Maintained by: NLnet Labs

[Unbound-users] Captive portal question

Tim Kindberg
Fri Apr 23 12:23:14 CEST 2010


Sven,

Thanks for pointing out a potential problem but obviously I wouldn't 
have suggested this if I was aware of an attack.

If I've understood it correctly, to be useful DNS tunnelling is carried 
out to a DNS server under the attacker's control.  It's not clear to me 
how they could do that.  Say the attacker controls a DNS server at 
example4.org.  Assuming the scheme that I have defined (1-3 in my 
original message) works, then when the attacker tries to resolve 
example4.org, the request will be CNAMEd to example3.org, which I control.

So please explain what I am missing.

I'd also appreciate an answer to my original question :-).  I'm sorry if 
I'm being dense but I'm new to all of these configuration issues.

Cheers,

Tim

Sven Ulland wrote:
> On 2010-04-23 08:25, Tim Kindberg wrote:
>> 1. traffic to example1.org is to be resolved normally, i.e.
>>    ultimately by the DNS server on the internet that the captive
>>    portal machine knows about
> 
> In other words, DNS tunnelling will work without restriction. Thanks
> for keeping this classic loophole available for the few that care to
> use it. Yes, I'm being sincere.
> 
> s.

-- 

Tim Kindberg
Matter 2 Media Ltd
w: matter2media.com
e: tim at matter2media.com
m: +44 (0)7954 582814
t: +44 (0)117 9095221