Filtered Redirect (captive portal)

Hi All,

I am currently building a Network Access Control system, and in order to keep it “out of band” (via a layer 3 firewall), I would ideally like to use a DNS redirect to direct people to the NAC server from a registration VLAN.

I am having issues with doing a redirect with some exceptions (the registration VLAN needs access to the University Shibboleth servers and the IT registration pages which are outside the College network).

Now I realise that I am not the first person to try and do this, so I searched the mailing list for similar discussions.

https://www.unbound.net/pipermail/unbound-users/2010-April/001134.html

https://www.unbound.net/pipermail/unbound-users/2010-May/001171.html

Based on what I found (and read in the annotated unbound.conf file) I realised that something like this should work:

local-zone: "." redirect

local-data: ". A "

local-zone: "google.co.uk" transparent

This however doesn't seem to work as I would expect it to, as everything is redirected by the local-data to the NAC server IP.

(note: changing this to “refuse” rather than “redirect” works as expected, can connect to google.co.uk, get refused for everything else)

I thought this might be a version issue, as CentOS 7 is packaged with an older version (1.4.20??) and I know that in recent versions additional options were added for the zone types.

So I compiled 1.6.0 from source and experienced the same behaviour, even when attempting to use always_transparent. I tried all sorts of other iterations of options and none worked as I had hoped…

Noticing that I can find multiple references to the above example, has the behaviour of Unbound changed?

If so, how do I accomplish the above? I would expect that "always_transparent" would have been the answer if the local-data was the cause of the behaviour:

“always_transparent Like transparent, but ignores local data and resolves normally.”

But this still doesn’t work as expected when using a redirect.

Many Thanks,

Simon Wedge

St Antony’s College

University of Oxford


Apologies for following this up, but does anyone have any suggestions on what I need to do to get a "redirect everything" configuration working with some exceptions?

It sounds like Unbound should be able to do this, but for the life of me I can’t get it to work.

Simon.

I can now shed some more light on the behaviour:

This is my test configuration:

access-control-view: [ip-range]/24 whitelist

local-zone: "." redirect

local-data: ". A [server-ip]"

view:

    name: "whitelist"

    local-zone: "google.co.uk" transparent

    view-first: yes

Test 1:

nslookup google.co.uk [server-ip]

Result 1:

Name: google.co.uk.sant.ox.ac.uk (that doesn’t look right)

Address: [server-ip]

Test 2:

nslookup www.sant.ox.ac.uk [server-ip]

Result 2:

Name: www.sant.ox.ac.uk.sant.ox.ac.uk (still not right)

Address: [server-ip]

Test 3:

nslookup google.co.uk. [server-ip]

Result 3:

Name: google.co.uk (works as expected)

Addresses: 2a00:1450:4009:801::2003

172.217.23.3

Test 4:

nslookup www.sant.ox.ac.uk. [server-ip]

Result 4:

Name: www.sant.ox.ac.uk (works as expected)

Address: [server-ip]

From this I have come to the conclusion that when a global redirect is in place using "." it is unable to match any other "local-zone" without a "." being appended to the end of the initial DNS request.

I honestly don't know where to go from here; users won't be appending "." to the end of each of their DNS requests, and I need the redirect to work with the whitelist.

As previously mentioned, not using redirect doesn't result in this behaviour, as refuse (for example) works without having to add "." onto the end of the DNS request. Is this a bug?

Simon.

Could be I totally misunderstand the combination of aim and
configuration, but from my understanding "redirect" doesn't redirect a
client to use a different nameserver for its request. Instead, it
answers all requests for a certain zone with a given IP. In your case,
all queries for records of the . zone would be answered with the IP of
the NAC server. From the docs:

- redirect
The query is answered from the local data for the zone name.
There may be no local data beneath the zone name. This
answers queries for the zone, and all subdomains of the zone
with the local data for the zone. It can be used to redirect
a domain to return a different address record to the end
user, with local-zone: "example.com." redirect and
local-data: "example.com. A 127.0.0.1" queries for
www.example.com and www.foo.example.com are redirected, so that
users with web browsers cannot access sites with suffix
example.com.

(I'm actually not aware of a DNS reply advising clients to use other
name servers in the way I understand your question. For redirecting DNS
requests sent to a name server configured on the client, I might use
iptables, if I can't make the client use the correct name server in the
first place. But it's well possible I just don't know enough.)

If I got that totally wrong, you might want to describe what you expect
to get for which requests, from a client point of view?

Regards, jo

Hi Simon,

These names, google.co.uk.sant.ox.ac.uk, make me think that you have
written CNAMEs and did not terminate domain names with a trailing
'.'. Domain names have to end in a trailing dot; if they don't, the
zone name is appended to the name. In some cases unbound allows a missing
trailing dot, because zone names are not usually available. But for,
e.g., authority servers and zone files, this is the case.

So it looks like that name is the result of a typo where the trailing
dot is missing from a domain name.

Best regards, Wouter
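The following is an added illustration, not part of the thread and not Unbound's own code. It models two things the thread turns on: Unbound answers a query from the most specific local-zone that encloses the query name (so "google.co.uk" covers www.google.co.uk but not google.co.uk.sant.ox.ac.uk, which falls back to the "." redirect zone), and a stub resolver that appends a search domain to an unqualified name before trying it as typed, which is the order Simon's nslookup output shows (treated as an assumption here). The NAC address 192.0.2.1, the search domain sant.ox.ac.uk and the tiny UPSTREAM table standing in for real recursion are constructed; the Google address is the one from Test 3.

```python
"""Model of Unbound local-zone matching for the captive-portal thread.

Constructed example; the zone-matching rule (closest enclosing local-zone
wins) is Unbound's documented behaviour, the stub-resolver search order is
an assumption taken from the thread's nslookup output.
"""
from typing import Optional, Tuple

NAC_IP = "192.0.2.1"            # placeholder for [server-ip] (documentation range)
SEARCH_DOMAIN = "sant.ox.ac.uk"  # the suffix visible in Simon's Result 1 and 2

# Simon's test configuration, with the trailing dot Unbound uses internally.
# zone name -> (local-zone type, local-data address for redirect zones)
LOCAL_ZONES = {
    ".": ("redirect", NAC_IP),
    "google.co.uk.": ("transparent", None),
}

# Constructed stand-in for a real recursive lookup: only one name "exists".
UPSTREAM = {"google.co.uk.": "172.217.23.3"}


def fqdn(name: str) -> str:
    """Lower-case the name and give it exactly one trailing dot."""
    return name.rstrip(".").lower() + "."


def closest_enclosing_zone(qname: str) -> str:
    """Return the most specific configured local-zone enclosing qname.

    Unbound walks from the full name towards the root and uses the first
    configured zone it meets, so a zone only covers the name itself and
    names *below* it, never names it happens to be a prefix of.
    """
    labels = fqdn(qname).rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in LOCAL_ZONES:
            return candidate
    return "."


def answer(qname: str) -> Optional[str]:
    """Answer one fully qualified query as the configured Unbound would.

    redirect    -> the zone apex local-data, for every name under the zone
    transparent -> resolve normally (None models NXDOMAIN from upstream)
    """
    ztype, data = LOCAL_ZONES[closest_enclosing_zone(qname)]
    if ztype == "redirect":
        return data
    return UPSTREAM.get(fqdn(qname))


def client_lookup(name: str, search: str = SEARCH_DOMAIN) -> Tuple[str, Optional[str]]:
    """Mimic the stub resolver behind nslookup.

    A name typed with a trailing dot is sent as-is.  An unqualified name is
    tried with the search domain appended first and only then as typed
    (assumed order, matching the thread's output).  Returns the name that
    actually got an answer and that answer.
    """
    if name.endswith("."):
        return name, answer(name)
    candidates = [f"{name}.{search}.", fqdn(name)]
    for cand in candidates:
        got = answer(cand)
        if got is not None:
            return cand, got
    return candidates[-1], None


def run_thread_tests() -> dict:
    """Reproduce Simon's four tests; keys are the names as typed."""
    return {n: client_lookup(n) for n in (
        "google.co.uk", "www.sant.ox.ac.uk", "google.co.uk.", "www.sant.ox.ac.uk.")}


if __name__ == "__main__":
    for typed, (asked, got) in run_thread_tests().items():
        print(f"{typed:22} -> asked {asked:32} answer {got}")
```

The first two rows reproduce Results 1 and 2: the search-suffixed name is not under google.co.uk, so the "." redirect answers it with the NAC address and the stub resolver never tries the name as typed. Only the trailing-dot queries (Results 3 and 4) reach the transparent exception, which is why the exception appears to need a terminating dot.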