[Dnssec-trigger] A new type of painful hotspot: split-view for the captive portal

W.C.A. Wijngaards wouter at NLnetLabs.nl
Mon Oct 10 12:23:31 UTC 2011



Hi Stephane,

In 0.5 I made the HotSpot SignOn menu item, that triggers insecure mode
so you can sign on to the broken signon page of this hotspot.

You can also set this up from the command line:
$ dnssec-trigger-control hotspot_signon
.. do the signon via web browser ..
$ dnssec-trigger-control reprobe
.. state should be back to DNSSEC secure again ..

This option is evil, in that it allows you to turn off DNSSEC.  And thus
users downgrade themselves.  But it works with these hotspots in
practice.  And may work for some nasty split-view local printer setups
and so on...

Best regards,
   Wouter

On 10/07/2011 09:16 AM, Stephane Bortzmeyer wrote:
> I just encountered a sort of hotspot I didn't know. The DNS resolvers
> are broken, it allows direct access to the authoritative name servers
> but there is a captive portal and its name is not in the public DNS,
> but only in the view of the local resolvers.
> 
> dnssec-trigger 0.5 is happy with it:
> 
> at 2011-10-07 09:08:46
> authority 193.0.14.129: OK 
> cache 10.150.6.1: error no RRSIGs in reply
> cache 10.150.2.1: error no RRSIGs in reply
> state: auth secure
> 
> So it uses it:
> 
> # Generated by dnssec-trigger 0.5
> domain nic.fr
> search nic.fr
> nameserver 127.0.0.1
> 
> And, indeed, I can talk to authoritative name servers:
> 
> ; <<>> DiG 9.7.3 <<>> @193.0.14.129 DNSKEY .
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57997
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;.				IN	DNSKEY
> 
> ;; ANSWER SECTION:
> .			172800	IN	DNSKEY	256 3 8 AwEAAcy4Eo1P5B3ut9Vm9ZP92JnCFSALJqdhO5fOq1UsseYaiMFqgDH6 Y40iqDw6JmpkmhiJLW6HGj//JLQXAJ+k4EcQ9tlDJqumEe7OJMU6KpcK s6qI4lugy8j/v6DxDlZdAPASbKmoGx1oceRKzr/UdwyB1G5aIEtwK7/D QFrn3zRj
> .			172800	IN	DNSKEY	256 3 8 AwEAAdNW7YIhcTdqXrzgZjJJ35VjAFT1ArvnhAzXDm7AuGxSQqmGBRmj JvBv0xS4gahB9mj6ekF0dVKoeZgLmNAjo8hj2JI7K281YTo2R5k3mKSc 4hOCP55hR22r5hIsPJoT19pv/VdZQfyTzZ96frQ16qRa9+/GSjzjtFfQ v16FwE7R
> .			172800	IN	DNSKEY	257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
> 
> ;; Query time: 42 msec
> ;; SERVER: 193.0.14.129#53(193.0.14.129)
> ;; WHEN: Fri Oct  7 09:10:08 2011
> ;; MSG SIZE  rcvd: 597
> 
> But when I try to surf, I get messages saying that bsc-lsh3.essec.fr
> does not exist. It seems to be the captive portal and is not in the
> public DNS:
> 
> ; <<>> DiG 9.7.3 <<>> A bsc-lsh3.essec.fr
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 28170
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;bsc-lsh3.essec.fr.		IN	A
> 
> ;; AUTHORITY SECTION:
> essec.fr.		3201	IN	SOA	rubis.essec.fr. postmaster.essec.fr. 2008102551 10800 3600 1728000 3600
> 
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Fri Oct  7 09:11:33 2011
> ;; MSG SIZE  rcvd: 99
> 
> But it is on the name servers they provide:
> 
> ; <<>> DiG 9.7.3 <<>> @10.150.6.1 A bsc-lsh3.essec.fr
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2500
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;bsc-lsh3.essec.fr.		IN	A
> 
> ;; ANSWER SECTION:
> bsc-lsh3.essec.fr.	28800	IN	A	194.254.137.123
> 
> ;; Query time: 37 msec
> ;; SERVER: 10.150.6.1#53(10.150.6.1)
> ;; WHEN: Fri Oct  7 09:11:26 2011
> ;; MSG SIZE  rcvd: 62
> 

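As an added example (not dnssec-trigger's own code, and not from either poster), the check below parses a probe report in the format quoted above and flags the split-view symptom Stephane describes: a name the validating local resolver reports as NXDOMAIN while the hotspot's own caches answer it. The state choice is a simplified model of the behaviour described in this thread, not the project's real decision logic, and the probe-line format is assumed from the quoted output.

```python
import re

# Constructed sample input: the probe report quoted in the thread.
PROBE_REPORT = """\
at 2011-10-07 09:08:46
authority 193.0.14.129: OK
cache 10.150.6.1: error no RRSIGs in reply
cache 10.150.2.1: error no RRSIGs in reply
state: auth secure
"""

# Assumed line shape: "<authority|cache> <ip>: OK" or "...: error <message>".
PROBE_LINE = re.compile(r"^(authority|cache) (\S+): (OK|error .*)$")


def parse_probe(report):
    """Return {"authority": {ip: status}, "cache": {ip: status}}."""
    out = {"authority": {}, "cache": {}}
    for line in report.splitlines():
        m = PROBE_LINE.match(line.strip())
        if m:
            out[m.group(1)][m.group(2)] = m.group(3)
    return out


def choose_state(probe):
    """Simplified model (assumption): a DNSSEC-capable cache wins, then direct
    authority access, otherwise the resolver would have to go insecure."""
    if any(s == "OK" for s in probe["cache"].values()):
        return "cache secure"
    if any(s == "OK" for s in probe["authority"].values()):
        return "auth secure"
    return "insecure"


def split_view_suspects(local_rcodes, cache_rcodes):
    """Names that are NXDOMAIN at the validating local resolver but answered
    (any rcode other than NXDOMAIN) by at least one hotspot cache.

    local_rcodes: {name: rcode} as seen via 127.0.0.1
    cache_rcodes: {cache_ip: {name: rcode}} as seen via the DHCP resolvers
    """
    return sorted(
        name for name, rc in local_rcodes.items()
        if rc == "NXDOMAIN" and any(
            answers.get(name) not in (None, "NXDOMAIN")
            for answers in cache_rcodes.values()))
```

A non-empty suspect list is the cue that the captive portal lives only in the hotspot's view, i.e. the situation the hotspot_signon / reprobe sequence above is meant for.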