We've got a captive portal setup on one of our legacy networks where the portal pages show when someone has failed to authenticate via MAC address. Since we're allowing them online so that they can see the portal and don't want to force a user to change their possibly static DNS configurations, I was wondering if we might be able to redirect the DNS queries while they're in the unauthenticated role ... then allow their DNS traffic anywhere once they've authenticated successfully.
This is basically to address the DNSchanger trojan behavior w/o breaking anything we're currently allowing our users to do. I'd probably prefer to force them to use OpenDNS, but as this unauthenticated->authenticated role change does not send the user off to DHCP again, I can't do this from the DHCP server. I haven't seen UDP redirection in the controller (yet), but it seemed like this would be a possible approach (and perhaps clean up problem cases for our guest network, too).
Thanks!
andrew.