Why I Poisoned My Own DNS

Like many home network tinkerers, my UniFi setup has grown with me over the last decade. A cluster of UniFi access points controlled by a self-hosted UniFi Controller has quietly kept my Wi-Fi humming along for years. I hadn’t touched the controller in a long time — because I hadn’t needed to. Until recently.

As part of a new home lab project, I decided to start shipping logs from UniFi into my monitoring stack. Think dashboards, alerts, automations — the kind of thing any good IT hobbyist tells themselves is essential. But when I went to log in to my UniFi Controller, I hit a roadblock.

Turns out the controller had been living on a machine I decommissioned years ago. Luckily, I had a backup — the silver lining of being just paranoid enough to prepare for your own forgetfulness. I spun up a fresh UniFi Controller on one of my home lab servers and restored the backup.

Everything looked good — until the login screen appeared.

No worries, I thought, I’ll just reset the password. But none of my usual email addresses received the password reset link. Then it hit me: I’d used an old Hotmail address — one I haven’t had access to in over a decade. Classic move from a time when I assumed I’d never need an email from UniFi.

Now, a reasonable person might say: “Just set it up from scratch.” But I’ve never been accused of being reasonable. I’d rather spend hours crafting a workaround than take the straightforward route.

Turning DNS Against Myself

I knew that when the UniFi Controller sends a password reset email, it first resolves the mail server domain via DNS. If I could trick the controller into resolving hotmail.com to an IP I controlled, I could impersonate Hotmail’s mail server and intercept the email.

So I did exactly that.

The Plan:

  1. PiHole DNS Spoofing: I used PiHole to create a fake DNS entry for hotmail.com, pointing it to a local VM.
  2. Exim Mail Server: On that VM, I installed and configured Exim to accept mail for the domain hotmail.com.
  3. Forced DNS Redirection: I configured my router to redirect all DNS traffic (port 53) from the UniFi Controller to my PiHole.

With everything in place, I returned to the UniFi Controller and clicked “Forgot Password.” A few seconds later, an email appeared — delivered straight to my fake Hotmail inbox. Mission accomplished. I reset the password and was back in business.

Why This Worked — And Why It Wouldn’t Today

This workaround was a fun exercise in local DNS spoofing, SMTP manipulation, and a little bit of creative problem-solving. But let’s be honest — it worked because of an outdated, insecure setup:

  • Local Controller: Modern UniFi setups push users toward cloud-based controllers. If mine had been cloud-hosted, intercepting DNS traffic would have been impossible.
  • Lack of SSL Enforcement: Older UniFi Controllers didn’t enforce SSL/TLS on outbound SMTP. Newer versions default to enabling SSL, which would require a valid certificate on the receiving mail server. My fake Hotmail server would’ve been rejected outright.

Lessons Learned

  • Always use a valid, accessible email address for admin accounts — no matter how “throwaway” the device seems at the time.
  • Keep your backup game strong. If I hadn’t had that UniFi backup, I’d be reconfiguring Wi-Fi from scratch.
  • Home labs are the perfect place to safely test exploits and techniques like this; in an enterprise environment, it is unlikely this would have worked.

This wasn’t just a fun weekend project — it was a great reminder of how easily legacy systems can become security liabilities.


Closing Thought:
We often think of cyber threats as external. But sometimes, the biggest vulnerabilities come from our past selves — armed with a decade-old email and just enough knowledge to be dangerous.
