topic Re: Hoaxing DNS, or equivalent to effectively block internet access? in ZoneDirector

Hoaxing DNS, or equivalent to effectively block internet access?

martin_kane — Wed, 11 Dec 2013 19:31:47 GMT

On occasions, I would like to effectively block all internet access on devices connected to a particular WLAN. If I simply turn off the WLAN, then cellular data takes over, so I'd like to keep the WLAN "connected" to the devices, but direct the device to a fake page, faulty page or similar. (It won't fool everyone during exams, quizzes, etc - but it will fool some!)

I can see that, if the ZD was a DHCP server, then I could possibly change the DNS, but that would only take effect when new IPs were handed out and anyhow, We don't use the ZD for a DHCP server.

I've tried using Device policies to shove devices onto a fake VLAN, but that actually just reverts to cellular data on devices.

Any thoughts would be appreciated - I have 2 hours before a school-wide quiz takes place, and I'd love to have it "in place" then

Re: Hoaxing DNS, or equivalent to effectively block internet access?

sven_jaanson — Thu, 12 Dec 2013 09:59:25 GMT

Some kind of messing with default gateways?

Re: Hoaxing DNS, or equivalent to effectively block internet access?

bill_burns_6069 — Fri, 10 Jan 2014 03:17:58 GMT

have your DHCP server point clients to a DNS server that you control.
Then reconfigure your DNS server to redirect all queries to a captive portal. (via a wildcard feature)
when you want things to work, change your DNS configs back.

Re: Hoaxing DNS, or equivalent to effectively block internet access?

martin_kane — Fri, 10 Jan 2014 08:46:29 GMT

Thanks for the help. I wonder if I just set up VLAN Tag to a non-existant VLAN whether that would quickly stop them in their tracks?

Re: Hoaxing DNS, or equivalent to effectively block internet access?

bill_burns_6069 — Fri, 10 Jan 2014 15:34:16 GMT

Not likely.
A newly associating wifi device would realize right away that it was not issued an IP address.
It might take a pre-associated device longer to give up on your wifi.

A better approach would be to change the VLAN to another one that has the "wildcard" DNS server on it. That server would refer all traffic to a single "portal" web server.

So, on this secondary VLAN, the "wildcard" DNS server would have to have the same IP as your regular caching DNS server. You'd also have to have a DHCP server out there to continue to issue IP addresses.

That secondary DNS/DHCP/WEB-server + VLAN should be a "complete" solution that would give you some hope of fooling your wifi devices into thinking they still had a working internet connection.

Re: Hoaxing DNS, or equivalent to effectively block internet access?

bill_burns_6069 — Wed, 22 Jan 2014 18:53:12 GMT

Don't know if this helps, but here it is:

Minimal DNS spoofing daemon
http://dachary.org/?p=1947

Re: Hoaxing DNS, or equivalent to effectively block internet access?

martin_kane — Wed, 22 Jan 2014 19:03:40 GMT

Thanks, Bill. That looks perfect - and easy!