[isf-wifidog] CaptiveDNS branch

Michael Dyrna michael.dyrna at triagnosys.com
Mon 28 Jan 10:35:02 EST 2008

Hi Mina,

My post relates to your CaptiveDNS branch where you implemented a fake 
DNS server in order to prevent browsers from showing DNS error messages 
before being redirected to the Wifidog Portal if no Internet connection 
is available.

> The trouble happens when a client has been re-directed to captive DNS  
> but then authenticates, they are moved into a separate chain that  
> prevents them from being re-directed to captive DNS anymore (much  
> like web logic) - however, the conntrack entry for that client's IP  
> and DNS protocol remains.
I have not experienced that problem. But have you ever had a look at 
iptables' NOTRACK target? From the man page:

>        This target disables connection tracking for all packets
>        matching that rule. It can only be used in the raw table.

However, I came across some other problems:

1. In the latest version of the CaptiveDNS branch you append the 
redirection rule to the WiFiDog_Unknown chain which is only evaluated if 
the destination IP address is not the router. However, in my 
installation the (real) DNS server runs on the same node as wifidog so I 
had to move the rule (together with the two rules that evaluate the 
marks 0x2 and 0x1) to the WiFiDog_Outgoing chain. This captures all DNS 
queries now.

2. Returning the gateway's IP address in the fake DNS server resulted in 
a recursive HTTP redirection and in Apache 404 error messages for any 
HTTP request performed by the client's PC (e.g. software update 
requests) prior to authentication. I changed the dnsserver.c sources to 
return the address instead of the gateway's IP address. 
This address belongs to an IP range reserved by IANA, so clients' HTTP 
requests will never end up in an existing system.

I don't have write access to the repository so I didn't contribute my 
changes. If this is desired, please let me know.

Anyway, with these small fixes it seems to work as expected. :-)


More information about the WiFiDog mailing list
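The fake DNS server discussed in the post, as an added example that is not code from the WiFiDog project or its CaptiveDNS branch (the branch's dnsserver.c is not on this page): a minimal responder routine in C that parses a stub-resolver query and answers every A/IN question with one fixed address, while answering other query types with an empty NOERROR reply so resolvers do not keep retrying. The answer address and TTL are parameters. The reserved address the post actually switched to is not given above, so the example assumes 192.0.2.1 from the RFC 5737 TEST-NET-1 range as a stand-in, and uses a TTL of 0 so the client does not keep the fake answer cached once it has authenticated. `make_query`, `build_fake_dns_reply`, `demo_build`, `FAKE_ANSWER_IP` and the global buffers are names chosen for this example, not WiFiDog identifiers; the query for `example.com` built in `main` is constructed input.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DNS_HDR_LEN   12
#define DNS_TYPE_A    1
#define DNS_CLASS_IN  1
/* 192.0.2.1 (RFC 5737 TEST-NET-1): an assumed stand-in for the reserved
 * address the post mentions, so redirected HTTP never reaches a real host. */
#define FAKE_ANSWER_IP 0xC0000201u

/* Length of the QNAME (labels + terminating zero) at buf[off], or 0 if it is
 * malformed or runs past len. Compression pointers are rejected: a query from
 * a stub resolver never needs them, and accepting them invites loops. */
static size_t qname_len(const uint8_t *buf, size_t len, size_t off) {
    size_t start = off;
    while (off < len) {
        uint8_t l = buf[off];
        if (l == 0) return off - start + 1;
        if (l > 63) return 0;              /* 0xC0.. pointers fall in here too */
        off += 1u + l;
    }
    return 0;
}

/* Build a reply to `query` into `out`. Any A/IN question gets one A record
 * with answer_ip; other question types get an empty NOERROR answer.
 * Returns the reply length, or -1 if the query cannot be parsed safely. */
int build_fake_dns_reply(const uint8_t *query, size_t qlen, uint8_t *out,
                         size_t outcap, uint32_t answer_ip, uint32_t ttl) {
    if (qlen < DNS_HDR_LEN) return -1;
    uint16_t flags   = (uint16_t)((query[2] << 8) | query[3]);
    uint16_t qdcount = (uint16_t)((query[4] << 8) | query[5]);
    if (flags & 0x8000) return -1;         /* QR set: this is already a response */
    if (qdcount != 1) return -1;
    size_t nlen = qname_len(query, qlen, DNS_HDR_LEN);
    if (nlen == 0) return -1;
    size_t qend = DNS_HDR_LEN + nlen + 4;  /* QNAME + QTYPE + QCLASS */
    if (qend > qlen) return -1;
    uint16_t qtype  = (uint16_t)((query[qend - 4] << 8) | query[qend - 3]);
    uint16_t qclass = (uint16_t)((query[qend - 2] << 8) | query[qend - 1]);
    int answer = (qtype == DNS_TYPE_A && qclass == DNS_CLASS_IN);
    if (qend + (answer ? 16u : 0u) > outcap) return -1;

    memcpy(out, query, qend);              /* keep ID and the question verbatim */
    /* QR=1, AA=1, RA=1; copy opcode and RD from the query; RCODE=0 */
    uint16_t rflags = (uint16_t)(0x8480 | (flags & 0x0100) | (flags & 0x7800));
    out[2] = (uint8_t)(rflags >> 8); out[3] = (uint8_t)rflags;
    out[4] = 0; out[5] = 1;                /* QDCOUNT */
    out[6] = 0; out[7] = (uint8_t)answer;  /* ANCOUNT */
    out[8] = out[9] = out[10] = out[11] = 0;
    if (!answer) return (int)qend;

    uint8_t *a = out + qend;
    a[0] = 0xC0; a[1] = DNS_HDR_LEN;       /* NAME: pointer to the question's QNAME */
    a[2] = 0; a[3] = DNS_TYPE_A;
    a[4] = 0; a[5] = DNS_CLASS_IN;
    a[6] = (uint8_t)(ttl >> 24); a[7] = (uint8_t)(ttl >> 16);
    a[8] = (uint8_t)(ttl >> 8);  a[9] = (uint8_t)ttl;
    a[10] = 0; a[11] = 4;                  /* RDLENGTH */
    a[12] = (uint8_t)(answer_ip >> 24); a[13] = (uint8_t)(answer_ip >> 16);
    a[14] = (uint8_t)(answer_ip >> 8);  a[15] = (uint8_t)answer_ip;
    return (int)(qend + 16);
}

/* Encode a dotted name into a recursion-desired query; returns its length or 0. */
size_t make_query(uint8_t *buf, size_t cap, uint16_t id, const char *name,
                  uint16_t qtype) {
    size_t n = strlen(name);
    if (cap < DNS_HDR_LEN + n + 2 + 4) return 0;
    memset(buf, 0, DNS_HDR_LEN);
    buf[0] = (uint8_t)(id >> 8); buf[1] = (uint8_t)id;
    buf[2] = 0x01;                         /* RD */
    buf[5] = 1;                            /* QDCOUNT */
    size_t off = DNS_HDR_LEN;
    for (const char *p = name; *p; ) {
        const char *dot = strchr(p, '.');
        size_t ll = dot ? (size_t)(dot - p) : strlen(p);
        if (ll == 0 || ll > 63) return 0;
        buf[off++] = (uint8_t)ll;
        memcpy(buf + off, p, ll); off += ll;
        p = dot ? dot + 1 : p + ll;
    }
    buf[off++] = 0;
    buf[off++] = (uint8_t)(qtype >> 8); buf[off++] = (uint8_t)qtype;
    buf[off++] = 0; buf[off++] = DNS_CLASS_IN;
    return off;
}

static uint8_t g_query[512];
static uint8_t g_reply[512];

/* Build a query for `name`/`qtype` and the fake reply to it; returns reply length. */
int demo_build(const char *name, uint16_t qtype) {
    size_t qlen = make_query(g_query, sizeof g_query, 0x1234, name, qtype);
    if (qlen == 0) return -1;
    return build_fake_dns_reply(g_query, qlen, g_reply, sizeof g_reply,
                                FAKE_ANSWER_IP, 0);
}

int main(void) {
    int n = demo_build("example.com", DNS_TYPE_A);   /* constructed sample query */
    printf("reply length %d:", n);
    for (int i = 0; i < n; i++) printf(" %02x", g_reply[i]);
    printf("\n");
    return n > 0 ? 0 : 1;
}
```

In a real gateway the reply would go back over the same UDP socket the query arrived on; the point of the routine is the parsing guard (reject responses, multi-question packets and compressed or oversized names before touching them) and the fixed answer, which is what lets the browser reach the portal redirect instead of a resolver error.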