the fast, reliable localhost tunneling solution

DNS-Based Authentication

By Tito Brasolin 2012-12-10, 09:01

PyPagekite allows front-ends to delegate authentication to a remote service according to a DNS-based authentication protocol. The command line option --authdomain is documented here.

If you are not familiar with DNS requests and responses, just play around with your Python console and socket.gethostbyname_ex(hostname)

import socket

The answer should look like this:

('', [''], ['', ''])

DNS Lookup

If the front-end is running with a lookup string may look like this:


When a back-end is connecting, the front-end queries the DNS server and extracts authentication errors and extended quota info from CNAME replies.

(hn, al, ips) = socket.gethostbyname_ex(lookup)

The primary hostname is splitted into error, days and connections informations:

if al:
  error, hg, hd, hc, junk = hn.split('.', 4)
  q_days = int(hd, 16)
  q_conns = int(hc, 16)
  error = q_days = q_conns = None

A few constants are defined in

AUTH_ERRORS           = '255.255.255.'
AUTH_ERR_INVALID      = '.1'

If ips[0] starts with '255.255.255.' then an authentication error just happened: the user may be unknown (ips[0] ends with '.0') or invalid (ips[0] ends with '.1').

Otherwise the user has been authenticated and the quota is encoded in the IP. Look at LookupDomainQuota to see how it works.


  1. Michiel de Jong said on 2016-06-01, 14:05
    The link to LookupDomainQuota should be (line numbers have shifted)

Leave a comment

( (Please leave these blank: )

We use Gravatar for commenter's photos. Get your own, it's free!