Celejar wrote: > On Fri, 2 Jul 2010 22:07:03 -0400 > Rob Owens <rowens@ptd.net> wrote: > > ... > > >> I think the solution was to use opendns servers in /etc/resolv.conf. >> The reason it works is that, according to the article I read, many of >> these captive portal systems work by not giving you a dns server until >> you enter your credentials. If you manually specify your own dns >> server, you can avoid entering your credentials. >> >> I've never tested it, but I know that the captive portal systems I've seen give you an IP >> address before you enter your credentials. In fact, they have to give >> you an IP address otherwise you couldn't get to the "credentials" >> webpage. >> > > >From http://en.wikipedia.org/wiki/Captive_portal#Implementation > > ----- > > Implementation > > There is more than one way to implement a captive portal. > [edit] Redirection by HTTP > > If an unauthenticated client requests a website, DNS is queried by the > browser and the appropriate IP resolved as usual. The browser then > sends an HTTP request to that IP address. This request, however, is > intercepted by a firewall and forwarded to a redirect server. This > redirect server responds with a regular HTTP response which contains > HTTP status code 302 to redirect the client to the Captive Portal. Is the 302 status code standardized? (I'm here dealing with CISCO routers and network stuff, and do they use 302 too?) > To the client, this process is totally transparent. The client assumes > that the website actually responded to the initial request and sent the > redirect. [edit] IP Redirect > > Client traffic can also be redirected using IP redirect on the layer 3 > level. This has the disadvantage that content served to the client does > not match the URL. [edit] Redirection by DNS > / > When a client requests a website, DNS is queried by the browser. The > firewall will make sure that only the DNS server(s) provided by DHCP > can be used by unauthenticated clients (or, alternatively, it will > forward all DNS requests by unauthenticated clients to that DNS > server). This DNS server will return the IP address of the Captive > Portal page as a result of all DNS lookups. > > The DNS poisoning technique used here, when not considering answers > with a TTL of 0, may negatively affect post-authenticated internet use > when the client machine references non-authentic data in its local > resolver cache. > > Some naive implementations don't block outgoing DNS requests from > clients, and therefore are very easy to bypass; a user simply needs to > configure their computer to use another, public, DNS server. > Implementing a firewall or ACL that ensures no inside clients can use > an outside DNS server is critical. > Thanks for this. -- Merciadri Luca See http://www.student.montefiore.ulg.ac.be/~merciadri/ I use PGP. If there is an incompatibility problem with your mail client, please contact me. Act today only, tomorrow is too late.
Attachment:
signature.asc
Description: OpenPGP digital signature