Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Captive portal leaks DNS requests for unauthorized users

    Captive Portal
    3
    4
    713
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      milan778 last edited by

      I have set up the hotspot or better call it Captive portal on pfSense. Unauthorized users are not allowed to access the internet until been authorized, but there is one security problem: I need a DNS server to resolve captive portal site, and also DNS needs to work because users need to resolve domain into IP before been redirected to captive portal.

      DNS server has connection to the internet and needs forwarders in order to authorized users are able to properly resolve domains. But, unauthorized users can use DNS server to resolve any domain they want.

      Did someone solved the problem, so unauthorized users cannot resolve DNS named to right ones until they are authorized?

      1 Reply Last reply Reply Quote 0
      • Gertjan
        Gertjan last edited by

        @milan778:

        Did someone solved the problem, so unauthorized users cannot resolve DNS named to right ones until they are authorized?

        Well, no.
        If you block DNS requests you'll break the portal. The navigator the unauth users is using will not get redirected to the portal because it will never leave the "some URL to IP" phase (DNS request).

        edit :
        According to :

        65310  8810985   288555095 allow ip from any to table(100) in
65311  8886125   418655178 allow ip from table(100) to any out

        where "table 100" contains the IP of the portal (pfSense) clients can connect to the portal's IP - and if you are (and you are) running a resolver or forwarder, DNS requests are handled. Even if you manage NOT to forward (resolving upstream) that would break things.

        No "help me" PM's please. Use the forum.

        1 Reply Last reply Reply Quote 0
        • D
          demco last edited by

          @milan778:

          But, unauthorized users can use DNS server to resolve any domain they want.

          milan778,

          Is your concern related to unauthorized users can do any type of DNS queries? ie use DNS protocol as covert network channel, so they don't need to do captive portal authorization?

          If yes, pfsense & its captive portal service alone cannot negate this type of threat. You'll need additional solution to handle DNS tunneling.

          1 Reply Last reply Reply Quote 0
          • Gertjan
            Gertjan last edited by

            I use these rules (see image) to enforce that users can only contact the DNS resolver running on pfSense.
            Abusing this DNS server (the one pfSense uses)  for tunneling purposes …. I don't know ...


            No "help me" PM's please. Use the forum.

            1 Reply Last reply Reply Quote 0
            • First post
              Last post