[Dnssec-trigger] A new type of painful hotspot: split-view for the captive portal
Stephane Bortzmeyer
bortzmeyer at nic.fr
Fri Oct 7 07:16:22 UTC 2011
I just encountered a sort of hotspot I didn't now. The DNS resolvers
are broken, it allows direct access to the authoritative name servers
but there is a captive portal and its name is not in the public DNS,
but only in the view of the local resolvers.
dnssec-trigger 0.5 is happy with it:
at 2011-10-07 09:08:46
authority 193.0.14.129: OK
cache 10.150.6.1: error no RRSIGs in reply
cache 10.150.2.1: error no RRSIGs in reply
state: auth secure
So it uses it:
# Generated by dnssec-trigger 0.5
domain nic.fr
search nic.fr
nameserver 127.0.0.1
And, indeed, I can talk to authoritative name servers:
; <<>> DiG 9.7.3 <<>> @193.0.14.129 DNSKEY .
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57997
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;. IN DNSKEY
;; ANSWER SECTION:
. 172800 IN DNSKEY 256 3 8 AwEAAcy4Eo1P5B3ut9Vm9ZP92JnCFSALJqdhO5fOq1UsseYaiMFqgDH6 Y40iqDw6JmpkmhiJLW6HGj//JLQXAJ+k4EcQ9tlDJqumEe7OJMU6KpcK s6qI4lugy8j/v6DxDlZdAPASbKmoGx1oceRKzr/UdwyB1G5aIEtwK7/D QFrn3zRj
. 172800 IN DNSKEY 256 3 8 AwEAAdNW7YIhcTdqXrzgZjJJ35VjAFT1ArvnhAzXDm7AuGxSQqmGBRmj JvBv0xS4gahB9mj6ekF0dVKoeZgLmNAjo8hj2JI7K281YTo2R5k3mKSc 4hOCP55hR22r5hIsPJoT19pv/VdZQfyTzZ96frQ16qRa9+/GSjzjtFfQ v16FwE7R
. 172800 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
;; Query time: 42 msec
;; SERVER: 193.0.14.129#53(193.0.14.129)
;; WHEN: Fri Oct 7 09:10:08 2011
;; MSG SIZE rcvd: 597
But when I try to surf, I get messages saying that bsc-lsh3.essec.fr
does not exist. It seems to be the captive portal and is not in the
public DNS :
; <<>> DiG 9.7.3 <<>> A bsc-lsh3.essec.fr
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 28170
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;bsc-lsh3.essec.fr. IN A
;; AUTHORITY SECTION:
essec.fr. 3201 IN SOA rubis.essec.fr. postmaster.essec.fr. 2008102551 10800 3600 1728000 3600
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Oct 7 09:11:33 2011
;; MSG SIZE rcvd: 99
But it is on the name servers they provide:
; <<>> DiG 9.7.3 <<>> @10.150.6.1 A bsc-lsh3.essec.fr
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2500
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;bsc-lsh3.essec.fr. IN A
;; ANSWER SECTION:
bsc-lsh3.essec.fr. 28800 IN A 194.254.137.123
;; Query time: 37 msec
;; SERVER: 10.150.6.1#53(10.150.6.1)
;; WHEN: Fri Oct 7 09:11:26 2011
;; MSG SIZE rcvd: 62
More information about the dnssec-trigger
mailing list