From: Maciej Soltysiak
To: cerowrt-devel@lists.bufferbloat.net
Date: Wed, 1 Aug 2012 20:12:32 +0200
Subject: [Cerowrt-devel] [PATCH] OpenDNS bind config for guest wifi. Was: Re: Different BIND setup per interface

Hi guys,

You might want to use it or dismiss it completely, but here's what I was thinking of in the previous email, with a patch.

Utilize BIND views in CeroWRT to make Guest WiFi interfaces use OpenDNS.com servers, keeping root resolution for wired and non-guest wifi.

Rationale:
1) I can use whatever I want internally, but for guests, I'd prefer to give them an additional layer of filtering against known phishing and malware, etc. Configuration is up to the user.
2) Since I run my guest networks completely Open, instead of passwording them, this is also for folks/kids around who might be using my graciousness.

Patch is (1) attached, (2) inlined in the email body and (3) available at https://soltysiak.com/cerowrt/bind-opendns-for-guests.diff

Regards,
Maciej

--- conf.orig/acls.local.conf +++ conf/acls.local.conf @@ -10,3 +10,9 @@ 172.16/12; // 2002::/16; restrict this instead to your 2002::/48 }; + +acl guests { + 172.30.42.129/27; + 172.30.42.161/27; +}; + --- conf.orig/named.conf +++ conf/named.conf
@@ -15,6 +15,19 @@ mylan; }; +view "guests" { + match-clients { guests; }; + allow-query { any; }; + allow-recursion { any; }; + recursion yes; + + include "/etc/bind/conf/dnssec.conf"; + include "/etc/bind/conf/forwarders-opendns.conf"; + + include "/etc/bind/default/basic.zones"; + include "/etc/bind/localzones/us.zones"; +}; + view "us" { match-clients { !key them-key; local; }; allow-query { any; }; --- conf.orig/forwarders-opendns.conf +++ conf/forwarders-opendns.conf 
@@ -0,0 +1,8 @@ +# Comcast has DNSSEC +# Don't use comcast unless you are on comcast, however. +# Other forwarders exist with DNSSEC (for example 8.8.8.8) + +forwarders { +208.67.222.222; +208.67.220.220; +};
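Review bot: in the acls.local.conf hunk, the two entries of `acl guests` are host addresses carrying a /27 prefix (`172.30.42.129/27;` and `172.30.42.161/27;`) rather than the network addresses of those ranges, 172.30.42.128/27 and 172.30.42.160/27. Write the network form so the intended match is unambiguous and named-checkconf does not complain about host bits set in the prefix, and confirm the two ranges against the actual guest wifi interface subnets, since any mismatch here silently routes guests into the unfiltered "us" view instead of the filtered one.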
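Review bot: in the named.conf hunk, `allow-recursion { any; };` inside view "guests" is wider than it needs to be: `match-clients { guests; };` is the only thing standing between this view and an open resolver, so `allow-recursion { guests; };` is the least-privilege form and stays correct if match-clients is ever loosened. The view also includes `/etc/bind/localzones/us.zones`, the same local zone data the "us" view serves, which lets anyone on the open guest wifi resolve and enumerate internal host names; drop that include or give guests a reduced zone file unless that exposure is intended. Placing the view before "us" is right, because views are matched in order and the 172.16/12 entry visible in the acls.local.conf context would otherwise capture the guest ranges.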
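Review bot: in the forwarders-opendns.conf hunk, the file declares `forwarders` without `forward only;`, and BIND's default is `forward first`, so whenever the OpenDNS servers time out or fail, the guests view silently falls back to full recursion from the root and the phishing/malware filtering the cover letter relies on disappears; add `forward only;` if the filtering is meant to be a guarantee rather than best effort, and watch for SERVFAIL on the guest network as the signal that the forwarders are down. The three comment lines also describe Comcast and 8.8.8.8 rather than the OpenDNS addresses that follow; replace them with a comment naming OpenDNS and stating whether these forwarders return DNSSEC records, since the view includes dnssec.conf and validation there depends on that.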