I have an IoT device that connects to a.iot.x.amazonaws.com at port 8883 (secure MQTT). I would instead like it to connect to my own site at b.iot.x.amazonaws.com (same port and protocol). I would like to use network tools to redirect the traffic. I do not wish to replace the firmware on the IoT device. I am using a site on the same subdomain (iot.x) to avoid TLS issues, since the certificate AWS provides covers the whole iot.x subdomain.

My trouble is, I think both domains resolve to the same IP addresses, so I can't simply use the hosts file in my OpenWRT router to redirect traffic. Shared hosting would mean that the site it connects to is determined by the domain name, not the IP address alone.

Is modifying the domain name during the connection request enough to accomplish this? Is there a tool available to do this?


Solution 1:

Distinguishing between different domains on the same IP address is done using the server_name extension (SNI) in the TLS handshake. Changing this information by some man-in-the-middle would lead to a failing integrity check over the TLS handshake, causing the handshake to fail. This means that this kind of approach is not possible.
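To illustrate why the answer holds, here is an added example (not code from the question or the answer): it builds a minimal TLS 1.3 ClientHello carrying only an SNI extension, parses the SNI back out, and models the Finished check over the handshake transcript. The host names are the question's; the client random and the `finished_key` are constructed constants, and taking `finished_key` as shared is a simplification (in real TLS 1.3 it is itself derived from the transcript, so the two sides diverge even earlier).

```python
import hashlib
import hmac
import struct

ORIGINAL_HOST = b"a.iot.x.amazonaws.com"   # what the device asks for
REWRITTEN_HOST = b"b.iot.x.amazonaws.com"  # what a rewriting middlebox would substitute

def build_client_hello(host: bytes) -> bytes:
    """Minimal TLS 1.3 ClientHello handshake message with a single server_name
    extension (RFC 8446 / RFC 6066). Other fields are fixed constructed values."""
    body = b"\x03\x03"                     # legacy_version (TLS 1.2 on the wire)
    body += b"\x11" * 32                   # constructed, fixed client random
    body += b"\x00"                        # empty legacy_session_id
    body += b"\x00\x02\x13\x01"            # cipher_suites: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                    # legacy_compression_methods: null only
    entry = b"\x00" + struct.pack("!H", len(host)) + host        # name_type=host_name
    ext_data = struct.pack("!H", len(entry)) + entry             # ServerNameList
    ext = struct.pack("!HH", 0x0000, len(ext_data)) + ext_data   # type 0 = server_name
    body += struct.pack("!H", len(ext)) + ext                    # extensions block
    return b"\x01" + len(body).to_bytes(3, "big") + body         # type 1 = client_hello

def extract_sni(client_hello: bytes) -> bytes:
    """Walk the ClientHello fields and return the host_name from the SNI extension."""
    p = 4 + 2 + 32                                   # handshake header, version, random
    p += 1 + client_hello[p]                         # legacy_session_id
    p += 2 + struct.unpack("!H", client_hello[p:p + 2])[0]   # cipher_suites
    p += 1 + client_hello[p]                         # compression methods
    end = p + 2 + struct.unpack("!H", client_hello[p:p + 2])[0]
    p += 2
    while p < end:
        ext_type, ext_len = struct.unpack("!HH", client_hello[p:p + 4])
        p += 4
        if ext_type == 0:                            # skip 2-byte list length, 1-byte name_type
            name_len = struct.unpack("!H", client_hello[p + 3:p + 5])[0]
            return client_hello[p + 5:p + 5 + name_len]
        p += ext_len
    raise ValueError("no server_name extension present")

def finished_verify_data(finished_key: bytes, transcript: bytes) -> bytes:
    """TLS 1.3 Finished: HMAC over Transcript-Hash of the handshake messages (RFC 8446 s4.4.4)."""
    return hmac.new(finished_key, hashlib.sha256(transcript).digest(), hashlib.sha256).digest()

def handshake_survives_rewrite(finished_key: bytes) -> bool:
    """Model the answer's scenario: the client computes Finished over the ClientHello
    it sent; the server verifies over the bytes it received after an in-flight SNI
    rewrite. Returns True only if the integrity check would pass."""
    sent = build_client_hello(ORIGINAL_HOST)
    seen = sent.replace(ORIGINAL_HOST, REWRITTEN_HOST)   # same-length swap keeps framing valid
    client_side = finished_verify_data(finished_key, sent)
    server_side = finished_verify_data(finished_key, seen)
    return hmac.compare_digest(client_side, server_side)
```

Because the SNI bytes are part of the hashed transcript, the server's computed verify_data never matches the client's, and the handshake aborts with a decrypt_error rather than completing against the other host.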