[isf-wifidog] CaptiveDNS question

[Mina Naguib]

On 2-Jun-05, at 3:22 PM, Josh Nerius wrote:


> I recently came across a message on a mailing list regarding the  
> CaptiveDNS application. I am very interested in using this, and  
> have checked it out of cvs as the message had stated. I'm trying to  
> figure out how to compile/use it at this point. Any assistance/ 
> direction as to how to use this would be much appreciated.
>
> Thanks,
>

Hello Josh

The captive DNS works and doesn't at the same time :-)

Here is how it works:

WiFiDog listens on a non-official UDP port, and inserts a rule into  
netfilter upon startup to re-direct DNS traffic to that port.

This is the exact same logic that the captive web uses.  The only  
difference is that the web thread talks web, and the DNS thread talks  
DNS.

The reason it's not yet incorporated into the official WiFiDog distro  
is that I ran into a peculiar behavior under linux.  The netfilter  
framework has a feature called "conntrack" which keeps track of  
active connections for stateful firewalling reasons.

The trouble happens when a client has been re-directed to captive DNS  
but then authenticates, they are moved into a separate chain that  
prevents them from being re-directed to captive DNS anymore (much  
like web logic) - however, the conntrack entry for that client's IP  
and DNS protocol remains.

Until I (we :) ?) can find a way to flush conntrack entries from  
netfilter's cache (there are a couple of libraries out there but I  
haven't played with them too much), that feature is fairly unusable.