Captive portal leaks DNS requests for unauthorized users



  • I have set up the hotspot or better call it Captive portal on pfSense. Unauthorized users are not allowed to access the internet until been authorized, but there is one security problem: I need a DNS server to resolve captive portal site, and also DNS needs to work because users need to resolve domain into IP before been redirected to captive portal.

    DNS server has connection to the internet and needs forwarders in order to authorized users are able to properly resolve domains. But, unauthorized users can use DNS server to resolve any domain they want.

    Did someone solved the problem, so unauthorized users cannot resolve DNS named to right ones until they are authorized?



  • @milan778:

    Did someone solved the problem, so unauthorized users cannot resolve DNS named to right ones until they are authorized?

    Well, no.
    If you block DNS requests you'll break the portal. The navigator the unauth users is using will not get redirected to the portal because it will never leave the "some URL to IP" phase (DNS request).

    edit :
    According to :

    65310  8810985   288555095 allow ip from any to table(100) in
    65311  8886125   418655178 allow ip from table(100) to any out
    
    

    where "table 100" contains the IP of the portal (pfSense) clients can connect to the portal's IP - and if you are (and you are) running a resolver or forwarder, DNS requests are handled. Even if you manage NOT to forward (resolving upstream) that would break things.



  • @milan778:

    But, unauthorized users can use DNS server to resolve any domain they want.

    milan778,

    Is your concern related to unauthorized users can do any type of DNS queries? ie use DNS protocol as covert network channel, so they don't need to do captive portal authorization?

    If yes, pfsense & its captive portal service alone cannot negate this type of threat. You'll need additional solution to handle DNS tunneling.



  • I use these rules (see image) to enforce that users can only contact the DNS resolver running on pfSense.
    Abusing this DNS server (the one pfSense uses)  for tunneling purposes …. I don't know ...