GNOME captive portal helper (was Re: F23 System Wide Change: Default Local DNS Resolver)

Paul Wouters paul at nohats.ca
Sat Jun 13 19:54:50 UTC 2015


On Sat, 13 Jun 2015, Michael Catanzaro wrote:

> Hm... the captive portal helper loads www.gnome.org but it only runs
> after NetworkManager has decided there is a captive portal. We can make
> this URL configurable at build time if there's really a problem, but
> I'm not sure there is, since it's not used for NetworkManager's
> connectivity check (which is what triggers us to start the captive
> portal helper, and what decides that we have full Internet access and
> closes it). For the connectivity check, NetworkManager uses
> https://fedoraproject.org/static/hotspot.txt defined in
> /etc/NetworkManager/conf.d/20-connectivity-fedora.conf. So... I guess
> that is not good, and we should switch that to use hotspot
> -nocache.fedoraproject.org instead?

If the captive portal uses the system's DNS, and the system has cached
www.gnome.org from when you were on a previous network, your captive
portal check might use a cached DNS resolve and try to use an HTTP
connection to a blocked IP address, because the local forged DNS answer
to the local hotspot IP never got triggered. So if you use www.gnome.org,
you have to make sure the portal software is not using the system DNS cache
for DNS lookups. So it is better for captive portal login to use
hotspot-nocache.fedoraproject.org, which will always have a TTL of 0,
so it will not be cached.

For detecting whether or not you are hotspotted, the decision to say
it is a hotspot is based on "DNS interception or HTTP interception", so
using https://fedoraproject.org/static/hotspot.txt is fine, as it is
guaranteed to never use any kind of redirects and will always just
return a page stating "OK". Anything else means hotspot (or attack :)
In this case, DNS caching won't matter because this part is only used
for the HTTP interception test. The DNS interception test (at least
with dnssec-trigger) queries the root zone and a handful of TLD queries,
and does not use DNS queries for fedoraproject.org.

Paul
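The HTTP interception test described above, written out as an added example (not NetworkManager's, GNOME's or dnssec-trigger's code): an unredirected fetch of the check URL counts as "online" only when it returns a plain 200 whose body is exactly "OK", and anything else is treated as a hotspot. The loopback responders, the 192.0.2.1 portal address and the response bodies are constructed for the demonstration; the DNS-cache problem with www.gnome.org is not modelled here.

```python
# Added example, not GNOME's or NetworkManager's code: a hotspot.txt-style connectivity
# check run against constructed loopback responders (a clean server and two portals).
import threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

class NoRedirect(urllib.request.HTTPRedirectHandler):
    # Never follow 3xx: a redirect on the check URL is itself the interception signal.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def check_connectivity(url, timeout=3):
    """Return 'online', 'portal' or 'error' for one fetch of the check URL."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace").strip()
            # Only an unredirected 200 whose body is exactly "OK" counts as online.
            return "online" if resp.status == 200 and body == "OK" else "portal"
    except urllib.error.HTTPError:
        return "portal"  # the refused 3xx, or any other non-2xx reply
    except (urllib.error.URLError, OSError):
        return "error"   # no answer at all: offline, not a portal

# Constructed replies: clean network; portal redirecting to its login page
# (TEST-NET-1 address); portal answering 200 with its own page instead of "OK".
RESPONSES = {
    "clean": (200, {"Content-Type": "text/plain"}, b"OK\n"),
    "redirect": (302, {"Location": "http://192.0.2.1/login"}, b""),
    "inject": (200, {"Content-Type": "text/html"}, b"<html>Please log in</html>"),
}

def make_handler(mode):
    status, headers, body = RESPONSES[mode]
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(status)
            for name, value in headers.items():
                self.send_header(name, value)
            self.end_headers()
            self.wfile.write(body)
        def log_message(self, *args):  # keep the request log quiet
            pass
    return Handler

def serve(mode):
    """Start a responder on a random loopback port; return (server, check URL)."""
    srv = HTTPServer(("127.0.0.1", 0), make_handler(mode))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}/static/hotspot.txt"
```

Calling `serve()` for each key of `RESPONSES` and passing the returned URL to `check_connectivity()` yields "online" for the clean responder and "portal" for both portal variants; `server.shutdown()` stops each responder.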
