
I have read a lot online about how redirection by DNS works. Could someone please tell me, or point me in the right direction on, how a captive portal redirects unauthenticated users via IP (and not DNS) to provide the login page?



If you are captive, the network can do pretty much anything it wants with your connection attempts.

So if you choose to go to http://20.20.20.20/, the gateway can respond to those requests itself with a simple http redirect to the login page.

The gateway is not obliged to forward packets to IP addresses beyond itself.


The IP-based captive portals I've seen work by altering ("rewriting") the destination IP before passing the packet on; then, in cases where the captive portal is the same box as the router, the packet is passed to the internal interface instead of the WAN side.

On the way back to the captive machine (i.e. the client), the source IP is rewritten, so the captive machine thinks it's talking to its original destination. Search online for DNAT if you want to know more.

Side note - it works nicely for HTTP, but causes mayhem for other apps such as IM.

A cleaner solution would be to operate above the IP layer: use a transparent HTTP proxy which issues 301s to captive machines, combined with dropping all non-HTTP traffic coming from captive machines. The user then has to use a browser to give their credit card details (or whatever releases them from being captive).
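The mechanism both answers describe, as an added example that is not part of either answer: the gateway rewrites (DNATs) TCP/80 from captive clients to a small HTTP listener on itself, and that listener answers every request, whatever IP or host the client actually asked for, with a redirect to the login page. The listener below is written in Python against the standard library only; the portal address 10.0.0.1, the iptables rules in the header comment, the `continue` parameter and the `probe` helper (which plays the part of one DNAT'd request on loopback) are all assumptions for illustration, not something the page specifies. It sends a 302 rather than the 301 the answer mentions because browsers cache 301s and would keep redirecting the client to the portal after it has been released.

```python
"""
Captive-portal redirector, gateway side (illustrative example).

Assumed firewall glue on the gateway (standard iptables, not from the page):
  # captive clients: rewrite web traffic to the portal listener on 10.0.0.1
  iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 80 \
      -j DNAT --to-destination 10.0.0.1:80
  # released clients are matched by an earlier ACCEPT rule; everything
  # else from the LAN that is not going to the portal is dropped
  iptables -A FORWARD -i wlan0 -j DROP
The reply path is un-rewritten by conntrack, so the client believes it
talked to the IP it dialled (e.g. 20.20.20.20) and got a redirect from it.
"""
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import quote, urlsplit

PORTAL_URL = "http://10.0.0.1/login"   # assumed portal address; an IP, so no DNS needed
AUTHENTICATED = set()                  # client IPs already released from captivity


def redirect_target(host, path, portal=PORTAL_URL):
    """Location header the gateway answers with instead of forwarding.
    The URL the client originally asked for (host may be a bare IP such as
    20.20.20.20) is carried in `continue` so the portal can send it back there."""
    original = f"http://{host or 'unknown'}{path}"
    return f"{portal}?continue={quote(original, safe='')}"


def policy(src_ip, proto, dst_port, authenticated=None):
    """Decision the firewall rules above take for one packet from a client:
    released clients are forwarded untouched; captive clients get TCP/80
    rewritten to the portal and every other flow (HTTPS, IM, DNS...) dropped."""
    authenticated = AUTHENTICATED if authenticated is None else authenticated
    if src_ip in authenticated:
        return "forward"
    if proto == "tcp" and dst_port == 80:
        return "dnat-to-portal"
    return "drop"


class CaptiveHandler(BaseHTTPRequestHandler):
    portal = PORTAL_URL

    def log_message(self, *args):      # keep the example quiet
        pass

    def do_GET(self):
        # The login page is the only thing served directly.
        if self.path.split("?", 1)[0] == urlsplit(self.portal).path:
            body = b"<html><body><form method='post'>login</form></body></html>"
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
            return
        # Anything else arrived here only because of the DNAT: impersonate the
        # requested server and hand back a redirect instead of its content.
        self.send_response(302)
        self.send_header("Location", redirect_target(self.headers.get("Host"), self.path, self.portal))
        self.send_header("Content-Length", "0")
        self.end_headers()


def probe(host, path):
    """Run the redirector on a loopback port, send one GET whose Host header
    names `host` (as a DNAT'd request would), and return (status, Location)."""
    server = HTTPServer(("127.0.0.1", 0), CaptiveHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        conn = HTTPConnection("127.0.0.1", server.server_address[1], timeout=5)
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    # A captive client "visits" http://20.20.20.20/ and is bounced to the portal.
    print(probe("20.20.20.20", "/"))
    print(policy("192.168.1.5", "tcp", 443))
```

Running the file shows the 302 with a Location pointing at the portal for a request that was addressed to 20.20.20.20, and `drop` for the same client's HTTPS; once a client's IP is added to `AUTHENTICATED` (and the matching ACCEPT rule inserted on the gateway) `policy` returns `forward` and the DNAT no longer applies. Note that only plain HTTP can be hijacked this way; an HTTPS request to the rewritten destination fails the certificate check, which is exactly the "mayhem for other apps" the answer mentions.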

  • Hey Chris, how does the IP redirection differ from the HTTP? I was reading a presentation online and the way they worded things, HTTP redirection doesn't require DNS, but another source (may have been wikipedia) suggested HTTP redirection also uses DNS partially?
    – William
    Commented Dec 28, 2011 at 23:18
  • @Daniel - http redirection does not require DNS, but it can use it - it could specify the redirected host by hostname rather than by IP (usually it is by IP).
    – Paul
    Commented Dec 29, 2011 at 7:51
  • Neither approach requires DNS. When building a captive portal system be wary of DNS as it's unnecessary (you can use IP addresses if they're predictable) and it's a point of failure (requires a net connection, or else requires embedding a full DNS server and configuring the thing - either way you added a moving part.) Commented Dec 29, 2011 at 14:57
