WNR3500L v2 Dnsmasq problem

DD-WRT Forum -> Broadcom SoC based Hardware (page 2 of 3)
itwontbewe
DD-WRT User


Joined: 29 Sep 2020
Posts: 179

Posted: Mon Oct 18, 2021 12:15
Just throwing out a couple of things.

Doesn't strict-order conflict with all-servers, and possibly with another application running your DNS?


I don't see a domain in any of the confs posted.

Would domain-needed cause an issue with no domain specified?
dpp3530
DD-WRT Guru


Joined: 12 Dec 2007
Posts: 564
Location: Pittsburgh, PA USA

Posted: Mon Oct 18, 2021 19:05
kernel-panic69 wrote:
Some of your settings don't make sense to me. You're validating DNS replies, but not caching them or encrypting DNS.


I'm encrypting DNS using Stubby. It was set up using the guide posted by Alozaros on https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=314677&start=30. I changed my DNS servers to 1.1.1.1 and 1.0.0.1, but the rest of the configuration is the same.

I didn't include the Additional DNSMASQ Options in the screenshot, but they may shed some light. I'm using 192.168.6.0/24 rather than the default 192.168.1.0/24 on my home network.

no-resolv
server=127.0.0.1#5453
server=/ntp.org/8.8.8.8
server=/tunnelbroker.net/8.8.8.8
interface=*
dnssec
domain=home.lan,192.168.6.0/24,local
enable-ra
ra-param=br0,10,300
dhcp-range=::150,::1EFF,constructor:br0,ra-names,5m
dhcp-option=option6:dns-server,[::]
dhcp-option=option6:domain-search,home.lan
dhcp-option=option:domain-name,home.lan
dhcp-option=option:domain-search,home.lan
address=/wpad.home.lan/192.168.6.1
address=/myfiosgateway.com/192.168.6.50
address=/wpad/192.168.6.1

_________________
__________________________
Linksys WRT-1900AC
DD-WRT v3.0 STD 48786
Netgear R7000
DD-WRT v3.0 STD 48786
Netgear R7800
DD-WRT v3.0 STD 48786
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 12463
Location: Texas, USA

Posted: Mon Oct 18, 2021 20:47
This thread is strictly about dnsmasq. Adding stubby into the mix changes the scope of the thread. And again, one server= line is bound to fail; a minimum of two lines is paramount. I use anywhere from six to a dozen resolver addresses.
_________________
Official Forum Rules, Guidelines & Helpful Information | Firmware FAQ | Installation Wiki | Where Do I Download Firmware‽
DON'T use Chromium-based browsers | RTFM/STFW | TL;DR is NOT an excuse. • Why Should I Care What Color the Bikeshed Is‽
Please DO NOT PM me with questions; Ask in the forum. ---------------------- Linux User #377467 counter.li.org / linuxcounter.net
Evengard
DD-WRT Novice


Joined: 03 Jul 2021
Posts: 15

Posted: Wed Oct 20, 2021 20:39
I'm not using Stubby or whatever, only dnsmasq. As I said, I'm using 3 DNS servers (2 of them configured via the DD-WRT GUI, the third one being the one received from WAN).
I can try excluding some config options and testing, but I'm pretty sure it is not about the config per se, as with the exact same config - it all "Just Works" © with an older build.
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 12463
Location: Texas, USA

Posted: Thu Oct 21, 2021 1:55
Are you using static DNS servers on the main setup page, is that what you mean? Because all I see is Google quad 8 and Stubby localhost. We could go 'round and 'round about singular proxies failing and a myriad of variables. But the OP is using a single DNS server to resolve addresses which is bound to fail.
redhawk0
DD-WRT Guru


Joined: 04 Jan 2007
Posts: 11516
Location: Wherever the wind blows- North America

Posted: Wed Oct 27, 2021 14:57
I'm seeing the same issue with newer builds where I can enter a URL and it won't find it the first time. Subsequent times it works fine. This is on my main router (R7000) running both bands as APs. I have multiple tabs set up in my browsers (FF and Chrome) and many times the majority of the tabs won't load. I have to go to each one and reload to get the page.

I fall back to 47090 and all is well again. I sometimes get my Firestick to not find links on the first try either. Then a second scan and all is well. I've tried changing all the DNS settings, SFE and FA settings, turned on/off the Ignore ISP DNS setting, and I've tried various settings for DNSmasq as well. Nothing seems to help until I go back to 47090.

Not really looking for advice at this point... just making it known that there is an issue with DNS/DNSmasq that seems to be present after the 4709X builds.

redhawk



[Attachment: dnsmasq.jpg]
[Attachment: Setup-Setup.jpg]


kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 12463
Location: Texas, USA

Posted: Wed Oct 27, 2021 15:06
@redhawk0: You should probably be using no-resolv and server= lines in your additional dnsmasq config instead of the static DNS server entries. I've *always* had issues using those, whether or not I use encrypt dns/dnssec options. Just my thoughts. I am not experiencing these issues.

I just noticed that you are *also* using Unbound. Collision, perhaps? I didn't know you could have both dns resolvers in use at the same time.

kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 12463
Location: Texas, USA

Posted: Wed Oct 27, 2021 15:25
Dnsmasq was updated in September. I've noticed some commits since 2.86 that fix issues, but not knowing the specifics of the failures, I won't speculate that whatever was broken and required those commits for the 2.87test* versions is the problem. BrainSlayer will not commit another dnsmasq update until it reaches 2.87rc* status. AFAIK, dnsmasq automatically updates trust anchors(?). Unbound, however, doesn't seem to, perhaps.

https://www.icann.org/dns-resolvers-updating-latest-trust-anchor

Perhaps this is a configuration-specific hiccup that doesn't affect me personally.

EDIT: Thank you for removing your post before my reply, @itwontbewe.

itwontbewe
DD-WRT User


Joined: 29 Sep 2020
Posts: 179

Posted: Wed Oct 27, 2021 16:08
Apologies, kp. I was just trying to throw something out there because I noticed most had DNSSEC enabled. After I hit send it dawned on me that it working after reverting would rule out expired trust anchors.
redhawk0
DD-WRT Guru


Joined: 04 Jan 2007
Posts: 11516
Location: Wherever the wind blows- North America

Posted: Wed Oct 27, 2021 18:02
kernel-panic69 wrote:
@redhawk0: You should probably be using no-resolv and server= lines in your additional dnsmasq config instead of the static DNS server entries. I've *always* had issues using those, whether or not I use encrypt dns/dnssec options. Just my thoughts. I am not experiencing these issues.

I just noticed that you are *also* using Unbound. Collision, perhaps? I didn't know you could have both dns resolvers in use at the same time.


Well now...I learned something new. (I've never claimed to be an internet configuration guru...haha)

I made some changes to my main router. I removed all the static DNS entries then updated my DNSMasq as seen below. All appeared to be working fine with 47090 so I upgraded back to 47596 again. It seems to have resolved my "reload" issues that I was seeing.

So...Thank you for prompting me to do a little more reading on the configuration settings for DNSMasq. If you see anything amiss...please inform.

Much appreciative of the advice.

redhawk



[Attachment: dnsmasq-set.jpg]


kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 12463
Location: Texas, USA

Posted: Wed Oct 27, 2021 19:47
You're welcome. Proof no matter how long we've been here on the forum or have been doing anything related to technology, networking, DD-WRT, or Linux, we can always learn something new. I appreciate your thanks. I don't know everything, I am always learning new things... usually in the process of helping others fix their issues, even. Most of what I've learned about dnsmasq implementation in DD-WRT and configuration has been through my own trial and error and other discussions on the forum that I have directly participated in. The wiki needs some updating / edits, still since some screenshots are outdated at some point. One of those things on the "to-do" list. Again, many thanks for the kind words.
dTX
DD-WRT User


Joined: 28 Dec 2018
Posts: 83

Posted: Wed Oct 27, 2021 20:32
@redhawk0 1.1.1.2 resolves and blocks known malware, along with 1.0.0.2.
1.1.1.1/1.0.0.1 just resolves. So for best results choose one and stick with it. Don't mix and match.
The proper config should be:
server=1.1.1.2
server=1.0.0.2

P.S. Also bogus-priv is already included automatically in the dnsmasq's own config so can be removed as well.

_________________
Router: ASUS AC1900(RT-AC68U)


Last edited by dTX on Wed Oct 27, 2021 21:07; edited 1 time in total
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 12463
Location: Texas, USA

Posted: Wed Oct 27, 2021 20:40
Someone removed (or it was removed for them) their post regarding bogus-priv in newer builds being default. I must've missed that. So, that is the only other thing that is "amiss", that should be removed. Wiki definitely needs updating if that is still in it. Thanks for the additional input, @dTX. I wasn't looking too deep into the screenshot, etc. before I replied.
o2bad455
DD-WRT User


Joined: 08 Oct 2015
Posts: 189

Posted: Wed Nov 03, 2021 20:38
thommy181 wrote:

Additional configuration
- no resolv
- server=8.8.8.8
- domain-needed
- expand-hosts
- no-negcache


I see a typo where "no resolv" should be "no-resolv". Hopefully it's just in your post, but I think it could be an issue if also in your config.

GENERAL QUESTION: When using DNSmasq, how can I list the current DNS server IPs? That is, not just the one currently in use but any that could be used (such as if my provider managed to reinsert theirs)? Online checks (e.g., ipleak.net) only seem to catch those recently used. The hypothetical scenario would be if ALL of those momentarily failed (and not even all of my server= are shown), what are the other possibilities potentially available to the router for fallback? Is there any single file or buffer that lists them all, or perhaps a small collection of files and buffers that could be dumped?

_________________
My DD-WRT Routers:
Linksys WRT1900ACS - Marvell (2x): r48646
Netgear R7000 - Broadcom (3x): r47720
Netgear R9000 - Atheros (1x): r47608
PC x86-64 VM - Atheros (1x): r46316
Linksys WRT54G/GS - Broadcom (4x): r44715
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 5009
Location: UK, London, just across the river..

Posted: Wed Nov 03, 2021 21:08
o2bad455, hypothetically, if you use ignore WAN DNS, no-resolv and have server= + the forced DNS option from the basic setup page, you should be fine... your ISP can only intercept your DNS hits via the standard ports if they are not encrypted (as they tend to do)... but your router will not use your ISP DNS at all...

Then, your only option to stop the ISP from sniffing your DNS hits is to run encrypted DNS, such as DNSCrypt, or Stubby via TLS, or SmartDNS via HTTPS or TLS, or Unbound, etc... bear in mind DNSCrypt is the only fully encrypting DNS option, where the others are mostly hop-to-hop encryption, but they will do as well...

Stubby works as a stub resolver via TLS port 853; it could do 443 as well, but with very limited DNS servers to be used... and it has only a few options, where SmartDNS and Unbound have more options and more complex use...
Personally I use Stubby.

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 48646 WAP
TP-Link WR1043NDv2 -DD-WRT 48865 Gateway,DNS,AP Isolation,Ad-Block,Firewall,Forced DNS,DoT,VPN,VLAN
TP-Link WR1043NDv2 -DD-WRT 48886 Gateway,DNS,Ad-Block,Firewall,Forced DNS,DoT,VPN,VLAN
TP-Link WR1043NDv2 -Gargoyle OS 1.13.0b AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear R7800 --DD-WRT 48886 Gateway,DNS,AD-Block,AP&Net Isolation,VLAN's,Firewall,DoT,Vanilla
Netgear R9000 --DD-WRT 48886 Gateway,DNS,AD-Block,AP Isolation,Firewall,Forced DNS,DoT,2,4Ghz only,Vanilla
Broadcom
Netgear R7000 ---DD-WRT 48886 Gateway,DNS,AD-Block,Firewall,Forced DNS,VLAN's,DoT,VPN
------------------------------------------------------
Stubby for DNS over TLS I DNSCrypt v2 by mac913
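Added example (editor's note, not code from any post in this thread or from the DD-WRT project): a small POSIX shell script that answers o2bad455's question above by listing every upstream a dnsmasq instance could forward to, and that also checks the two mistakes raised earlier in the thread: kernel-panic69's point that a single global server= line is a single point of failure, and the "no resolv" (missing hyphen) typo o2bad455 spotted in thommy181's config. The DD-WRT file paths named in the comments, /tmp/dnsmasq.conf (generated config) and /tmp/resolv.dnsmasq (WAN-learned resolvers), are assumptions to verify on your build; the script itself runs on constructed sample files so it works offline. The sample configs reuse the thommy181 options as quoted and dTX's 1.1.1.2 / 1.0.0.2 pair; the 203.0.113.x ISP resolvers are made-up documentation-range addresses.

```shell
#!/bin/sh
# Added example for this thread, not DD-WRT code. Lists the upstream resolvers
# a dnsmasq config can forward to and flags a single server= line and the
# "no resolv" typo. ASSUMED DD-WRT paths, verify on your build:
#   /tmp/dnsmasq.conf  (generated config)   /tmp/resolv.dnsmasq (WAN resolvers)
# The sample files below are constructed stand-ins so this runs offline.

# Print "<scope> <address>" per upstream. $1 = dnsmasq config, $2 = resolv file.
#   server=IP[#port]            -> scope "all" (every query)
#   server=/dom1/dom2/IP[#port] -> one line per domain
# Without no-resolv, dnsmasq also forwards to the nameservers in $2.
dns_upstreams() {
    conf=$1; resolv=$2
    awk -F= '
        /^[ \t]*#/ { next }
        { sub(/^[ \t]+/, "", $1) }
        $1 == "server" {
            v = $2
            if (v ~ /^\//) {
                n = split(v, p, "/")   # p[1] is empty (leading slash), p[n] the address
                addr = (p[n] == "") ? "never-forwarded" : p[n]
                for (i = 2; i < n; i++) if (p[i] != "") print p[i], addr
            } else if (v != "") {
                print "all", v
            }
        }' "$conf"
    if ! grep -q '^[[:space:]]*no-resolv[[:space:]]*$' "$conf"; then
        awk '$1 == "nameserver" { print "all", $2 }' "$resolv"
    fi
}

# Sanity checks. Prints each finding; exit 0 when clean, 1 otherwise.
dns_lint() {
    conf=$1; resolv=$2; rc=0
    # "no resolv" is not an option name; dnsmasq rejects the file ("bad option").
    if grep -q '^[[:space:]]*no resolv' "$conf"; then
        echo "ERROR: 'no resolv' is not a dnsmasq option, use 'no-resolv'"; rc=1
    fi
    # Count only the config's own global server= lines (/dev/null as resolv file).
    n=$(dns_upstreams "$conf" /dev/null | grep -c '^all ' || true)
    if [ "$n" -lt 2 ]; then
        echo "WARN: $n global server= line(s); one resolver outage takes DNS down"; rc=1
    fi
    if ! grep -q '^[[:space:]]*no-resolv[[:space:]]*$' "$conf"; then
        echo "NOTE: no-resolv not set, nameservers from $resolv are also in play"
    fi
    return $rc
}

# Constructed sample: thommy181's options as quoted (typo and single server kept).
sample_conf_weak() {
cat <<'EOF'
no resolv
server=8.8.8.8
domain-needed
expand-hosts
no-negcache
EOF
}

# Constructed sample: typo fixed, two global resolvers, one domain-specific forward.
sample_conf_fixed() {
cat <<'EOF'
no-resolv
server=1.1.1.2
server=1.0.0.2
server=/ntp.org/8.8.8.8
domain-needed
expand-hosts
no-negcache
EOF
}

# Constructed stand-in for /tmp/resolv.dnsmasq (documentation-range addresses).
sample_resolv() {
cat <<'EOF'
nameserver 203.0.113.53
nameserver 203.0.113.54
EOF
}

# Demo over the constructed files; on a router point the functions at the real paths.
tmp=$(mktemp -d)
sample_conf_weak  > "$tmp/weak.conf"
sample_conf_fixed > "$tmp/fixed.conf"
sample_resolv     > "$tmp/resolv.dnsmasq"
for c in weak fixed; do
    echo "== $c: upstreams =="; dns_upstreams "$tmp/$c.conf" "$tmp/resolv.dnsmasq"
    echo "== $c: lint ==";      dns_lint "$tmp/$c.conf" "$tmp/resolv.dnsmasq" && echo "clean"
done
rm -rf "$tmp"
```

On the weak sample the misspelled line is not recognised as no-resolv, so the script reports the two ISP resolvers alongside 8.8.8.8 and flags both the typo and the single server= line; on the fixed sample it reports exactly 1.1.1.2, 1.0.0.2 and the ntp.org forward to 8.8.8.8 and finds nothing to complain about. For a real syntax check of a config file, dnsmasq's own `dnsmasq --test -C <file>` exits non-zero on a bad option such as "no resolv".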