2011-06-26 - Re: [GRASE-Hotspot] DNS fix proposal

Header Data

From: Timothy White <ti***8@gmail.com>
Message Hash: abedb9da901ead89dd1334751bd2fef7271ae8c1a692dae16a1bb6d6c94aaaef
Message ID: <BANLkTi=c3JvBa-azJKe0K-iELj8Og_4O0Q@mail.gmail.com>
Reply To: <BANLkTinUH=1p-hq2cKU5SYCUF=quwZ6QAQ@mail.gmail.com>
UTC Datetime: 2011-06-26 04:45:48 UTC
Raw Date: Sun, 26 Jun 2011 21:45:48 +1000

Raw message

Following up more on this. I'm probably going to implement an
interface to the blacklists maintained at
http://cri.univ-tlse1.fr/blacklists/index_en.php (and any others
people nominate) to allow us to use both dnsmasq as a dns blacklister,
and squidguard as a url blacklister.

Suggestions are welcome for more blacklists and filtering ideas. (i.e.
I'm even thinking of writing a custom squid redirector that looks up
domains on a variety of "dns blacklists" that aren't strictly designed
for blacklisting.)


On Sun, Jun 26, 2011 at 8:18 PM, Timothy White <ti***8@gmail.com> wrote:
> I've realised that a component I took out of the hotspot system before
> releasing it to the public last year, probably needs to be added back
> in.
> Simply, dnsmasq.
> Currently the coovachilli config file gives out two IPs for DNS, one is
> an OpenDNS one, and the other is which will time out if the
> server doesn't have a DNS server as well. I don't want to go back to
> OpenDNS (as I don't agree with their idea of redirecting NX to their
> search page).
> What I am going to do is have both DNS IPs (because coovachilli
> needs 2) to point to and depend on dnsmasq. Through a simple
> script we can allow the admin to change which dns servers dnsmasq
> looks at by writing a file to /etc/dnsmasq.d/ with the server=x.y.z.a
> lines as required.
> The default options that I'll install with grase-www-portal will include:
> * strict-order so that the computers default dns (as in
> /etc/resolv.conf) will be tried first
> * server=opendnsipaddress
> * server=googlednsipaddress
> * bogus-nxdomain=x.y.z
> What this will do is allow us to try the users default dns server
> first (needed, for example, here on an iinet connection to ensure freezone
> traffic is actually free). Failing that we can try OpenDNS and Google
> DNS without them redirecting NX to their search page (the
> bogus-nxdomain stuff). What it'll also allow us to do, is have the
> hotspot write another file that will be loaded before the defaults, so
> that the admin can override the options with their own server= lines
> (i.e. OpenDNS Family Filter) and with no-resolv to not use the default
> DNS provided by the system.
> The only issue I can see currently is if the admin wants to run
> another DNS server on the machine as well. We can tell dnsmasq to only
> bind to the coova chilli interfaces, however I'm inclined to add that
> option commented out and leave it to the system admin to uncomment it
> if they wish to run another DNS server as well.
> Any thoughts on all of this? Using dnsmasq may also open up the door
> for Layer 3 coovachilli, however until such a time that I need Layer 3
> coova chilli, I'm probably not going to work on it.
> All thoughts are welcomed. If people object to using OpenDNS or Google
> DNS as fallbacks, please speak up.
> Tim
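
The admin-facing script the quoted message sketches (write a file into /etc/dnsmasq.d/ with server= lines, optionally with no-resolv) could look like the following. This is an added example, not GRASE Hotspot code: the fragment file name, the directory, the -n switch and the test addresses are all assumptions. The one point it adds beyond the message is input validation: whatever the admin types ends up in a dnsmasq config file, so the helper accepts only literal IPv4 addresses and refuses anything else (hostnames, IPv6, or a string carrying a newline and a second directive) before it touches the output file.

```shell
#!/bin/sh
# Added example, not GRASE Hotspot code: write the dnsmasq upstream fragment
# described in the thread. File layout, switch name and addresses are assumed.

# is_ipv4 ADDR: accept only a dotted quad with octets 0-255. Anything else,
# including a value that smuggles a newline and another dnsmasq directive,
# is rejected so the generated file contains nothing but server= lines.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|''|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# write_upstreams OUTFILE [-n] SERVER...: write one server= line per address.
# -n adds no-resolv so the system's /etc/resolv.conf servers are skipped,
# as the message describes for the admin override file. All addresses are
# checked before the output file is created, so a bad entry leaves the
# existing configuration untouched.
write_upstreams() {
    out=$1; shift
    no_resolv=0
    if [ "$1" = "-n" ]; then no_resolv=1; shift; fi
    [ $# -gt 0 ] || { echo "no upstream servers given" >&2; return 1; }
    for s in "$@"; do
        is_ipv4 "$s" || { echo "rejected upstream address: $s" >&2; return 1; }
    done
    {
        echo "# upstream DNS servers chosen by the hotspot admin"
        [ "$no_resolv" -eq 1 ] && echo "no-resolv"
        for s in "$@"; do echo "server=$s"; done
    } > "$out"
}

# Usage (assumed file name; 192.0.2.53 is a documentation address, not a
# real resolver):
#   write_upstreams /etc/dnsmasq.d/10-hotspot-admin.conf -n 192.0.2.53
```

After writing the fragment, dnsmasq still has to be restarted or reloaded for it to take effect; the script deliberately leaves that to the caller so it can be run on a non-root test box.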
