default local DNS caching name server

Paul Wouters paul at nohats.ca
Fri Apr 11 20:39:34 UTC 2014


On Fri, 11 Apr 2014, Przemek Klosowski wrote:

> On 04/11/2014 03:14 PM, P J P wrote:
> 
> On Saturday, 12 April 2014 12:40 AM, Bruno Wolff III wrote:
> It looks like your proposal is going to break things for people using 
> some wifi hotspots.
> 
>   Why, how?
> 
> It's a hack designed to handle someone that just connected to the network and opened a browser, say.
> Instead of blocking access, one runs a fake DNS system that responds with the captive portal's IP to every query.
> The httpd service at that IP responds with an "enter your credentials to get network access" page to all URLs.
> 
> An example of such fake DNS server is the following code resolving all queries to 192.168.123.45

yum install dnssec-triggerd, start the service, start the applet, then
attack yourself and see. That situation is handled fine, and you will be
given the choice to join the rogue network (insecurely!) or operate
using "cache-only", meaning you can still get DNS answers for items in
your cache, but no new items can be retrieved over the network.

Note that dnssec-trigger can reconfigure unbound in various ways to work
around DNS blockage, in order of preference:

- Use fully functional ISP obtained DNS servers as forwarder
- Become a full recursive server and bypass ISP DNS servers
- Try DNS over TCP 53 to connect to well known remote DNS servers
   configured in dnssec-triggerd.conf as forwarder
- Try DNS over TCP 443 wrapped in SSL to connect to well known remote
   DNS servers configured in dnssec-triggerd.conf.
- Operate from cache only

It will regularly probe to see if network conditions improved to try and
go back to a more preferred method.

I've been running this solution on fedora for about five years now. It
works reasonably well, and anyone who is on this list surely could
try it out. Because of lack of NM integration I would not call it
end-user ready yet.

Paul
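Added example, not dnssec-trigger's own code: a small model of the two behaviours discussed in this thread, detecting a resolver that hands the same address to every unrelated name (the captive-portal DNS described above) and then walking the fallback order Paul lists, ending in a cache-only resolver that answers only from unexpired entries. Probe names, addresses and mode labels are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed probe set: unrelated names whose answers should differ on a sane network.
PROBE_NAMES = ("example.com", "example.net", "example.org")

# Fallback modes in the order of preference given in the post (labels are assumptions).
MODES = ("isp-forwarder", "full-recursive", "tcp53-forwarder",
         "tls443-forwarder", "cache-only")


def looks_like_captive_portal(answers):
    """answers: dict name -> set of addresses the upstream resolver returned.

    A resolver that returns one identical answer for every probe name behaves
    like the captive-portal DNS in the thread; a missing answer is not by itself
    evidence of a portal, so it is not flagged here."""
    if len(answers) < 2 or any(not addrs for addrs in answers.values()):
        return False
    addr_sets = list(answers.values())
    return all(s == addr_sets[0] for s in addr_sets)


def choose_mode(probe_results):
    """probe_results: dict mode -> True if that transport gave validating answers.

    Return the most preferred working mode; cache-only needs no network, so it
    always works and is the last resort."""
    for mode in MODES:
        if mode == "cache-only" or probe_results.get(mode, False):
            return mode


@dataclass
class CacheOnlyResolver:
    """Answers only what is already cached and still within its TTL."""
    entries: dict = field(default_factory=dict)  # name -> (addr, expires_at)

    def put(self, name, addr, ttl, now):
        self.entries[name] = (addr, now + ttl)

    def resolve(self, name, now):
        rec = self.entries.get(name)
        if rec is None or rec[1] <= now:
            return None  # cache-only mode: no new lookups go over the network
        return rec[0]
```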

