Hoaxing DNS, or equivalent to effectively block internet access?

  • 1
  • Question
  • Updated 4 years ago
On occasions, I would like to effectively block all internet access on devices connected to a particular WLAN. If I simply turn off the WLAN, then cellular data takes over, so I'd like to keep the WLAN "connected" to the devices, but direct the device to a fake page, faulty page or similar. (It won't fool everyone during exams, quizzes, etc - but it will fool some!)

I can see that, if the ZD was a DHCP server, then I could possibly change the DNS, but that would only take effect when new IPs were handed out, and anyhow, we don't use the ZD as a DHCP server.

I've tried using Device policies to shove devices onto a fake VLAN, but that actually just reverts to cellular data on devices.

Any thoughts would be appreciated - I have 2 hours before a school-wide quiz takes place, and I'd love to have it "in place" then.
Martin Kane

  • 72 Posts
  • 7 Reply Likes

Posted 4 years ago

  • 1
janx

  • 27 Posts
  • 0 Reply Likes
Some kind of messing with default gateways?
Bill Burns, AlphaDog

  • 203 Posts
  • 38 Reply Likes
Have your DHCP server point clients to a DNS server that you control.
Then reconfigure your DNS server to redirect all queries to a captive portal (via a wildcard feature).
When you want things to work, change your DNS configs back.
Martin Kane

  • 72 Posts
  • 7 Reply Likes
Thanks for the help. I wonder if I just set up a VLAN tag to a non-existent VLAN whether that would quickly stop them in their tracks?
Bill Burns, AlphaDog

  • 203 Posts
  • 38 Reply Likes
Not likely.
A newly associating wifi device would realize right away that it was not issued an IP address.
It might take a pre-associated device longer to give up on your wifi.

A better approach would be to change the VLAN to another one that has the "wildcard" DNS server on it. That server would refer all traffic to a single "portal" web server.

So, on this secondary VLAN, the "wildcard" DNS server would have to have the same IP as your regular caching DNS server. You'd also have to have a DHCP server out there to continue to issue IP addresses.

That secondary DNS/DHCP/WEB-server + VLAN should be a "complete" solution that would give you some hope of fooling your wifi devices into thinking they still had a working internet connection.
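A minimal "wildcard" DNS responder of the kind Bill describes in both replies above (DHCP hands clients its address; it answers every A query with the portal's IP). This is an added example, not code from the thread or from the daemon linked below; the portal address 10.0.0.1 is an assumption.

```python
import socket
import struct

PORTAL_IP = "10.0.0.1"  # assumed address of the captive-portal web server

def parse_question(msg):
    """Return (qname, qtype, qclass, end_offset) for the first question in msg."""
    labels, off = [], 12  # questions start right after the 12-byte header
    while True:
        ln = msg[off]
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return ".".join(labels), qtype, qclass, off + 4

def build_wildcard_response(query, portal_ip=PORTAL_IP, ttl=5):
    """Answer every A/IN query with portal_ip; other types get an empty NOERROR; None if unparseable."""
    try:
        txid, flags, qdcount = struct.unpack("!HHH", query[:6])
        if qdcount != 1:
            return None
        _name, qtype, qclass, qend = parse_question(query)
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    answer = b""
    if qtype == 1 and qclass == 1:
        # compressed name pointer to offset 12, type A, class IN, TTL, RDLENGTH 4, address
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(portal_ip)
    flags_out = 0x8000 | 0x0400 | (flags & 0x0100)  # QR=1, AA=1, RD copied, RCODE=0
    header = struct.pack("!HHHHHH", txid, flags_out, 1, 1 if answer else 0, 0, 0)
    return header + query[12:qend] + answer

def build_query(name, txid=0x1234, qtype=1):
    """Build a standard recursive query (used to exercise the responder offline)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def serve(bind="0.0.0.0", port=53):
    """Run the responder on UDP/53 (needs privileges); point the DHCP DNS option at this host."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, peer = sock.recvfrom(512)
        resp = build_wildcard_response(data)
        if resp:
            sock.sendto(resp, peer)
```

The short TTL matters for the "change your DNS configs back" step: once the real server is restored, clients stop resolving to the portal within seconds instead of holding the spoofed record in cache.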
Bill Burns, AlphaDog

  • 203 Posts
  • 38 Reply Likes
Don't know if this helps, but here it is:

Minimal DNS spoofing daemon
http://dachary.org/?p=1947
Martin Kane

  • 72 Posts
  • 7 Reply Likes
Thanks, Bill. That looks perfect - and easy!