I just installed Nextcloud on my Linux machine and forwarded ports 80 and 443. I am happy to be able to connect via the web [nextcloud.mydomain.com] to my Apache server/Nextcloud, BUT whenever I try to connect to it from my home network using the (sub)domain I get an error from my Fritzbox about DNS rebinding.
As far as I understand, that happens when a device inside the network makes a DNS request and that request is resolved to a private IP inside my home network. But I don't understand why that happens.
The subdomain gets resolved fine when looking at it with nslookup. It points to the public IP of my router. I presume my router then forwards the request to my server. Is this where my private IP is pointing to another private IP in my network?
I added an exception in my Fritzbox settings and that works, but I have a feeling that this is a security risk.
How can I resolve this issue without adding this exception? I want to be able to log in to my Nextcloud from the internet and from my home network.
Thank you very much
AFAIK, you can try to customize the DNS rebind protection function within your Fritzbox.
Yes, that's what I have done. I just don't understand why I have to do this. The DNS record I set is an A record pointing to the public IP of my Fritzbox, not the private one (is that even possible?)
A request on port 80 is then forwarded via port forwarding to my server (with a private IP, say 192.168.178.57). This works from everywhere except the network the server is in.
My understanding is that a device in my network makes a DNS request to resolve nextcloud.mydomain.com and gets the public IP of my router/Fritzbox. It then sends its request (over the internet) to my Fritzbox, which then forwards it to the server.
I am guessing that somewhere on the way out the fritzbox knows that nextcloud.mydomain.com will end up on the server in the private network and blocks it because a device from the same network requested this. But I can’t seem to find where this happens.
You're right, the Fritzbox by default acts as a DNS forwarder only, so you will get the IP address on the internet returned, which is unresolvable on your LAN. If you activate the rebind function, the Fritzbox tries to assign the internal IP address to the name so that the server is reachable on your LAN.
I think I understand what you are saying, but could you elaborate on
- “acts as a DNS forwarder only”
- "try to assign the internal IP address to the name"
Which direction are you talking about?
Scenario A: I want to access nextcloud.mydomain.com from the web. I ask global DNS for an IP and get the public IP of my Fritzbox. I send a request on port 80, the Fritzbox forwards that to the server.
Scenario B: I want to access nextcloud.mydomain.com from my home LAN. I send my request to the Fritzbox. It [I don't exactly know what happens here (see ideas)]. I get a rebind error unless I configure nextcloud.mydomain.com to be an exception in my Fritzbox settings.
Idea 1: The Fritzbox has the domain-name = IP-address pair saved and sees that it should forward the request to itself?
Idea 2: The Fritzbox asks global DNS and my request goes from inside the home network to the public IP of my Fritzbox? But why is it not forwarded like any other? Because I have a TCP connection and, metaphorically speaking, PC 1 in my home LAN is connected to PC 2 in my home LAN via internet/Fritzbox and that is prohibited?
Thank you so much for your time!
BTW, all of this is totally off-topic and not related to Nextcloud. You should ask aunt G. for further details to understand how DNS on a Fritzbox works in detail.
All DNS requests coming from the LAN are sent to the Fritzbox, because the DHCP server on the router provides it to all devices on your LAN. The Fritzbox isn't a full-blown DNS server and can only resolve internal names, like fritz.box or the short names of your local resources. Therefore it forwards all requests which cannot be resolved locally to the configured external DNS servers on the Internet. The replies from the DNS servers on the Internet are then returned to the client.
As a result it knows every resource on your LAN which has a local IP assigned, like 192.168.178.x, and additionally the external addresses of servers on the Internet.
If you now send a DNS request for your external DNS name to the Fritzbox, it is forwarded to the Internet and then resolved to the external IP address. If you now try to reach this server, all packets are routed over the Fritzbox to the Internet and cannot be routed back to your LAN. AVM explains all this in detail in their support forum:
I would personally recommend playing with the rebind function, which might solve the problem (I personally never used it), using a different host name or the IP address on your LAN, or installing your own local DNS where you can overwrite DNS requests from your LAN and assign a local IP address.
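As an added illustration, not part of this thread and not a description of how AVM actually implements the Fritzbox, here is a small Python model of the three behaviours discussed above: a LAN DNS forwarder with rebind protection (an upstream answer that points into the LAN is dropped), a per-name exception list like the one the Fritzbox offers, and a local override table of the kind a self-hosted DNS server would provide. All names and addresses are constructed sample data: nextcloud.mydomain.com and 192.168.178.57 are taken from the thread, 203.0.113.10 is an assumed stand-in for the router's public IP, and evil.example is an assumed attacker-controlled name whose A record points at the LAN router.

```python
import ipaddress

# Constructed sample data (not from the thread): what the public DNS servers
# would answer when the forwarder asks them. 203.0.113.10 is an assumed
# stand-in for the router's public IP; evil.example is an assumed
# attacker-controlled name that resolves into the victim's LAN.
UPSTREAM_ANSWERS = {
    "nextcloud.mydomain.com": "203.0.113.10",
    "evil.example": "192.168.178.1",
}

# Assumed local override table (split-horizon view): names a local DNS server
# answers from the LAN side without asking upstream at all.
LAN_OVERRIDES = {
    "nextcloud.mydomain.com": "192.168.178.57",
}

# Address ranges a rebinding attack can abuse. Listed explicitly rather than via
# ipaddress.is_private, which would also flag the 203.0.113.0/24 documentation
# range used here as the "public" address.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "::1/128",                          # loopback
    "169.254.0.0/16", "fe80::/10",                     # link-local
    "0.0.0.0/8", "fc00::/7",                           # "this" network, ULA
)]


class RebindBlocked(Exception):
    """Raised when an upstream answer points into the LAN and is not exempted."""


def is_lan_address(ip: str) -> bool:
    """True if the address lies in one of LAN_NETWORKS (version-mismatched networks never match)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETWORKS)


def forward(name: str, exceptions=frozenset(), overrides=None, upstream=UPSTREAM_ANSWERS):
    """Model of a LAN DNS forwarder with rebind protection.

    Returns (ip, source), where source is "local" (answered from the override
    table) or "upstream" (answered by the public resolvers). Raises
    RebindBlocked when an upstream answer is a LAN address and the name is not
    on the exception list; raises KeyError when nobody knows the name.
    """
    name = name.lower().rstrip(".")
    overrides = overrides or {}
    if name in overrides:
        # Split horizon: the LAN view answers directly. Upstream is never
        # asked, so no private-address answer can ever arrive from outside.
        return overrides[name], "local"
    answer = upstream[name]
    if is_lan_address(answer) and name not in exceptions:
        raise RebindBlocked(f"{name} -> {answer} points into the LAN; answer dropped")
    return answer, "upstream"


def demo():
    """Run the configurations discussed in the thread and return a summary dict."""
    results = {}
    # 1. Plain forwarder: the public IP comes back; the client then sends its
    #    traffic towards the WAN side, where (as the post above says) it is not
    #    routed back into the LAN.
    results["default"] = forward("nextcloud.mydomain.com")
    # 2. Attacker-controlled name resolving into the LAN: dropped by default.
    try:
        forward("evil.example")
        results["attack"] = "allowed"
    except RebindBlocked:
        results["attack"] = "blocked"
    # 3. The same name on the exception list: protection is switched off for it,
    #    which is why a broad exception is a risk.
    results["attack_with_exception"] = forward("evil.example", exceptions={"evil.example"})
    # 4. Local override: LAN address returned, no exception needed, protection
    #    stays on for every other name.
    results["override"] = forward("nextcloud.mydomain.com", overrides=LAN_OVERRIDES)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the model makes is that the override and the exception are different mechanisms: the exception tells the forwarder to accept LAN addresses from the outside world for that name, while the override answers the name locally and never consults the outside world for it, so rebind protection can stay on. In dnsmasq, for instance, the override is `address=/nextcloud.mydomain.com/192.168.178.57`, the protection is `stop-dns-rebind`, and the exception is `rebind-domain-ok=/nextcloud.mydomain.com/`; with the override in place the last line is not needed.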
I don’t know anything about Fritzbox - but this appliance needs a DHCP host override that will resolve nextcloud.mydomain.com — to an internal LAN IP address and not an external WAN address. Perhaps this isn’t possible in a Fritzbox.
As an alternative, I don't know if your client trying to access Nextcloud is a Windows or Linux machine, however if it is Linux you could make an entry in the /etc/hosts file for nextcloud.mydomain.com <xxx.xx.xxx.xxx>. Usually Linux machines look at their /etc/hosts file first before contacting an external DNS server (which is usually your router next, followed by an external DNS such as Google, OpenDNS, Cloudflare, etc.). Windows has something similar, but since I don't have a Windows machine I can't exactly tell you how to do something similar.
Sorry for being a nitpicker, but you most likely wanted to say "... need a DNS host override ..."