Re: GNOME captive portal helper (was Re: F23 System Wide Change: Default Local DNS Resolver)

On Sat, 13 Jun 2015, Michael Catanzaro wrote:

Hm... the captive portal helper loads www.gnome.org but it only runs
after NetworkManager has decided there is a captive portal. We can make
this URL configurable at build time if there's really a problem, but
I'm not sure there is, since it's not used for NetworkManager's
connectivity check (which is what triggers us to start the captive
portal helper, and what decides that we have full Internet access and
closes it). For the connectivity check, NetworkManager uses
https://fedoraproject.org/static/hotspot.txt defined in
/etc/NetworkManager/conf.d/20-connectivity-fedora.conf. So... I guess
that is not good, and we should switch that to use
hotspot-nocache.fedoraproject.org instead?

If the captive portal uses the system's DNS, and the system has cached
www.gnome.org from when you were on a previous network, your captive
portal check might use a cached DNS resolve and try to use an HTTP
connection to a blocked IP address, because the local forged DNS answer
to the local hotspot IP never got triggered. So if you use www.gnome.org,
you have to make sure the portal software is not using the system DNS cache
for DNS lookups. So it is better for captive portal login to use
hotspot-nocache.fedoraproject.org, which will always have a TTL of 0,
so it will not be cached.

For detecting whether or not you are hotspotted, the decision to say
it is a hotspot is based on "DNS interception or HTTP interception", so
using https://fedoraproject.org/static/hotspot.txt is fine, as it is
guaranteed to never use any kind of redirects and will always just
return a page stating "OK". Anything else means hotspot (or attack :)
In this case, DNS caching won't matter because this part is only used
for the HTTP interception test. The DNS interception test (at least
with dnssec-trigger) queries the root zone and a handful of TLD queries,
and does not use DNS queries for fedoraproject.org.

Paul

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
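The HTTP interception test Paul describes above, as an added example (not NetworkManager's, dnssec-trigger's or anyone on the thread's code): fetch hotspot.txt once without following redirects and treat anything other than an un-redirected 200 with body "OK" as a portal. The check URL and expected body come from the thread; the sample responses are constructed.

```python
# Added example of the HTTP interception test: the check page must answer
# an un-redirected 200 whose body is exactly "OK"; any other answer means
# a hotspot (or something else in the path). Sample responses are constructed.
import http.client
import urllib.parse
from dataclasses import dataclass
from typing import Optional

CHECK_URL = "https://fedoraproject.org/static/hotspot.txt"
EXPECTED_BODY = "OK"  # the page never redirects and always returns just this


@dataclass
class ProbeResult:
    status: int
    location: Optional[str]  # Location header, present only on a redirect
    body: str


def classify(r: ProbeResult) -> str:
    """'online' only for an un-redirected 200 whose body is exactly 'OK';
    a redirect, a 511, or an injected login page all mean 'portal'."""
    if r.status == 200 and r.location is None and r.body.strip() == EXPECTED_BODY:
        return "online"
    return "portal"


def probe(url: str = CHECK_URL, timeout: float = 5.0) -> ProbeResult:
    """Fetch the check URL once WITHOUT following redirects, because the
    redirect itself is the interception signal. The system resolver is fine
    here: this test judges the HTTP answer, not DNS (the DNS interception
    test is a separate check, as the thread explains)."""
    p = urllib.parse.urlsplit(url)
    cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = cls(p.hostname, p.port, timeout=timeout)
    try:
        conn.request("GET", p.path or "/",
                     headers={"Cache-Control": "no-cache", "Connection": "close"})
        resp = conn.getresponse()
        return ProbeResult(resp.status, resp.getheader("Location"),
                           resp.read().decode("utf-8", "replace"))
    finally:
        conn.close()


# Constructed sample answers (not captured traffic) covering the cases that matter.
SAMPLES = {
    "genuine": ProbeResult(200, None, "OK\n"),
    "redirect": ProbeResult(302, "http://10.0.0.1/login", ""),
    "injected_page": ProbeResult(200, None, "<html><body>Please log in</body></html>"),
    "rfc6585": ProbeResult(511, None, "Network Authentication Required"),
}

if __name__ == "__main__":
    for name, r in SAMPLES.items():
        print(f"{name:14} -> {classify(r)}")
```

Running `probe()` on a real network is the live version of the same test; only `classify` is exercised offline.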
