Sven,

Thanks for pointing out a potential problem, but obviously I wouldn't have suggested this if I was aware of an attack.

If I've understood it correctly, to be useful, DNS tunnelling is carried out to a DNS server under the attacker's control. It's not clear to me how they could do that. Say the attacker controls a DNS server at example4.org. Assuming the scheme that I have defined (1-3 in my original message) works, then when the attacker tries to resolve example4.org, the request will be CNAMEd to example3.org, which I control. So please explain what I am missing.

I'd also appreciate an answer to my original question :-). I'm sorry if I'm being dense, but I'm new to all of these configuration issues.

Cheers,

Tim

Sven Ulland wrote:
> On 2010-04-23 08:25, Tim Kindberg wrote:
>> 1. traffic to example1.org is to be resolved normally, i.e.
>> ultimately by the DNS server on the internet that the captive
>> portal machine knows about
>
> In other words, DNS tunnelling will work without restriction. Thanks
> for keeping this classic loophole available for the few that care to
> use it. Yes, I'm being sincere.
>
> s.
> _______________________________________________
> Unbound-users mailing list
> Unbound-users at unbound.net
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users

-- 
Tim Kindberg
Matter 2 Media Ltd
w: matter2media.com
e: tim at matter2media.com
m: +44 (0)7954 582814
t: +44 (0)117 9095221