Captive portal with DNS forwarder - do not resolve internal IPs?



  • Hi,

    My captive portal uses the internal DNS forwarder, which knows all my local IP <-> FQDN mappings.

    • Is there an option to not answer local FQDN requests from the captive portal interface?
    • Is it better to push an external DNS server and open the firewall to this server (IP/53/UDP)?


  • Hi,

    If you use a dedicated interface for your captive portal, I guess you could try this:

    Deactivate the "internal dns forwarder" for your Captive Portal.
    Instruct the DHCP server that serves the Captive Portal with your (example) ISP DNS servers, or Google DNS servers, or whatever.

    Like this, portal visitors cannot resolve your internal LAN FQDNs anymore.

    BUT: why do you care anyway? Normally, portal visitors can go (only!) "out" to the net, and your firewall rules for the captive portal interface won't let them into your LAN … so even if they 'know' that an FQDN exists on your ... what? LAN? they can't do anything with it.



  • @Gertjan:

    Deactivate the "internal dns forwarder" for your Captive Portal.
    Instruct the DHCP server that serves the Captive Portal with your (example) ISP DNS servers, or Google DNS servers, or whatever.

    Like this, portal visitors cannot resolve your internal LAN FQDNs anymore.

    […] Also, the DNS Forwarder or Resolver must be enabled for DNS lookups by unauthenticated clients to work.

    Not possible, because the unauthenticated clients can never resolve a DNS name.
    @Gertjan:

    BUT: why do you care anyway? Normally, portal visitors can go (only!) "out" to the net, and your firewall rules for the captive portal interface won't let them into your LAN … so even if they 'know' that an FQDN exists on your ... what? LAN? they can't do anything with it.

    Yes, you are right, my visitors can only go out to the internet.
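The behaviour the question and the first reply argue about, as an added example that is not part of the thread or of pfSense: a small Python model of a per-interface (split-horizon) answer policy on the forwarder. The leaky variant answers local names on every interface; the split-horizon variant keeps the forwarder available to portal clients (as the quoted documentation requires) but refuses the internal zone for them. The zone, records, subnets and addresses are constructed assumptions.

```python
import ipaddress

# Constructed sample data (assumptions, not from the thread): the zone and records
# the forwarder knows, the captive-portal subnet, and a stand-in upstream resolver.
INTERNAL_ZONE = "lan.example"
LOCAL_RECORDS = {"nas.lan.example": "192.168.10.20", "printer.lan.example": "192.168.10.30"}
PORTAL_SUBNET = ipaddress.ip_network("192.168.50.0/24")  # captive-portal interface (assumed)
UPSTREAM_ANSWERS = {"www.example.com": "203.0.113.10"}   # what the external resolver would return


def _normalise(qname):
    # DNS names are case-insensitive and may carry a trailing dot.
    return qname.rstrip(".").lower()


def is_internal_name(qname):
    name = _normalise(qname)
    return name == INTERNAL_ZONE or name.endswith("." + INTERNAL_ZONE)


def resolve_leaky(qname, client_ip):
    """Behaviour the question describes: one forwarder, same answers on every
    interface, so a portal client learns the internal IP <-> FQDN map (client_ip is ignored)."""
    name = _normalise(qname)
    if name in LOCAL_RECORDS:
        return ("LOCAL", LOCAL_RECORDS[name])
    if name in UPSTREAM_ANSWERS:
        return ("FORWARD", UPSTREAM_ANSWERS[name])
    return ("NXDOMAIN", None)


def resolve_split_horizon(qname, client_ip):
    """Same forwarder, but the internal zone is answered only to non-portal clients.
    Portal clients get REFUSED for internal names and forwarded answers for everything
    else, so the forwarder stays enabled for unauthenticated clients without leaking the LAN."""
    name = _normalise(qname)
    on_portal = ipaddress.ip_address(client_ip) in PORTAL_SUBNET
    if is_internal_name(name):
        if on_portal:
            return ("REFUSED", None)
        return ("LOCAL", LOCAL_RECORDS[name]) if name in LOCAL_RECORDS else ("NXDOMAIN", None)
    if name in UPSTREAM_ANSWERS:
        return ("FORWARD", UPSTREAM_ANSWERS[name])
    return ("NXDOMAIN", None)


if __name__ == "__main__":
    for client in ("192.168.10.5", "192.168.50.10"):  # LAN client, then portal client
        for qname in ("nas.lan.example", "www.example.com"):
            print(client, qname, resolve_leaky(qname, client), resolve_split_horizon(qname, client))
```

The firewall side of the second option (allowing only the chosen external resolvers on 53/UDP from the portal interface) is separate from this answer policy and is not modelled here.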