{"slug":"dns-problems-with-internal-services-and-dns-rebinding-protection","title":"DNS problems with internal services and DNS rebinding protection","tags":["tailscale","dns"],"agent_summary":"Last validated: Apr 1, 2025","trigger_phrases":[],"runnable":false,"markdown":"\r\n# DNS problems with internal services and DNS rebinding protection\r\n\r\nLast validated: Apr 1, 2025\r\n\r\nSome DNS servers have a feature called DNS rebinding protection. This can prevent a [particular type of security issue](https://en.wikipedia.org/wiki/DNS_rebinding) but can impact the ability to access your internal services, particularly those hosted behind a subnet router using [private IP addresses](https://www.rfc-editor.org/rfc/rfc1918.html). Some DNS servers might also apply this policy to the [Tailscale IP address](https://tailscale.com/docs/concepts/tailscale-ip-addresses) range (addresses defined in [RFC6598](https://www.rfc-editor.org/rfc/rfc6598.html)).\r\n\r\nThis issue can affect home routers (for example, [Google Wi-Fi](https://support.google.com/googlenest/answer/9144137)), corporate DNS servers, and internet service provider (ISP) DNS servers.\r\n\r\n## [How does DNS rebinding protection work?](https://tailscale.com/docs/reference/faq/dns-rebinding\\#how-does-dns-rebinding-protection-work)\r\n\r\nDNS servers that have DNS rebinding protection enabled block DNS responses that include a private IP address. On the public internet, that does not cause any problems because public websites do not use private IP addresses. When accessing devices on your private network, this becomes an issue if the DNS names of those devices are visible to public DNS servers because sometimes those DNS responses will be blocked.\r\n\r\n## [How does DNS rebinding protection affect Tailscale?](https://tailscale.com/docs/reference/faq/dns-rebinding\\#how-does-dns-rebinding-protection-affect-tailscale)\r\n\r\nWhen accessing internal services over Tailscale, it might be convenient to use DNS names. For example, imagine an internal dashboard located at `dashboard.internal.example.com` which uses an address of `10.0.0.1`. `10.0.0.1` is a private IP address and can not be reached over the public internet. If that IP address is shared with your tailnet using a [subnet router](https://tailscale.com/docs/features/subnet-routers), then members of your tailnet can easily access the dashboard using its name.\r\n\r\nUnfortunately, if someone in your tailnet tries to load `dashboard.internal.example.com` from their home, and their home router or ISP has DNS rebinding protection enabled, the internal dashboard will not be accessible.\r\n\r\n[MagicDNS](https://tailscale.com/docs/features/magicdns) is not affected by DNS rebinding protection because it works entirely within the Tailscale client without involving external DNS servers.\r\n\r\n## [Workarounds to consider when using Tailscale](https://tailscale.com/docs/reference/faq/dns-rebinding\\#workarounds-to-consider-when-using-tailscale)\r\n\r\nYou can work around issues with DNS rebinding protection in any of the following ways. However, keep in mind that DNS rebinding protection is a security feature. Consider consulting with a person responsible for network security before completely disabling DNS rebinding protection. Using the Tailscale DNS configuration workaround or adjusting DNS rebinding protection for only specific domains are the safest options.\r\n\r\n1. Use the [Tailscale DNS configuration](https://tailscale.com/docs/reference/dns-in-tailscale#tailscale-dns-settings) to configure a restricted nameserver (also known as split DNS) to send DNS requests for just the domain name of your internal service to a DNS server you control.\r\n\r\nIn the above example, configuring `internal.example.com` to use an internal DNS server (either directly in the tailnet with a `100.x.y.z` address or through a subnet router with a `10.a.b.c` address) could be a reasonable approach. This also makes it harder for someone to discover what names are in use within your network (which does not necessarily improve security, but is also unlikely to hurt security).\r\n\r\nIf you do not want to host this domain on an internal DNS server, then you can configure `internal.example.com` to use a public DNS server, such as Google Public DNS, Cloudflare Public DNS, or Quad9.\r\n\r\n2. Configure the problematic DNS server to not perform DNS rebinding protection on the particular domain name (for example, `internal.example.com`). You will have to consult your router or DNS server instructions to determine if you can exclude domain names from DNS rebinding protection.\r\n\r\n3. Disable DNS rebinding protection entirely. You will have to consult your router or DNS server instructions for the required steps.\r\n\r\n4. Reconfigure your device to use a public DNS service that does not include DNS rebinding protection. For example, Google Public DNS, Cloudflare Public DNS, or Quad9.\r\n\r\n5. Use the [Tailscale DNS configuration](https://tailscale.com/docs/reference/dns-in-tailscale#tailscale-dns-settings) with the **Override DNS servers** option enabled to send all DNS queries (other than [MagicDNS](https://tailscale.com/docs/features/magicdns) or domain names configured to use specific nameservers) to a public DNS service that does not include DNS rebinding protection. This is similar to the previous option but applies to the entire tailnet.\r\n\r\n\r\n![Project Logo](https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed)\r\n\r\nAsk AI\r\n\r\nreCAPTCHA\r\n\r\nRecaptcha requires verification.