Well, I am quite sure we don't want spend some more money this way just to plug this hole. It is possible to set custom DNS per SSID (Content filtering: custom DNS), we tried that, it did not work.
... View more
SLR, can you please elaborate? Where do you set Umbrella and how will that stop tunneling over DNS? We tried to set Custom DNS in the SSID settings, even that is not working in the pre-auth phase.
... View more
The issue here is that DNS to any public IP is allowed in the pre-auth phase. It should be allowed only to those servers which are handed out to client by DHCP. Those allowed should be captured and all answers should point to the captive server instead of the original answer. Cisco WLC is also vulnerable but that can be fixed by creating a pre-auth ACL.
... View more
