Wed, Dec 11, 2013 7:31 PM

Hoaxing DNS, or equivalent to effectively block internet access?

On occasions, I would like to effectively block all internet access on devices connected to a particular WLAN. If I simply turn off the WLAN, then cellular data takes over, so I'd like to keep the WLAN "connected" to the devices, but direct the device to a fake page, faulty page or similar. (It won't fool everyone during exams, quizzes, etc - but it will fool some!)

I can see that, if the ZD was a DHCP server, then I could possibly change the DNS, but that would only take effect when new IPs were handed out and anyhow, We don't use the ZD for a DHCP server.

I've tried using Device policies to shove devices onto a fake VLAN, but that actually just reverts to cellular data on devices.

Any thoughts would be appreciated - I have 2 hours before a school-wide quiz takes place, and I'd love to have it "in place" then.

Responses


7 years ago

Some kind of messing with default gateways?

Champion


7 years ago

Have your DHCP server point clients to a DNS server that you control.
Then reconfigure your DNS server to redirect all queries to a captive portal (via a wildcard feature).
When you want things to work, change your DNS configs back.


7 years ago

Thanks for the help. I wonder if I just set up VLAN Tag to a non-existent VLAN whether that would quickly stop them in their tracks?

Champion


7 years ago

Not likely.
A newly associating wifi device would realize right away that it was not issued an IP address.
It might take a pre-associated device longer to give up on your wifi.

A better approach would be to change the VLAN to another one that has the "wildcard" DNS server on it. That server would refer all traffic to a single "portal" web server.

So, on this secondary VLAN, the "wildcard" DNS server would have to have the same IP as your regular caching DNS server. You'd also have to have a DHCP server out there to continue to issue IP addresses.

That secondary DNS/DHCP/WEB-server + VLAN should be a "complete" solution that would give you some hope of fooling your wifi devices into thinking they still had a working internet connection.
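The "wildcard" DNS server described in the two answers above, as an added example (not code from this thread or from the linked daemon): every A query, whatever the name, is answered with the address of the portal web server, and the TTL is kept short so caches forget the portal answer soon after the normal DNS configuration is restored. The portal address 10.0.0.1 and the names used in the sample queries are constructed for the example.

```python
import socket
import struct

PORTAL_IP = "10.0.0.1"  # assumed address of the captive-portal web server (constructed)

def build_query(name, qtype=1, txid=b"\x12\x34"):
    """Build a minimal DNS query (RD=1) for name; used here only to construct sample input."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return txid + struct.pack("!HHHHH", 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_question(packet):
    """Return (qname, qtype, qclass, end_offset) for the first question in a DNS packet."""
    labels, pos = [], 12  # the question section starts after the 12-byte header
    while packet[pos] != 0:
        length = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    pos += 1  # skip the terminating zero-length label
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels), qtype, qclass, pos + 4

def build_wildcard_response(query, portal_ip=PORTAL_IP, ttl=30):
    """Answer every IN A query with portal_ip, regardless of the name asked for.
    Other query types get an empty NOERROR reply. The short TTL means client and
    resolver caches drop the portal answer quickly once the real DNS is put back."""
    qname, qtype, qclass, qend = parse_question(query)
    question = query[12:qend]
    if qtype == 1 and qclass == 1:
        answer = (b"\xc0\x0c"  # compression pointer to the queried name at offset 12
                  + struct.pack("!HHIH", 1, 1, ttl, 4)
                  + bytes(int(o) for o in portal_ip.split(".")))
        ancount = 1
    else:
        answer, ancount = b"", 0
    # flags 0x8180: response, recursion desired, recursion available, NOERROR
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, ancount, 0, 0)
    return qname, header + question + answer

def serve(bind_addr="0.0.0.0", port=53):
    """Listen on UDP/53 (needs root) and answer every query with the portal address."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            data, client = sock.recvfrom(512)
            qname, reply = build_wildcard_response(data)
            print(f"{client[0]} asked for {qname} -> {PORTAL_IP}")
            sock.sendto(reply, client)

if __name__ == "__main__":
    serve()
```

Run it on the secondary VLAN at the same IP as the regular caching resolver, as the answer above suggests, and the portal web server at PORTAL_IP will receive the browser requests; devices that already cached real answers only switch over once those cached records expire.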

Champion


7 years ago

Don't know if this helps, but here it is:

Minimal DNS spoofing daemon
http://dachary.org/?p=1947


7 years ago

Thanks, Bill. That looks perfect - and easy!