
Hoaxing DNS, or equivalent to effectively block internet access?

martin_kane
Contributor
On occasions, I would like to effectively block all internet access on devices connected to a particular WLAN. If I simply turn off the WLAN, then cellular data takes over, so I'd like to keep the WLAN "connected" to the devices, but direct the device to a fake page, faulty page or similar. (It won't fool everyone during exams, quizzes, etc - but it will fool some!)

I can see that, if the ZD were a DHCP server, then I could possibly change the DNS, but that would only take effect when new IPs were handed out, and anyhow, we don't use the ZD as a DHCP server.

I've tried using Device policies to shove devices onto a fake VLAN, but that actually just reverts to cellular data on devices.

Any thoughts would be appreciated - I have 2 hours before a school-wide quiz takes place, and I'd love to have it "in place" then.
6 REPLIES

sven_jaanson
New Contributor III
Some kind of messing with default gateways?

bill_burns_6069
Contributor III
Have your DHCP server point clients to a DNS server that you control.
Then reconfigure your DNS server to redirect all queries to a captive portal (via a wildcard feature).
When you want things to work, change your DNS configs back.

martin_kane
Contributor
Thanks for the help. I wonder if I just set up VLAN Tag to a non-existent VLAN whether that would quickly stop them in their tracks?

bill_burns_6069
Contributor III
Not likely.
A newly associating wifi device would realize right away that it was not issued an IP address.
It might take a pre-associated device longer to give up on your wifi.

A better approach would be to change the VLAN to another one that has the "wildcard" DNS server on it. That server would refer all traffic to a single "portal" web server.

So, on this secondary VLAN, the "wildcard" DNS server would have to have the same IP as your regular caching DNS server. You'd also have to have a DHCP server out there to continue to issue IP addresses.

That secondary DNS/DHCP/WEB-server + VLAN should be a "complete" solution that would give you some hope of fooling your wifi devices into thinking they still had a working internet connection.
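
The secondary-VLAN setup described in this thread, sketched as a dnsmasq configuration. This is an added example, not something posted by anyone in the thread; it assumes dnsmasq is used for both DNS and DHCP, and every address in it is constructed (client subnet 10.20.0.0/24, regular caching resolver 10.20.0.53, portal web server 10.20.0.80).

```conf
# dnsmasq.conf for the secondary "quiz" VLAN (added example; constructed addresses).
# This host must hold 10.20.0.53 on its interface in the secondary VLAN.

# Answer DNS and DHCP only on the address that clients already use as
# their resolver on the regular VLAN, so devices holding an existing
# lease keep querying "the same" DNS server after the VLAN is swapped.
listen-address=10.20.0.53
bind-interfaces

# Do not read /etc/resolv.conf and do not forward anything upstream.
no-resolv

# Wildcard: every name not otherwise matched resolves to the portal web server.
address=/#/10.20.0.80

# Keep issuing addresses so newly associating devices still get a lease.
# Short lease time so clients re-sync quickly when the VLAN is switched back.
dhcp-range=10.20.0.100,10.20.0.250,255.255.255.0,5m
dhcp-option=option:dns-server,10.20.0.53

# Assumed to match the gateway address handed out on the regular VLAN;
# nothing on this VLAN needs to route beyond the portal.
dhcp-option=option:router,10.20.0.1

# Reply immediately to clients renewing leases that this server did not issue.
dhcp-authoritative
```

Plain-HTTP requests land on the portal page; HTTPS requests reach the portal host but fail certificate validation, so those sites show an error instead of the page.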