[LEDE-DEV] s/dnsmasq/unbound+odhcpd/

Daniel Dickinson lede-daniel at cshore.thecshore.com
Sat Jan 21 11:30:23 PST 2017


On Sat, 21 Jan 2017 03:06:36 +0000
Eric Luehrsen <ericluehrsen at hotmail.com> wrote:

> >>>Sounds interesting.  Can it do multiple instances?
> 
> (1) The UCI scripts are not configured for instances, but ...
> 
> (2) It wouldn't be a good idea. Recursive servers keep a lot of
> infrastructure cache with the zone data. This grows with DNSSEC. Lame
> paths (broken DSKEY chains) and slow responding NS with mirrors are
> cached. The memory can be controlled, but at the cost of performance,
> so you want one big one with all the cache, and ...
> 
> (3) There is no need. Unbound 1.6.0 has "views:" which means from a
> zone or IP range, you can restrict what is seen. Two obvious uses:
> -- CoffeeShop/Guest WiFi. Guests cannot DNS each other or the coffee
> shop equipment. Firewall prevents access, but why let them enumerate
> it?
> view: -> (Guest 172.16.20.0/24) -> drop all queries for domain
> "joes-coffee.example.com"
> view: -> (CoffeeShop 172.16.10.0/24) -> DHCP-DNS domain
> "joes-coffee.example.com" and adblock everything so employees don't
> do whatever
> 

Ah! Cool!  I like that solution better anyway!  Probably takes more
code to achieve which is why it's not in dnsmasq...

Is that in the UCI yet, or is that 'it'd be nice, but need
time/resources?'

Regards,

Daniel
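
The guest/shop split described in the quoted message, written out as an unbound.conf fragment. This is an added example, not part of the original thread and not LEDE's UCI-generated configuration; the view names, the host `till`, the ad domain and the reverse-zone entry are constructed assumptions.

```conf
# Constructed unbound.conf fragment for Unbound >= 1.6.0 (views).
# View names, hosts and the ad domain are illustrative assumptions.
server:
    interface: 0.0.0.0
    # Both networks may query the resolver at all.
    access-control: 172.16.10.0/24 allow
    access-control: 172.16.20.0/24 allow
    # Select a view by the client's source netblock.
    access-control-view: 172.16.10.0/24 shop
    access-control-view: 172.16.20.0/24 guest

# Guest WiFi: no visibility of the shop's internal names.
view:
    name: "guest"
    # "deny" drops the query without sending any answer.
    local-zone: "joes-coffee.example.com." deny
    # Assumption: also drop reverse lookups for the shop range, so the
    # names cannot be enumerated through PTR queries instead.
    local-zone: "10.16.172.in-addr.arpa." deny
    # Do not consult the global local-zone/local-data for guest clients.
    view-first: no

# Shop network: internal names resolve, ad domains are refused.
view:
    name: "shop"
    # "static" answers only from the local-data below, NXDOMAIN otherwise.
    local-zone: "joes-coffee.example.com." static
    local-data: "till.joes-coffee.example.com. IN A 172.16.10.5"
    local-data-ptr: "172.16.10.5 till.joes-coffee.example.com."
    # One constructed adblock entry; a real list has one line per domain.
    local-zone: "ads.example.net." refuse
    # Fall back to the global local-zone/local-data when nothing here matches.
    view-first: yes
```

Running `unbound-checkconf` on the file checks the syntax before the resolver is restarted.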


