Filtered Redirect (captive portal)

Over Dexia over at dexia.de
Mon Feb 27 12:35:11 UTC 2017


Could be I totally misunderstand the combination of aim and
configuration, but from my understanding "redirect" doesn't redirect a
client to use a different nameserver for his request. Instead, it
answers all requests for a certain zone with a given ip. In your case,
all queries for records of the . zone would be answered with the ip of
the NAC server. From the docs:

- redirect
The query is answered from the local data for the zone name.
There may be no local data beneath the zone name. This
answers queries for the zone, and all subdomains of the zone
with the local data for the zone. It can be used to redirect
a domain to return a different address record to the end
user, with local-zone: "example.com." redirect and
local-data: "example.com. A 127.0.0.1" queries for www.example.com
and www.foo.example.com are redirected, so that users
with web browsers cannot access sites with suffix example.com.

(I'm actually not aware of a DNS reply advising clients to use other
name servers in the way I understand your question. For redirecting DNS
requests sent to a name server configured on a client, I might use iptables,
if I can't make the client use the correct name server in the first
place. But it's well possible I just don't know enough.)

If I got that totally wrong, you might want to describe what you expect
to get for which requests, from a client's point of view?

Regards, jo


On 27.02.2017 at 12:50, Simon Wedge via Unbound-users wrote:

> Hi All,
> 
> I am currently building a Network Access Control system, and in order to
> keep it “out of band” (via a layer 3 firewall), I would ideally like to
> use a DNS redirect to direct people to the NAC server from a
> registration VLAN.
> 
> I am having issues with doing a redirect with some exceptions (the
> registration VLAN needs access to the University Shibboleth servers and
> the IT registration pages which are outside the College network).
> 
> Now I realise that I am not the first person to try and do this, so I
> searched the mailing list for similar discussions.
> 
> https://www.unbound.net/pipermail/unbound-users/2010-April/001134.html
> 
> https://www.unbound.net/pipermail/unbound-users/2010-May/001171.html
> 
> Based on what I found (and read in the annotated unbound.conf file) I
> realised that something like this should work:
> 
> local-zone: "." redirect
> local-data: ". A <NAC server ip>"
> local-zone: "google.co.uk" transparent
> 
> This however doesn’t seem to work as I would expect it to, as everything
> is redirected by the local-data to the NAC server ip.
> 
> (note: changing this to “refuse” rather than “redirect” works as
> expected, can connect to google.co.uk, get refused for everything else)


