Further problems with systemd-resolved on xubuntu 17.04
Chris Green
cl at isbd.net
Wed Jun 7 11:42:23 UTC 2017
On Wed, Jun 07, 2017 at 01:17:15PM +0200, Xen wrote:
> Chris Green wrote on 07-06-2017 13:09:
> > >
> > > I don't know why you would have a fallback DNS in any case.
> > >
> > > You could remove it?
> > >
> > Yes, I could, but guest users on my network can't access the local DNS
> > server (they only have access to the outside world) but they *do* get
> > DHCP services from the local server (an oddity of the firewall). Thus
> > they need a fallback DNS that will work for them, that's why I added
> > it.
>
> You don't have to share this info of course,
>
> but you could create a firewall rule.... I know, I am suggesting things you
> don't want.
>
> Since your guest wifi ssid is on a different subnet you could disallow input
> from that subnet to the local dns server.
>
> Routing does not work using the input chain. Your router could be hidden
> from the guest network /while routing it/, i.e. they could not portscan it or
> get any kind of contact with it other than routing.
>
> At least this works if the wifi access point is the primary router for the
> guest subnet and forwards the traffic to the real router.
>
> The guests then are able to access the access point itself, but the router
> further ahead, including the entire subnet it is part of, is going to be
> invisible.
>
> Anyway, that is probably not what you want.
>
> Good luck battling that thing.
>
Yes, it is all rather messy at the moment and I'd really prefer to
make it simpler. Complex security is a bad thing.
If I can simply make guests 'see' *only* the outside world then they
won't get local DHCP (or DNS) and all will be well.
--
Chris Green