[Cerowrt-devel] [PATCH] OpenDNS bind config for guest wifi. Was: Re: Different BIND setup per interface
Maciej Soltysiak
maciej at soltysiak.com
Wed Aug 1 11:12:32 PDT 2012
Hi guys,
You might want to use it or dismiss it completely but here's what I
was thinking of in previous email with a patch.
Utilize BIND views in CeroWRT to make Guest WiFi interfaces use
OpenDNS.com servers, keeping root resolution for wired and non-guest
wifi.
Rationale:
1) I can use whatever I want internally, but for guests, I'd prefer to
give them an additional layer of filtering against known phishing and
malware, etc. Configuration is up to the user.
2) Since I run my guest networks completely Open, instead of
passwording it, this is also for folks/kids around who might be using
my graciousness.
Patch is (1) attached, (2) inlined in email body and (3) available at
https://soltysiak.com/cerowrt/bind-opendns-for-guests.diff
Regards,
Maciej
--- conf.orig/acls.local.conf
+++ conf/acls.local.conf
@@ -10,3 +10,9 @@
172.16/12;
// 2002::/16; restrict this instead to your 2002::/48
};
+
+acl guests {
+ 172.30.42.129/27;
+ 172.30.42.161/27;
+};
+
--- conf.orig/named.conf
+++ conf/named.conf
@@ -15,6 +15,19 @@
mylan;
};
+view "guests" {
+ match-clients { guests; };
+ allow-query { any; };
+ allow-recursion { any; };
+ recursion yes;
+
+ include "/etc/bind/conf/dnssec.conf";
+ include "/etc/bind/conf/forwarders-opendns.conf";
+
+ include "/etc/bind/default/basic.zones";
+ include "/etc/bind/localzones/us.zones";
+};
+
view "us" {
match-clients { !key them-key; local; };
allow-query { any; };
--- conf.orig/forwarders-opendns.conf
+++ conf/forwarders-opendns.conf
@@ -0,0 +1,8 @@
+# Comcast has DNSSEC
+# Don't use comcast unless you are on comcast, however.
+# Other forwarders exist with DNSSEC (for example 8.8.8.8)
+
+forwarders {
+208.67.222.222;
+208.67.220.220;
+};
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bind-opendns-for-guests.diff
Type: application/octet-stream
Size: 964 bytes
Desc: not available
URL: <https://lists.bufferbloat.net/pipermail/cerowrt-devel/attachments/20120801/451475ea/attachment.obj>
More information about the Cerowrt-devel
mailing list