From: Maciej Soltysiak <maciej@soltysiak.com>
To: cerowrt-devel@lists.bufferbloat.net
Subject: [Cerowrt-devel] [PATCH] OpenDNS bind config for guest wifi. Was: Re: Different BIND setup per interface
Date: Wed, 1 Aug 2012 20:12:32 +0200
Message-ID: <CAMZR1YAe3PD9jgnTiuRYMxjaMMcmvTYtFvMuoXLaU4bEzRP2XQ@mail.gmail.com>
In-Reply-To: <CAMZR1YAYgGKpROv2sjwx0SOMHPa7+0UocucSSDjUVt9KUaWGmg@mail.gmail.com>
Hi guys,
You might want to use it or dismiss it completely, but here's what I
was thinking of in the previous email, with a patch.
Utilize BIND views in CeroWRT to make Guest WiFi interfaces use
OpenDNS.com servers, keeping root resolution for wired and non-guest
wifi.
Rationale:
1) I can use whatever I want internally, but for guests, I'd prefer to
give them an additional layer of filtering against known phishing and
malware, etc. Configuration is up to the user.
2) Since I run my guest networks completely open, instead of
password-protecting them, this is also for the folks/kids around who might
be using my graciousness.
Patch is (1) attached, (2) inlined in the email body and (3) available at
https://soltysiak.com/cerowrt/bind-opendns-for-guests.diff
Regards,
Maciej
--- conf.orig/acls.local.conf
+++ conf/acls.local.conf
@@ -10,3 +10,9 @@
172.16/12;
// 2002::/16; restrict this instead to your 2002::/48
};
+
+acl guests {
+ 172.30.42.129/27;
+ 172.30.42.161/27;
+};
+
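Review bot: both elements of the new `guests` ACL have host bits set below their /27 prefix (`172.30.42.129/27` and `172.30.42.161/27`); BIND reports such elements as an address/prefix length mismatch and, depending on the release, either masks them silently or refuses to load the configuration. Use the network addresses instead, `172.30.42.128/27;` and `172.30.42.160/27;`, which cover the same two guest subnets. The final `+` line also adds a stray blank line at the end of the file.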
--- conf.orig/named.conf
+++ conf/named.conf
@@ -15,6 +15,19 @@
mylan;
};
+view "guests" {
+ match-clients { guests; };
+ allow-query { any; };
+ allow-recursion { any; };
+ recursion yes;
+
+ include "/etc/bind/conf/dnssec.conf";
+ include "/etc/bind/conf/forwarders-opendns.conf";
+
+ include "/etc/bind/default/basic.zones";
+ include "/etc/bind/localzones/us.zones";
+};
+
view "us" {
match-clients { !key them-key; local; };
allow-query { any; };
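Review bot: `allow-recursion { any; };` in the `guests` view grants more than the view's `match-clients { guests; };` implies; `allow-recursion { guests; };` keeps the two consistent and makes the intent explicit if the match list is ever widened. Since the view includes `dnssec.conf` together with `forwarders-opendns.conf`, it is worth confirming that the chosen forwarders return DNSSEC data (RRSIGs when queried with the DO bit); a validating view behind forwarders that strip or lack that data answers SERVFAIL for signed names, which guests would see as an outage. Placing the view ahead of `view "us"` is correct, because views are matched in order and the broader `local` match in `"us"` must not see the guest clients first.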
--- conf.orig/forwarders-opendns.conf
+++ conf/forwarders-opendns.conf
@@ -0,0 +1,8 @@
+# Comcast has DNSSEC
+# Don't use comcast unless you are on comcast, however.
+# Other forwarders exist with DNSSEC (for example 8.8.8.8)
+
+forwarders {
+208.67.222.222;
+208.67.220.220;
+};
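Review bot: the file sets `forwarders` but no forwarding mode, so the `guests` view inherits BIND's default `forward first` and falls back to iterative resolution from the roots whenever the listed servers fail or time out, silently removing the filtering the view exists to provide; add `forward only;` beside the `forwarders` block so guest queries never bypass the forwarders. The three comment lines describe Comcast and 8.8.8.8 rather than this file's contents; replace them with a note that these are the OpenDNS resolvers and whether they return DNSSEC data, since the including view also validates. The addresses are also flush-left, unlike the indented ACL and view bodies in the other two files.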