Re: [Captive-portals] Discovering captive portal API URL via DNS?

Tommy Pauly <[email protected]> wrote:
    > I wanted to clarify the issue a bit before diving into the
    > mitigations. Do these captive portal operators have *no* relationship
    > to the DHCP configuration? Presumably, the captive portal enforcement

I think that the issue is that the relationship is adversarial: different
silos.  The example that was given previously was that DHCP belonged to the
"desktop" group, while DNS belongs to the "network" group in some enterprise.
The DHCP all backends (via relays) to some DHCP servers, while the DNS
is operated by the "Internet" group.  That probably means that capport.arpa
(and ipv4.arpa) will get populated, and all of the non-captive desktops will
see that.  I think that this is okay.

    > Since the mitigation below is specific to modifying the DNS, I assume
    > that we are talking about captive portal solutions that work, in part,
    > by intercepting DNS.

I don't think that is necessarily the case.
The Internet group probably controls the routers, just not the DHCP.

]               Never tell me the odds!                 | ipv6 mesh networks [ 
]   Michael Richardson, Sandelman Software Works        | network architect  [ 
]     [email protected]  http://www.sandelman.ca/        |   ruby on rails    [ 
