In message <200912080332.nb83wkso037...@aurora.sol.net>, Joe Greco writes:
> > IMHO there is no need for any sort of DNS redirection after user
> > authentication has taken place.
>
> It may be hazardous even before user authentication has taken place.
> Even given a very low TTL, client resolvers may cache answers returned
> during that initial authentication.
>
> > We of course redirect UDP/TCP 53 to one of our servers along with 80
> > (http) 443 (https) 8080, 3128 (proxy) to the local hotspot *before* any
> > authentication has occurred, but once this is completed the only reason
> > any guest would use the local DNS server is if they were assigned a DHCP
> > address.
>
> Which, presumably, many/most of them are. Supplying a functional DNS
> server shouldn't be that difficult, but real world experience shows just
> how well some operators run these services.
>
> > As far as our Routerboard/Mikrotik setup works, it'll masquerade for any
> > non standard IP addresses that appear on the network (guests with static
> > ip's assigned, corporate laptops etc) but once again after the
> > authentication stage anything is allowed to pass unhindered.
> >
> > The only redirection that is used after authentication is for port 25 as
> > 90% of users trying to send mail out via port 25 have no idea how to
> > change their mail server, let alone why they might need to.
>
> It can be an issue as some systems use authentication on port 25.
>
> Sounds like an opportunity for a custom proxy. Clients that can
> successfully authenticate to an external mailserver on 25 are probably
> by definition nonproblematic. The remainder probably deserve to get
> jammed through an aggressive spam, virus, and other-crap filter, with
> in-line notification of rejections. You can do some other sanity stuff
> like counting the number of hosts contacted by a client; anything in
> excess of a small number would seem to be a good indicator to stop.
>
> ... JG
> --
> Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
> "We call it the 'one bite at the apple' rule. Give me one chance [and] then I
> won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
> With 24 million small businesses in the US alone, that's way too many apples.
This really should be a DHCP option which points to the authentication
server using IP addresses. This should be returned to clients even if they
don't request it. Web browsers could have a hot-spot button that retrieves
this option then connects using the value returned. No need to compromise
the DNS or intercept http.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
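As an added illustration of the option Mark proposes (example code, not from the thread, ISC, or any DHCP implementation): a Python encoder and parser for a DHCP option that carries the authentication server's IPv4 addresses, handed out unsolicited alongside the usual lease options. The option code 224 is an assumption taken from the site-specific range rather than a registered code, and the sample options blob is constructed here.

```python
from ipaddress import IPv4Address

AUTH_SERVER_OPTION = 224   # assumed code from the site-specific range, not a registered one
PAD, END = 0, 255          # single-byte DHCP options that carry no length field

def build_auth_server_option(addresses):
    """Encode the option as code, length, then 4 packed bytes per address."""
    payload = b"".join(IPv4Address(a).packed for a in addresses)
    if not payload or len(payload) > 255:
        raise ValueError("need between 1 and 63 addresses")
    return bytes([AUTH_SERVER_OPTION, len(payload)]) + payload

def parse_options(blob):
    """Parse a DHCP options field into {code: value}; PAD/END honoured, truncation rejected."""
    options, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == PAD:
            i += 1
            continue
        if code == END:
            break
        if i + 1 >= len(blob):
            raise ValueError("option %d has no length byte" % code)
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:           # never read past the buffer
            raise ValueError("option %d truncated" % code)
        options[code] = value
        i += 2 + length
    return options

def auth_servers(blob):
    """Return the auth-server addresses as strings, or [] if the option is absent.
    A length that is not a multiple of 4 is a malformed option, not partial data."""
    value = parse_options(blob).get(AUTH_SERVER_OPTION)
    if value is None:
        return []
    if len(value) % 4:
        raise ValueError("auth-server option length not a multiple of 4")
    return [str(IPv4Address(value[k:k + 4])) for k in range(0, len(value), 4)]

# Constructed sample: a DHCPOFFER option field with message type, subnet mask,
# the unsolicited auth-server option, then END.
SAMPLE_OPTIONS = (
    bytes([53, 1, 2])                      # DHCP message type = OFFER
    + bytes([1, 4, 255, 255, 255, 0])      # subnet mask
    + build_auth_server_option(["10.0.0.1"])
    + bytes([END])
)
```

DHCP itself is unauthenticated, so a browser acting on this value should treat it as a hint to where the portal lives and still verify the portal over HTTPS; a malformed option is rejected outright rather than partially parsed.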