On 2012-10-04 at 14:26 -0400, John Stoffel wrote:

> But I *hated* how DNS for internal hosts was handled.
>
> So I've been looking at OpenWRT, but it too is so badly organized that
> it's hard to find out which version is supported (or even just
> available!) for which hardware and what the gotchas are. We all do
> stuff like this for a living, but there are times when I do want to
> have something simpler to set up and which won't impact my family when
> I'm screwing around. Work writ small, I guess. I can burn my own
> house down and fix it, but when I burn down the house while the wife
> is working on her stuff, it's a five-alarm blaze!

This is much the situation I was in, which was part of why I was just sticking to an Apple AirPort Extreme router: it "just worked" for what it did, it _was_ manageable and the temptation to tinker was removed, so I could get on with other stuff. Much like why I use a MacBook: audio and graphics that "just work" so I don't have to spend a day on basic setup for the 20th time, then forevermore fight competing audio layers.

Sometimes, a dedicated appliance is better than a generic server, even if the latter can be cheaper. See NFS servers, routers, spam-filterers, ...; and then you hit the limitations of the appliance and the pendulum swings back towards generic boxes. Which keeps this nicely on-topic for the list: make sure you know when to use appliances, when not to, and that you maintain the skill-set in house to be _able_ to move off the appliances when the situation warrants it.

In this case, I looked at the CeroWrt project as my first choice, looked at the two supported routers, chose the one with more RAM as future-proofing and bought it. Hit snags with that project, switched to OpenWrt. I avoided the current beta, went with the stable release: I know it will be replaced soon, but since I expected to mess something up badly, I proceeded on a game plan of "read my install notes from the first time, simplify, reduce, replay the commands still needed". It's worked well, and I broke far less than I was expecting. ;)

Their main website is currently broken and it was hard to find the right section of the wiki when it wasn't, but once I did, things got simpler. You want to look at:

  http://wiki.openwrt.org/toh/netgear/wndr3700

The internal DNS provided by dnsmasq was annoying, but I recommend just installing Unbound anyway: it's the resolver I use on my *nix boxen, it does DNSSEC validation, it's sane. So, consistent configuration across the machines and a mature tool.

I do insist on doing DNS on the gateway box for home, since otherwise your DNS-over-IPv4 requests get NATted and that often leads to _losing_ the source port entropy which the servers have worked so hard to add, to fight the Kaminsky attack. So, if you have a _good_ recursive resolver on the gateway box, you get far better security than running a validating recursive resolver on the client host. Since I have 89MB free of 128MB RAM, you should be able to still do this on the smaller model.

Plus, Unbound is easier than BIND when you want to lie about DNS, so as long as you set up a key for unbound-control, you can redirect non-DNSSEC sites on the fly.

Oh, other bonus to switching: no longer tied to Apple's philosophical positions; UPnP may suck and be a hideous security hole in many old firmwares, but it's what some clients use and not all of them can be updated to use NAT-PMP instead. So I get to lower my network security and increase inter-op (running both NAT-PMP and UPnP), letting more non-Apple devices and apps "just work".

Ultimately, the network is there to support the applications, and the security policy needs to _support_ "getting things done" by making sure only the wanted stuff gets done, not contradict getting things done.

-Phil

_______________________________________________
Tech mailing list
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
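The gateway-resolver setup Phil describes, as an added example that is not his configuration and not from the OpenWrt or Unbound projects: an unbound.conf for an OpenWrt router that validates DNSSEC, answers only the LAN, keeps source-port randomisation wide, enables unbound-control, and carries one static redirect for an unsigned name. Everything concrete here is an assumption for illustration: the LAN being 192.168.1.0/24 with the router at 192.168.1.1, dnsmasq having been told to stop serving DNS (option port '0' in its /etc/config/dhcp section, so it keeps doing DHCP while Unbound takes port 53), the file paths, and the placeholder name example.test and address 192.0.2.10.

```conf
# Added example, not from the original post: /etc/unbound/unbound.conf
# for an OpenWrt gateway. Assumed: LAN 192.168.1.0/24, router 192.168.1.1,
# dnsmasq no longer listening on 53, example.test / 192.0.2.10 placeholders.
server:
    interface: 127.0.0.1
    interface: 192.168.1.1          # LAN-side address only, never the WAN
    port: 53
    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes

    # Answer the LAN and the box itself; refuse everyone else. An open
    # recursive resolver on the WAN side is an amplification source.
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse

    # DNSSEC validation. root.key is seeded once (unbound-anchor) and then
    # kept current by Unbound itself via RFC 5011 rollover tracking.
    auto-trust-anchor-file: "/etc/unbound/root.key"
    val-permissive-mode: no         # bogus data is SERVFAILed, not served
    harden-dnssec-stripped: yes
    harden-glue: yes
    harden-referral-path: yes

    # Kaminsky defence: Unbound already randomises the source port of every
    # outgoing query; keep the usable range wide and unprivileged. This
    # entropy survives only if no NAT upstream rewrites the ports, which is
    # the point of running the resolver on the gateway rather than a client.
    outgoing-range: 256
    outgoing-port-permit: 1024-65535
    outgoing-port-avoid: 0-1023

    # Sizing for a 128MB router; raise if memory allows.
    num-threads: 1
    msg-cache-size: 4m
    rrset-cache-size: 8m

    hide-identity: yes
    hide-version: yes

    # A static "lie": redirect answers this name and everything below it
    # from local-data. A validating client would reject this for a signed
    # zone, so the trick is only useful for domains without DNSSEC.
    local-zone: "example.test." redirect
    local-data: "example.test. A 192.0.2.10"

# unbound-control needs a key pair; create it once with
#   unbound-control-setup -d /etc/unbound
remote-control:
    control-enable: yes
    control-interface: 127.0.0.1    # control port stays off the LAN
    control-port: 8953
    server-key-file: "/etc/unbound/unbound_server.key"
    server-cert-file: "/etc/unbound/unbound_server.pem"
    control-key-file: "/etc/unbound/unbound_control.key"
    control-cert-file: "/etc/unbound/unbound_control.pem"
```

With the control key in place, an on-the-fly redirect is two commands and needs no restart: `unbound-control local_zone badsite.test redirect` followed by `unbound-control local_data "badsite.test. A 192.0.2.10"` (badsite.test is another placeholder); undo it with `unbound-control local_zone_remove badsite.test` and `unbound-control flush_zone badsite.test`. Before trusting the setup, check `unbound-checkconf`, then confirm validation actually happens with `unbound-host -v` against a signed name (it prints "(secure)") and with `dig +dnssec` from a LAN client, where the `ad` flag should be set; if the `ad` flag is missing, the client is usually not talking to the gateway resolver at all.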
