[isf-wifidog] CaptiveDNS question
webmaster at topfx.com
Sam 4 Juin 09:59:37 EDT 2005
On 2-Jun-05, at 3:22 PM, Josh Nerius wrote:
> I recently came across a message on a mailing list regarding the
> CaptiveDNS application. I am very interested in using this, and
> have checked it out of cvs as the message had stated. I'm trying to
> figure out how to compile/use it at this point. Any assistance/
> direction as to how to use this would be much appreciated.
The captive DNS works and doesn't at the same time :-)
Here is how it works:
WiFiDog listens on a non-official UDP port, and inserts a rule into
netfilter upon startup to re-direct DNS traffic to that port.
This is the exact same logic that the captive web uses. The only
difference is that the web thread talks web, and the DNS thread talks
The reason it's not yet incorporated into the official WiFiDog distro
is that I ran into a peculiar behavior under linux. The netfilter
framework has a feature called "conntrack" which keeps track of
active connections for stateful firewalling reasons.
The trouble happens when a client has been re-directed to captive DNS
but then authenticates, they are moved into a separate chain that
prevents them from being re-directed to captive DNS anymore (much
like web logic) - however, the conntrack entry for that client's IP
and DNS protocol remains.
Until I (we :) ?) can find a way to flush conntrack entries from
netfilter's cache (there are a couple of libraries out there but I
haven't played with them too much), that feature is fairly unusable.
More information about the WiFiDog