[Dnssec-trigger] A new type of painful hotspot: split-view for the captive portal

Stephane Bortzmeyer bortzmeyer at nic.fr
Fri Oct 7 07:16:22 UTC 2011


I just encountered a sort of hotspot I didn't know. The DNS resolvers
are broken; it allows direct access to the authoritative name servers,
but there is a captive portal and its name is not in the public DNS,
only in the view of the local resolvers.

dnssec-trigger 0.5 is happy with it:

at 2011-10-07 09:08:46
authority 193.0.14.129: OK 
cache 10.150.6.1: error no RRSIGs in reply
cache 10.150.2.1: error no RRSIGs in reply
state: auth secure

So it uses it:

# Generated by dnssec-trigger 0.5
domain nic.fr
search nic.fr
nameserver 127.0.0.1

And, indeed, I can talk to authoritative name servers:

; <<>> DiG 9.7.3 <<>> @193.0.14.129 DNSKEY .
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57997
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.				IN	DNSKEY

;; ANSWER SECTION:
.			172800	IN	DNSKEY	256 3 8 AwEAAcy4Eo1P5B3ut9Vm9ZP92JnCFSALJqdhO5fOq1UsseYaiMFqgDH6 Y40iqDw6JmpkmhiJLW6HGj//JLQXAJ+k4EcQ9tlDJqumEe7OJMU6KpcK s6qI4lugy8j/v6DxDlZdAPASbKmoGx1oceRKzr/UdwyB1G5aIEtwK7/D QFrn3zRj
.			172800	IN	DNSKEY	256 3 8 AwEAAdNW7YIhcTdqXrzgZjJJ35VjAFT1ArvnhAzXDm7AuGxSQqmGBRmj JvBv0xS4gahB9mj6ekF0dVKoeZgLmNAjo8hj2JI7K281YTo2R5k3mKSc 4hOCP55hR22r5hIsPJoT19pv/VdZQfyTzZ96frQ16qRa9+/GSjzjtFfQ v16FwE7R
.			172800	IN	DNSKEY	257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=

;; Query time: 42 msec
;; SERVER: 193.0.14.129#53(193.0.14.129)
;; WHEN: Fri Oct  7 09:10:08 2011
;; MSG SIZE  rcvd: 597

But when I try to surf, I get messages saying that bsc-lsh3.essec.fr
does not exist. It seems to be the captive portal and is not in the
public DNS:

; <<>> DiG 9.7.3 <<>> A bsc-lsh3.essec.fr
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 28170
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;bsc-lsh3.essec.fr.		IN	A

;; AUTHORITY SECTION:
essec.fr.		3201	IN	SOA	rubis.essec.fr. postmaster.essec.fr. 2008102551 10800 3600 1728000 3600

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Oct  7 09:11:33 2011
;; MSG SIZE  rcvd: 99



But it is on the name servers they provide:

; <<>> DiG 9.7.3 <<>> @10.150.6.1 A bsc-lsh3.essec.fr
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2500
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;bsc-lsh3.essec.fr.		IN	A

;; ANSWER SECTION:
bsc-lsh3.essec.fr.	28800	IN	A	194.254.137.123

;; Query time: 37 msec
;; SERVER: 10.150.6.1#53(10.150.6.1)
;; WHEN: Fri Oct  7 09:11:26 2011
;; MSG SIZE  rcvd: 62
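
The split-view diagnosis described in this post, as an added example that is not part of the post or of dnssec-trigger: it parses the probe report dnssec-trigger printed, then compares how the portal name resolves through the validating resolver dnssec-trigger configured (127.0.0.1) with how the DHCP-provided caches answer it. A name that is NXDOMAIN on the validating path but answered with an address by a local cache is the split-view signature. Live DNS queries are replaced by a table built from the dig output above; it is assumed that 10.150.2.1, which the post did not query, times out, and the function names (parse_probe_report, classify, diagnose) are the example's own.

```python
"""Detect a split-view captive portal from dnssec-trigger's probe results.

Added example, not code from the post or from dnssec-trigger.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Probe report as printed by dnssec-trigger 0.5 in the post.
PROBE_REPORT = """\
at 2011-10-07 09:08:46
authority 193.0.14.129: OK
cache 10.150.6.1: error no RRSIGs in reply
cache 10.150.2.1: error no RRSIGs in reply
state: auth secure
"""

_PROBE_LINE = re.compile(r"^(authority|cache)\s+(\S+):\s*(.*?)\s*$")


@dataclass
class ProbeReport:
    authority: Dict[str, str]   # ip -> status, e.g. "OK"
    cache: Dict[str, str]       # ip -> status, e.g. "error no RRSIGs in reply"
    state: str                  # e.g. "auth secure"


def parse_probe_report(text: str) -> ProbeReport:
    """Parse the 'authority ...', 'cache ...' and 'state: ...' lines."""
    report = ProbeReport(authority={}, cache={}, state="")
    for raw in text.splitlines():
        line = raw.strip()
        m = _PROBE_LINE.match(line)
        if m:
            kind, ip, status = m.groups()
            getattr(report, kind)[ip] = status
        elif line.startswith("state:"):
            report.state = line[len("state:"):].strip()
    return report


@dataclass(frozen=True)
class DnsAnswer:
    rcode: str                          # NOERROR, NXDOMAIN, SERVFAIL or TIMEOUT
    addresses: Tuple[str, ...] = ()     # A records, if any


# Constructed stand-in for live queries. The 127.0.0.1 and 10.150.6.1 rows copy
# the dig output in the post; 10.150.2.1 was not queried in the post, so it is
# assumed here to time out (no row).
SIMULATED_ANSWERS: Dict[Tuple[str, str], DnsAnswer] = {
    ("127.0.0.1", "bsc-lsh3.essec.fr"): DnsAnswer("NXDOMAIN"),
    ("10.150.6.1", "bsc-lsh3.essec.fr"): DnsAnswer("NOERROR", ("194.254.137.123",)),
}

QueryFn = Callable[[str, str], DnsAnswer]


def simulated_query(server: str, name: str) -> DnsAnswer:
    """Look the (server, name) pair up in the constructed table."""
    return SIMULATED_ANSWERS.get((server, name), DnsAnswer("TIMEOUT"))


def classify(name: str, validating: str, caches: List[str], query: QueryFn) -> Dict[str, object]:
    """Compare the validating resolver's view of `name` with each cache's view."""
    secure = query(validating, name)
    # Caches that hand back an address for the name (their answers carry no
    # RRSIGs, so they are unvalidated data).
    local_only = {}
    for server in caches:
        answer = query(server, name)
        if answer.rcode == "NOERROR" and answer.addresses:
            local_only[server] = answer.addresses
    if secure.rcode == "NOERROR" and secure.addresses:
        # Public DNS knows the name; flag caches whose answer differs from it.
        differing = [s for s, addrs in local_only.items() if set(addrs) != set(secure.addresses)]
        verdict = "divergent" if differing else "consistent"
    elif local_only:
        verdict = "split-view"      # only the hotspot's own resolvers know the name
    else:
        verdict = "unresolvable"    # nobody answers: not a split-view portal
    return {"verdict": verdict, "secure_rcode": secure.rcode, "local_only": local_only}


def diagnose(report_text: str, portal_name: str, query: QueryFn = simulated_query) -> Dict[str, object]:
    """Run the split-view check against the caches dnssec-trigger rejected."""
    report = parse_probe_report(report_text)
    result = classify(portal_name, "127.0.0.1", sorted(report.cache), query)
    result["state"] = report.state
    return result


if __name__ == "__main__":
    print(diagnose(PROBE_REPORT, "bsc-lsh3.essec.fr"))
```

To run it on a live hotspot, replace simulated_query with a function that sends the query (for instance with dnspython) and maps the response to a DnsAnswer. Addresses returned only by the local caches arrived without RRSIGs and cannot be validated, so a client should use them solely to reach the portal's login page and keep sending everything else through the validating resolver.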
