Posted: Fri May 26, 2023 6:57 Post subject: DNS seems completely broken on my netgear r9000 router
My DD-WRT router (build on 2023-05-24, hardware is netgear r9000) is failing all DNS lookups. I noticed it first when I saw that the date was January 3rd 1970, and looking at syslog, it is not able to resolve pool.ntp.org.
Using nslookup via ssh, it's not even able to resolve a name when pointed at working DNS servers in my network or on the Internet. If I run the exact same nslookup commands on a desktop system, they work.
I am not sure how long this problem has been going on. I found it on the 2023-05-23 release and just upgraded it to 2023-05-24 with no change.
Joined: 16 Nov 2015 Posts: 5896 Location: UK, London, just across the river..
Posted: Fri May 26, 2023 7:13 Post subject:
There is a positive post about the last update 52671
so the problem is either in your setup or ISP...update and reset via button (do not reset when using the update option via GUI) and then rebuild your settings manually..do not load old settings file...
for NTP time use either IP or just select your time zone or capital...
216.239.35.4 google NTP time server
162.159.200.123 cloudflare NTP time server
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 52459 WAP
TP-Link WR1043NDv2 -DD-WRT 52869 Gateway/DoT,Forced DNS,AP Isolation,Ad-Block,Firewall,VPN,x1VLAN
TP-Link WR1043NDv2 -DD-WRT 52459 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN(no-wifi)
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear R7800 --DD-WRT 52869 Gateway/DoT,AD-Block,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 52459 Gateway/Stubby DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 ---DD-WRT 52869 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby for DNS over TLS I DNSCrypt v2 by mac913
Why is there a local DNS server set to a local subnet IP?
Why are two of your static DNS entries set to local subnet IPs?
Why do you not have Forced DNS Redirection and Forced DNS Redirection and DoT checked?
Are those local subnet IPs Pi-Holes? Looks like an overly unnecessarily complicated setup.
_________________
"The woods are lovely, dark and deep,
But I have promises to keep,
And miles to go before I sleep,
And miles to go before I sleep." - Robert Frost
"I am one of the noticeable ones - notice me" - Dale Frances McKenzie Bozzio
Joined: 16 Nov 2015 Posts: 5896 Location: UK, London, just across the river..
Posted: Fri May 26, 2023 10:15 Post subject:
dale_gribble39 wrote:
Why is there a local DNS server set to a local subnet IP?
Why are two of your static DNS entries set to local subnet IPs?
Why do you not have Forced DNS Redirection and Forced DNS Redirection and DoT checked?
Are those local subnet IPs Pi-Holes? Looks like an overly unnecessarily complicated setup.
Yep, I didn't see those...fix those, live happy life...
Alozaros wrote:
....so the problem is either in your set up or....
...for NTP time use either IP or just select your time zone or capital...
216.239.35.4 google NTP time server
162.159.200.123 cloudflare NTP time server
Posted: Fri May 26, 2023 22:12 Post subject: Re: DNS seems completely broken on my netgear r9000 router
elyograg wrote:
Using nslookup via ssh, it's not even able to resolve a name when pointed at working DNS servers in my network or on the Internet. If I run the exact same nslookup commands on a desktop system, they work.
Even if his dns settings are all wrong and his local servers are broken, the use of the google servers should have worked. Did you try looking up other addresses? Maybe there was something wrong with ntp.org at that time (works for me now on 5/15 build r52569). Is there anywhere where the firewall is blocking or re-routing DNS requests or requests for particular servers?
Use of Google's DNS server IP should have worked, and did not. Why? We don't know because we don't have the full picture. In short, "l33t $h1t bR0k3n"....
NTP Client Settings -> Server IP / Name -> see the "blank" settings, and understand the reasons for IP addresses.
If choosing to specify an ntp pool it is now expected to add two or three NTP server IP or just leave the field blank.
Posted: Fri May 26, 2023 23:36 Post subject: Re: DNS seems completely broken on my netgear r9000 router
dale_gribble39 wrote:
Use of Google's DNS server IP should have worked, and did not. Why? We don't
know because we don't have the full picture. In short, "l33t $h1t bR0k3n"....
Do you need anything more than this screenshot shows? Those lookups are made from the shell on the router. Even if I had DD-WRT's DNS settings all wrong for my network, that shouldn't affect these requests from the router itself using nslookup pointed at a public DNS server on the Internet.
DNS lookups made by my dd-wrt don't work no matter where the request is sent.
All these nslookup commands work if I try them on anything else in my network. All those machines are using this router to get to the Internet.
FYI, DNS works just fine on all my hosts, it's just broken on DD-WRT itself. Internal hosts are given the IP addresses of my servers by DHCP.
Also, I used to be able to send DNS requests to the router from internal hosts and it would work. Now it doesn't.
Aside from DNS, everything network-related seems to be working on dd-wrt. If I don't use -n on traceroute then it hangs forever on each line, trying and failing to look up reverse DNS.
Aside from Setup -> Basic Setup that you've shown, what are your other DNS / dnsmasq related configurations in DD-WRT? It is quite obvious that reverse DNS lookup is broken because of your configuration (which breaks nslookup, too). No previous questions successfully answered yet. Your configured DNS servers, we need further information to troubleshoot your problem. So many details still a mystery. Have you tried removing your local DNS server, and local IP static entries and entering known good public DNS servers?
Joined: 16 Nov 2015 Posts: 5896 Location: UK, London, just across the river..
Posted: Sat May 27, 2023 9:37 Post subject:
as blkt noted above check if your configuration is able to reach NTP time..as some ISP's are blocking those requests or firewall misconfiguration may happen too...so, yes we need more details...
As well, what commands do you have in your firewall that may prevent NTP time from being obtained...(common mistake)..
So, no NTP time no fun..no more details, help will go down to 0 (zero), as nobody can guess the reason..
My R9000 is up and running so, no firmware error..
Aside from Setup -> Basic Setup that you've shown, what are your other DNS / dnsmasq related configurations in DD-WRT? It is quite obvious that reverse DNS lookup is broken because of your configuration (which breaks nslookup, too). No previous questions successfully answered yet. Your configured DNS servers, we need further information to troubleshoot your problem. So many details still a mystery. Have you tried removing your local DNS server, and local IP static entries and entering known good public DNS servers?
Can you be much more specific about exactly where I need to go to get what you want to see? I've added DNS settings from the Services tab.
Is there anything in the DD-WRT config that can affect nslookup working from the commandline?
Alozaros talked about a firewall... the only firewall in play is DD-WRT itself. I cannot remember doing anything to the firewall other than some port forwarding, and none of the firewall settings have changed at all recently. Definitely not since the last time I accessed things by name from the router shell. Not that I can remember when that was...
Joined: 04 Aug 2018 Posts: 1404 Location: Appalachian mountains, USA
Posted: Sat May 27, 2023 20:44 Post subject:
DNSMasq can pretty easily break completely if you get setup stuff wrong, so it's really a bad idea to "smoke test" a pile of DNS-related stuff all at one time. So were I you, I'd for the moment remove all the local-network IPs for DNS servers, in both places, and I'd leave the NTP server field empty, as dd-wrt defaults it well. DNS 1 and DNS 2 you can set to known solid external servers like 1.1.1.1 (Cloudflare), 8.8.8.8 (Google), or 9.9.9.9 (Quad9). Get that basic config working, then start twiddling things one at a time if you need something special. Then at least you'll know what setting broke things!
I also agree with the earlier comment that Forced DNS Redirection is basic and should be checked for most people, but it's not going to make or break things either way.
_________________
Netgear XR500 on 52369, 4x Linksys WRT1900ACSv2 on 51530: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
Joined: 08 May 2018 Posts: 13463 Location: Texas, USA
Posted: Sat May 27, 2023 20:53 Post subject:
You have DNSSEC configured, but no check of unsigned replies. Do your configured DNS servers support DNSSEC? Not sure why you have No DNS rebind disabled, nor why no query in strict order. Also, you do not need to pass option 6 to clients as that sends the static entries by default - but there is the use of a non-local server entry, so there is that. The problem is multi-fold, and I agree with what @SurprisedItWorks suggested.
_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT Pogo - A minimal level of ability is expected and needed... At some point, people just get plain tired of this place. Because they are tired of bottom-feeders and the same old hat.
----------------------
Linux User #377467 counter.li.org / linuxcounter.net
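The settings called out in the last few posts (DNSSEC without a check of unsigned replies, rebind protection off, no strict order, upstream DNS servers on the LAN subnet, DHCP option 6 pushed to clients) correspond to the dnsmasq options dnssec, dnssec-check-unsigned, stop-dns-rebind, strict-order, server= and dhcp-option=6. As an added example that is not part of this thread or of DD-WRT, here is a small Python audit that reads a dnsmasq configuration and flags those combinations; the sample config inside it is constructed, and the location of the live file on a DD-WRT router (/tmp/dnsmasq.conf) is an assumption.

```python
import ipaddress

# Constructed sample mirroring the setup criticised in the thread: DNSSEC without
# dnssec-check-unsigned, no rebind protection, no strict order, upstream servers
# on the LAN subnet, DHCP option 6 pushed. On a DD-WRT router the live file is
# assumed to be /tmp/dnsmasq.conf; feed its contents in instead of this sample.
SAMPLE_CONF = """\
interface=br0
dnssec
server=192.168.1.10
server=192.168.1.11
server=8.8.8.8
dhcp-option=6,192.168.1.10,192.168.1.11
"""

# The same idea with the thread's recommendations applied; audits clean.
HARDENED_CONF = "dnssec\ndnssec-check-unsigned\nstop-dns-rebind\nstrict-order\nserver=1.1.1.1\n"

def audit_dnsmasq(text):
    """Return one finding string per DNS hygiene point raised in the thread."""
    flags, options = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            key, sep, value = line.partition("=")
            if sep:
                options.append((key.strip(), value.strip()))
            else:
                flags.add(key)
    findings = []
    if "dnssec" in flags and "dnssec-check-unsigned" not in flags:
        findings.append("dnssec enabled without dnssec-check-unsigned")
    if "stop-dns-rebind" not in flags:
        findings.append("rebind protection (stop-dns-rebind) is off")
    if "strict-order" not in flags:
        findings.append("no strict-order: any listed server may be queried")
    for key, value in options:
        if key == "server":
            addr = value.rsplit("/", 1)[-1]  # also covers server=/domain/ip
            try:
                if ipaddress.ip_address(addr).is_private:
                    findings.append(f"upstream server {addr} is on a local subnet")
            except ValueError:
                pass  # server=/domain/ with no address, or a hostname form
        elif key == "dhcp-option":
            parts = [p.strip() for p in value.split(",")]
            if "6" in parts or "option:dns-server" in parts:
                findings.append(f"DHCP option 6 pushed explicitly: {value}")
    return findings
```

Run it against the sample and the hardened variant side by side to see which of the thread's points each configuration trips; on a router, read /tmp/dnsmasq.conf and pass its text to audit_dnsmasq.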