DNS Rebinding



  • DNS Rebinding


    The Monocle Gateway dynamically assigns a DNS record to the private/internal IP address of the computer running the Monocle Gateway service. This DNS is used by Alexa to direct the cameras to a resolvable endpoint that is the Monocle Gateway service.

    Some network routers/gateways may block resolving this DNS record because it points to a private IP address. This is called “DNS Rebinding” and it could be used in a malicious attack to fool users when they are attempting to access a legitimate service but are instead hijacked to a nefarious attacker.

    If you router does block or prevent DNS rebinding, then you will need to create an exception to permit the DNS hostname [ *.mproxy.io ] though so that it may resolve to your computer’s private IP address internally on your network. This is safe because the domain [ *.mproxy.io ] is dedicated for the Monocle Gateway service only used for private IP address resolution.

    You can see the assigned DNS record in the Monocle Gateway output after it starts up. (See the last 6 lines and look for the FQDN field.)

     ******************************************************************
     *             __  __  ___  _  _  ___   ___ _    ___              *
     *            |  \/  |/ _ \| \| |/ _ \ / __| |  | __|             *
     *            | |\/| | (_) | .` | (_) | (__| |__| _|              *
     *            |_|  |_|\___/|_|\_|\___/ \___|____|___|             *
     *                                                                *
     ******************************************************************
    
    -------------------------------------------------
    MONOCLE RUNTIME ENVIRONMENT
    -------------------------------------------------
    VERSION   = 0.0.1
    OS/ARCH   = win32\x64
    PROCESS   = monocle-gateway (PID=4952)
    TIMESTAMP = 2018-06-08T03:57:47.003Z
    
    -------------------------------------------------
    MONOCLE GATEWAY SERVICE         (Version: 0.0.1)
    -------------------------------------------------
    [Monocle Starting]
    [Monocle Connecting]
    [Monocle Started]
    [RTSP Server Starting]
    [RTSP Server Listening] 0.0.0.0:8555 (RTSP)
    [RTSP Server Listening] 0.0.0.0:443 (RTSP-TLS)
    [RTSP Proxy Started] (PID=3128)
    [RTSP Server Listening] 0.0.0.0:8554 (PROXY)
    [RTSP Server Started]
    [Monocle Connected]
    [RTSP Server Registered]
    
    -------------------------------------------------
    MONOCLE RTSP SERVICE - INITIALIZED
    -------------------------------------------------
    FQDN = c5b4w3q2-bv4f-4sdf9-dsf-28a852ecae54.mproxy.io
    HOST = 192.168.1.22
    PORT = 443
    -------------------------------------------------
    

    Testing the DNS Record

    You can test on your local network by using the ping utility to ping the DNS name and it should resolve to the IP address of your computer running the Monocle Gateway service.

    C:\> ping c5b4w3q2-bv4f-4sdf9-dsf-28a852ecae54.mproxy.io
    
    Pinging a35e3469-f52f-4989-8766-28a852ecae54.mproxy.io [10.1.2.42] with 32 bytes of data:
    Reply from 192.168.1.22: bytes=32 time<1ms TTL=128
    Reply from 192.168.1.22: bytes=32 time<1ms TTL=128
    Reply from 192.168.1.22: bytes=32 time<1ms TTL=128
    Reply from 192.168.1.22: bytes=32 time<1ms TTL=128
    

    If you are not able to resolve the address using the DNS name, then you may need to consult your network router/firewall/gateway for restrictions on DNS rebinding and add an exception for *.mproxy.io.


    Additional Resources

    More Information about DNS Rebinding:
    https://en.wikipedia.org/wiki/DNS_rebinding

    PFSense - DNS Rebinding Protections:
    https://www.netgate.com/docs/pfsense/dns/dns-rebinding-protections.html