minniejp (United Kingdom) asked:

Guest WiFi

Hey guys,

I’ve recently started a new role and I’ve noticed that the guy before me has configured his guest WiFi to use the internal DNS for name resolution. Traditionally, the approach I’ve always taken is to direct all guest access off the LAN and to use the DNS of our ISP. Surely this is a security risk? The guys here say it was done to control/manipulate and secure DNS, but I’m not seeing their point. Can anyone shed some light?

Cheers
Shreedhar Ette (India):

Use External DNS.
noci:

Is the local DNS server filtering on certain content? (e.g. disabling certain known sites?)
Like pi-hole, dnsmasq etc. do.

Also, if AD is involved and access is needed, you may need the local DNS on AD as the first DNS and forward from there.
Right, so they could be filtering porn, P2P sharing and such by controlling DNS resolution. Not perfect unless they prevent communication to all external DNS servers too.

I would recommend removing them from accessing the internal LAN or, better yet, proxy the DNS through a firewall if you are concerned about something. But if you are concerned about spyware and cryptolocker-style C&C, what position are you in to remediate the device? At best you could remove it from the WiFi network.
minniejp (asker):

From my point of view, guest WiFi is for guests; they should have no access to the LAN at all. Surely DNS access means access to that server and potentially the rest of the LAN. I've used Meraki in the past, and from there I can send guest traffic out to the web and also restrict what they can do, without accessing the local LAN.
I agree, Meraki works well. What model of AP do you have, and is it guest only or also internal devices?

In the past I would have recommended just pointing the guests to OpenDNS, but when Cisco acquired them it became a paid service.
I've used MR32 devices in the past; they have both internal and external SSIDs and they are very good! From a security perspective, however, do I need to change this sooner rather than later?
Then just point them to an external DNS. Is it issuing DHCP? To me it is just a question of what risk you are mitigating and whether it is worth it.
No, the issue is convincing the rest of the guys that the setup is wrong. They are pretty sure (but won't elaborate) that it's the most secure way to go, but I would like to give them specifics as to why that is the opposite!
1) Allowing any access to the internal network gives some chance to scan at least parts of it; even through DNS queries alone one can get names of servers, clients, etc.
2) Any weaknesses in the DNS servers could be misused.
3) Guest networks tend to be open access ==> anyone, including hackers, can use it. (Is the whole world allowed the same access through the internet connection?)
4) If filtering is needed for some reason, set up a specific GuestLAN DNS server for it ON the GuestLAN.
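As an added example (not code from the thread or from any of the posters), the following Python module encodes point 4 above together with the earlier remark that DNS-based filtering only works if guests cannot reach other resolvers: guest clients may speak DNS only to a resolver that lives on the guest VLAN, may not reach any RFC 1918 address (the internal AD DNS included), and everything else goes straight out to the internet. The guest subnet 192.168.100.0/24, the resolver address 192.168.100.2, the sample flows and the nftables rendering are all assumptions chosen for illustration.

```python
"""Guest VLAN egress policy as a checkable function plus an nftables rendering.

Added example; the addresses below are assumptions, not the thread's network.
"""
import ipaddress

# Assumed addressing: adjust to the real guest VLAN and its resolver.
GUEST_NET = ipaddress.ip_network("192.168.100.0/24")
GUEST_DNS = ipaddress.ip_address("192.168.100.2")
# All RFC 1918 space counts as internal; the AD DNS servers live here too.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def decide(src, dst, proto, dport):
    """Return 'allow' or 'deny' for one flow originating on the guest VLAN.

    Rule order matters: DNS is checked first so that a guest can neither ask
    the internal resolver nor bypass the guest resolver by pointing a device
    at a public one (the gap noted earlier in the thread).
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    if src not in GUEST_NET:
        raise ValueError(f"{src} is not a guest address")
    if proto in ("udp", "tcp") and dport == 53:
        return "allow" if dst == GUEST_DNS else "deny"
    if any(dst in net for net in INTERNAL_NETS):
        return "deny"          # covers guest-to-guest traffic as well
    return "allow"


def audit(flows):
    """Return the subset of (src, dst, proto, dport) tuples the policy denies."""
    return [f for f in flows if decide(*f) == "deny"]


def to_nftables():
    """Render the same policy as an nftables forward chain (assumed syntax)."""
    internal = ", ".join(str(n) for n in INTERNAL_NETS)
    return "\n".join([
        "table inet guest {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        f"    ip saddr {GUEST_NET} ip daddr {GUEST_DNS} udp dport 53 accept",
        f"    ip saddr {GUEST_NET} ip daddr {GUEST_DNS} tcp dport 53 accept",
        f"    ip saddr {GUEST_NET} ip daddr {{ {internal} }} drop",
        f"    ip saddr {GUEST_NET} accept",
        "  }",
        "}",
    ])


# Constructed sample flows: guest client 192.168.100.50 talking to various hosts.
SAMPLE_FLOWS = [
    ("192.168.100.50", "192.168.100.2", "udp", 53),   # guest resolver: allowed
    ("192.168.100.50", "10.0.0.10", "udp", 53),       # internal AD DNS: denied
    ("192.168.100.50", "8.8.8.8", "udp", 53),         # resolver bypass: denied
    ("192.168.100.50", "10.0.0.20", "tcp", 445),      # internal SMB: denied
    ("192.168.100.50", "93.184.216.34", "tcp", 443),  # internet HTTPS: allowed
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(decide(*flow), flow)
    print(to_nftables())
```

Putting the resolver on the guest VLAN (as the rule set above assumes) keeps whatever filtering the team wants while removing the guests' path to the internal servers; the audit function is the quickest way to show colleagues, flow by flow, what the current configuration lets through.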
Well, to answer that you would have to fully see the risk. For example, is it just port 53 that is open? If not, problem. If it is, how are you protecting against DoS/DDoS attacks on your DNS server? Are you sure you have plugged all the exploit holes in DNS?

Then back to my original comment: what are you trying to protect/avoid, and is it worth it? I am not sure of your role, but it sounds like you replaced the person who set it up that way; can't you, in your role, also just make the correction?