Breaking the internet (hotels, guestnet style)
marka at isc.org
Mon Dec 7 23:39:22 CST 2009
In message <200912080332.nB83WKSo037049 at aurora.sol.net>, Joe Greco writes:
> > IMHO there is no need for any sort of DNS redirection after user
> > authentication has taken place.
> It may be hazardous even before user authentication has taken place.
> Even given a very low TTL, client resolvers may cache answers returned
> during that initial authentication.
> > We of course redirect UDP/TCP 53 to one of our servers along with 80
> > (http) 443 (https) 8080, 3128 (proxy) to the local hotspot *before* any
> > authentication has occurred, but once this is completed the only reason
> > any guest would use the local DNS server is if they were assigned a DHCP
> > address.
> Which, presumably, many/most of them are. Supplying a functional DNS
> server shouldn't be that difficult, but real world experience shows just
> how well some operators run these services.
> > As far as our Routerboard/Mikrotik setup works, it'll masquerade for any
> > non standard IP addresses that appear on the network (guests with static
> > ip's assigned, corporate laptops etc) but once again after the
> > authentication stage anything is allowed to pass unhindered.
> > The only redirection that is used after authentication is for port 25 as
> > 90% of user trying to send mail out via port 25 have no idea how to
> > change their mail server, let alone why they might need to.
> > It can be an issue as some systems use authentication on port 25.
> Sounds like an opportunity for a custom proxy. Clients that can
> successfully authenticate to an external mailserver on 25 are probably
> by definition nonproblematic. The remainder probably deserve to get
> jammed through an aggressive spam, virus, and other-crap filter, with
> in-line notification of rejections. You can do some other sanity stuff
> like counting the number of hosts contacted by a client; anything in
> excess of a small number would seem to be a good indicator to stop.
> ... JG
> Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
> "We call it the 'one bite at the apple' rule. Give me one chance [and] then I
> won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CN
> With 24 million small businesses in the US alone, that's way too many apples.
This really should be a DHCP option which points to the authentication
server using ip addresses. This should be returned to clients even
if they don't request it. Web browsers could have a hot-spot button that
retrieves this option then connects using the value returned.
No need to compromise the DNS or intercept http.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
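Mark's proposal of a DHCP option that points at the authentication server is, in effect, what RFC 8910 later standardized as DHCPv4 option 114 (Captive-Portal URI). The Python below is an added example, not code from this post or from ISC: it builds and parses the DHCP options TLV field, pulls out option 114, and accepts the pointer only when its host is an IP literal, so a client can reach the portal without any DNS lookup and the hotspot has no reason to intercept DNS or HTTP. The sample DHCPOFFER options and the 10.0.0.1 portal address are constructed for this example.

```python
"""Build and parse the DHCPv4 options field carrying a captive-portal pointer.

Added illustration for the thread above, not code from the original post.
Option code 114 (Captive-Portal URI) is the value assigned by RFC 8910; the
sample offer below is constructed for this example.
"""
import ipaddress
from urllib.parse import urlsplit

OPT_PAD = 0
OPT_END = 255
OPT_CAPTIVE_PORTAL = 114  # RFC 8910 Captive-Portal option; value is a URI


def parse_options(options: bytes) -> dict:
    """Decode DHCP TLV options (the bytes after the magic cookie).

    Returns {code: raw_value}. Stops at OPT_END. A length byte that runs
    past the end of the buffer is treated as malformed and raises rather
    than silently reading short.
    """
    out = {}
    i, n = 0, len(options)
    while i < n:
        code = options[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= n:
            raise ValueError("truncated option header at offset %d" % i)
        length = options[i + 1]
        start, end = i + 2, i + 2 + length
        if end > n:
            raise ValueError("option %d length %d overruns packet" % (code, length))
        out[code] = options[start:end]
        i = end
    return out


def build_options(values: dict) -> bytes:
    """Encode {code: bytes} as DHCP TLV options followed by OPT_END."""
    buf = bytearray()
    for code, value in values.items():
        if not 0 < code < 255:
            raise ValueError("option code %d not encodable" % code)
        if len(value) > 255:
            raise ValueError("option %d value too long" % code)
        buf += bytes([code, len(value)]) + value
    buf.append(OPT_END)
    return bytes(buf)


def captive_portal_url(options: bytes):
    """Return the portal URI from the options, or None if absent.

    Following the point made in the thread, the pointer is accepted only
    when its host is an IP literal, so reaching the portal needs no DNS
    lookup (and therefore no DNS interception by the hotspot).
    """
    raw = parse_options(options).get(OPT_CAPTIVE_PORTAL)
    if raw is None:
        return None
    uri = raw.decode("ascii")
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https"):
        raise ValueError("unexpected scheme in portal URI: %r" % uri)
    try:
        ipaddress.ip_address(parts.hostname)
    except ValueError:
        raise ValueError("portal host is not an IP literal: %r" % parts.hostname)
    return uri


# Constructed sample: options field of a DHCPOFFER as a hotspot might send it
SAMPLE_OFFER_OPTIONS = build_options({
    53: b"\x02",                    # DHCP message type: OFFER
    1: bytes([255, 255, 255, 0]),   # subnet mask
    3: bytes([10, 0, 0, 1]),        # router
    6: bytes([10, 0, 0, 1]),        # DNS server (the hotspot itself)
    OPT_CAPTIVE_PORTAL: b"https://10.0.0.1/login",
})

if __name__ == "__main__":
    print("portal:", captive_portal_url(SAMPLE_OFFER_OPTIONS))
```

The "hot-spot button" Mark describes would simply read this option from the lease and open the returned URL; a pointer whose host is a DNS name is rejected here because resolving it would reintroduce the dependency on the hotspot's DNS that the proposal is meant to remove.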