[Technical] The pros and cons of DNS Rebinding protection

Using Proxyman on my iPhone/iPad I discovered that the Homey App was indeed trying HTTPS to access 192.168.1.x.homey.homeylocal.com first, but all requests failed and it then tried HTTP instead (which succeeds).

Since this is only related to local traffic, I tried to solve it via my router, instead of NextDNS. I have an ASUS router which runs the excellent AsusWrt-Merlin third-party firmware. I added this line to the dnsmasq configuration file /jffs/configs/dnsmasq.conf.add (to bypass NextDNS - and thus its DNS Rebinding Protection?):

address=/192-168-1-x.homey.homeylocal.com/192.168.1.x

After restarting both the dnsmasq service on the router and the Homey App on my iOS devices the requests now succeed using HTTPS and there is no fallback to HTTP!

Thank you for bringing this to our attention @Dijker!

1 Like

Oh, it’s even nicer to learn about this in my case!

In the past I changed the "Homey p1 smartmeter DSMR reader for com.p1.smartmeter" script to use the (local) IP address 192.168.1.x (I have assigned a fixed IP to Homey in my router) instead of the (external) hostname <homeyId>.connect.athom.com, but as a side effect I had to use HTTP because the Homey did not have an SSL certificate for that IP address.

With this new knowledge and the dnsmasq workaround I can now use the hostname 192-168-1-x.homey.homeylocal.com instead of the IP address 192.168.1.x with HTTPS.

1 Like

I already verified that on 3 Local Homey Pro’s here. Therefore it is a Wildcard :wink:

I also run dnsmasq locally, with DNS rebinding protection enabled except for the homeylocal.com domain:

stop-dns-rebind
rebind-domain-ok=homeylocal.com

2 Likes
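To make the two workarounds in this thread (the address= override from the first post and the rebind-domain-ok exception from the post above) easier to compare, here is a small Python model of the relevant dnsmasq behaviour. It is an added example and not code from the thread, from dnsmasq, NextDNS or Athom: address= answers a name locally so no upstream lookup happens, stop-dns-rebind drops upstream answers that point into private ranges, and rebind-domain-ok exempts names under a domain from that check. The list of private ranges is my assumption modelled on what dnsmasq rejects, the upstream answers are constructed, and the assumption that homeylocal.com maps a dashed label like 192-168-1-10 to 192.168.1.10 is inferred from the examples in the thread.

```python
"""Model of dnsmasq's address=, stop-dns-rebind and rebind-domain-ok options.

Added example, not code from the thread, dnsmasq, NextDNS or Athom.
"""
import ipaddress

# Assumption: the ranges a public resolver should never hand back for a
# public name (modelled on the ranges dnsmasq's stop-dns-rebind rejects).
REBIND_RANGES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def is_rebind_answer(address):
    """True when an upstream answer points into a private/local range."""
    ip = ipaddress.ip_address(address)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # ::ffff:192.168.1.10 counts as 192.168.1.10
    return any(ip in net for net in REBIND_RANGES)


def under_domain(name, domain):
    name, domain = name.rstrip(".").lower(), domain.rstrip(".").lower()
    return name == domain or name.endswith("." + domain)


class Resolver:
    """Tiny stand-in for one dnsmasq instance configured with the options above."""

    def __init__(self, stop_dns_rebind=True, rebind_domain_ok=(), addresses=None):
        self.stop_dns_rebind = stop_dns_rebind
        self.rebind_domain_ok = tuple(rebind_domain_ok)
        self.addresses = dict(addresses or {})   # address=/NAME/IP entries

    def resolve(self, name, upstream):
        """Answers a client receives; `upstream` is what the forwarder would
        return (a constructed dict here, no real query is made)."""
        key = name.rstrip(".").lower()
        if key in self.addresses:
            return [self.addresses[key]]        # local answer: no rebind check
        answers = upstream.get(key, [])
        exempt = any(under_domain(key, d) for d in self.rebind_domain_ok)
        if not self.stop_dns_rebind or exempt:
            return list(answers)
        return [a for a in answers if not is_rebind_answer(a)]


# Constructed upstream answers as a plain (unfiltering) resolver would give them.
UPSTREAM = {
    "192-168-1-10.homey.homeylocal.com": ["192.168.1.10"],   # inferred wildcard behaviour
    "rebinding-host.example": ["192.168.1.10"],              # the case the protection targets
    "www.example": ["203.0.113.5"],                          # ordinary public answer (TEST-NET-3)
}

# What a rebind-protecting upstream such as NextDNS passes on (no exceptions).
NEXTDNS_VIEW = {name: Resolver(stop_dns_rebind=True).resolve(name, UPSTREAM)
                for name in UPSTREAM}

# First post's approach: protection left to NextDNS, one name answered locally.
override_resolver = Resolver(
    stop_dns_rebind=False,
    addresses={"192-168-1-10.homey.homeylocal.com": "192.168.1.10"},
)

# Approach from the post above: keep the protection, exempt the domain.
allowlist_resolver = Resolver(stop_dns_rebind=True, rebind_domain_ok=("homeylocal.com",))

if __name__ == "__main__":
    for name in UPSTREAM:
        print(name, "| override:", override_resolver.resolve(name, NEXTDNS_VIEW),
              "| allowlist:", allowlist_resolver.resolve(name, UPSTREAM))
```

Running it shows the difference in scope: with the allowlist the router still drops the private answer for rebinding-host.example while every name under homeylocal.com gets through, whereas the address= override only helps the one name it lists (any other *.homey.homeylocal.com name stays empty, because NextDNS has already removed the private answer before it reaches the router).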

That’s indeed what the certificate shows:

$ echo | \
    openssl s_client -servername 192-168-1-10.homey.homeylocal.com -connect 192.168.1.10:443 2>/dev/null | \
    openssl x509 -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:c9:46:27:6a:63:fc:a6:fd:f4:c6:e4:90:f5:4a:00:4c:2d
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=R3
        Validity
            Not Before: Dec  6 03:01:23 2021 GMT
            Not After : Mar  6 03:01:22 2022 GMT
        Subject: CN=*.homey.homeylocal.com
…
1 Like

Nice! Unfortunately, I can’t use that, as the NextDNS install script removes the stop-dns-rebind line from the router’s configuration (NextDNS takes care of DNS Rebinding Protection in my setup).

Indeed; I can use

address=/my.homey.homeylocal.com/192.168.1.x

instead of

address=/192-168-1-x.homey.homeylocal.com/192.168.1.x

for (and in) the P1 script and that still works with HTTPS, it seems.
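The reason my.homey.homeylocal.com works just as well as 192-168-1-x.homey.homeylocal.com is the wildcard subject CN=*.homey.homeylocal.com in the certificate shown earlier: a TLS client lets the * stand for exactly one DNS label. The following Python is an added example (not code from the thread, Athom or any TLS library) that implements that matching rule the way RFC 6125 describes it; the certificate name and hostnames are taken from the thread with x filled in as 10.

```python
"""Wildcard certificate name matching as a TLS client applies it (RFC 6125 style).

Added example, not code from the thread or from any TLS library.
"""


def wildcard_matches(pattern, hostname):
    """True if a certificate name (possibly starting with '*') covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    # Only the whole leftmost label may be a wildcard, and a wildcard
    # directly under a public suffix such as "*.com" is not accepted.
    if plabels[0] != "*" or any("*" in l for l in plabels[1:]) or len(plabels) < 3:
        return False
    # '*' never spans a dot, so the label counts must be identical and the
    # wildcard must match a non-empty label.
    if len(hlabels) != len(plabels) or hlabels[0] == "":
        return False
    return hlabels[1:] == plabels[1:]


def covered_by(cert_names, hostname):
    """True if any subject/SAN name in cert_names covers hostname."""
    return any(wildcard_matches(n, hostname) for n in cert_names)


HOMEY_CERT_NAMES = ["*.homey.homeylocal.com"]   # subject CN from the openssl output

if __name__ == "__main__":
    for host in ("192-168-1-10.homey.homeylocal.com", "my.homey.homeylocal.com",
                 "homey.homeylocal.com", "a.b.homey.homeylocal.com"):
        print(host, "->", covered_by(HOMEY_CERT_NAMES, host))
```

So any single label in front of .homey.homeylocal.com is accepted, while the bare homey.homeylocal.com and a two-label name such as a.b.homey.homeylocal.com are not; whichever name you pick, the dnsmasq entry has to answer that exact name with the Homey's address.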

So change the script :stuck_out_tongue: According to NextDNS, the allow list “takes precedence over everything else, including security features”, so perhaps it’s possible to add an exception for homeylocal.com?