My Environment:

OS: Angstrom Linux

DNS: Bind

Current Scenario:

  1. User connects to my private offline network.
  2. User tries to access google.com, and since my box is on a private network they get a connection unavailable error.

Example Desired Scenario:

  1. User connects to my private offline network.
  2. User tries to access google.com or any other external host in their browser and they get redirected to my splash page.

The idea is that if my machine loses internet connectivity, the end user will still be able to hit google.com or any other external site and get redirected to my splash/portal page.

Any thoughts or feedback on how this can be achieved would be greatly appreciated.

Anthon

Fostah
  • I wouldn't do that through DNS, I would simply use `iptables` to DNAT them over to your "splash page" (you can match on destination port 80). You can redirect port 443, but remember this will cause browser warnings about invalid Certificates (this will happen no matter what you do). – Drav Sloan Aug 22 '13 at 18:02
  • @DravSloan I am currently using iptables to DNAT port 80 requests, however it seems that only if the connection to the internet is NOT available, the DNAT will fail and the user will get a connection unavailable from their browser. – Fostah Aug 22 '13 at 19:35

1 Answer

Method #1: IPTABLES

                                                                     xxxxx
      +----------+                 +----------+             xxxxxxxxx     xxx xxxxx
      |          |                 |          |            xx                     xx
      |          |                 |  Linux   |          xxx                       xx x
      |          |                 |  Box     |          x                            x
      |  Client  |     ========>   |  As      |  ====>  x   WebServer portal page.
      |          |                 |  GateWay |          xx                        xxx
      |          |                 |          |           x                         x
      |          |                 |          |            xx xxx       x       xxxxx
      +----------+                 +----------+                   xxxxxxxxxx xxx

Use the Linux Box as the Gateway on the Client Machine, add the following rule on your Linux Box, and enable IP forwarding:

/sbin/iptables -t nat -A PREROUTING -s [source network/mask] -p tcp --dport 80 -j DNAT --to-destination [your webserver]

Enable IP_Forwarding:

sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf

then apply

sysctl -p

As Drav said:

You can redirect port 443, but remember this will cause browser warnings about invalid Certificates (this will happen no matter what you do)

Method #2: DNS

In named.conf:

zone "." IN {
    type master;
    file "named.root";
};

In "named.root":

$ORIGIN .
$TTL 1D
@    IN     SOA  @ none. ( 0 1D 1H 1W 3H );
.     IN     NS   @
@     IN     A   10.0.0.1
*     IN     A   10.0.0.1

Replace IP Address 10.0.0.1 with your WebServer.

The above method is tested and working.

Rahul Patil
  • I am currently using IPTables to DNAT requests, however, this only seems to work if the domain is resolvable. If the domain can't be resolved the browsers basically die on the DNAT redirect. Is there any further setup required to DNAT an external domain that is unreachable on my network? – Fostah Aug 22 '13 at 19:33
  • redirect the DNAT to an IP and not a DNS name? – Drav Sloan Aug 22 '13 at 19:47
  • 1
    @Fostah Checkout second method, I just updated.. – Rahul Patil Aug 22 '13 at 20:14
  • @Fostah have you checked that method? Are you facing any issue? – Rahul Patil Aug 23 '13 at 10:57
  • @RahulPatil I am testing it today. I have an open embedded system with a lot of interfaces, so I'm tweaking what was posted to see if I can get it to work. I will accept your answer when I finish testing. Thanks! – Fostah Aug 23 '13 at 16:14
  • @RahulPatil Your second method works wonderfully. Can you explain why recursion is supposed to be yes? – Fostah Aug 23 '13 at 17:24
  • 1
    We do not need to specify because default value is true of recursion, if recursion is true then it will perform dns query to root servers if that domain does not exists in zone. so we already have given * means we have all records, so we do not need to use recursion, but if recursion is enable then server will use more resources to search domain from root server but we have root server one in our zone then it will query only that. – Rahul Patil Aug 24 '13 at 03:57
  • 1
    so enable it or disable it no issue because we have all records in our zone it is wildcard record – Rahul Patil Aug 24 '13 at 03:58