Date: Wed, 1 Aug 2012 20:18:23 +0200
From: Maciej Soltysiak
To: cerowrt-devel@lists.bufferbloat.net
Subject: Re: [Cerowrt-devel] [PATCH] OpenDNS bind config for guest wifi. Was: Re: Different BIND setup per interface

I forgot to mention that it works because BIND assigns views in order in the named.conf file, so guests will match the "guests" view first; non-guests will use the "us" view.

On Wed, Aug 1, 2012 at 8:12 PM, Maciej Soltysiak wrote:
> Hi guys,
>
> You might want to use it or dismiss it completely but here's what I
> was thinking of in previous email with a patch.
> Utilize BIND views in CeroWRT to make Guest WiFi interfaces use
> OpenDNS.com servers, keeping root resolution for wired and non-guest
> wifi.
>
> Rationale:
> 1) I can use whatever I want internally, but for guests, I'd prefer to
> give them an additional layer of filtering against known phishing and
> malware, etc. Configuration is up to the user.
> 2) Since I run my guest networks completely Open, instead of
> passwording it, this is also for folks/kids around who might be using
> my graciousness.
>
> Patch is (1) attached, (2) inlined in email body and (3) available at
> https://soltysiak.com/cerowrt/bind-opendns-for-guests.diff
>
> Regards,
> Maciej
>
>
> --- conf.orig/acls.local.conf > +++ conf/acls.local.conf > @@ -10,3 +10,9 @@ > 172.16/12; > // 2002::/16; restrict this instead to your 2002::/48 > }; > + > +acl guests { > + 172.30.42.129/27; > + 172.30.42.161/27; > +}; > + > --- conf.orig/named.conf > +++ conf/named.conf
> @@ -15,6 +15,19 @@ > mylan; > }; > > +view "guests" { > + match-clients { guests; }; > + allow-query { any; }; > + allow-recursion { any; }; > + recursion yes; > + > + include "/etc/bind/conf/dnssec.conf"; > + include "/etc/bind/conf/forwarders-opendns.conf"; > + > + include "/etc/bind/default/basic.zones"; > + include "/etc/bind/localzones/us.zones"; > +}; > + > view "us" { > match-clients { !key them-key; local; }; > allow-query { any; }; > --- conf.orig/forwarders-opendns.conf > +++ conf/forwarders-opendns.conf > @@ -0,0 +1,8 @@ > +# Comcast has DNSSEC > +# Don't use comcast unless you are on comcast, however. > +# Other forwarders exist with DNSSEC (for example 8.8.8.8) > + > +forwarders { > +208.67.222.222; > +208.67.220.220; > +};
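
Review bot: in the acls.local.conf hunk, both entries of `acl guests` are written with host bits set under the /27 mask (`172.30.42.129/27;` and `172.30.42.161/27;`). The /27 networks that contain those addresses are 172.30.42.128/27 and 172.30.42.160/27; writing the network addresses makes the ACL state the range it actually matches and avoids depending on how named treats a prefix with non-zero host bits. Running named-checkconf on the patched configuration would confirm the ACL parses as intended.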
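
Review bot: in the named.conf hunk, the new view sets `allow-query { any; };` and `allow-recursion { any; };`, so the only thing limiting recursion to guest clients is `match-clients { guests; };`. Using `{ guests; }` for both would keep this view from turning into an open recursive resolver if match-clients is widened later. The view also includes /etc/bind/localzones/us.zones, which serves guest clients the same local zone data as the "us" view; worth confirming that is intended. Since the view only takes effect because it is placed ahead of view "us", a comment above it saying so would stop someone from reordering the two.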
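
Review bot: in the new forwarders-opendns.conf, the `forwarders { ... };` block has no `forward only;` beside it, and BIND's default is `forward first`, so when neither forwarder answers, named falls back to its own recursion from the roots and guest queries bypass the filtering this patch is meant to add. Add `forward only;` in this file or in the "guests" view if guests should never be resolved unfiltered. The three comment lines about Comcast and DNSSEC look carried over from another forwarders file and do not describe 208.67.222.222 and 208.67.220.220; replace them with a line naming the service. Because the view also includes dnssec.conf, check that whatever that file enables still works when answers come through these forwarders.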