Posted: Wed Feb 20, 2019 21:34 Post subject: DNSMASQ to cause failure for lookup after few days or hours
So I am having an issue where DNSMASQ causes look-up failures on certain sites ... sometimes after a few days, sometimes within a few hours.
I know it is DNSMASQ because if I do a stopservice dnsmasq && startservice dnsmasq it then works perfectly fine, until a few hours or days later.
Most of the time it fails to look up gmail.com, sometimes facebook.com, but it could be anything at any time. Anyone know what might cause this issue, with dnsmasq suddenly unable to look up certain sites? _________________ ASUS RT-AC3200 - Deployed Client's site
ASUS RT-AC5200 - Merlin
ASUS RT-AX88U - Merlin
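The workaround the original poster describes (a manual stopservice/startservice once lookups start failing) can be automated so the router recovers on its own while the root cause is still being hunted. The script below is an added example, not code from the thread or from DD-WRT; it assumes busybox nslookup exits non-zero when a lookup fails and that DD-WRT's stopservice/startservice commands are present. It probes a few names (the ones the thread reports failing, as a constructed list) through the local dnsmasq and restarts it only after several consecutive rounds in which every probe failed, so a single name failing upstream does not trigger a restart.

```shell
#!/bin/sh
# dnsmasq watchdog for DD-WRT (added example, not from the thread).
# Assumes busybox nslookup returns non-zero on a failed lookup and that
# stopservice/startservice exist. Run as:  sh dnsmasq-watchdog.sh run

RESOLVER=127.0.0.1
PROBE_NAMES="gmail.com facebook.com"   # constructed probe list
FAIL_LIMIT=3        # consecutive all-failed rounds before a restart
INTERVAL=60         # seconds between probe rounds

# lookup_ok NAME SERVER: exit 0 if NAME resolves through SERVER
lookup_ok() {
    nslookup "$1" "$2" >/dev/null 2>&1
}

# failed_count LOOKUP_FN SERVER NAME...: prints how many NAMEs LOOKUP_FN
# could not resolve. The lookup function is a parameter so the decision
# logic can be exercised with a stub instead of the network.
failed_count() {
    fn=$1; server=$2; shift 2
    n=0
    for name in "$@"; do
        if ! "$fn" "$name" "$server"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# next_streak STREAK FAILED TOTAL: prints the updated count of consecutive
# rounds in which every probe failed. A partial failure resets the streak:
# one name failing is more likely an upstream problem than a wedged dnsmasq.
next_streak() {
    if [ "$2" -gt 0 ] && [ "$2" -eq "$3" ]; then
        echo $(( $1 + 1 ))
    else
        echo 0
    fi
}

# should_restart STREAK: exit 0 once STREAK has reached FAIL_LIMIT
should_restart() {
    [ "$1" -ge "$FAIL_LIMIT" ]
}

restart_dnsmasq() {
    logger -t dnsmasq-watchdog "restarting dnsmasq after $FAIL_LIMIT failed rounds"
    stopservice dnsmasq && startservice dnsmasq
}

watchdog_loop() {
    streak=0
    total=$(set -- $PROBE_NAMES; echo $#)
    while :; do
        failed=$(failed_count lookup_ok "$RESOLVER" $PROBE_NAMES)
        streak=$(next_streak "$streak" "$failed" "$total")
        if should_restart "$streak"; then
            restart_dnsmasq
            streak=0
        fi
        sleep "$INTERVAL"
    done
}

# Only start the loop when explicitly asked, so the file can be sourced.
case "$1" in run) watchdog_loop ;; esac
```

Logging each restart through logger means the syslog shows how often dnsmasq actually wedges, which is the number you want when deciding whether an option change (min-cache-ttl, dns-forward-max, a different upstream) made any difference.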
I don't have the answer for you, but I know some folks have complained about DNSMasq dying in more recent builds in the Atheros SOC sub-forum as well.
Maybe peruse that forum to see if you find any answers? _________________ Netgear R7500v2, DD-WRT v3.0-r37845M kongat
Netgear R7000, DD-WRT v3.0-r37715M kongac
Joined: 08 May 2018 Posts: 14217 Location: Texas, USA
Posted: Thu Feb 21, 2019 2:22 Post subject:
Is this on wired or wi-fi? I still have random issues over wi-fi with dnsmasq last I checked, and I suspect it's related to the AP isolation always being active issue. I haven't checked the current build yet to see if it's still flaky.
I have the same issue and I found that adding "min-cache-ttl=800" in Additional DNSMasq Options helps mitigate the issue. I do find that if the internet speed drops below a threshold the failure rate jumps.
Posted: Fri Feb 22, 2019 15:07 Post subject:
@Redback813, thanks for that, will test that as things still seem flaky for me, mainly over wi-fi in r38840M. Pretty sure there's some other additional configs I could probably try as well, but I kind of gave up a while back. If it works, it works, if not, ho-hum. I have other APs working just fine. I'm sure if the latest git were merged and a few other things happened, maybe the issues would disappear...
min-cache-ttl=800 is set too high, as this can cause the "Can not resolve" issue; lowering it to 600 is more stable, however I still get the "Can not resolve" issue from time to time. Something else is causing the issue; too bad pi-hole is not available.
Joined: 16 Nov 2015 Posts: 6436 Location: UK, London, just across the river..
Posted: Fri Mar 01, 2019 16:11 Post subject:
I guess it could be down to the DNS servers you use...
I use 9.9.9.9 or 1.1.1.1 and have never had any complaints; so far so good...
Also, to avoid any ISP DNS leak, I use...
no-resolv
server=9.9.9.9
server=1.1.1.1
min-cache-ttl=800: this command sets how long the local DNS will keep those cached routes, so if
you set it too high as a value, as well as the cache size, then this could be an issue too...
Personally I used to set it up to 5000 with min-cache-ttl=600, but after a few builds I realised that on BS builds the cache size is fixed to 1500 lines and min-cache-ttl does nothing, so I stopped using any settings regarding it...
Finally, there is a chance DNSmasq is broken too, but I haven't noticed anything yet... _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Posted: Fri Mar 01, 2019 17:50 Post subject:
Redback813 wrote:
min-cache-ttl=800 is set too high, as this can cause the "Can not resolve" issue; lowering it to 600 is more stable, however I still get the "Can not resolve" issue from time to time. Something else is causing the issue; too bad pi-hole is not available.
I wasn't sure if I needed to go higher or lower, had tested 3600 and was at around 13-15 hours between lookup failures. Will test 600 and see if that makes it better or worse. Again, thank you for that little bit of info!
Trying the min-cache-ttl for the last 24hrs: pages load faster, however I still get the "Can not resolve" issue, though less than before. Added an extra dns-forward-max to see if it helps; it seems to have helped, but I will watch it.
Posted: Sat Mar 02, 2019 15:44 Post subject:
Redback813 wrote:
Trying the min-cache-ttl for the last 24hrs: pages load faster, however I still get the "Can not resolve" issue, though less than before. Added an extra dns-forward-max to see if it helps; it seems to have helped, but I will watch it.
min-cache-ttl=3600
dns-forward-max=250
This will probably make no sense, but I also filled in ALL THREE static DNS server IPs on the main setup page as well, which has helped A LOT. The 600 setting seems to have been working fine yesterday when I changed it and rebooted. Will keep monitoring it and see if I need to change back and add the dns-forward-max config.
Something I should have added earlier which will help speed up the DNS cache and DNS requests.
# use all DNS servers, use the first returned.
all-servers
# don't forward non-routable (local) addresses
bogus-priv
# don't forward incomplete hostnames (names without dots)
domain-needed
Posted: Sat Mar 02, 2019 20:21 Post subject:
In case you use
all-servers
then it will refer to those 3 on the basic settings tab + ISP DNS.
To see what all-servers uses, type
cat /tmp/resolv.dnsmasq
and you will see the ISP DNS at the end, after those 3 you set.
In that case
no-resolv will not work if you use all-servers as well.
In general there was a discussion that if you use the 3 DNS
set on the basic tab, there were DNS leaks to the ISP,
so when no-resolv is used instead and DNSmasq takes over with what is set there as a DNS, there are no ISP leaks...
server=1.1.1.1 or 9.9.9.9, etc. _________________
@Alozaros you are half right and half wrong on this one.
If you use:
all-servers
no-resolv
server=....
server=....
There will be no DNS leak, as dnsmasq will not use anything from /tmp/resolv.dnsmasq, but it will still rotate the server=... entries.
If you use:
all-servers
server=...
server=...
Then there will be a DNS leak, as dnsmasq will use whatever is in /tmp/resolv.dnsmasq along with the server=... entries, and will rotate them all the time (I tested this one).
The thing is that I was playing with it in the past week and, to be honest, using strict-order instead of all-servers every page opens much faster, and strict-order will also prevent any DNS leaks no matter the combination you are using, because the ISP servers are always placed at the bottom and the possibility of starting to use them is tiny to zero. _________________ Router: ASUS AC1900(RT-AC68U)
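The two posts above (the all-servers / bogus-priv / domain-needed snippet and the no-resolv discussion) come down to one question: which upstream servers end up in dnsmasq's list? The script below is an added example, not code from the thread or from DD-WRT. It applies the rules the posters describe: server= lines always count, the nameservers in the resolv file (/tmp/resolv.dnsmasq on DD-WRT, where the Basic Setup static servers and the ISP-assigned ones land) count unless no-resolv is set, and strict-order / all-servers only change how that list is used. The sample config and resolv files are constructed; 203.0.113.53 is a documentation address standing in for an ISP resolver. On a live router you would point report at the generated dnsmasq config (typically /tmp/dnsmasq.conf on DD-WRT; that path is an assumption) and /tmp/resolv.dnsmasq. Whether strict-order alone is enough to keep queries off the last server is the poster's claim, not something this script checks; confirm against the dnsmasq man page for your build.

```shell
#!/bin/sh
# Which upstreams will dnsmasq actually query? Added example, not from the
# thread. Models the thread's description: server= entries always count;
# resolv-file nameservers count unless no-resolv is set; strict-order and
# all-servers only change how the list is used.

# effective_upstreams OPTIONS_FILE RESOLV_FILE
# prints the upstream list in the order dnsmasq sees it, one per line
effective_upstreams() {
    opts=$1; resolv=$2
    sed -n 's/^[[:space:]]*server=\([^[:space:]#]*\).*/\1/p' "$opts"
    if ! grep -q '^[[:space:]]*no-resolv[[:space:]]*$' "$opts"; then
        sed -n 's/^[[:space:]]*nameserver[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' "$resolv"
    fi
}

# query_mode OPTIONS_FILE: prints strict-order, all-servers, or default
query_mode() {
    if grep -q '^[[:space:]]*strict-order' "$1"; then echo strict-order
    elif grep -q '^[[:space:]]*all-servers' "$1"; then echo all-servers
    else echo default; fi
}

# leaks_to OPTIONS_FILE RESOLV_FILE SERVER: exit 0 if SERVER is in the
# effective upstream list, i.e. dnsmasq may send queries to it at all
leaks_to() {
    effective_upstreams "$1" "$2" | grep -qxF "$3"
}

# upstream_count OPTIONS_FILE RESOLV_FILE: prints the list length
upstream_count() {
    effective_upstreams "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample files: three static servers from the Basic Setup tab
# plus one ISP-assigned server, as "cat /tmp/resolv.dnsmasq" might show them.
write_samples() {
    dir=$1
    cat > "$dir/resolv.dnsmasq" <<'EOF'
nameserver 9.9.9.9
nameserver 1.1.1.1
nameserver 8.8.8.8
nameserver 203.0.113.53
EOF
    cat > "$dir/leaky.conf" <<'EOF'
all-servers
server=9.9.9.9
server=1.1.1.1
EOF
    cat > "$dir/tight.conf" <<'EOF'
all-servers
no-resolv
server=9.9.9.9
server=1.1.1.1
EOF
}

# report OPTIONS_FILE RESOLV_FILE ISP_SERVER: one-line verdict
report() {
    if leaks_to "$1" "$2" "$3"; then verdict="CAN reach ISP resolver $3"
    else verdict="never sends to $3"; fi
    echo "$(basename "$1"): mode=$(query_mode "$1"), $verdict"
}

SAMPLE_DIR=${TMPDIR:-/tmp}/dnsmasq-leak-demo
mkdir -p "$SAMPLE_DIR" && write_samples "$SAMPLE_DIR"
report "$SAMPLE_DIR/leaky.conf" "$SAMPLE_DIR/resolv.dnsmasq" 203.0.113.53
report "$SAMPLE_DIR/tight.conf" "$SAMPLE_DIR/resolv.dnsmasq" 203.0.113.53
```

The leaky.conf case is the second configuration in the post above (all-servers without no-resolv): the ISP server is still in the list, so it is a candidate for every rotated query. The tight.conf case is the first configuration: only the server= entries survive. Run effective_upstreams on the router's own files to see the actual list before trusting any option combination.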