[Cerowrt-devel] [PATCH] OpenDNS bind config for guest wifi. Was: Re: Different BIND setup per interface
Maciej Soltysiak
maciej at soltysiak.com
Wed Aug 1 11:18:23 PDT 2012
I forgot to mention that it works because BIND assigns views in order
in the named.conf file, so guests will match the "guests" view first,
non guests, will use the "us" view".
On Wed, Aug 1, 2012 at 8:12 PM, Maciej Soltysiak <maciej at soltysiak.com> wrote:
> Hi guys,
>
> You might want to use it or dismiss it completely but here's what I
> was thinking of in previous email with a patch.
> Utilize BIND views in CeroWRT to make Guest WiFi interfaces use
> OpenDNS.com servers, keeping root resolution for wired and non-guest
> wifi.
>
> Rationale:
> 1) I can use whatever I want internally, but for guests, I'd prefer to
> give them an additional layer of filtering against known phishing and
> malware, etc. Configuration is up to the user.
> 2) Since I run my guest networks completely Open, instead of
> passwording it, this is also for folks/kids around who might be using
> my graciousness.
>
> Patch is (1) attached, (2) inlined in email body and (3) available at
> https://soltysiak.com/cerowrt/bind-opendns-for-guests.diff
>
> Regards,
> Maciej
>
>
> --- conf.orig/acls.local.conf
> +++ conf/acls.local.conf
> @@ -10,3 +10,9 @@
> 172.16/12;
> // 2002::/16; restrict this instead to your 2002::/48
> };
> +
> +acl guests {
> + 172.30.42.129/27;
> + 172.30.42.161/27;
> +};
> +
> --- conf.orig/named.conf
> +++ conf/named.conf
> @@ -15,6 +15,19 @@
> mylan;
> };
>
> +view "guests" {
> + match-clients { guests; };
> + allow-query { any; };
> + allow-recursion { any; };
> + recursion yes;
> +
> + include "/etc/bind/conf/dnssec.conf";
> + include "/etc/bind/conf/forwarders-opendns.conf";
> +
> + include "/etc/bind/default/basic.zones";
> + include "/etc/bind/localzones/us.zones";
> +};
> +
> view "us" {
> match-clients { !key them-key; local; };
> allow-query { any; };
> --- conf.orig/forwarders-opendns.conf
> +++ conf/forwarders-opendns.conf
> @@ -0,0 +1,8 @@
> +# Comcast has DNSSEC
> +# Don't use comcast unless you are on comcast, however.
> +# Other forwarders exist with DNSSEC (for example 8.8.8.8)
> +
> +forwarders {
> +208.67.222.222;
> +208.67.220.220;
> +};
More information about the Cerowrt-devel
mailing list