Oh weird, I tried it today after reading your comment, and it seems to work fine now...

Just setting up unraid 6.9 and am using the UDMPro, I am getting the same initial error message when provisioning the certificate. I saw the workaround using PiHole but I also am not using it. Any idea what fixed it for you? The UDM is on version 1.9.2 and network version 6.1.70.

Link to comment
18 hours ago, Minimushroomman said:

Just setting up unraid 6.9 and am using the UDMPro, I am getting the same initial error message when provisioning the certificate. I saw the workaround using PiHole but I also am not using it. Any idea what fixed it for you? The UDM is on version 1.9.2 and network version 6.1.70.

Same weird thing, tried again today and it works! Not sure why lol.

Link to comment
  • 2 weeks later...
1 hour ago, fredl said:

I also have the same issue, my UDM-Pro is still on 1.8.5.2964.

What version of the networking software do you have? I'm currently running on 6.1.71, and was on 6.1.70 when I got it to work. It seemed like just trying again the next day worked for whatever reason, let us know if you can get it to work in the next ~24 hrs.

Link to comment
1 hour ago, Minimushroomman said:

What version of the networking software do you have? I'm currently running on 6.1.71, and was on 6.1.70 when I got it to work. It seemed like just trying again the next day worked for whatever reason, let us know if you can get it to work in the next ~24 hrs.

Upgraded just the Network Controller and now it worked!

Link to comment
On 4/10/2021 at 12:32 AM, numblock699 said:

This has me baffled. Wouldn't enabled DNS rebinding protection on a router prevent you from using Pi-Hole in the first place? I have this issue though, Pi-Hole does not help me.

 

Rebinding and name resolving are two different things. An analogy story.

 

Say your contact to handle your money affairs is John. One day you need a face-to-face meeting to discuss a delicate matter with John.

 

You go to the bank (name resolving) and upon arrival the receptionist says: "Sorry John is unavailable now, I refer you to Jim instead" (rebinding)

 

Now, it is up to you (the router) to allow this referral or not (do you trust Jim enough).

 

Link to comment
