[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Captive-portals] Discovering captive portal API URL via DNS?



Lorenzo Colitti <[email protected]> wrote:
    mcr>     that things like DoT/DoH can not be used by the captive portal
    mcr> client.  (I just want to make the assumption explicit. I'm not
    mcr> complaining about it)

    > That's not really an assumption - the fact that the captive portal
    > client can't do DoT/DoH is mostly true today, because unless the portal
    > is open, 443 and 853 are likely to be blocked. By and large, DoT / DoH
    > clients probably already know not to attempt them on captive portals.

Well, a captive portal could leave HTTPS to cloudflare open, the same way
that they might leave Do53 open to themselves, or to quadX.  That works today
for some portals.

And if the portal doesn't let just *any* Do53, but only to known public
resolvers (which they can even proxy if they want), then they can be sure to
defeat DNS-VPN mechanisms.

Some portals today *do* depend upon creating answers for names that aren't
real.  That fails today if you do DNSSEC validation.  Of course, some still
depend upon lying about all DNS requests, and but we have agreed that this is
bad.  

-- 
]               Never tell me the odds!                 | ipv6 mesh networks [ 
]   Michael Richardson, Sandelman Software Works        | network architect  [ 
]     [email protected]  http://www.sandelman.ca/        |   ruby on rails    [ 
	

Attachment: signature.asc
Description: PGP signature