Re: [Captive-portals] Discovering captive portal API URL via DNS?

• To: Michael Richardson <[email protected]>
• Subject: Re: [Captive-portals] Discovering captive portal API URL via DNS?
• From: Tommy Pauly <[email protected]>
• Date: Wed, 04 Sep 2019 08:51:54 -0700
• Archived-at: <https://mailarchive.ietf.org/arch/msg/captive-portals/OBIfWNxkP-pXPJR0Kle-K3lWPgE>
• Authentication-results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
• Cc: Lorenzo Colitti <[email protected]>, [email protected]
• Delivered-to: [email protected]
• Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=sender : content-type : mime-version : subject : from : in-reply-to : date : cc : content-transfer-encoding : message-id : references : to; s=20180706; bh=PaqhJSqM1T43BhwBGso7EfpytqpqKKyS5zes1IDGZvQ=; b=pSG23zgyZI/o+hbUxhYQ44L7QO2S90n2ebuUMMe8kSkwDa+2I/HPxB+HM34u8g331Go+ WueEoHPppNbgxAytuJiCScg2j0YvoKt5Oy6udtMAh0NgYdKUx/i4rzL/n8GZkYEsOr3i mNv4gg29Xf0fvRASE5wbJYCQd8/2W2Sdk/xREBnMCWFwZjF5OCCHVFXml2uP5xQNDWmw XnhVN9sedK3+zsqmNO0jZPkxxAli7thgwW+2yWpeowOL6ReJmvTPpXLntAYetG2RzyYB kNnliqVo7nT1bsvuzTEth+qLVH5o1npLZx30K3NWTf30sJWbZWyjpeDBjQ0Qur4OVY3Y 4A==
• In-reply-to: <[email protected]>
• List-archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
• List-help: <mailto:[email protected]?subject=help>
• List-id: Discussion of issues related to captive portals <captive-portals.ietf.org>
• List-post: <mailto:[email protected]>
• List-subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:[email protected]?subject=subscribe>
• List-unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:[email protected]?subject=unsubscribe>
• References: <[email protected]om> <[email protected]> <[email protected]om> <[email protected]>
• Sender: [email protected]

In general, I think that the code on a client system that is intentionally interacting with a Captive Portal (for discovery, etc), will need to use the locally-provisioned DNS. That is probably Do53, but could be DoT/DoH in the future; it would, however, be expected to be under the control of the portal if there is a portal present. Even if a system is strictly using DoT/DoH for other use cases, it needs to have some local exceptions for this kind of "system" traffic. A good example is the ipv4only.arpa lookup on DNS64 networks.

—Tommy

> On Sep 4, 2019, at 7:16 AM, Michael Richardson <[email protected]> wrote:
> 
> 
> Lorenzo Colitti <[email protected]> wrote:
>    mcr>     that things like DoT/DoH can not be used by the captive portal
>    mcr> client.  (I just want to make the assumption explicit. I'm not
>    mcr> complaining about it)
> 
>> That's not really an assumption - the fact that the captive portal
>> client can't do DoT/DoH is mostly true today, because unless the portal
>> is open, 443 and 853 are likely to be blocked. By and large, DoT / DoH
>> clients probably already know not to attempt them on captive portals.
> 
> Well, a captive portal could leave HTTPS to cloudflare open, the same way
> that they might leave Do53 open to themselves, or to quadX.  That works today
> for some portals.
> 
> And if the portal doesn't let just *any* Do53, but only to known public
> resolvers (which they can even proxy if they want), then they can be sure to
> defeat DNS-VPN mechanisms.
> 
> Some portals today *do* depend upon creating answers for names that aren't
> real.  That fails today if you do DNSSEC validation.  Of course, some still
> depend upon lying about all DNS requests, and but we have agreed that this is
> bad.  
> 
> -- 
> ]               Never tell me the odds!                 | ipv6 mesh networks [ 
> ]   Michael Richardson, Sandelman Software Works        | network architect  [ 
> ]     [email protected]  http://www.sandelman.ca/        |   ruby on rails    [ 
> 	
> 
> _______________________________________________
> Captive-portals mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/captive-portals

• References:
  • [Captive-portals] Discovering captive portal API URL via DNS?
    • From: Lorenzo Colitti <[email protected]>
  • Re: [Captive-portals] Discovering captive portal API URL via DNS?
    • From: Michael Richardson <[email protected]>
  • Re: [Captive-portals] Discovering captive portal API URL via DNS?
    • From: Lorenzo Colitti <[email protected]>
  • Re: [Captive-portals] Discovering captive portal API URL via DNS?
    • From: Michael Richardson <[email protected]>

• Prev by Date: Re: [Captive-portals] Discovering captive portal API URL via DNS?
• Next by Date: Re: [Captive-portals] Discovering captive portal API URL via DNS?
• Previous by thread: Re: [Captive-portals] Discovering captive portal API URL via DNS?
• Next by thread: Re: [Captive-portals] Discovering captive portal API URL via DNS?
• Index(es):
  • Date
  • Thread