[LEDE-DEV] s/dnsmasq/unbound+odhcpd/

Eric Luehrsen ericluehrsen at hotmail.com
Fri Jan 20 19:06:36 PST 2017


>>>Sound interesting.  Can it do multiple instances?

(1) The UCI scripts are not configured for instances, but ...

(2) It wouldn't be a good idea. Recursive servers keep a lot of infrastructure cache with the zone data. This grows with DNSSEC. Lame paths (broken DSKEY chains) and slow responding NS with mirrors are cached. The memory can be controlled, but at the cost of performance, so you want one big one with all the cache, and ...

(3) There is no need. Unbound 1.6.0 has "views:" which means from a zone or IP range, you can restrict what is seen. Two obvious uses:
-- CoffeeShop/Guest WiFi. Guests cannot DNS each other or the coffee shop equipment. Firewall prevents access, but why let them enumerate it?
view: -> (Guest 172.16.20.0/24) -> drop all queries for domain "joes-coffee.example.com"
view: -> (CoffeeShop 172.16.10.0/24) -> DHCP-DNS domain "joes-coffee.example.com" and adblock everything so employees don't do whatever

-- Home/ChildProof WiFi. 
view: -> (ChildProof 172.16.20.0/24) -> big list of "kittens.jpeg" zones loaded by adblocker package. 
view: -> (Home 172.16.10.0/24) -> normal and mom and dad can do what they want.
 
ERIC    
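
The coffee-shop split sketched in the message above, written out as unbound.conf `view:` clauses. This is an added example, not part of the original message or of the LEDE UCI scripts; the view names, the host `till` with its address, and the blocked zone `ads.example.net` are constructed for illustration.

```conf
# Added example: per-subnet views (available from Unbound 1.6.0).
server:
    interface: 0.0.0.0
    # Both subnets may use the resolver at all.
    access-control: 172.16.10.0/24 allow
    access-control: 172.16.20.0/24 allow
    # Map each client netblock to the view it is answered from.
    access-control-view: 172.16.10.0/24 "coffeeshop"
    access-control-view: 172.16.20.0/24 "guest"

# Guest WiFi: the internal domain cannot be enumerated.
view:
    name: "guest"
    # "deny" drops the query without sending any answer.
    local-zone: "joes-coffee.example.com." deny
    # Use only this view's local zones, never the global ones.
    view-first: no

# Staff network: internal names resolve, blocked zones do not.
view:
    name: "coffeeshop"
    # "static" answers only from local-data and never recurses for the zone.
    local-zone: "joes-coffee.example.com." static
    # Constructed record standing in for names learned from DHCP.
    local-data: "till.joes-coffee.example.com. IN A 172.16.10.5"
    # One constructed adblock entry; with no local-data it answers NXDOMAIN.
    local-zone: "ads.example.net." static
    # Names not matched in this view fall through to the global local zones.
    view-first: yes
```

`unbound-checkconf` validates the file before the daemon is reloaded. A client in 172.16.20.0/24 asking for any name under joes-coffee.example.com gets no reply at all, while the same query from 172.16.10.0/24 is answered from the view's local data.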


