DNS Binding exceptions

Jouster
DD-WRT Novice


Joined: 28 Jun 2017
Posts: 12

Posted: Thu Nov 28, 2019 9:35    Post subject: DNS Binding exceptions
I am aware that DNS rebinding can be blocked or enabled system-wide, but I am wondering if it is possible to put in an exception per device/MAC address.

I have recently set up some Echo devices on my network to view my home IP cameras and, due to some new security protocols installed by Amazon, we've been forced into using a new gateway that the skill team have created. (https://monoclecam.com)

Through a bit of trial and error I discovered that the "No DNS Rebind" option was enabled and this was stopping me seeing the camera feeds on these specific devices. Disabling this enabled the camera feeds, but I appreciate that this could open the system and my network up to some potential security issues... (or am I worrying about nothing?)

The website explains that it should be possible to place an exception into my router, but I am a little lost as to how that might be possible. Here is the section of the write-up that explains the fix... if anyone is able to let me know where I can place this exception... and in truth... how I would do so, I would be grateful.

Thanks in advance



Overview
The Monocle Gateway dynamically assigns a DNS record to the private/internal IP address of the computer running the Monocle Gateway service. This DNS is used by Alexa to direct the cameras to a resolvable endpoint that is the Monocle Gateway service.

Some network routers/gateways may block resolving this DNS record because it points to a private IP address. This is called "DNS Rebinding" and it could be used in a malicious attack to fool users when they are attempting to access a legitimate service but are instead hijacked to a nefarious attacker.

If your router does block or prevent DNS rebinding, then you will need to create an exception to permit the DNS hostname [ *.mproxy.io ] through so that it may resolve to your computer's private IP address internally on your network. This is safe because the domain [ *.mproxy.io ] is dedicated for the Monocle Gateway service only used for private IP address resolution.

You can see the assigned DNS record in the Monocle Gateway output after it starts up. (See the last 6 lines and look for the FQDN field.)

******************************************************************
* __ __ ___ _ _ ___ ___ _ ___ *
* | \/ |/ _ \| \| |/ _ \ / __| | | __| *
* | |\/| | (_) | .` | (_) | (__| |__| _| *
* |_| |_|\___/|_|\_|\___/ \___|____|___| *
* *
******************************************************************

-------------------------------------------------
MONOCLE RUNTIME ENVIRONMENT
-------------------------------------------------
VERSION = 0.0.1
OS/ARCH = win32\x64
PROCESS = monocle-gateway (PID=4952)
TIMESTAMP = 2018-06-08T03:57:47.003Z

-------------------------------------------------
MONOCLE GATEWAY SERVICE (Version: 0.0.1)
-------------------------------------------------
[Monocle Starting]
[Monocle Connecting]
[Monocle Started]
[RTSP Server Starting]
[RTSP Server Listening] 0.0.0.0:8555 (RTSP)
[RTSP Server Listening] 0.0.0.0:443 (RTSP-TLS)
[RTSP Proxy Started] (PID=3128)
[RTSP Server Listening] 0.0.0.0:8554 (PROXY)
[RTSP Server Started]
[Monocle Connected]
[RTSP Server Registered]

-------------------------------------------------
MONOCLE RTSP SERVICE - INITIALIZED
-------------------------------------------------
FQDN = c5b4w3q2-bv4f-4sdf9-dsf-28a852ecae54.mproxy.io
HOST = 192.168.1.22
PORT = 443
-------------------------------------------------
Testing the DNS Record
You can test on your local network by using the ping utility to ping the DNS name and it should resolve to the IP address of your computer running the Monocle Gateway service.

C:\> ping c5b4w3q2-bv4f-4sdf9-dsf-28a852ecae54.mproxy.io

Pinging a35e3469-f52f-4989-8766-28a852ecae54.mproxy.io [10.1.2.42] with 32 bytes of data:
Reply from 192.168.1.22: bytes=32 time<1ms TTL=128
Reply from 192.168.1.22: bytes=32 time<1ms TTL=128
Reply from 192.168.1.22: bytes=32 time<1ms TTL=128
Reply from 192.168.1.22: bytes=32 time<1ms TTL=128
If you are not able to resolve the address using the DNS name, then you may need to consult your network router/firewall/gateway for restrictions on DNS rebinding and add an exception for *.mproxy.io.
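The write-up quoted above describes the mechanism only in words: a rebind filter drops DNS answers that point at private addresses, and an exception lets a named domain through. The following is an added example, not code from the forum post, from DD-WRT or from the Monocle project; it models that policy in Python so you can see exactly why the camera FQDN was refused with "No DNS Rebind" enabled and what a domain exception changes. The allowlist entries, the `filter_answer` helper and the sample answers other than the page's own FQDN/host pair are constructed for illustration. The matching rule (a name equals, or is a subdomain of, an allowlisted domain) generalizes beyond the single `*.mproxy.io` case in the text.

```python
import ipaddress

# Constructed model of a "stop DNS rebind" filter such as the one behind
# DD-WRT's "No DNS Rebind" checkbox. Not DD-WRT's or dnsmasq's own code.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",       # loopback, link-local, "this" net
    "::1/128", "fc00::/7", "fe80::/10",                 # IPv6 loopback, ULA, link-local
)]


def is_private(addr: str) -> bool:
    """True if addr falls in a range a rebind filter would refuse to hand out."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def domain_allowed(name: str, allowlist) -> bool:
    """True if name equals, or is a subdomain of, any allowlisted domain.

    Entries may be written dnsmasq-style ("/mproxy.io/") or bare ("mproxy.io").
    The match is label-based: "mproxy.io.evil.example" and "notmproxy.io"
    do NOT match "mproxy.io", only "mproxy.io" and "x.mproxy.io" do.
    """
    name = name.rstrip(".").lower()
    for dom in allowlist:
        dom = dom.strip("/").rstrip(".").lower()
        if name == dom or name.endswith("." + dom):
            return True
    return False


def filter_answer(name: str, addresses, allowlist=()):
    """Apply rebind protection to one DNS answer.

    Returns (kept, dropped). Private addresses are dropped unless the queried
    name is covered by the allowlist, in which case the answer passes untouched.
    """
    if domain_allowed(name, allowlist):
        return list(addresses), []
    kept, dropped = [], []
    for addr in addresses:
        (dropped if is_private(addr) else kept).append(addr)
    return kept, dropped


if __name__ == "__main__":
    # FQDN and host taken from the page's Monocle Gateway output.
    camera_fqdn = "c5b4w3q2-bv4f-4sdf9-dsf-28a852ecae54.mproxy.io"
    camera_host = "192.168.1.22"

    # 1. Filter on, no exception: the camera answer is dropped -> feeds fail.
    print("no exception:", filter_answer(camera_fqdn, [camera_host]))
    # 2. Filter on, exception for mproxy.io: the private answer is kept.
    print("with exception:", filter_answer(camera_fqdn, [camera_host], ["/mproxy.io/"]))
    # 3. Constructed answer for an unrelated name: only the private address is dropped,
    #    so the exception does not weaken protection for every other domain.
    print("other domain:", filter_answer("untrusted.example",
                                         ["198.51.100.7", "10.0.0.5"], ["/mproxy.io/"]))
```

In dnsmasq, which DD-WRT uses as its resolver, the global switch is `stop-dns-rebind` and the per-domain exception is `rebind-domain-ok=/mproxy.io/`; the model above mirrors that pairing, and the third case shows why a domain-scoped exception is preferable to turning the filter off entirely. Note that the exception is keyed on the queried domain, not on the client device, which is why a per-MAC exception of the kind asked about is not what this mechanism offers.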