[wd-isf] Captive DNS, and auth server bypass

Alexandre Carmel-Veilleux saruman at northernhacking.org
Sun Feb 6 19:25:15 EST 2005


On Sun, Feb 06, 2005 at 01:50:04PM -0500, Mina Naguib wrote:
> 
> I think that alone is worth the extra effort.  It also opens the door
> for many "neato" fake servers built-into wifidog, such as pop3 server
> that delivers a message "Please use a web browser first to log in at
> http://foo.bar", etc...

	Well, the issue with that one is that we'd then have to deal 
with forcing the client to send username and passwords in clear text to
the gateway...

> 1. Attempting to resolve anything will point back to the router until
> the user is authenticated.  This will definitely interfere with
> pass-through services like teliphone.
> 
> Possible solution: "Adaptive" fake DNS where, for certain hostnames, it
> will reply with the real IP instead of the internal IP.  This is already
> done for the auth server hostname, so it's simply a matter of a config
> file section of "hostnames to be truly resolved" by the captive DNS server.

	Some sort of way to integrate that with the firewall would be
desirable.

> 2. Once the user receives the IP of the router as the answer to
> www.homepage.com, they then make an http call http://x.x.y.y:80 - this
> call must then be intercepted by captive HTTP system instead of by any
> web server on the router.  In other words, a web server that runs on
> router (admin/config/etc) needs to run on a port different than port 80

	Clients that run their own DNS servers and connect to the root
server would have caching issues. We need to make sure we use very short
TTLs in those DNS replies. We should also implement DNS over TCP.

> The ideal solution is to, of course, have multiple
> geographically-redundant auth servers so we'd never need this, but
> reality (as we've seen this morning) is not the case. And even if it is
> the case for ISF, it may not be the case for all wifidog adopters.

	Heh. There ain't no such thing as a 100% geographically-redundant,
always-up system, I know that for a fact *EG*. I prefer fail-open
systems for most things. We're not guarding a bank vault here.

Alex
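The "adaptive" captive DNS discussed in this thread, as an added example that is not wifidog's own code: every A query is answered with the gateway address and a very short TTL, except names in a pass-through list, which get their real address. The gateway IP, the pass-through table and the TTL values are assumed, constructed for the example.

```python
import socket
import struct

GATEWAY_IP = "10.0.0.1"            # assumed address of the captive gateway
PASSTHROUGH = {                     # constructed "hostnames to be truly resolved"
    "auth.example.org": "192.0.2.10",
}
CAPTIVE_TTL = 5                     # seconds: clients must re-ask soon after login
REAL_TTL = 60                       # TTL handed out for pass-through names

def build_query(qname: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Encode a minimal DNS query (used here only as constructed test input)."""
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_query(pkt: bytes):
    """Return (txid, qname, qtype, raw question section) from a DNS query."""
    txid = struct.unpack("!H", pkt[:2])[0]
    off, labels = 12, []
    while pkt[off] != 0:                        # walk the length-prefixed labels
        n = pkt[off]
        labels.append(pkt[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    off += 1                                    # skip the terminating root label
    qtype = struct.unpack("!H", pkt[off:off + 2])[0]
    return txid, ".".join(labels).lower(), qtype, pkt[12:off + 4]

def captive_answer(qname: str):
    """Pass-through names resolve truly; everything else points at the gateway."""
    if qname in PASSTHROUGH:
        return PASSTHROUGH[qname], REAL_TTL
    return GATEWAY_IP, CAPTIVE_TTL

def build_response(query: bytes) -> bytes:
    """Answer A queries per the captive policy; other types get an empty reply."""
    txid, qname, qtype, question = parse_query(query)
    if qtype != 1:                              # e.g. AAAA: no answer, not an error
        return struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + question
    ip, ttl = captive_answer(qname)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1
    # 0xC00C is a compression pointer to the name at offset 12 (the question name)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + rr

def answer_of(resp: bytes):
    """Decode (ip, ttl) from a single-answer response, or None if it has no answer."""
    if struct.unpack("!H", resp[6:8])[0] == 0:
        return None
    ttl, _rdlen = struct.unpack("!IH", resp[-10:-4])
    return socket.inet_ntoa(resp[-4:]), ttl
```

Serving this over UDP on port 53 is a matter of looping over `recvfrom` and replying with `build_response`; for the DNS-over-TCP case mentioned above, each message is additionally framed with a two-byte length prefix.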