On Wed, 9 Dec 2020, Dridi Boukelmoune wrote:
So it looks like my initial intuition that there could be a mitigation of sorts is starting to hold water. The problem now is that clients on my system using getaddrinfo in a way that was legit until now are now being DoS'd by systemd-resolved, waiting forever for a reply that is not coming.
This again leads to a required architecture change. We really need to have a captive portal namespace, that handles all of this while the applications still consider the network is down. Once the captive portal has passed and our internet link is "clean", should this be bridged into the regular network namespace so applications see the network as "active". Any state of DNS/browser that was used inside the captive portal namespace is then destroyed (it is untrusted and unverifiable data) That is, only the cpative portal handling code sees these bogus DNS messages, and no regular applications see this. This would also avoid any applications from throwing SSL certificate errors because they are connecting to the network too quickly when the network is still being in captive mode, and your SSL cert is replaced with the portal SSL cert. Pidgin is specificaly bad with this, firefox has builtin logic to prevent all its tabs from reloading in captive portal page clones. Instead, we have gnome, NM, systemd-resolved, firefox et all fighting over who and how to handle captive portal authentication. Paul _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
