Captive Portal Redirect Fails - DNS Issue

I've been using OpenWrt for some time now. I occasionally run into an issue that I haven't been able to figure out how to address. I searched around for answers to this and I wasn't successful. Forgive me if this has been asked before.

I commonly use my OpenWrt router in hotels and public Wi-Fi hotspots where they redirect you to a captive portal via a fully-qualified domain name (FQDN) that can only be resolved when using their internal DNS servers.

For example, tonight I logged into OpenWrt, scanned for the hotel Wi-Fi network and the router connected successfully. The hotel's network assigned two internally accessible DNS servers.

When I attempt to access the Internet from a computer behind OpenWrt, the browser receives the HTTP 302 redirect from the hotel Wi-Fi network but fails to connect because my computer cannot resolve the FQDN of their web server.

The way I work around this issue is to find the DNS server addresses that were assigned to the OpenWrt WAN interface and add one of them to my computer's Wi-Fi adapter. Once I do that, I can resolve the FQDN in the captive portal redirect URL, agree to the acceptable use policy, then I can access the Internet.

I can even revert back to the DNS server IP assigned by the OpenWrt DHCP server, which is the IP of OpenWrt itself.

If I SSH into OpenWrt, then try to resolve the FQDN for the captive portal, that works as I would expect.

It seems that the dnsmasq is just using the DNS root servers and is ignoring the DNS servers assigned by the hotel Wi-Fi network.

  1. Why doesn't OpenWrt just use the upstream DNS server(s) assigned to the WAN interface when a host on the LAN issues a DNS query?

  2. Is there an option to force OpenWrt to use the upstream DNS servers?

  3. Is there an option where I can have OpenWrt automatically update the DHCP configuration such that it assigns the upstream DNS servers to DHCP clients on the LAN?

Thanks in advance!

There's a chance I might have figured out what setting to change to alleviate this issue:

Rebind Protection - Discard upstream RFC1918 responses

That setting was enabled by default. If I submit a DNS query for mycaptiveportal.hotelwifi.com and it resolves to 10.2.36.60, then in theory Rebind Protection would effectively discard the DNS response since it includes an RFC1918 IP address.

Once I disabled the option, I tried performing an nslookup from a computer on the LAN and it resolved!

Am I on to something here? 🙂

I'd still like to know if it's possible for DHCP to assign the upstream DNS servers to my DHCP clients on the LAN side.

The announced nameservers are preconfigured in dnsmasq as far as I know. In order to advertise the upstream nameservers you'd need to change them manually, or by a script and reload dnsmasq. It is better if you let dnsmasq do the caching and resolving according to what the dhcp server of the hotel advertises.
Other than that, switching off rebind protection should solve your issue.

dnsmasq doesn't do that; and that doesn't make sense - given you're blocked by a captive portal.

It should be doing this, as long as you haven't configured DNS servers elsewhere.

It should be. Did you change the config (i.e. on a client)?

Yes, you can assign them directly to clients (as opposed to the OpenWrt forwarding requests) by using DHCP Options. The option to use is No. 6.

💡

Yes!

If your WAN DNS servers reply with any RFC 1918 addresses (i.e. to redirect to a local captive portal), Rebind Protection has to be turned off.


@lleachii

Thanks for your response!

With respect to your response about using DHCP option 6 for assigning DNS servers to clients on the LAN side, I know I can specify DNS servers I already know about ahead of time.

If I were to use OpenWrt in the same location(s) on a regular basis, the IP addresses of the DNS servers are predictable and I can add them to the DHCP server configuration.

What I was asking is whether or not it's possible to dynamically update option 6 with the IP addresses of the DNS servers that are assigned by the upstream DHCP server.

I move from one location to another quite often as I travel for work. I would like option 6 to automatically update based on the DNS server IP addresses assigned to the WAN interface as I move from one location to another.

For example, if I'm in a hotel in NYC tonight and the hotel Wi-Fi assigns 10.10.10.10 and 10.10.10.11 to the OpenWrt WAN interface, I would like the DHCP server configuration automatically updated to offer those DNS servers to clients.

Then I move to another hotel in Chicago the next night, and the hotel Wi-Fi assigns 10.20.20.20 and 10.20.20.21 to the OpenWrt WAN interface, those should be the DNS servers automatically assigned to DHCP clients.

Is there an option in dnsmasq that supports that use-case? Or is that something I would have to write a script for?
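The script route asked about above, as an added example that is not part of the original thread or of OpenWrt itself: a hotplug script that rewrites DHCP option 6 on the LAN pool from the resolvers the upstream network handed out. It assumes the uplink interface is named `wan`, the LAN pool is the `dhcp.lan` section, the resolver list lives in `/tmp/resolv.conf.d/resolv.conf.auto`, and the file name `90-upstream-dns` is made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): install as /etc/hotplug.d/iface/90-upstream-dns
# Assumptions: uplink interface "wan" (a Wi-Fi client uplink may be named
# differently), LAN DHCP section dhcp.lan, and upstream resolvers listed in
# /tmp/resolv.conf.d/resolv.conf.auto (older releases: /tmp/resolv.conf.auto).

WAN_IF="${WAN_IF:-wan}"
RESOLV_AUTO="${RESOLV_AUTO:-/tmp/resolv.conf.d/resolv.conf.auto}"

# Print the IPv4 nameservers from a resolv.conf-style file as a
# comma-separated list. Entries that are not dotted quads with octets
# 0-255 are skipped (DHCP option 6 carries IPv4 addresses only).
upstream_dns_csv() {
    awk '
        $1 == "nameserver" && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            n = split($2, o, ".")
            ok = (n == 4)
            for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) ok = 0
            if (ok && !seen[$2]++) out = out (out == "" ? "" : ",") $2
        }
        END { print out }
    ' "$1" 2>/dev/null
}

# Build the dhcp_option value for option 6; prints nothing and returns
# non-zero when the file holds no usable server.
dns_option_value() {
    csv="$(upstream_dns_csv "$1")"
    [ -n "$csv" ] && echo "6,$csv"
}

# Replace any existing option 6 entry on the LAN pool and reload dnsmasq.
apply_option6() {
    value="$(dns_option_value "$RESOLV_AUTO")" || return 0  # no upstream DNS: keep config
    for old in $(uci -q get dhcp.lan.dhcp_option); do
        case "$old" in 6,*) uci -q del_list dhcp.lan.dhcp_option="$old" ;; esac
    done
    uci add_list dhcp.lan.dhcp_option="$value"
    uci commit dhcp
    /etc/init.d/dnsmasq reload
}

# hotplug sets ACTION and INTERFACE; outside hotplug nothing is changed.
if [ "$ACTION" = "ifup" ] && [ "$INTERFACE" = "$WAN_IF" ]; then
    apply_option6
fi
```

Clients pick up the new servers only at their next DHCP lease renewal. Clients that query the hotel resolvers directly no longer go through dnsmasq on the router, so its rebind protection does not apply to their lookups.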

Just use travelmate (Travelmate support thread), which keeps the rebind protection enabled but automatically whitelists such cp domains, e.g.:

	option rebind_protection '1'
	list rebind_domain 'hotspot.t-mobile.net'

Thanks for the tip on travelmate! That's HOT!