Recommended DNSMasq settings

DD-WRT Forum > Broadcom SoC based Hardware (page 1 of 2)
fizikz (DD-WRT User, joined 10 Nov 2016, 219 posts)
Posted: Thu Jan 25, 2018 17:58    Subject: Recommended DNSMasq settings
I set up a Netgear R7000 router with r33675M kognac and decided to try DNSMasq. I started noticing some problems:

In Syslog, I see many "possible DNS-rebind attack detected" warnings.

Also, a specific site ( http://dns-record-viewer.online-domain-tools.com/ ) sometimes failed to resolve, with NXDomain error, until I changed the DNSCrypt Resolver server (which is recommended?) or turned off DNSMasq.

Currently I have the following (arbitrary) settings:


Enabled: DNSMasq
Enabled: Encrypt DNS
Enabled: Cache DNSSEC data
Enabled: Validate DNS Replies (DNSSEC)
Disabled: Check unsigned DNS replies
Enabled: Local DNS
Enabled: No DNS Rebind
Enabled: Query DNS in Strict Order
Disabled: Add Requestor MAC to DNS Query

Suggestions?
fizikz (DD-WRT User, joined 10 Nov 2016, 219 posts)
Posted: Thu Jan 25, 2018 20:18
Quote:
dnssec is only to be used in conjunction with dhcp, if you need to update host names on dhcp lease change. it's not for WAN dns servers/forwarders.

Sorry, not sure what is meant by this.


Quote:
it may also be the browser at fault, if it hasn't been updated in ages.

I'm using Chromium Version 63.0.3239.132, but there are several users so I can't be sure who the router's syslog warnings are referring to.


Quote:
the default settings are fine: in setup > basic, if dhcp is enabled, tick the options 'use dnsmasq for dhcp', 'use dnsmasq for dns', 'dhcp-authoritative'.

Thanks, dhcp is enabled and those are the settings I'm using.

Quote:
in the services > dnsmasq page select enable, disable, disable, enable, enable, disable.

Could you specify the options you're referring to? You mention a sequence of 6, but there are 9 toggles.

In Services > DHCP Server, I did list some static leases, but didn't touch other options such as "Used Domain" (WAN), "LAN Domain", etc as I don't know what they mean.
fizikz (DD-WRT User, joined 10 Nov 2016, 219 posts)
Posted: Thu Jan 25, 2018 22:16
I doubt it's running out of DHCP leases, since I have just 10-15 devices and about half of them are static.

I'm not (currently) using Google's DNS. Right now it's set to my ISP's DNS servers (2), and another one, which I selected based on Steve Gibson's DNS benchmark tool. Aside, I used to use OpenDNS, but it seems some people take issue with it.

The dns rebind attack warnings are especially plentiful for youtube and google ad services. I don't know anything about this, but most of what's listed seems harmless.

What is a LAN domain for? I don't currently have it configured. The 9 options are listed in my first post. Also, see the image below just so we're on the same page:

mwchang (DD-WRT Guru, joined 26 Mar 2013, 1001 posts, Hung Hom, Hong Kong)
Posted: Fri Jan 26, 2018 16:26

Throwing in my settings!


[attached image: dd-wrt.dnsmasq.jpg, "RT-N18U DD-WRT DNSmasq settings"]
fizikz (DD-WRT User, joined 10 Nov 2016, 219 posts)
Posted: Sat Jan 27, 2018 1:03
I think I found the issue: enabling/disabling "Encrypt DNS" reproducibly creates/solves both issues of
1) the syslog entries for DNS rebind attacks, and
2) the random pages not loading.

The specific webpages that have problems depend on which DNS Crypt Resolver server is selected.

DNSSEC validation and DNS encryption seem like important settings. I haven't noticed issues with DNSSEC validation so far. But using DNS encryption seems to my mind like jumping from the frying pan (possible snooping of unencrypted DNS traffic) into the fire (directing DNS traffic to a centralized server run by.. who?). Thoughts?

Thanks @mwchang for posting your settings. Care to explain why you chose them and the additional options?

@rizla7, you seem to know a lot about this topic, unfortunately I don't understand half of your insights. Where in the wiki can I read the basics?
smhawkes (DD-WRT Novice, joined 21 Mar 2008, 4 posts)
Posted: Sat Jan 27, 2018 16:23
rizla7 wrote:
dnssec is only to be used in conjunction with dhcp, if you need to update host names on dhcp lease change. it's not for WAN dns servers/forwarders.


I'm not sure you know what dnssec is used for.

"DNSSEC creates a secure domain name system by adding cryptographic signatures to existing DNS records. These digital signatures are stored in DNS name servers alongside common record types like A, AAAA, MX, CNAME, etc. By checking its associated signature, you can verify that a requested DNS record comes from its authoritative name server and wasn’t altered en-route, opposed to a fake record injected in a man-in-the-middle attack."
fizikz (DD-WRT User, joined 10 Nov 2016, 219 posts)
Posted: Sat Jan 27, 2018 19:16
@rizla7 so is the takeaway that DNSCrypt and DNSSEC are largely handled by ISPs and not for the end user to worry about? Why are they included in dd-wrt?

Many articles on DNSCrypt are aimed at end users with instructions on configuring it on personal computers, not even the router.

Why trust an ISP if the router can be used to encrypt/validate DNS information?
mrjcd (DD-WRT Guru, joined 31 Jan 2015, 5819 posts, Texas)
Posted: Sat Jan 27, 2018 20:25
If you want to use DNScrypt turn it on and use it.
If you also want to use DNSSEC turn it on and use it. You must choose a DNSCrypt resolver that also does DNSSEC for both to work together.
AFAIK all DNSCrypt DOwn resolvers also do DNSSEC. ... probably several others I haven't checked.
And the guy in Canada ( https://dnscrypt.ca/ ) runs dnscrypt.ca-1, dnscrypt.ca-2, dnscrypt.ca-3; all do DNSSEC and they are damn good also.
If using the dd-wrt built-in DNSCrypt you may need a recent build to see some of these I mentioned.

Strange DNS rebind attacks -->
I'm not going to beat up on these guys but 'CS Dallas Texas US DNSCrypt resolver' (it's in the list) is actually very close to me, but I will get DNSRebind attack mess in the log within minutes of turning them on. Tried them several times and always the same -- good resolvers but something with them does not jive with my network at all. Made a post about it in the other forums several months back.... oh, and they do not do DNSSEC iffin you was wondering.
FWIW, that is the only time I get notices of possible DNS Rebind attacks in the log --- well, unless I'm goofin around with something my own self.

very good -- carry on
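The "possible DNS-rebind attack detected" warnings from the first post, and the resolver-dependent ones mrjcd describes above, come from dnsmasq's stop-dns-rebind check (the "No DNS Rebind" toggle in Services > DNSMasq): an upstream answer that maps a name to a private, loopback or link-local address is dropped and logged. The block below is an added example written for this page, not code from dnsmasq or from any poster. It models that check the way the dnsmasq manual describes it (the exact address ranges, and the rebind-domain-ok / rebind-localhost-ok semantics, are assumptions modelled on the manual text rather than copied from dnsmasq's source) and parses constructed syslog lines so you can see which names keep getting flagged before deciding whether to exempt any of them.

```python
import ipaddress
import re
from collections import Counter

# Ranges that dnsmasq's --stop-dns-rebind rejects in upstream answers, per its
# manual: IPv4 private ranges, loopback and link-local; for IPv6 the IPv4-mapped
# forms of those plus link-local and ULA. ASSUMPTION: list modelled on the man
# page description, not taken from dnsmasq's source.
REBIND_BLOCKED_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
)]
LOOPBACK_V4 = ipaddress.ip_network("127.0.0.0/8")
REBIND_BLOCKED_V6 = [ipaddress.ip_network(n) for n in ("fe80::/10", "fc00::/7")]
LOOPBACK_V6 = ipaddress.ip_network("::1/128")


def is_private_for_rebind(addr: str, localhost_ok: bool = False) -> bool:
    """True if an answer containing this address would trip the rebind check.
    localhost_ok mirrors --rebind-localhost-ok (127.0.0.0/8 and ::1 allowed)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped              # ::ffff:192.168.1.1 is judged as IPv4
    if ip.version == 4:
        if ip in LOOPBACK_V4:
            return not localhost_ok
        return any(ip in net for net in REBIND_BLOCKED_V4)
    if ip in LOOPBACK_V6:
        return not localhost_ok
    return any(ip in net for net in REBIND_BLOCKED_V6)


def domain_allowed(qname: str, ok_domains) -> bool:
    """--rebind-domain-ok=/example.com/ exempts example.com and its subdomains."""
    q = qname.rstrip(".").lower()
    for d in ok_domains:
        d = d.strip("/").lower()
        if q == d or q.endswith("." + d):
            return True
    return False


def would_flag_rebind(qname, answers, ok_domains=(), localhost_ok=False):
    """Return the answer addresses the rebind check would reject for this query."""
    if domain_allowed(qname, ok_domains):
        return []
    return [a for a in answers if is_private_for_rebind(a, localhost_ok)]


LOG_RE = re.compile(r"possible DNS-rebind attack detected: (\S+)")


def parse_rebind_log(lines):
    """Count the names behind 'possible DNS-rebind attack detected' syslog lines."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            hits[m.group(1).rstrip(".").lower()] += 1
    return hits


def suggest_rebind_domain_ok(hits, min_hits=1):
    """Build a rebind-domain-ok line for names seen at least min_hits times.
    Only paste it into Additional DNSMasq Options after checking that each
    name legitimately lives in private address space (e.g. an intranet host)."""
    names = sorted(n for n, c in hits.items() if c >= min_hits)
    if not names:
        return ""
    return "rebind-domain-ok=/" + "/".join(names) + "/"


# CONSTRUCTED sample syslog lines in DD-WRT's usual layout; not taken from the thread.
SAMPLE_SYSLOG = """\
Jan 25 17:40:01 DD-WRT daemon.warn dnsmasq[1234]: possible DNS-rebind attack detected: intranet.example.lan
Jan 25 17:40:02 DD-WRT daemon.warn dnsmasq[1234]: possible DNS-rebind attack detected: ads.example.net
Jan 25 17:40:09 DD-WRT daemon.warn dnsmasq[1234]: possible DNS-rebind attack detected: intranet.example.lan
Jan 25 17:41:00 DD-WRT daemon.info dnsmasq[1234]: reply www.example.com is 93.184.216.34
""".splitlines()

if __name__ == "__main__":
    hits = parse_rebind_log(SAMPLE_SYSLOG)
    print(hits)
    print(suggest_rebind_domain_ok(hits, min_hits=2))
    print(would_flag_rebind("evil.example.net", ["192.168.1.1", "93.184.216.34"]))
```

A resolver that blocks ad domains by answering 0.0.0.0 or 127.0.0.1 trips this check on every ad lookup, which matches the YouTube and Google ad pattern reported earlier in the thread; in that case switching resolver, as the thread ended up doing, is the fix, and the public names should not be added to rebind-domain-ok. The exemption is for your own names that really resolve to RFC1918 space.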
fizikz (DD-WRT User, joined 10 Nov 2016, 219 posts)
Posted: Sat Jan 27, 2018 23:30

@mrjcd Yes! The DNS rebind attack log entries you described are what I had with DNSCrypt enabled with some resolvers/servers. And if some resolvers also do DNSSEC, that might also explain why some pages were unreachable.

So this illustrates a concern with using DNSCrypt: the resolver becomes a single point of failure which can disable the user's internet connection. For this reason https://dnscrypt.ca/ recommends using more than one resolver, but I don't see that option in ddwrt.

As a side note, even when I disabled DNSCrypt in ddwrt, I saw syslog entries relating to dnscrypt-proxy (fetching server certificates). Not sure if something's broken. I had to ssh in and kill the process.

@rizla7 I understand your skepticism and concerns about performance, but I don't think security is just for the paranoid. There's a question of trust, which I think has clearly been shown to have been abused by various organizations. One way to fix this is by not requiring trust.

The problem I see with DNSCrypt is that it still requires trust in the one running the resolver or at least their server. There's no guarantee that person isn't keeping logs, or that unknown to them their server might be compromised, etc. So, the value of DNSCrypt is unclear to me, especially given the serious usability impact from potential resolver failures.

As for DNSSEC, I disabled both DNSCrypt and DNSSEC related options under Services and went here https://dnssec.vs.uni-due.de/ to check if DNSSEC validation is being done... and it is. Assuming that ddwrt's gui isn't lying to me, that might imply my ISP is doing DNSSEC validation?
mrjcd (DD-WRT Guru, joined 31 Jan 2015, 5819 posts, Texas)
Posted: Sun Jan 28, 2018 0:17
Yea that is the thing with dd-wrt DNSCrypt in its current state, you are using only one DNS server.
You can of course add to that --- many do ... don't ask me specifics on that, I'm not really a big
fan of DNSCrypt although I use it from time to time. My main router runs unbound so yea everything
is DNSSEC and I don't have to worry about getting to where I intend to go.

https://dnssec.vs.uni-due.de/ is cute and all and fairly accurate, but if you really want to
see about DNSSEC you should visit http://dnssectest.sidnlabs.nl/
Do the test and if whatever resolver you are using is actually using DNSSEC it will tell you,
and you can also continue with 'Further connection testing' and see exactly what algorithm your
said resolver is using. I just ran this -- here is what unbound does --

Fairly common stuff there.
unbound will never fail -- yea it uses root servers -- I've used it for a long time and never ever had a problem or failure.

If you run the same test using DNSSEC validation w/dd-wrt for some individual resolvers or combined with
DNSCrypt on valid resolvers you may see some that will handle more signing algorithm combinations but
you will also likely always see many combinations that will show SERVERFAIL. Unbound don't do that --
that's one reason I like him ---- and before someone jumps in and says it's not as fast you should
run some tests ---- and besides a piece of a millisecond doesn't mean much to me at the age I'm getting.

NOTE:
Doing tests after changing these types of configs you should reboot your
router first to get any meaningful info --
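Both the uni-due.de check fizikz ran with DNSSEC disabled on the router and the sidnlabs test mrjcd recommends above work the same way underneath: query a correctly signed name and a deliberately broken one, and look at two things in the reply header, the AD (Authenticated Data) flag and the RCODE. A validating resolver sets AD=1 on the signed name and returns SERVFAIL (RCODE 2) for the broken one; a non-validating resolver answers both with NOERROR and AD=0. That is also why the SERVERFAIL cells in those tests are expected: they mean the resolver refused to hand back data it could not validate. The block below is an added example written for this page, not code from either test site or from any poster. It builds the DNSSEC-aware query by hand (RD and AD set, an EDNS0 OPT record with DO=1), decodes the reply header, and classifies the resolver. The offline part runs against constructed reply headers; `probe()` sends a real query and is the part you would point at your router's LAN address (the resolver IP, the transaction ID, and the names are all placeholders you supply).

```python
import socket
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD/CD from RFC 4035 section 3.2)
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD, FLAG_CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1
EDNS_DO = 0x8000          # "DNSSEC OK" bit carried in the OPT record's TTL field (RFC 3225)


def encode_name(name: str) -> bytes:
    """Wire-format an ASCII domain name as length-prefixed labels plus the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, txid: int, qtype: int = TYPE_A, dnssec: bool = True) -> bytes:
    """Build a query. With dnssec=True it sets RD and AD (we understand AD in replies)
    and appends an EDNS0 OPT pseudo-RR with DO=1 so the resolver may return
    signed data; with dnssec=False it is a plain recursive query."""
    flags = FLAG_RD | (FLAG_AD if dnssec else 0)
    arcount = 1 if dnssec else 0
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)   # header: id, flags, counts
    msg += encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)  # question section
    if dnssec:
        # OPT RR: root name, type 41, class = UDP payload size, TTL = ext-rcode/version/flags, no rdata
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return msg


def parse_header(resp: bytes) -> dict:
    """Decode the 12-byte header. ad=True means the resolver validated the data."""
    if len(resp) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "rcode": flags & 0x000F,
        "ancount": an,
    }


def classify_resolver(signed_hdr: dict, bogus_hdr: dict) -> str:
    """Combine the two probes the way the online testers do."""
    if signed_hdr["ad"] and bogus_hdr["rcode"] == RCODE_SERVFAIL:
        return "validating"
    if not signed_hdr["ad"] and bogus_hdr["rcode"] == RCODE_NOERROR:
        return "not validating"
    return "inconclusive"


def probe(server: str, name: str, txid: int = 0x1234, timeout: float = 3.0) -> dict:
    """Send one query over UDP and return its parsed header. Live network; the
    offline checks below do not call it. server is the resolver you want to
    test, e.g. the router's LAN IP (placeholder, supplied by the caller)."""
    query = build_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        resp, _ = sock.recvfrom(4096)
    hdr = parse_header(resp)
    if hdr["id"] != txid:
        raise ValueError("transaction ID mismatch; reply is not for our query")
    return hdr


# CONSTRUCTED reply headers for offline use (id 0x1234, one question each):
# what a validating resolver sends for a signed name and for a bogus one,
# and what a non-validating resolver sends for either.
VALIDATING_SIGNED = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1, 1, 0, 1)
VALIDATING_BOGUS = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | RCODE_SERVFAIL, 1, 0, 0, 1)
PLAIN_ANSWER = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 0)


def offline_demo() -> str:
    """Classify the constructed validating-resolver pair; returns 'validating'."""
    return classify_resolver(parse_header(VALIDATING_SIGNED), parse_header(VALIDATING_BOGUS))


if __name__ == "__main__":
    print(offline_demo())
    # Live use (uncomment and fill in): signed = probe("192.168.1.1", "a-signed-name.example")
    #                                   bogus  = probe("192.168.1.1", "a-deliberately-broken.example")
    #                                   print(classify_resolver(signed, bogus))
```

When you run the live probes, query the router itself (so dnsmasq, not your PC's resolver, is what gets tested) and, as mrjcd says, reboot after changing the DNSSEC or DNSCrypt toggles first. A signed name answered with AD=0 but NOERROR while the bogus one is SERVFAIL means something upstream is validating but dnsmasq is not marking it, which is what fizikz saw with the router's own validation switched off.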
fizikz (DD-WRT User, joined 10 Nov 2016, 219 posts)
Posted: Sun Jan 28, 2018 1:44

With DNSCrypt and DNSSEC disabled in ddwrt, and using my ISP's DNS, I get this final result with https://internet.nl/ :



mrjcd, when you mentioned SERVERFAILs, did you mean there would be some combinations with that result after the test is fully completed? During the testing I saw the icons change almost randomly between the three possible outcomes, including SERVERFAIL, until it settled on the result above.

As rizla7 pointed out, it seems I don't need to deal with DNSSEC myself. And I'm not enthusiastic about DNSCrypt after considering the weaknesses pointed out in this thread.
mrjcd (DD-WRT Guru, joined 31 Jan 2015, 5819 posts, Texas)
Posted: Sun Jan 28, 2018 2:15

fizikz wrote:
With DNSCrypt and DNSSEC disabled in ddwrt, and using my ISP's DNS, I get this final result with https://internet.nl/ :



mrjcd, when you mentioned SERVERFAILs, did you mean there would be some combinations with that result after the test is fully completed? During the testing I saw the icons change almost randomly between the three possible outcomes, including SERVERFAIL, until it settled on the result above.

As rizla7 pointed out, it seems I don't need to deal with DNSSEC myself. And I'm not enthusiastic about DNSCrypt after considering the weaknesses pointed out in this thread.

Certain algorithms will give the complete red X SERVFAIL when checked from some resolvers.

What ISP have you got?
Looks good to me. There has been a big push towards DNSSEC for a long time but it seemed slow to catch on ---- maybe some ISPs are finally doing the right thing. At least your DNS queries should always get to where they are meant to go ....but just because they can't be redirected don't mean they can't be seen......that is where DNSCrypt comes in.

Edit:
Haven't seen any doing that many algorithms for DNSSEC but maybe Google.
Just connected to an ovpn server that uses Google DNS and yea they cover 'bout everything but looks like they have completely dropped any MD5 stuff .....those showing SERVFAIL using Google but not surprised, MD5 is ancient and insecure these days.


Last edited by mrjcd on Sun Jan 28, 2018 2:34; edited 1 time in total
fizikz (DD-WRT User, joined 10 Nov 2016, 219 posts)
Posted: Sun Jan 28, 2018 2:32
mrjcd wrote:
At least your DNS queries should always get to where they are meant to go ....but just because they can't be redirected don't mean they can't be seen......that is where DNSCrypt comes in.


If I'm using my ISP's DNS, it shouldn't be possible to snoop, should it? Unless someone is on the line between my computer and ISP's servers...
mrjcd (DD-WRT Guru, joined 31 Jan 2015, 5819 posts, Texas)
Posted: Sun Jan 28, 2018 2:47
fizikz wrote:
mrjcd wrote:
At least your DNS queries should always get to where they are meant to go ....but just because they can't be redirected don't mean they can't be seen......that is where DNSCrypt comes in.


If I'm using my ISP's DNS, it shouldn't be possible to snoop, should it? Unless someone is on the line between my computer and ISP's servers...

The ISP is what most are concerned about.
Everyone has their own opinions about things and I will just say, as I have a few times over the years, no one can set up your network to suit you but your own self.

No one is going to capture your DNS queries and wreak havoc on your life .....unless you may be doing something highly illegal and if so you probably have more to worry about than just DNS.
Most people simply don't like anyone knowing their private business ....well, if you ever use any type of smartphone then what you do with it and how you use it is known and not much you can do about it....
fizikz (DD-WRT User, joined 10 Nov 2016, 219 posts)
Posted: Sun Jan 28, 2018 3:31

mrjcd wrote:
The ISP is what most are concerned about.


Haha, valid point. I somewhat trust my ISP not to be evil, but again, I think it's better to remove the need to trust at all, as much as possible.

So, to conclude, the recommended DNSmasq settings seem to be as in mwchang's config image, except with "Query DNS in strict order" enabled.
(All times are GMT.)