Re: [LEDE-DEV] s/dnsmasq/unbound+odhcpd/
On Thu, 19 Jan 2017 21:34:45 +0100 Dan Lüdtke wrote: > Hi everyone, > > i built LEDE without dnsmasq but with odhcp instead. Mainly out of > curiosity and to test a recent PR by Eric Luehrsen regarding > unbound+odhcp. Sound interesting. Can it do multiple instances? > > C) How easy it is to determine if dnsmasq and/or odhcp are installed? > I like to make the GUI capable of configuring odhcpd, too. Some > functions do work already, but that is due to the fact that ODHCPD > reads some of dnsmasq/luci variables fine. Some not (ignored) and > some are missing. --> https://github.com/sbyx/odhcpd > Can you look at https://github.com/openwrt/luci/pull/964 and see if it fits this part of your needs? (I had simply not pushed it out yet, it's well tested). Regards, Daniel ___ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev
Re: [LEDE-DEV] s/dnsmasq/unbound+odhcpd/
>>>Sound interesting. Can it do multiple instances? (1) The UCI scripts are not configured for instances, but ... (2) It wouldn't be a good idea. Recursive servers keep a lot of infrastructure cache with the zone data. This grows with DNSSEC. Lame paths (broken DSKEY chains) and slow responding NS with mirrors are cached. The memory can be controlled, but at the cost of performance, so you want one big one with all the cache, and ... (3) There is no need. Unbound 1.6.0 has "views:" which means from a zone or IP range, you can restrict what is seen. Two obvious uses: -- CoffeeShop/Guest WiFi. Guests cannot DNS each other or the coffee shop equipment. Firewall prevents access, but why let them enumerate it. view: -> (Guest 172.16.20.0/24) -> drop all queries for domain "joes-coffee.example.com" view: -> (CoffeeShop172.16.10.0/24) -> DHCP-DNS domain "joes-coffee.example.com" and adblock everything so employees don't do whatever -- Home/ChildProof WiFi. view: -> (ChildProof 172.16.20.0/24) -> big list of "kittens.jpeg" zones loaded by adblocker package. view: -> (Home 172.16.10.0/24) -> normal and mom and dad can do what they want. ERIC ___ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev
Re: [LEDE-DEV] s/dnsmasq/unbound+odhcpd/
On Sat, 21 Jan 2017 03:06:36 + Eric Luehrsen wrote: > >>>Sound interesting. Can it do multiple instances? > > (1) The UCI scripts are not configured for instances, but ... > > (2) It wouldn't be a good idea. Recursive servers keep a lot of > infrastructure cache with the zone data. This grows with DNSSEC. Lame > paths (broken DSKEY chains) and slow responding NS with mirrors are > cached. The memory can be controlled, but at the cost of performance, > so you want one big one with all the cache, and ... > > (3) There is no need. Unbound 1.6.0 has "views:" which means from a > zone or IP range, you can restrict what is seen. Two obvious uses: -- > CoffeeShop/Guest WiFi. Guests cannot DNS each other or the coffee > shop equipment. Firewall prevents access, but why let them enumerate > it. view: -> (Guest 172.16.20.0/24) -> drop all queries for domain > "joes-coffee.example.com" view: -> (CoffeeShop172.16.10.0/24) -> > DHCP-DNS domain "joes-coffee.example.com" and adblock everything so > employees don't do whatever > Ah! Cool! I like that solution better anyway! Probably takes more code to achieve which is why it's not in dnsmasq... Is that in the UCI yet, or is that 'it'd be nice, but need time/resources?' Regards, Daniel ___ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev
Re: [LEDE-DEV] s/dnsmasq/unbound+odhcpd/
Its more of having time to gather common wants and establish sane limits on the scope. Stuff like this can get out of control in feature creep. Good structure is necessary for future maintenance and LuCI. Also its a new feature in 1.6.0 and I want to test it manually first and have yay/nay reports from others. - Eric ___ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev
