* [Cerowrt-devel] [PATCH] OpenDNS bind config for guest wifi. Was: Re: Different BIND setup per interface
[not found] <CAMZR1YAYgGKpROv2sjwx0SOMHPa7+0UocucSSDjUVt9KUaWGmg@mail.gmail.com>
@ 2012-08-01 18:12 ` Maciej Soltysiak
2012-08-01 18:18 ` Maciej Soltysiak
0 siblings, 1 reply; 2+ messages in thread
From: Maciej Soltysiak @ 2012-08-01 18:12 UTC (permalink / raw)
To: cerowrt-devel
Hi guys,
You might want to use it or dismiss it completely, but here's what I
was thinking of in the previous email, with a patch.
Utilize BIND views in CeroWRT to make Guest WiFi interfaces use
OpenDNS.com servers, keeping root resolution for wired and non-guest
wifi.
Rationale:
1) I can use whatever I want internally, but for guests, I'd prefer to
give them an additional layer of filtering against known phishing and
malware, etc. Configuration is up to the user.
2) Since I run my guest networks completely open instead of
password-protecting them, this is also for folks/kids around who might be
using my graciousness.
Patch is (1) attached, (2) inlined in email body and (3) available at
https://soltysiak.com/cerowrt/bind-opendns-for-guests.diff
Regards,
Maciej
--- conf.orig/acls.local.conf
+++ conf/acls.local.conf
@@ -10,3 +10,9 @@
172.16/12;
// 2002::/16; restrict this instead to your 2002::/48
};
+
+acl guests {
+ 172.30.42.129/27;
+ 172.30.42.161/27;
+};
+
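Review bot: both new ACL entries have host bits set below their /27 prefix; 172.30.42.129/27 and 172.30.42.161/27 denote the networks 172.30.42.128/27 and 172.30.42.160/27, and named-checkconf reports an address/prefix length mismatch for entries like these. Write them as `172.30.42.128/27;` and `172.30.42.160/27;` (assuming the two guest interfaces really sit on those /27s) so the intended ranges are unambiguous. Note also that both ranges lie inside the 172.16/12 entry a few lines up, which is why the view that uses this ACL has to be ordered carefully in named.conf.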
--- conf.orig/named.conf
+++ conf/named.conf
@@ -15,6 +15,19 @@
mylan;
};
+view "guests" {
+ match-clients { guests; };
+ allow-query { any; };
+ allow-recursion { any; };
+ recursion yes;
+
+ include "/etc/bind/conf/dnssec.conf";
+ include "/etc/bind/conf/forwarders-opendns.conf";
+
+ include "/etc/bind/default/basic.zones";
+ include "/etc/bind/localzones/us.zones";
+};
+
view "us" {
match-clients { !key them-key; local; };
allow-query { any; };
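Review bot: the placement of "guests" ahead of "us" is load-bearing and undocumented: the guest ranges also match the LAN ACL used by the "us" view, and named serves a client from the first view whose match-clients matches, so a one-line comment above `view "guests" {` saying it must precede "us" would stop the next editor from reordering it. Two smaller points: `allow-recursion { any; };` is only bounded by match-clients, so `allow-recursion { guests; };` states the intent directly; and including localzones/us.zones hands the internal zone data to clients on an open guest network, which should be a deliberate choice (drop that include if guests should only resolve public names).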
--- conf.orig/forwarders-opendns.conf
+++ conf/forwarders-opendns.conf
@@ -0,0 +1,8 @@
+# Comcast has DNSSEC
+# Don't use comcast unless you are on comcast, however.
+# Other forwarders exist with DNSSEC (for example 8.8.8.8)
+
+forwarders {
+208.67.222.222;
+208.67.220.220;
+};
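Review bot: the comment header is copied from a Comcast forwarders file and says nothing about the servers below; replace it with a line naming OpenDNS. More importantly, no `forward only;` is set, so named uses its default of forward first and falls back to full recursion from the root whenever the forwarders fail to answer, which silently bypasses the filtering this view exists to provide; add `forward only;` alongside the forwarders block (or in the guests view). And since the view also includes dnssec.conf, confirm that these forwarders pass through RRSIG data for queries with the DO bit set, otherwise validated lookups for guests will fail.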
* Re: [Cerowrt-devel] [PATCH] OpenDNS bind config for guest wifi. Was: Re: Different BIND setup per interface
2012-08-01 18:12 ` [Cerowrt-devel] [PATCH] OpenDNS bind config for guest wifi. Was: Re: Different BIND setup per interface Maciej Soltysiak
@ 2012-08-01 18:18 ` Maciej Soltysiak
0 siblings, 0 replies; 2+ messages in thread
From: Maciej Soltysiak @ 2012-08-01 18:18 UTC (permalink / raw)
To: cerowrt-devel
I forgot to mention that it works because BIND assigns views in order
in the named.conf file, so guests will match the "guests" view first;
non-guests will use the "us" view.
On Wed, Aug 1, 2012 at 8:12 PM, Maciej Soltysiak <maciej@soltysiak.com> wrote:
> Hi guys,
>
> You might want to use it or dismiss it completely, but here's what I
> was thinking of in the previous email, with a patch.
> Utilize BIND views in CeroWRT to make Guest WiFi interfaces use
> OpenDNS.com servers, keeping root resolution for wired and non-guest
> wifi.
>
> Rationale:
> 1) I can use whatever I want internally, but for guests, I'd prefer to
> give them an additional layer of filtering against known phishing and
> malware, etc. Configuration is up to the user.
> 2) Since I run my guest networks completely open instead of
> password-protecting them, this is also for folks/kids around who might be
> using my graciousness.
>
> Patch is (1) attached, (2) inlined in email body and (3) available at
> https://soltysiak.com/cerowrt/bind-opendns-for-guests.diff
>
> Regards,
> Maciej
>
>
> --- conf.orig/acls.local.conf
> +++ conf/acls.local.conf
> @@ -10,3 +10,9 @@
> 172.16/12;
> // 2002::/16; restrict this instead to your 2002::/48
> };
> +
> +acl guests {
> + 172.30.42.129/27;
> + 172.30.42.161/27;
> +};
> +
> --- conf.orig/named.conf
> +++ conf/named.conf
> @@ -15,6 +15,19 @@
> mylan;
> };
>
> +view "guests" {
> + match-clients { guests; };
> + allow-query { any; };
> + allow-recursion { any; };
> + recursion yes;
> +
> + include "/etc/bind/conf/dnssec.conf";
> + include "/etc/bind/conf/forwarders-opendns.conf";
> +
> + include "/etc/bind/default/basic.zones";
> + include "/etc/bind/localzones/us.zones";
> +};
> +
> view "us" {
> match-clients { !key them-key; local; };
> allow-query { any; };
> --- conf.orig/forwarders-opendns.conf
> +++ conf/forwarders-opendns.conf
> @@ -0,0 +1,8 @@
> +# Comcast has DNSSEC
> +# Don't use comcast unless you are on comcast, however.
> +# Other forwarders exist with DNSSEC (for example 8.8.8.8)
> +
> +forwarders {
> +208.67.222.222;
> +208.67.220.220;
> +};
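The first-match view selection that the reply relies on, and the host-bits problem in the guests ACL, modelled in Python as an added example (not code from the patch or from CeroWRT). The "guests" ACL is taken from the patch; the "local" ACL is an assumption standing in for CeroWRT's own, built from the 172.16/12 entry visible in the acls.local.conf context plus 127.0.0.1.

```python
import ipaddress

# Constructed from the patch: the new "guests" ACL, plus an assumed "local"
# ACL standing in for CeroWRT's own (172.16/12 comes from the acls.local.conf
# context lines; 127.0.0.1 is an assumption).
ACLS = {
    "guests": ["172.30.42.129/27", "172.30.42.161/27"],
    "local": ["127.0.0.1", "172.16/12"],
}

# View order as in the patched named.conf: named takes the first match.
VIEWS = [("guests", ["guests"]), ("us", ["!key them-key", "local"])]

def to_network(spec):
    """Expand BIND shorthand ('172.16/12') and mask off host bits."""
    addr, _, plen = spec.partition("/")
    addr = ".".join((addr.split(".") + ["0"] * 4)[:4])
    return ipaddress.ip_network(f"{addr}/{plen or 32}", strict=False)

def host_bits_set(spec):
    """True for entries like 172.30.42.129/27, which named-checkconf flags
    as an address/prefix length mismatch (the network is 172.30.42.128/27)."""
    addr = ".".join((spec.partition("/")[0].split(".") + ["0"] * 4)[:4])
    return ipaddress.ip_address(addr) != to_network(spec).network_address

def match(elements, ip, acls):
    """BIND address-match-list: 1 = matched, -1 = matched a negated
    element, 0 = no match. The first element that matches decides."""
    for elem in elements:
        neg = elem.startswith("!")
        body = elem.lstrip("! ")
        if body.startswith("key "):
            continue  # only TSIG-signed queries can match a key element
        if body in acls:
            r = match(acls[body], ip, acls)
        else:
            r = 1 if body == "any" or ip in to_network(body) else 0
        if r:
            return -r if neg else r
    return 0

def select_view(views, ip, acls=ACLS):
    """Return the view named would serve this client from, or None."""
    ip = ipaddress.ip_address(ip)
    for name, clients in views:
        if match(clients, ip, acls) > 0:
            return name
    return None
```

Calling `select_view` with the two views reversed shows a guest client landing in "us", which is the ordering mistake the reply warns about.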