#3345 hotspot detection needs a ttl=0 A/AAAA record
Closed: Fixed None Opened 11 years ago by pwouters.

dnssec-triggerd has two checks for dns stealing and port 80 stealing. It detects this by requesting fedoraproject.org/static/hotspot.html.

Once we found that the user is hotspotted, we need to provide them with an option to "break through" it, either by paying or clicking an agreement button. So we need the browser to open a connection that can be "stolen". We need to ensure this uses a dns record that is not in the cache, in case they are intercepting these requests based on fake dns. This would fail if we had the dns answer cached already from a previous probe.

Please add something like:

hotspot-nocache.fedoraproject.org 0 IN A 1.2.3.4
hotspot-nocache.fedoraproject.org 0 IN AAAA aa:bb::c

where 1.2.3.4/aa:bb::c are valid IP addresses for fedoraproject.org. More than one A/AAAA is fine. But you cannot use CNAME/DNAME as the limited/broken dns at hotspots won't properly deal with it.

If possible, ensure hotspot-nocache.fedoraproject.org ends up as a vhost so in case the dns/redirector/hotspot manages to restore the user's original url, they get to something valid.
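The two checks and the caching problem described above, as an added offline model that is not dnssec-trigger's code: it assumes a toy TTL-honouring stub cache, constructed DNS records using documentation addresses, and a constructed expected body for the hotspot.html probe.

```python
from collections import namedtuple

PROBE_NAME = "hotspot-nocache.fedoraproject.org"
EXPECTED_BODY = "OK"  # constructed stand-in for the content of /static/hotspot.html
# One resource record of a (constructed) DNS answer: rtype is "A", "AAAA", "CNAME", ...
RR = namedtuple("RR", "name rtype ttl data")


class TtlCache:
    """Toy positive cache that honours TTLs, as a stub resolver would.
    `now` is passed in explicitly so the timeline can be simulated offline."""

    def __init__(self):
        self._store = {}

    def put(self, rrs, now):
        ttl = min(rr.ttl for rr in rrs)
        if ttl > 0:  # a ttl=0 answer is never reusable, so it is never stored
            self._store[rrs[0].name] = (now + ttl, rrs)

    def get(self, name, now):
        entry = self._store.get(name)
        return entry[1] if entry and entry[0] > now else None


def validate_probe_rrset(rrs):
    """List how `rrs` violates the ticket's requirements: every record must be
    A or AAAA (no CNAME/DNAME, which broken hotspot resolvers mishandle), ttl 0."""
    problems = []
    for rr in rrs:
        if rr.rtype not in ("A", "AAAA"):
            problems.append(f"{rr.rtype} record not allowed for {rr.name}")
        if rr.ttl != 0:
            problems.append(f"{rr.rtype} {rr.data} has ttl={rr.ttl}, expected 0")
    return problems


def second_probe_hits_network(cache, rrs, t_first, t_second):
    """Cache the answer of a probe at t_first; report whether a probe at t_second
    must query again (True) or would be answered from cache (False)."""
    cache.put(rrs, now=t_first)
    return cache.get(rrs[0].name, now=t_second) is None


def classify_http(status, body):
    """Port-80 stealing check: the real page is tiny and known; a hotspot
    redirects to its login page or serves its own HTML instead."""
    if status == 200 and body.strip() == EXPECTED_BODY:
        return "clear"
    if 300 <= status < 400:
        return "redirected"
    return "stolen"
```

With a ttl=0 answer the second probe always goes back to the network, which is exactly what lets the hotspot "steal" it; a cached 300-second answer would short-circuit the probe.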


I added the entries into dns with a 0 ttl. They are all active now - pointing to all of our proxy servers for the region where they are coming from.
