Breaking the internet (hotels, guestnet style)

Mark Andrews marka at
Mon Dec 7 23:39:22 CST 2009

In message <200912080332.nB83WKSo037049 at>, Joe Greco writes:
> > IMHO there is no need for any sort of DNS redirection after user 
> > authentication has taken place.
> It may be hazardous even before user authentication has taken place.
> Even given a very low TTL, client resolvers may cache answers returned
> during that initial authentication.
> > We of course redirect UDP/TCP 53 to one of our servers along with 80 
> > (http) 443 (https) 8080, 3128 (proxy) to the local hotspot *before* any 
> > authentication has occurred, but once this is completed the only reason 
> > any guest would use the local DNS server is if they were assigned a DHCP 
> > address.
> Which, presumably, many/most of them are.  Supplying a functional DNS
> server shouldn't be that difficult, but real world experience shows just
> how well some operators run these services.
> > As far as our Routerboard/Mikrotik setup works, it'll masquerade for any 
> > non standard IP addresses that appear on the network (guests with static 
> > IPs assigned, corporate laptops etc.) but once again after the 
> > authentication stage anything is allowed to pass unhindered.
> > 
> > The only redirection that is used after authentication is for port 25 as 
> > 90% of users trying to send mail out via port 25 have no idea how to 
> > change their mail server, let alone why they might need to.
> > It can be an issue as some systems use authentication on port 25.
> Sounds like an opportunity for a custom proxy.  Clients that can
> successfully authenticate to an external mailserver on 25 are probably
> by definition nonproblematic.  The remainder probably deserve to get
> jammed through an aggressive spam, virus, and other-crap filter, with
> in-line notification of rejections.  You can do some other sanity stuff
> like counting the number of hosts contacted by a client; anything in
> excess of a small number would seem to be a good indicator to stop.
> ... JG
> -- 
> Joe Greco - Network Services - Milwaukee, WI -
> "We call it the 'one bite at the apple' rule. Give me one chance [and] then I
> won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
> With 24 million small businesses in the US alone, that's way too many apples.

This really should be a DHCP option which points to the authentication
server using IP addresses.  This should be returned to clients even
if they don't request it.  Web browsers could have a hot-spot button that
retrieves this option then connects using the value returned.

No need to compromise the DNS or intercept http.

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at
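The DHCP option Mark describes, as an added example in Python that is not part of this message or of any ISC software. It assumes option code 114 for the hotspot option (the code RFC 8910 later assigned to "Captive-Portal", where it carries a URI; here it carries a 4-byte IPv4 address, as the message proposes, so that wire format is the example's own choice). The server side adds the option unconditionally rather than only when it appears in the client's Parameter Request List (option 55), and the client side parses the options area defensively and refuses an address that could not plausibly be an authentication server. All packets and addresses below are constructed.

```python
"""Carry the hotspot authentication server in a DHCP option (added example)."""
import ipaddress
import struct

# DHCP option codes from RFC 2132 used below.
OPT_PAD = 0
OPT_SUBNET_MASK = 1
OPT_ROUTER = 3
OPT_LEASE_TIME = 51
OPT_MESSAGE_TYPE = 53
OPT_SERVER_ID = 54
OPT_PARAM_REQUEST_LIST = 55
OPT_END = 255

# Assumption: the hotspot option uses code 114 and carries one IPv4 address.
OPT_HOTSPOT_AUTH_SERVER = 114

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTP_HDR = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")  # 236-byte fixed header
BOOTREPLY = 2
DHCPOFFER = 2


def encode_options(options):
    """Serialize (code, value) pairs as DHCP TLVs and terminate with END."""
    out = bytearray()
    for code, value in options:
        if not 0 < code < 255 or len(value) > 255:
            raise ValueError("bad option %r" % code)
        out += bytes((code, len(value))) + value
    out.append(OPT_END)
    return bytes(out)


def decode_options(blob):
    """Parse a DHCP options area into {code: value}.

    Skips PAD bytes, stops at END, concatenates repeated codes (RFC 3396)
    and rejects a truncated TLV instead of reading past the buffer.
    """
    opts = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 2 > len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def build_offer(xid, client_mac, offered_ip, server_ip, auth_server_ip, requested=()):
    """Server side: a DHCPOFFER that always carries the auth server option,
    whether or not code 114 is in the client's Parameter Request List."""
    header = BOOTP_HDR.pack(
        BOOTREPLY, 1, 6, 0, xid, 0, 0,              # htype Ethernet, hlen 6, hops 0
        b"\0" * 4,                                  # ciaddr
        ipaddress.IPv4Address(offered_ip).packed,   # yiaddr
        ipaddress.IPv4Address(server_ip).packed,    # siaddr
        b"\0" * 4,                                  # giaddr
        client_mac.ljust(16, b"\0"),                # chaddr
        b"\0" * 64, b"\0" * 128)                    # sname, file
    options = [
        (OPT_MESSAGE_TYPE, bytes([DHCPOFFER])),
        (OPT_SERVER_ID, ipaddress.IPv4Address(server_ip).packed),
        (OPT_LEASE_TIME, struct.pack("!I", 3600)),
    ]
    # Ordinary options follow the client's request list (constructed values)...
    if OPT_SUBNET_MASK in requested:
        options.append((OPT_SUBNET_MASK, ipaddress.IPv4Address("255.255.255.0").packed))
    if OPT_ROUTER in requested:
        options.append((OPT_ROUTER, ipaddress.IPv4Address(server_ip).packed))
    # ...but the hotspot option is unconditional, as the message proposes.
    options.append((OPT_HOTSPOT_AUTH_SERVER, ipaddress.IPv4Address(auth_server_ip).packed))
    return header + MAGIC_COOKIE + encode_options(options)


def hotspot_auth_server(packet):
    """Client side (the "hot-spot button"): return the auth server address
    from a DHCP reply as an IPv4Address, or None if the option is absent.
    Raises ValueError on a malformed packet or an unusable address."""
    end = BOOTP_HDR.size + len(MAGIC_COOKIE)
    if len(packet) < end or packet[BOOTP_HDR.size:end] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    if packet[0] != BOOTREPLY:
        raise ValueError("not a BOOTREPLY")
    value = decode_options(packet[end:]).get(OPT_HOTSPOT_AUTH_SERVER)
    if value is None:
        return None
    if len(value) != 4:
        raise ValueError("auth server option must be exactly one IPv4 address")
    addr = ipaddress.IPv4Address(value)
    # A rogue server could hand out anything; only plain unicast is usable.
    if addr.is_multicast or addr.is_loopback or addr.is_unspecified \
            or addr == ipaddress.IPv4Address("255.255.255.255"):
        raise ValueError("unusable auth server address %s" % addr)
    return addr


if __name__ == "__main__":
    pkt = build_offer(0x1234, b"\x00\x11\x22\x33\x44\x55",
                      "10.0.0.50", "10.0.0.1", "10.0.0.2", requested=(OPT_SUBNET_MASK,))
    print("auth server:", hotspot_auth_server(pkt))
```

The client never touches DNS or HTTP to find the portal: it reads the address straight out of the DHCP reply it already accepted, which is the point of the proposal. Real deployments would also want the portal to authenticate itself (TLS with a name the client can verify) since DHCP itself carries no integrity protection on the link.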

More information about the NANOG mailing list