Maintained by: NLnet Labs

[Unbound-users] Captive portal question

Tim Kindberg
Fri Apr 23 12:23:14 CEST 2010


Thanks for pointing out a potential problem but obviously I wouldn't 
have suggested this if I was aware of an attack.

If I've understood it correctly, to be useful DNS tunnelling is carried 
out to a DNS server under the attacker's control.  It's not clear to me 
how they could do that.  Say the attacker controls a DNS server at  Assuming the scheme that I have defined (1-3 in my 
original message) works, then when the attacker tries to resolve, the request will be CNAMEd to, which I control.

So please explain what I am missing.

I'd also appreciate an answer to my original question :-).  I'm sorry if 
I'm being dense but I'm new to all of these configuration issues.



Sven Ulland wrote:
> On 2010-04-23 08:25, Tim Kindberg wrote:
>> 1. traffic to is to be resolved normally, i.e.
>>    ultimately by the DNS server on the internet that the captive
>>    portal machine knows about
> In other words, DNS tunnelling will work without restriction. Thanks
> for keeping this classic loophole available for the few that care to
> use it. Yes, I'm being sincere.
> s.


Tim Kindberg
Matter 2 Media Ltd
e: tim at
m: +44 (0)7954 582814
t: +44 (0)117 9095221