A stick figure TP-Link Wi-Fi access point eating DNS requests.

TP-Link network equipment hijacks some DNS requests

TP-Link network products — including Wi-Fi routers, repeaters, and access points (AP) — use deep packet inspection (DPI) to intercept specific Domain Name System (DNS) requests. Each product looks for one or two domain names and will hijack the request to issue a local response containing its own internet protocol (IP) address.

TP-Link wants to make it easier for its customers to get into the web administration interfaces of its products. No one wants to remember the IP address needed to access it, right? The IP address can also change over time, depending on your network configuration.

To address the need for easier-to-remember and persistent addresses, TP-Link has added DNS hijacking capabilities to its network products! What could possibly go wrong⸮

TP-Link network products will intercept all DNS requests as they pass through it. It will hijack any IPv4 lookup requests for a product-specific domain name and respond with its own current IP address.

Below is a list of the TP-Link web configuration domains I’ve identified. Some of them have a public-facing website when accessed over the internet instead of through a TP-Link product.

  • tplinkap.net
  • tplinkeap.net
  • tplinkwifi.net
  • tplinkrepeater.net
  • tplinkmodem.net
  • tplinkplclogin.net

Other actors have, of course, bought variations of these domains and linked them to various scams. Make sure you type in the correct domain name, and be wary of imitators.

TP-Link isn’t doing anything malicious with this capability. As the above list of domains suggests, it’s a convenience feature for its customers. It lets people discover the IP address needed to access their TP-Link product via the company’s apps or web administration interfaces.

However, the capability can make it easier for attackers to exploit the device. Attackers doesn’t need to bring their own DNS interception software when they can exploit what’s already available on the device. This is known as a “Living off the Land (LotL) attack, where an intruder abuse existing legitimate software and functions to achieve malicious ends.

TP-Link has “helpfully” made its domain name hijacker configurable. The tp_domain.ko kernel extension accepts a parameter to set an IPv4 address and whatever domain name you want to hijack. That’s all an attacker would need to redirect your bank’s website to a server the attacker controls.

This feature from TP-Link demonstrates the importance of using encrypted DNS — such as DNS over TLS or HTTPS — even within a private network. Attackers would have a much harder time hijacking an adequately encrypted DNS request.