From: Maciej Soltysiak <maciej@soltysiak.com>
To: cerowrt-devel@lists.bufferbloat.net
Subject: Re: [Cerowrt-devel] [PATCH] OpenDNS bind config for guest wifi. Was: Re: Different BIND setup per interface
Date: Wed, 1 Aug 2012 20:18:23 +0200
Message-ID: <CAMZR1YDKvdnVwcw9LbkAypJtSfkAs8PoPkj4swAmOOq1Bi8QRw@mail.gmail.com>
In-Reply-To: <CAMZR1YAe3PD9jgnTiuRYMxjaMMcmvTYtFvMuoXLaU4bEzRP2XQ@mail.gmail.com>
I forgot to mention that it works because BIND assigns views in order
in the named.conf file, so guests will match the "guests" view first,
and non-guests will use the "us" view.
On Wed, Aug 1, 2012 at 8:12 PM, Maciej Soltysiak <maciej@soltysiak.com> wrote:
> Hi guys,
>
> You might want to use it or dismiss it completely but here's what I
> was thinking of in previous email with a patch.
> Utilize BIND views in CeroWRT to make Guest WiFi interfaces use
> OpenDNS.com servers, keeping root resolution for wired and non-guest
> wifi.
>
> Rationale:
> 1) I can use whatever I want internally, but for guests, I'd prefer to
> give them an additional layer of filtering against known phishing and
> malware, etc. Configuration is up to the user.
> 2) Since I run my guest networks completely Open, instead of
> passwording it, this is also for folks/kids around who might be using
> my graciousness.
>
> Patch is (1) attached, (2) inlined in email body and (3) available at
> https://soltysiak.com/cerowrt/bind-opendns-for-guests.diff
>
> Regards,
> Maciej
>
>
> --- conf.orig/acls.local.conf
> +++ conf/acls.local.conf
> @@ -10,3 +10,9 @@
> 172.16/12;
> // 2002::/16; restrict this instead to your 2002::/48
> };
> +
> +acl guests {
> + 172.30.42.129/27;
> + 172.30.42.161/27;
> +};
> +
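Review bot: both entries in the new guests acl have host bits set under a /27: 172.30.42.129/27 and 172.30.42.161/27 are host addresses, while the networks they fall in are 172.30.42.128/27 and 172.30.42.160/27. Write the network addresses so the covered ranges are explicit and the file does not depend on how named treats an address that does not match its prefix length. The context line 172.16/12; above also shows that an existing acl already contains both guest ranges, so a one-line comment on the guests acl saying that it is a subset and depends on view order would save the next reader from finding that out the hard way.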
> --- conf.orig/named.conf
> +++ conf/named.conf
> @@ -15,6 +15,19 @@
> mylan;
> };
>
> +view "guests" {
> + match-clients { guests; };
> + allow-query { any; };
> + allow-recursion { any; };
> + recursion yes;
> +
> + include "/etc/bind/conf/dnssec.conf";
> + include "/etc/bind/conf/forwarders-opendns.conf";
> +
> + include "/etc/bind/default/basic.zones";
> + include "/etc/bind/localzones/us.zones";
> +};
> +
> view "us" {
> match-clients { !key them-key; local; };
> allow-query { any; };
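Review bot: the guests view includes "/etc/bind/localzones/us.zones", so clients on the open guest network are served the same local zones as the "us" view; if guests are not meant to resolve internal names, drop that include or point it at a guest-specific zones file. In the same view, allow-query { any; }; and allow-recursion { any; }; can be narrowed to { guests; }; so the view's policy does not rest on match-clients alone. The placement before view "us" is load-bearing (first matching view wins) but is explained only in the follow-up mail; a comment above view "guests" saying it must stay first would keep a later reorder from silently moving guests back to the "us" view. Since dnssec.conf is included next to forwarders-opendns.conf, it is also worth confirming that whatever dnssec.conf enables works through these forwarders.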
> --- conf.orig/forwarders-opendns.conf
> +++ conf/forwarders-opendns.conf
> @@ -0,0 +1,8 @@
> +# Comcast has DNSSEC
> +# Don't use comcast unless you are on comcast, however.
> +# Other forwarders exist with DNSSEC (for example 8.8.8.8)
> +
> +forwarders {
> +208.67.222.222;
> +208.67.220.220;
> +};
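Review bot: the forwarders block in forwarders-opendns.conf has no forward only; line, so BIND uses its default of forward first and will resolve from the roots itself when 208.67.222.222 and 208.67.220.220 do not answer, which skips the filtering this patch is meant to give guests. Add forward only; next to the forwarders block if guest lookups should never bypass OpenDNS. The three comment lines at the top talk about Comcast and 8.8.8.8 and look carried over from another forwarders file; replace them with a line saying these are the OpenDNS resolvers and why the guests view uses them.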