[Cerowrt-devel] [PATCH] OpenDNS bind config for guest wifi. Was: Re: Different BIND setup per interface

[Cerowrt-devel] [PATCH] OpenDNS bind config for guest wifi. Was: Re: Different BIND setup per interface

[Maciej Soltysiak]

[-- Attachment #1: Type: text/plain, Size: 1802 bytes --]

Hi guys,

You might want to use it or dismiss it completely but here's what I
was thinking of in previous email with a patch.
Utilize BIND views in CeroWRT to make Guest WiFi interfaces use
OpenDNS.com servers, keeping root resolution for wired and non-guest
wifi.

Rationale:
1) I can use whatever I want internally, but for guests, I'd prefer to
give them an additional layer of filtering against known phishing and
malware, etc. Configuration is up to the user.
2) Since I run my guest networks completely Open, instead of
passwording it, this is also for folks/kids around who might be using
my graciousness.

Patch is (1) attached, (2) inlined in email body and (3) available at
https://soltysiak.com/cerowrt/bind-opendns-for-guests.diff

Regards,
Maciej


--- conf.orig/acls.local.conf
+++ conf/acls.local.conf
@@ -10,3 +10,9 @@
         172.16/12;
 //        2002::/16; restrict this instead to your 2002::/48
 };
+
+acl guests {
+       172.30.42.129/27;
+       172.30.42.161/27;
+};
+
--- conf.orig/named.conf
+++ conf/named.conf
@@ -15,6 +15,19 @@
        mylan;
 };

+view "guests" {
+       match-clients { guests; };
+       allow-query { any; };
+       allow-recursion { any; };
+       recursion yes;
+
+       include "/etc/bind/conf/dnssec.conf";
+       include "/etc/bind/conf/forwarders-opendns.conf";
+
+       include "/etc/bind/default/basic.zones";
+       include "/etc/bind/localzones/us.zones";
+};
+
 view "us" {
        match-clients { !key them-key; local; };
        allow-query { any; };
--- conf.orig/forwarders-opendns.conf
+++ conf/forwarders-opendns.conf
@@ -0,0 +1,8 @@
+# Comcast has DNSSEC
+# Don't use comcast unless you are on comcast, however.
+# Other forwarders exist with DNSSEC (for example 8.8.8.8)
+
+forwarders {
+208.67.222.222;
+208.67.220.220;
+};

[-- Attachment #2: bind-opendns-for-guests.diff --]
[-- Type: application/octet-stream, Size: 965 bytes --]

--- conf.orig/acls.local.conf
+++ conf/acls.local.conf
@@ -10,3 +10,9 @@
         172.16/12;
 //        2002::/16; restrict this instead to your 2002::/48
 };
+
+acl guests {
+	172.30.42.129/27;
+	172.30.42.161/27;
+};
+
--- conf.orig/named.conf
+++ conf/named.conf
@@ -15,6 +15,19 @@
 	mylan;
 };
 
+view "guests" {
+	match-clients { guests; };
+	allow-query { any; };
+	allow-recursion { any; };
+	recursion yes;
+	
+	include "/etc/bind/conf/dnssec.conf";
+	include "/etc/bind/conf/forwarders-opendns.conf";
+	
+	include "/etc/bind/default/basic.zones";
+	include "/etc/bind/localzones/us.zones";
+};
+
 view "us" {
 	match-clients { !key them-key; local; };
 	allow-query { any; };
--- conf.orig/forwarders-opendns.conf
+++ conf/forwarders-opendns.conf
@@ -0,0 +1,8 @@
+# Comcast has DNSSEC
+# Don't use comcast unless you are on comcast, however.
+# Other forwarders exist with DNSSEC (for example 8.8.8.8)
+
+forwarders {
+208.67.222.222;
+208.67.220.220;
+};

Re: [Cerowrt-devel] [PATCH] OpenDNS bind config for guest wifi. Was: Re: Different BIND setup per interface

[Maciej Soltysiak]

I forgot to mention that it works because BIND assigns views in order
in the named.conf file, so guests will match the "guests" view first,
non guests, will use the "us" view".

On Wed, Aug 1, 2012 at 8:12 PM, Maciej Soltysiak <maciej@soltysiak.com> wrote:
> Hi guys,
>
> You might want to use it or dismiss it completely but here's what I
> was thinking of in previous email with a patch.
> Utilize BIND views in CeroWRT to make Guest WiFi interfaces use
> OpenDNS.com servers, keeping root resolution for wired and non-guest
> wifi.
>
> Rationale:
> 1) I can use whatever I want internally, but for guests, I'd prefer to
> give them an additional layer of filtering against known phishing and
> malware, etc. Configuration is up to the user.
> 2) Since I run my guest networks completely Open, instead of
> passwording it, this is also for folks/kids around who might be using
> my graciousness.
>
> Patch is (1) attached, (2) inlined in email body and (3) available at
> https://soltysiak.com/cerowrt/bind-opendns-for-guests.diff
>
> Regards,
> Maciej
>
>
> --- conf.orig/acls.local.conf
> +++ conf/acls.local.conf
> @@ -10,3 +10,9 @@
>          172.16/12;
>  //        2002::/16; restrict this instead to your 2002::/48
>  };
> +
> +acl guests {
> +       172.30.42.129/27;
> +       172.30.42.161/27;
> +};
> +
> --- conf.orig/named.conf
> +++ conf/named.conf
> @@ -15,6 +15,19 @@
>         mylan;
>  };
>
> +view "guests" {
> +       match-clients { guests; };
> +       allow-query { any; };
> +       allow-recursion { any; };
> +       recursion yes;
> +
> +       include "/etc/bind/conf/dnssec.conf";
> +       include "/etc/bind/conf/forwarders-opendns.conf";
> +
> +       include "/etc/bind/default/basic.zones";
> +       include "/etc/bind/localzones/us.zones";
> +};
> +
>  view "us" {
>         match-clients { !key them-key; local; };
>         allow-query { any; };
> --- conf.orig/forwarders-opendns.conf
> +++ conf/forwarders-opendns.conf
> @@ -0,0 +1,8 @@
> +# Comcast has DNSSEC
> +# Don't use comcast unless you are on comcast, however.
> +# Other forwarders exist with DNSSEC (for example 8.8.8.8)
> +
> +forwarders {
> +208.67.222.222;
> +208.67.220.220;
> +};