Add dns spoofing support for offline mode and dns tunneling protection #177

Closed
wants to merge 7 commits into from


zaolin
Contributor

@zaolin zaolin commented Mar 13, 2017

No description provided.

@lynxis
Member

lynxis commented Apr 20, 2017

@zaolin can you please re-base this onto master?

@bluewavenet
Contributor

bluewavenet commented Oct 24, 2017

@zaolin
Any progress on this? It will be VERY useful. I'm happy to help if I can.

@tim-moody

I am very interested in this PR. In my experience, it makes and installs. It also works, but I have not managed to get it to work without an internet connection. Possibly the dnsmasq options are wrong.

It is also very nearly able to be merged. Most of the conflicts are either style (// vs /* comments and spacing of log messages) or an attempt to add safe string allocation.

I would like to see this or another approach to #154.

@Justinzobel

If this can please be re-opened and looked at, it would be much appreciated. Offline mode for areas where no internet is available would be great for showing locally served pages.

@bluewavenet
Contributor

bluewavenet commented May 6, 2019

This solution could be made to work but is always going to be dependent on, at least, configuration changes in whatever DNS service is in use, if even that is possible in any particular case.

The approach proposed in #328 enables NDS itself to handle all DNS requests as an inline "proxy" independent of whatever DNS service is in use.

This will give NDS the ability to autonomously detect if its Internet feed is available and react accordingly to display local html content within the standard operation of client device CPD.

For cases where an Internet connection is permanently/intentionally unavailable, modifying the config of dnsmasq to return a fixed IP address for all DNS requests works very well in conjunction with either FAS or PreAuth being used to serve the local html without actually completing NDS authentication (thus preventing client CPD browser closure).

The only real issue preventing #328 from being implemented is time - it is somewhere near the lower end of my todo list unfortunately - ......

@bluewavenet bluewavenet closed this May 6, 2019
@Justinzobel

Is it possible to post details on a full off-line FAS or PreAuth as you mentioned? This is the result I am trying to achieve. I've got CPD working with the internet, but without it, no luck.

@bluewavenet
Contributor

@Justinzobel
On OpenWrt, the following commands will force Offline mode:

```
uci add_list dhcp.@dnsmasq[0].address='/#/1.1.1.1'
uci commit dhcp
service dhcp restart
```

To re-enable Online mode:

```
uci del_list dhcp.@dnsmasq[0].address='/#/1.1.1.1'
uci commit dhcp
service dhcp restart
```

On other operating systems it is a similar process as long as you are using dnsmasq.

Details for using FAS and PreAuth are here:
https://nodogsplashdocs.readthedocs.io/en/stable/

Your FAS or PreAuth script should NOT authenticate to NDS, as if it does, this will usually result in the client CPD browser closing (depending on vendor).
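
Added example, not part of the thread or of nodogsplash: a check for whether a dnsmasq configuration contains the catch-all `address` entry that the offline-mode commands above create, which is useful both to confirm the toggle took effect and to notice a resolver that answers every name with one IP unexpectedly. The function names and the sample config are constructed for illustration.

```sh
#!/bin/sh
# Added example: report dnsmasq catch-all "address" entries (offline mode).
# Handles both spellings of the setting:
#   dnsmasq.conf:      address=/#/1.1.1.1
#   /etc/config/dhcp:  list address '/#/1.1.1.1'   (written by uci add_list)

# Print the target IP of each catch-all entry in the given files (or stdin).
catchall_targets() {
    awk -v q="'" '
    {
        line = $0
        sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
        if (line == "" || line ~ /^#/) next          # blank or commented out
        if (line ~ /^address=/) {
            spec = substr(line, 9)                   # text after "address="
        } else if (line ~ /^list[ \t]+address[ \t]+/) {
            spec = line
            sub(/^list[ \t]+address[ \t]+/, "", spec)
            c = substr(spec, 1, 1)                   # strip UCI quoting
            if (c == q || c == "\"") spec = substr(spec, 2, length(spec) - 2)
        } else next
        # spec is /domain[/domain...]/ip ; the domain "#" matches any name
        n = split(spec, part, "/")
        if (n < 3 || part[1] != "" || part[n] == "") next
        for (i = 2; i < n; i++) if (part[i] == "#") { print part[n]; break }
    }' "$@"
}

# Print "offline" if any catch-all entry exists, otherwise "online".
dns_mode() {
    if [ -n "$(catchall_targets "$@")" ]; then echo offline; else echo online; fi
}

# Constructed sample in /etc/config/dhcp form, as left by the offline commands.
sample_uci() {
    cat <<'EOF'
config dnsmasq
    option domainneeded '1'
    list address '/#/1.1.1.1'
EOF
}

# Usage: ./check.sh /etc/config/dhcp   (no arguments: run on the sample)
if [ "$#" -gt 0 ]; then dns_mode "$@"; else sample_uci | dns_mode; fi
```
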


5 participants