\r\n\r\nprotected by **reCAPTCHA**\r\n","html":"<h1>DNS problems with internal services and DNS rebinding protection</h1>\n<p>Last validated: Apr 1, 2025</p>\n<p>Some DNS servers have a feature called DNS rebinding protection. This can prevent a <a href=\"https://en.wikipedia.org/wiki/DNS_rebinding\">particular type of security issue</a> but can impact the ability to access your internal services, particularly those hosted behind a subnet router using <a href=\"https://www.rfc-editor.org/rfc/rfc1918.html\">private IP addresses</a>. Some DNS servers might also apply this policy to the <a href=\"https://tailscale.com/docs/concepts/tailscale-ip-addresses\">Tailscale IP address</a> range (addresses defined in <a href=\"https://www.rfc-editor.org/rfc/rfc6598.html\">RFC6598</a>).</p>\n<p>This issue can affect home routers (for example, <a href=\"https://support.google.com/googlenest/answer/9144137\">Google Wi-Fi</a>), corporate DNS servers, and internet service provider (ISP) DNS servers.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/faq/dns-rebinding#how-does-dns-rebinding-protection-work\">How does DNS rebinding protection work?</a></h2>\n<p>DNS servers that have DNS rebinding protection enabled block DNS responses that include a private IP address. On the public internet, that does not cause any problems because public websites do not use private IP addresses. When accessing devices on your private network, this becomes an issue if the DNS names of those devices are visible to public DNS servers because sometimes those DNS responses will be blocked.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/faq/dns-rebinding#how-does-dns-rebinding-protection-affect-tailscale\">How does DNS rebinding protection affect Tailscale?</a></h2>\n<p>When accessing internal services over Tailscale, it might be convenient to use DNS names. For example, imagine an internal dashboard located at <code>dashboard.internal.example.com</code> which uses an address of <code>10.0.0.1</code>. <code>10.0.0.1</code> is a private IP address and can not be reached over the public internet. If that IP address is shared with your tailnet using a <a href=\"https://tailscale.com/docs/features/subnet-routers\">subnet router</a>, then members of your tailnet can easily access the dashboard using its name.</p>\n<p>Unfortunately, if someone in your tailnet tries to load <code>dashboard.internal.example.com</code> from their home, and their home router or ISP has DNS rebinding protection enabled, the internal dashboard will not be accessible.</p>\n<p><a href=\"https://tailscale.com/docs/features/magicdns\">MagicDNS</a> is not affected by DNS rebinding protection because it works entirely within the Tailscale client without involving external DNS servers.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/faq/dns-rebinding#workarounds-to-consider-when-using-tailscale\">Workarounds to consider when using Tailscale</a></h2>\n<p>You can work around issues with DNS rebinding protection in any of the following ways. However, keep in mind that DNS rebinding protection is a security feature. Consider consulting with a person responsible for network security before completely disabling DNS rebinding protection. Using the Tailscale DNS configuration workaround or adjusting DNS rebinding protection for only specific domains are the safest options.</p>\n<ol>\n<li>Use the <a href=\"https://tailscale.com/docs/reference/dns-in-tailscale#tailscale-dns-settings\">Tailscale DNS configuration</a> to configure a restricted nameserver (also known as split DNS) to send DNS requests for just the domain name of your internal service to a DNS server you control.</li>\n</ol>\n<p>In the above example, configuring <code>internal.example.com</code> to use an internal DNS server (either directly in the tailnet with a <code>100.x.y.z</code> address or through a subnet router with a <code>10.a.b.c</code> address) could be a reasonable approach. This also makes it harder for someone to discover what names are in use within your network (which does not necessarily improve security, but is also unlikely to hurt security).</p>\n<p>If you do not want to host this domain on an internal DNS server, then you can configure <code>internal.example.com</code> to use a public DNS server, such as Google Public DNS, Cloudflare Public DNS, or Quad9.</p>\n<ol start=\"2\">\n<li>\n<p>Configure the problematic DNS server to not perform DNS rebinding protection on the particular domain name (for example, <code>internal.example.com</code>). You will have to consult your router or DNS server instructions to determine if you can exclude domain names from DNS rebinding protection.</p>\n</li>\n<li>\n<p>Disable DNS rebinding protection entirely. You will have to consult your router or DNS server instructions for the required steps.</p>\n</li>\n<li>\n<p>Reconfigure your device to use a public DNS service that does not include DNS rebinding protection. For example, Google Public DNS, Cloudflare Public DNS, or Quad9.</p>\n</li>\n<li>\n<p>Use the <a href=\"https://tailscale.com/docs/reference/dns-in-tailscale#tailscale-dns-settings\">Tailscale DNS configuration</a> with the <strong>Override DNS servers</strong> option enabled to send all DNS queries (other than <a href=\"https://tailscale.com/docs/features/magicdns\">MagicDNS</a> or domain names configured to use specific nameservers) to a public DNS service that does not include DNS rebinding protection. This is similar to the previous option but applies to the entire tailnet.</p>\n</li>\n</ol>\n<p><img src=\"https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed\" alt=\"Project Logo\"></p>\n<p>Ask AI</p>\n<p>reCAPTCHA</p>\n<p>Recaptcha requires verification.</p>\n<p>protected by <strong>reCAPTCHA</strong></p>\n"}