Maintained by: NLnet Labs

[Unbound-users] Captive portal question

Ondřej Surý
Fri Apr 23 14:25:24 CEST 2010


Isn't it easier to mess with TCP than to mess with DNS? It's just a few
lines in your firewall configuration.

Ondrej Sury

On 23.4.2010, at 12:23, Tim Kindberg <tim at matter2media.com> wrote:

> Sven,
>
> Thanks for pointing out a potential problem but obviously I wouldn't  
> have suggested this if I was aware of an attack.
>
> If I've understood it correctly, to be useful DNS tunnelling is  
> carried out to a DNS server under the attacker's control.  It's not  
> clear to me how they could do that.  Say the attacker controls a DNS  
> server at example4.org.  Assuming the scheme that I have defined  
> (1-3 in my original message) works, then when the attacker tries to  
> resolve example4.org, the request will be CNAMEd to example3.org,  
> which I control.
>
> So please explain what I am missing.
>
> I'd also appreciate an answer to my original question :-).  I'm  
> sorry if I'm being dense but I'm new to all of these configuration  
> issues.
>
> Cheers,
>
> Tim
>
> Sven Ulland wrote:
>> On 2010-04-23 08:25, Tim Kindberg wrote:
>>> 1. traffic to example1.org is to be resolved normally, i.e.
>>>   ultimately by the DNS server on the internet that the captive
>>>   portal machine knows about
>> In other words, DNS tunnelling will work without restriction. Thanks
>> for keeping this classic loophole available for the few that care to
>> use it. Yes, I'm being sincere.
>> s.
>> _______________________________________________
>> Unbound-users mailing list
>> Unbound-users at unbound.net
>> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
>
> -- 
>
> Tim Kindberg
> Matter 2 Media Ltd
> w: matter2media.com
> e: tim at matter2media.com
> m: +44 (0)7954 582814
> t: +44 (0)117 9095221
> _______________________________________________
> Unbound-users mailing list
> Unbound-users at unbound.net
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
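Sven's point above is that a resolver which still forwards arbitrary names upstream leaves DNS tunnelling open no matter how the portal redirect is built. Whether the portal ends up enforced in the firewall (as Ondřej suggests) or in the resolver, the operator wants a way to notice a client using that channel. The following is an added example, not code from the thread or from Unbound: a small heuristic that groups a resolver's query log by client and base domain and flags groups of many long, high-entropy, never-repeating subdomain labels. The log lines are constructed for the example; on a real box you would feed it parsed names from the resolver's query log (Unbound can emit one with `log-queries: yes`). Treating the last two labels as the base domain is an assumption that a real deployment would replace with a public-suffix-list lookup.

```python
import math
from collections import defaultdict

# Constructed sample input (not from the thread): (client, queried name) pairs,
# in the shape a parsed resolver query log would give you. 10.0.0.9 issues a
# burst of long, high-entropy, never-repeating labels under one base domain,
# which is how tunnelled traffic looks from the resolver's side.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example1.org"),
    ("10.0.0.5", "mail.example1.org"),
    ("10.0.0.7", "portal.example3.org"),
    ("10.0.0.9", "3q2k9f7a1xz0p4mn8bvc5hjt.example4.org"),
    ("10.0.0.9", "k8d2s9x1v7q3m5n0b4c6z2a1.example4.org"),
    ("10.0.0.9", "p0o9i8u7y6t5r4e3w2q1a2s3.example4.org"),
    ("10.0.0.9", "z1x2c3v4b5n6m7a8s9d0f1g2.example4.org"),
    ("10.0.0.9", "aGVsbG8gd29ybGQgdGhpcyBpcw.example4.org"),
    ("10.0.0.5", "cdn.example1.org"),
]


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (subdomain part, base domain) for a query name.

    Assumption for this example: the base domain is the last two labels.
    A real deployment should use the public suffix list instead.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def find_tunnel_suspects(queries, min_queries=4, min_unique_ratio=0.8,
                         min_entropy=3.0, min_label_len=20):
    """Flag (client, base domain) pairs whose subdomain labels look like a
    covert channel: many queries, almost all distinct, long and high-entropy.
    Thresholds are illustrative starting points, not tuned values."""
    groups = defaultdict(list)
    for client, qname in queries:
        sub, base = split_name(qname)
        groups[(client, base)].append(sub)

    suspects = []
    for (client, base), subs in groups.items():
        if len(subs) < min_queries:
            continue
        unique_ratio = len(set(subs)) / len(subs)
        # Drop the dots so multi-label payloads are measured as one string.
        stripped = [s.replace(".", "") for s in subs]
        mean_entropy = sum(shannon_entropy(s) for s in stripped) / len(stripped)
        mean_len = sum(len(s) for s in stripped) / len(stripped)
        if (unique_ratio >= min_unique_ratio and mean_entropy >= min_entropy
                and mean_len >= min_label_len):
            suspects.append({
                "client": client,
                "base_domain": base,
                "queries": len(subs),
                "unique_ratio": round(unique_ratio, 2),
                "mean_entropy": round(mean_entropy, 2),
                "mean_len": round(mean_len, 1),
            })
    # Busiest suspects first; stable ordering for equal counts.
    suspects.sort(key=lambda s: (-s["queries"], s["client"], s["base_domain"]))
    return suspects


if __name__ == "__main__":
    for suspect in find_tunnel_suspects(SAMPLE_QUERIES):
        print(suspect)
```

Ordinary browsing (the `example1.org` lookups from 10.0.0.5) stays well under the length and entropy thresholds, while the burst from 10.0.0.9 is reported. Legitimate CDN and anti-spam services also generate long random-looking labels, so this is a triage signal to review, not a block list; the firewall rule Ondřej describes is still what actually closes the path for unauthenticated clients.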