You have DNSSEC configured, but no check of unsigned replies. Do your configured DNS servers support DNSSEC? Not sure why you have No DNS rebind disabled, nor why no query in strict order. Also, you do not need to pass option 6 to clients as that sends the static entries by default - but there is the use of a non-local server entry, so there is that. The problem is multi-fold, and I agree with what @SurprisedItWorks suggested.
"No DNS rebind" is disabled because my DNS servers DO return private IP addresses. If I enable that, then everything breaks.
My DNS servers do support DNSSEC for queries. The zones they serve are not set up with DNSSEC. But the public versions of those zones in AWS Route53 *are* doing DNSSEC.
It's been a long time since I put option 6 in the DHCP settings. As I recall, I did this because without it, DHCP clients would only get the router address for DNS, and I wanted clients to speak directly to the DNS servers. At this point if I removed that, DNS would break for my whole network because for some reason DD-WRT cannot make DNS requests at the moment.
All these settings are NOT new. They used to work. I do not know when it stopped working, and I am not aware of any changes. Something must have changed.
I purposefully did not use public DNS servers, because they do not know about my internal resources, and will not return private IP addresses for the few resources that they DO know about.
I am not sure why the strict ordering option was disabled. I have enabled it.
I just fixed it. But I have no idea why the fix works. When running nslookup with an explicit IP address to query, I would not expect /etc/resolv.conf to be involved.
Well, maybe not everything works. The problem shown in the screenshot is annoying, and I would like it to be fixed, but I can live with it for now.
The last two names I pinged that failed are not in /tmp/hosts on the router. They ARE in my pair of DNS servers. The gimli.elyograg.org host is in the router's static DHCP leases, so it is found in /tmp/hosts.
Of COURSE the /etc/resolv.conf file changes will not survive a reboot. We still do not know what you are using for your personal DNS servers, nor their configuration, but your configuration does not make any sense the larger the picture opens up. "IT'S DD-WRT BROKEN!"... 'fraid not. It's a mis-configuration problem.
_________________
"The woods are lovely, dark and deep,
But I have promises to keep,
And miles to go before I sleep,
And miles to go before I sleep." - Robert Frost
"I am one of the noticeable ones - notice me" - Dale Frances McKenzie Bozzio
Joined: 16 Nov 2015 Posts: 6446 Location: UK, London, just across the river..
Posted: Sun May 28, 2023 9:24
so, nothing is broken but rather misconfigured…more likely
if you use an external DNS resolver, let's say from another machine on your
network, then set it as it should be; you can use the DNS Pi-hole as an example
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=331414
and add an IP in NTP time as we all suggest
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
With /etc/resolv.conf pointing at the router itself, nslookup to 8.8.8.8 doesn't work. When it is changed to my server VIP at the .170 address, that nslookup suddenly works! This makes no sense to me.
I reboot my router once a week, Sunday at 4 AM. So /etc/resolv.conf got reset again.
That suggests that the nslookup that's included in busybox does not process command-line arguments in the same way as the full nslookup binary.
The DNS server running on the router itself is not working. If it were, then the router's address in /etc/resolv.conf would work correctly.
`lsof -Pn -i :53` shows that dnsmasq is bound to UDP and TCP port 53. How do I troubleshoot dnsmasq?
If I restart the dnsmasq service this is what it puts in /var/log/messages:
Code:
May 28 18:33:40 orthanc user.info : [dnsmasq] : daemon trying to stop
May 28 18:33:40 orthanc daemon.info dnsmasq[1772]: exiting on receipt of SIGTERM
May 28 18:33:40 orthanc user.info : [dnsmasq] : daemon successfully stopped
May 28 18:33:40 orthanc user.info : _evalpid:dnsmasq -u root -g root -C /tmp/dnsmasq.conf
May 28 18:33:40 orthanc daemon.info dnsmasq[3942]: started, version 2.89 cachesize 4096
May 28 18:33:40 orthanc daemon.info dnsmasq[3942]: compile time options: IPv6 GNU-getopt no-DBus no-UBus no-i18n no-IDN DHCP DHCPv6 no-Lua no-TFTP no-conntrack ipset no-nftset no-auth cryptohash DNSSEC loop-detect inotify no-dumpfile
May 28 18:33:40 orthanc daemon.info dnsmasq[3942]: DNSSEC validation enabled
May 28 18:33:40 orthanc daemon.info dnsmasq[3942]: configured with trust anchor for <root> keytag 20326
May 28 18:33:40 orthanc daemon.warn dnsmasq[3942]: warning: ignoring resolv-file flag because no-resolv is set
May 28 18:33:40 orthanc daemon.info dnsmasq-dhcp[3942]: DHCP, IP range 192.168.217.100 -- 192.168.217.149, lease time 1h
May 28 18:33:40 orthanc daemon.info dnsmasq[3942]: using nameserver 127.0.0.1#6053
May 28 18:33:40 orthanc daemon.info dnsmasq[3942]: using only locally-known addresses for test
May 28 18:33:40 orthanc daemon.info dnsmasq[3942]: using only locally-known addresses for onion
May 28 18:33:40 orthanc daemon.info dnsmasq[3942]: using only locally-known addresses for localhost
May 28 18:33:40 orthanc daemon.info dnsmasq[3942]: using only locally-known addresses for local
May 28 18:33:40 orthanc daemon.info dnsmasq[3942]: using only locally-known addresses for invalid
May 28 18:33:40 orthanc daemon.info dnsmasq[3942]: using only locally-known addresses for bind
May 28 18:33:40 orthanc daemon.info dnsmasq[3942]: read /etc/hosts - 20 names
May 28 18:33:40 orthanc user.info : [dnsmasq] : successfully started
If I do a `host` lookup from another machine pointing at the router, it can resolve names in the router's /etc/hosts but is unable to resolve google.com. Not everything works, though. There are two SERVFAIL messages after the successful lookup.
Attached is a screenshot of the whole "services" page. I have enabled the smart resolver and a few options under the dnsmasq config that were not enabled before.
Posted: Mon May 29, 2023 7:12
the contents of /tmp/dnsmasq.conf: looks messy to me...
strict-order
server=127.0.0.1#6053
dhcp-option=6,192.168.217.200,192.168.217.202
yep, not serendipitously: DNSmasq is using TCP & UDP port 53 by default..as those are the default ports..
But in your case, it seems you are using SmartDNS, that uses server=127.0.0.1#6053
as well you have dhcp-option=6,192.168.217.200,192.168.217.202
This is the default SmartDNS port (6053) and if you use DNSmasq all requests to port 53 are "dns UNREPLIED", but forwarded to server=127.0.0.1#6053 instead, which in this case is forwarding to the SmartDNS resolver...specified servers, if any..otherwise it will use the default DNS servers specified in the x3 DNS boxes, or if any in the DNSmasq advanced box, spelled correctly..
I guess as I look at your DNSmasq field, you created a loop...that will go nowhere...I believe...
So, turn SmartDNS off, or use it as it's intended to be used; as in your case..it cannot work and reach internal servers like those you specified in the DNSmasq box..."I believe"
Validate DNS Replies (DNSSEC) - Disable - (Always turn off when you turn on SmartDNS)
Check Unsigned DNS replies - Disable - as you don't have DNSSEC
If I use SmartDNS, I also disable the DNSmasq cache, as it has its own caching, if it is configured correctly..
I would suggest:
-turn off SmartDNS
-add to Advanced DNSmasq box:
no-resolv dhcp-option=6,192.168.blabla whatever
-turn off Query in strict order (as you have only one line option)
-(optional) turn WAN traffic counter off (disabled)
I guess..gandalf and smeagul are your DNS servers..(I hope they are not pointed back to the router's DNS resolving capabilities..)
Make sure the server you point out is not the internal router address..it must be your external DNS resolving device, that is in the range of your network, or reachable...at least
I've no idea why someone would like to use SmartDNS over DNSmasq, pointed to an external DNS resolver...
Good job you didn't decide to turn on encrypted DNS, to accomplish the full mess all around...
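The two posts above argue from the same evidence: the dnsmasq startup log the original poster pasted (DNSSEC on, trust anchor loaded, `no-resolv` in effect, a single upstream at 127.0.0.1#6053) and the three /tmp/dnsmasq.conf lines quoted by the reply. The following script, added here as an example and not part of the thread or of DD-WRT, parses both and reports the pitfalls the replies point at: strict-order with one server, a loopback forwarder as the only upstream, DNSSEC validation behind that forwarder, unsigned replies not being checked, resolv.conf being ignored, and DHCP option 6 sending clients past the router. The config text is constructed: it is the quoted lines plus `dnssec` and `no-resolv`, which the log shows are set; the finding codes are this example's own labels.

```python
"""Audit a dnsmasq config and its startup log for forwarding/DNSSEC pitfalls.
Added example for the thread above; not DD-WRT or dnsmasq project code."""
import re

# Constructed input: the /tmp/dnsmasq.conf lines quoted in the thread plus
# `dnssec` and `no-resolv`, which the startup log shows are in effect.
# This is an assumption about the file, not a copy of it.
DNSMASQ_CONF = """\
strict-order
no-resolv
dnssec
server=127.0.0.1#6053
dhcp-option=6,192.168.217.200,192.168.217.202
"""

# The relevant dnsmasq[PID] lines from the startup log posted in the thread.
STARTUP_LOG = """\
May 28 18:33:40 orthanc daemon.info dnsmasq[3942]: started, version 2.89 cachesize 4096
May 28 18:33:40 orthanc daemon.info dnsmasq[3942]: DNSSEC validation enabled
May 28 18:33:40 orthanc daemon.info dnsmasq[3942]: configured with trust anchor for <root> keytag 20326
May 28 18:33:40 orthanc daemon.warn dnsmasq[3942]: warning: ignoring resolv-file flag because no-resolv is set
May 28 18:33:40 orthanc daemon.info dnsmasq[3942]: using nameserver 127.0.0.1#6053
May 28 18:33:40 orthanc daemon.info dnsmasq[3942]: read /etc/hosts - 20 names
"""

LOG_RE = re.compile(r"dnsmasq(?:-dhcp)?\[\d+\]: (.*)$")


def parse_conf(text):
    """dnsmasq directives as (key, value); value is None for bare flags.
    Only whole-line comments are dropped, since '#' also separates host#port."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        out.append((key, value if sep else None))
    return out


def parse_log(text):
    """Extract the facts that matter from dnsmasq's startup messages."""
    info = {"version": None, "dnssec": False, "trust_anchors": [],
            "upstreams": [], "warnings": [], "hosts": 0}
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        msg = m.group(1)
        if msg.startswith("started, version "):
            info["version"] = msg.split()[2]
        elif msg == "DNSSEC validation enabled":
            info["dnssec"] = True
        elif msg.startswith("configured with trust anchor"):
            info["trust_anchors"].append(msg.rsplit("keytag ", 1)[1])
        elif msg.startswith("using nameserver "):
            info["upstreams"].append(msg.split()[2])
        elif msg.startswith("warning: "):
            info["warnings"].append(msg[len("warning: "):])
        elif msg.startswith("read /etc/hosts - "):
            info["hosts"] = int(msg.split(" - ")[1].split()[0])
    return info


def is_local_forwarder(server):
    """True for a loopback upstream on a port other than 53 (SmartDNS uses 6053)."""
    host, _, port = server.partition("#")
    return host.startswith("127.") and port not in ("", "53")


def audit(conf, log):
    """Return (code, explanation) findings; the codes are this example's own."""
    keys = [k for k, _ in conf]
    servers = [v for k, v in conf if k == "server" and v]
    local = [s for s in servers if is_local_forwarder(s)]
    findings = []
    if "strict-order" in keys and len(servers) <= 1:
        findings.append(("STRICT_ORDER_NOOP", "strict-order only matters with several server= lines"))
    for s in local:
        findings.append(("LOCAL_FORWARDER", f"all queries go to a local forwarder at {s}; if it "
                         "forwards back to the router's port 53, loop detection disables it and lookups fail"))
    if log["dnssec"] and local:
        findings.append(("DNSSEC_BEHIND_FORWARDER", "validation needs upstreams that pass RRSIG/DS "
                         "records through; a forwarder that strips them makes signed names SERVFAIL"))
    if "dnssec" in keys and "dnssec-check-unsigned" not in keys:
        findings.append(("DNSSEC_UNSIGNED_UNCHECKED", "unsigned replies are accepted without proving "
                         "the zone is unsigned, so a reply with its signatures stripped still passes"))
    if "no-resolv" in keys:
        findings.append(("RESOLV_IGNORED", "dnsmasq never reads /etc/resolv.conf; editing it only "
                         "changes the router's own nslookup/ping, not what clients get"))
    for k, v in conf:
        if k == "dhcp-option" and v and v.startswith("6,"):
            findings.append(("DHCP_DNS_BYPASS", f"DHCP clients are told to use {v[2:]} directly"))
    findings.extend(("LOG_WARNING", w) for w in log["warnings"])
    return findings


if __name__ == "__main__":
    for code, why in audit(parse_conf(DNSMASQ_CONF), parse_log(STARTUP_LOG)):
        print(f"{code:26} {why}")
```

Run it as-is and it prints seven findings for the posted setup; point `DNSMASQ_CONF` at the real `/tmp/dnsmasq.conf` and `STARTUP_LOG` at the `dnsmasq[PID]` lines from `/var/log/messages` to audit another router. The useful property is that the log, not the config, is the source of truth for what dnsmasq actually loaded: the web UI boxes are rendered into `/tmp/dnsmasq.conf`, and the "using nameserver" lines show which upstreams survived that rendering.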