Revision 2 as of 2003-09-26 04:55:39 (size: 946) → Revision 3 as of 2004-04-26 13:15:34 (size: 1063)
Line 12 changed between the two revisions.
Deleted: Two ideas: - Only authorise DNS to the knowned DNS servers served by the DHCP - Install a local caching only nameserver
Added: Two common ideas like only authorise DNS to the knowned DNS servers served by the DHCP or installing a local caching only nameserver both won't work, because these DNS-servers will happily forward the DNS-requests to the target nameserver
CaptivePortal gateways such as NoCatAuth are great ways for community networks to provision free wireless AccessPoints. However, as a commercial authentication system they have some weaknesses. I won't elaborate too much here, but since DNS is typically required in order to seamlessly capture the client's request, you can do IP over DNS tunnels. -- AdamShand
Further, if the gateway allows ICMP there are more problems:
There are of course fixes for all of these problems; the most obvious is to not allow ICMP traffic to pass until the customer is authenticated. For DNS it's a little harder, but I'm sure someone can think of something.
Two common ideas, only authorising DNS to the known DNS servers served by the DHCP or installing a local caching-only nameserver, both won't work, because these DNS servers will happily forward the DNS requests to the target nameserver.
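Because the permitted resolvers forward everything, the gateway cannot block by destination, but it still sees every query an unauthenticated client sends and can measure how much data rides in the names. The following is an added example, not part of the original wiki page or of NoCatAuth: a volume heuristic over a constructed query log, where the log format, the two-label parent-domain rule and both thresholds are assumptions.

```python
import hashlib
from collections import defaultdict

# Constructed sample log: (client_ip, queried_name) for clients that have not
# authenticated yet. The 10.0.0.23 entries imitate encoded payload labels.
SAMPLE_QUERIES = [
    ("10.0.0.7", "www.example.com"),
    ("10.0.0.7", "mail.example.com"),
    ("10.0.0.7", "www.example.org"),
    ("10.0.0.9", "portal.example.org"),
] + [
    ("10.0.0.23", hashlib.sha256(str(i).encode()).hexdigest()[:40] + ".t.example.net")
    for i in range(8)
]


def parent_domain(name, labels=2):
    """Assumption: the last two labels are the delegated zone (no public-suffix list)."""
    return ".".join(name.rstrip(".").lower().split(".")[-labels:])


def flag_tunnel_suspects(queries, min_unique=5, min_bytes=200):
    """Return sorted (client, parent_domain) pairs whose pre-auth queries carry
    many distinct subdomains and a large number of bytes in those labels."""
    seen = defaultdict(set)
    for client, name in queries:
        name = name.rstrip(".").lower()
        parent = parent_domain(name)
        sub = name[: -len(parent)].rstrip(".")
        if sub:  # skip queries for the bare parent domain
            seen[(client, parent)].add(sub)

    suspects = []
    for key, subs in seen.items():
        carried = sum(len(s) for s in subs)  # bytes moved inside query names
        if len(subs) >= min_unique and carried >= min_bytes:
            suspects.append(key)
    return sorted(suspects)


if __name__ == "__main__":
    for client, parent in flag_tunnel_suspects(SAMPLE_QUERIES):
        print(f"pre-auth client {client}: unusual query volume under {parent}")
```

A gateway could use a flag like this to rate-limit or drop a client's DNS until it authenticates; the thresholds need tuning against the normal lookups its own portal page triggers.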