[Unbound-users] Captive portal question
Ondřej Surý
ondrej at sury.org
Fri Apr 23 12:25:24 UTC 2010
Isn't it easier to mess with TCP than to mess with DNS? It's just a few
lines in your firewall configuration.
Ondrej Sury
On 23.4.2010, at 12:23, Tim Kindberg <tim at matter2media.com> wrote:
> Sven,
>
> Thanks for pointing out a potential problem but obviously I wouldn't
> have suggested this if I was aware of an attack.
>
> If I've understood it correctly, to be useful DNS tunnelling is
> carried out to a DNS server under the attacker's control. It's not
> clear to me how they could do that. Say the attacker controls a DNS
> server at example4.org. Assuming the scheme that I have defined
> (1-3 in my original message) works, then when the attacker tries to
> resolve example4.org, the request will be CNAMEd to example3.org,
> which I control.
>
> So please explain what I am missing.
>
> I'd also appreciate an answer to my original question :-). I'm
> sorry if I'm being dense but I'm new to all of these configuration
> issues.
>
> Cheers,
>
> Tim
>
> Sven Ulland wrote:
>> On 2010-04-23 08:25, Tim Kindberg wrote:
>>> 1. traffic to example1.org is to be resolved normally, i.e.
>>> ultimately by the DNS server on the internet that the captive
>>> portal machine knows about
>> In other words, DNS tunnelling will work without restriction. Thanks
>> for keeping this classic loophole available for the few that care to
>> use it. Yes, I'm being sincere.
>> s.
>> _______________________________________________
>> Unbound-users mailing list
>> Unbound-users at unbound.net
>> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
>
> --
>
> Tim Kindberg
> Matter 2 Media Ltd
> w: matter2media.com
> e: tim at matter2media.com
> m: +44 (0)7954 582814
> t: +44 (0)117 9095221