[LEDE-DEV] s/dnsmasq/unbound+odhcpd/

Eric Luehrsen ericluehrsen at hotmail.com
Fri Jan 20 19:06:36 PST 2017

>>>Sound interesting.  Can it do multiple instances?

(1) The UCI scripts are not configured for instances, but ...

(2) It wouldn't be a good idea. Recursive servers keep a lot of infrastructure cache with the zone data. This grows with DNSSEC. Lame paths (broken DSKEY chains) and slow responding NS with mirrors are cached. The memory can be controlled, but at the cost of performance, so you want one big one with all the cache, and ...

(3) There is no need. Unbound 1.6.0 has "views:" which means from a zone or IP range, you can restrict what is seen. Two obvious uses:
-- CoffeeShop/Guest WiFi. Guests cannot DNS each other or the coffee shop equipment. Firewall prevents access, but why let them enumerate it?
view: -> (Guest -> drop all queries for domain "joes-coffee.example.com"
view: -> (CoffeeShop 172.16.10.0/24) -> DHCP-DNS domain "joes-coffee.example.com" and adblock everything so employees don't do whatever

-- Home/ChildProof WiFi. 
view: -> (ChildProof -> big list of "kittens.jpeg" zones loaded by adblocker package. 
view: -> (Home -> normal and mom and dad can do what they want.
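
The coffee shop case from the message, written out as an unbound.conf fragment. This is an added example, not part of the original message or of the LEDE UCI scripts; the guest subnet 192.0.2.0/24, the view names, the host records and the blocked ad zone are assumptions.

```conf
# Added example. Requires Unbound 1.6.0 or later (views).
# Assumed: guest subnet 192.0.2.0/24, view names, host records, ad zone.
server:
    # Both networks may query the resolver at all.
    access-control: 172.16.10.0/24 allow
    access-control: 192.0.2.0/24 allow
    # Bind each client netblock to the view that decides what it sees.
    access-control-view: 172.16.10.0/24 "coffeeshop"
    access-control-view: 192.0.2.0/24 "guest"

view:
    name: "guest"
    # "deny" drops the query without an answer when no local-data matches,
    # so guests cannot enumerate shop hostnames.
    local-zone: "joes-coffee.example.com." deny
    # Same for reverse lookups of the shop subnet (PTR enumeration).
    local-zone: "10.16.172.in-addr.arpa." deny
    # Do not fall back to global local-zone/local-data for this view.
    view-first: no

view:
    name: "coffeeshop"
    # Shop hosts resolve only inside this view. "static" answers from
    # local-data and returns NXDOMAIN/NODATA for other names in the zone.
    local-zone: "joes-coffee.example.com." static
    local-data: "printer.joes-coffee.example.com. IN A 172.16.10.20"
    local-data: "pos.joes-coffee.example.com. IN A 172.16.10.21"
    # One ad-block entry; an adblock package would generate many of these.
    local-zone: "ads.example.net." static
    view-first: no
```

`unbound-checkconf` validates the file before the daemon is reloaded.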
