OS Builder/Add OpenDNS Configuration: Difference between revisions

From OLPC
No edit summary
 
(6 intermediate revisions by 2 users not shown)
Line 7: Line 7:
* Your school servers (if any) must have a common "base" to their FQDN.
* Your school servers (if any) must have a common "base" to their FQDN.


Steps
'''Steps:'''

* Create your OpenDNS account
* Configure your public DNS server
* Customize the script to your server and "base domain name"
* Create the OS image with the script


== Create your OpenDNS account ==
== Create your OpenDNS account ==
Line 57: Line 52:
fi
fi


If you do not have local School Servers, it is still recommended that you define a "base" domain name and configure it. This allows you to deploy School Servers later if desired.


== Create the OS image ==
== Create the OS image ==
Line 63: Line 59:


[custom_scripts]
[custom_scripts]
custom_scripts1=/home/xobuilds/scripts/install-001-nameserver-override
custom_scripts1=/home/xobuilds/scripts/install-000-override-nameserver


And now create that installer script, which should look like:
And now create that installer script, which should look like:
Line 70: Line 66:
set -e
set -e
cat > "$INSTALLROOT/etc/NetworkManager/dispatcher.d/001-nameserver-override" <<'EOF'
cat > "$INSTALL_ROOT/etc/NetworkManager/dispatcher.d/000-override-nameserver" <<'EOF'
{ Here, place the content of the 001-nameserver-override script,
{ Here, place the content of the 001-nameserver-override script,
edited to have the correct configuration for your deployment. }
edited to have the correct configuration for your deployment. }
EOF
EOF
chmod 755 "$INSTALLROOT/etc/NetworkManager/dispatcher.d/001-nameserver-override"
chmod 755 "$INSTALL_ROOT/etc/NetworkManager/dispatcher.d/000-override-override"


=Alternative: Use OpenDNS "Nomad" service=
=Notes=


See [http://opendns.org/nomad/ OpenDNS Nomad]. This can potentially save you from the hassle of running your own forwarding DNS servers. Using the Nomad service requires
The configuration hereuses


* prior arrangement with OpenDNS
=Alternative: Use OpenDNS "Nomad" service=
* good local connectivity to the OpenDNS servers
* installing and configuring the client software


This alternative involves more work and will probably be significantly slower for deployments outside USA.
See [http://opendns.org/nomad/]. Using the Nomad service requires an arrangement with OpenDNS, and installing the client software.
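Review bot: the `chmod 755` line that uses `$INSTALL_ROOT` targets `dispatcher.d/000-override-override`, while the matching `cat >` line writes `dispatcher.d/000-override-nameserver`. With `set -e` in effect the installer stops on the missing file and the dispatcher script is never made executable, so the chmod path should end in `000-override-nameserver`. The heredoc placeholder text also still names the `001-nameserver-override` script on both sides and should be updated to the new file name.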

Latest revision as of 22:40, 3 October 2011

Using OS Builder, you can install a script on the XO that will force DNS resolution through a DNS server that blocks servers with inappropriate content when users are connected via a conventional ISP outside of school. This complements a filtering solution applied on the School Server.

This has some pre-requisites:

  • You must have one or two DNS servers with public IP addresses.
  • Local ISPs must not block DNS traffic to other servers. In other words, they must allow connected clients to use an alternative DNS service.
  • Your school servers (if any) must have a common "base" to their FQDN.

Steps:

Create your OpenDNS account

If you have not done so yet, create your OpenDNS account!

Configure your public DNS server

  • Install one or more DNS servers with a public IP address. Make sure you can use that IP address for a long time -- if you later need to change the IP address of the DNS server it will be a major problem.
  • Configure the DNS service (for example, BIND) to only be a "forwarder" -- serving no names of its own, only forwarding to the OpenDNS servers.
  • Configure your OpenDNS account to associate the IP address of your DNS server to your account, so that any custom filtering options are applied to your traffic.
  • Test that custom filtering options are working (for example, by temporarily blacklisting a given domain name for the test).

Customize script

Overview: The script gets called when Network Manager establishes a connection. It must determine whether we are in the school network (controlled by the XS) or not. If we are not in the school network, then it must force-apply the DNS server configuration, overwriting the configuration from NM (which in turn is usually obtained via DHCP).

The script must be stored at /etc/NetworkManager/dispatcher.d/000-override-nameserver, and be executable.

#!/bin/sh
# Copyright (C) 2010 One Laptop Per Child Association, Inc.
# Licensed under the terms of the GNU GPL v2 or later; see COPYING for details.
# Written by Martin Langhoff <martin@laptop.org>

# REPLACE with the base domain for your servers
basedomain="xs\.base\.domain\.tld"

# REPLACE with IP addresses of your DNS servers
PRIMARYDNS="208.67.222.222"
SECONDARYDNS="208.67.220.220" 

if="$1"
updown="$2"

if [ "$updown" = "up" ]; then
    # Not to be confused with iparatodos as the ISP
    if ! grep -q "^search [0-9]*\.$basedomain" /etc/resolv.conf; then
        # replace resolv.conf
        echo "# Overwritten by 000-override-nameserver" > /etc/resolv.conf
        echo nameserver $PRIMARYDNS   >> /etc/resolv.conf
        echo nameserver $SECONDARYDNS >> /etc/resolv.conf  
    fi
fi

If you do not have local School Servers, it is still recommended that you define a "base" domain name and configure it. This allows you to deploy School Servers later if desired.
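The decision described in the overview can be exercised without touching the real /etc/resolv.conf. The following is an added example, not the OLPC script: the function names and the file-path parameter are assumptions, the sample resolv.conf files are constructed, and the pattern is additionally anchored at the end of the name so that a search domain which only begins with the base domain is not treated as the school network.

```shell
#!/bin/sh
# Added example: the dispatcher's decision logic as testable functions.
# Function names and the file-path parameter are illustrative assumptions.

basedomain='xs\.base\.domain\.tld'   # same placeholder as the page's script
PRIMARYDNS="208.67.222.222"
SECONDARYDNS="208.67.220.220"

# Succeeds when the search line names a school server under $basedomain.
# The name must end at a space or end of line (stricter than the page's pattern).
in_school_network() {
    grep -Eq "^search [0-9]*\.$basedomain( |\$)" "$1"
}

# Rewrites the given resolv.conf unless it belongs to the school network.
# Writes a temporary file and renames it, so no reader sees a partial file.
# Prints "kept" or "overwritten".
override_nameserver() {
    resolv="$1"
    if in_school_network "$resolv"; then
        echo kept
        return 0
    fi
    tmp="$resolv.tmp.$$"
    {
        echo "# Overwritten by 000-override-nameserver"
        echo "nameserver $PRIMARYDNS"
        echo "nameserver $SECONDARYDNS"
    } > "$tmp"
    mv "$tmp" "$resolv"
    echo overwritten
}

# Constructed sample inputs: a school network, an ISP, and a look-alike domain.
demo() {
    dir=$(mktemp -d)
    printf 'search 12.xs.base.domain.tld\nnameserver 172.18.0.1\n' > "$dir/school"
    printf 'search isp.example\nnameserver 192.0.2.53\n' > "$dir/isp"
    printf 'search 12.xs.base.domain.tld.example\nnameserver 192.0.2.53\n' > "$dir/lookalike"
    for f in school isp lookalike; do
        echo "$f: $(override_nameserver "$dir/$f")"
    done
    rm -rf "$dir"
}
demo
```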

Create the OS image

Use OS Builder's "custom_scripts" to install the above script into your OS image. In your olpc-os-builder configuration file, add a "custom_scripts" section, or add to the existing one:

[custom_scripts]
custom_scripts1=/home/xobuilds/scripts/install-000-override-nameserver

And now create that installer script, which should look like:

#!/bin/sh
set -e

cat > "$INSTALL_ROOT/etc/NetworkManager/dispatcher.d/000-override-nameserver" <<'EOF'
{ Here, place the content of the 000-override-nameserver script,
  edited to have the correct configuration for your deployment.  }

EOF
chmod 755 "$INSTALL_ROOT/etc/NetworkManager/dispatcher.d/000-override-nameserver"

Alternative: Use OpenDNS "Nomad" service

See OpenDNS Nomad. This can potentially save you from the hassle of running your own forwarding DNS servers. Using the Nomad service requires

  • prior arrangement with OpenDNS
  • good local connectivity to the OpenDNS servers
  • installing and configuring the client software

This alternative involves more work and will probably be significantly slower for deployments outside the USA.