DNS seems completely broken on my netgear r9000 router

DD-WRT Forum Index -> Advanced Networking
elyograg
DD-WRT User


Joined: 11 Jul 2021
Posts: 56

Posted: Sat May 27, 2023 22:23
kernel-panic69 wrote:
You have DNSSEC configured, but no check of unsigned replies. Do your configured DNS servers support DNSSEC? Not sure why you have No DNS rebind disabled, nor why no query in strict order. Also, you do not need to pass option 6 to clients as that sends the static entries by default - but there is the use of a non-local server entry, so there is that. The problem is multi-fold, and I agree with what @SurprisedItWorks suggested.


"No DNS rebind" is disabled because my DNS servers DO return private IP addresses. If I enable that, then everything breaks.

My DNS servers do support DNSSEC for queries. The zones they serve are not set up with DNSSEC. But the public versions of those zones in AWS Route53 *are* doing DNSSEC.

It's been a long time since I put option 6 in the DHCP settings. As I recall, I did this because without it, DHCP clients would only get the router address for DNS, and I wanted clients to speak directly to the DNS servers. At this point if I removed that, DNS would break for my whole network because for some reason DD-WRT cannot make DNS requests at the moment.

All these settings are NOT new. They used to work. I do not know when it stopped working, and I am not aware of any changes. Something must have changed.

I purposefully did not use public DNS servers, because they do not know about my internal resources, and will not return private IP addresses for the few resources that they DO know about.

I am not sure why the strict ordering option was disabled. I have enabled it.
elyograg
DD-WRT User


Joined: 11 Jul 2021
Posts: 56

Posted: Sat May 27, 2023 22:38
I just fixed it. But I have no idea why the fix works. When running nslookup with an explicit IP address to query, I would not expect /etc/resolv.conf to be involved.

This was the contents of /etc/resolv.conf:

Code:

search elyograg.org
search elyograg.org
nameserver 192.168.217.1


That is the IP address of the router. If I change that to 192.168.217.170 (the VIP that my two servers share), then suddenly everything works.

I don't recall ever changing /etc/resolv.conf on the router before.
elyograg
DD-WRT User


Joined: 11 Jul 2021
Posts: 56

Posted: Sat May 27, 2023 22:39
The router's time is now synced with ntp.
elyograg
DD-WRT User


Joined: 11 Jul 2021
Posts: 56

Posted: Sat May 27, 2023 22:46
Well, maybe not everything works. The problem shown in the screenshot is annoying, and I would like it to be fixed, but I can live with it for now.

The last two names I pinged that failed are not in /tmp/hosts on the router. They ARE in my pair of DNS servers. The gimli.elyograg.org host is in the router's static DHCP leases, so it is found in /tmp/hosts.
elyograg
DD-WRT User


Joined: 11 Jul 2021
Posts: 56

Posted: Sat May 27, 2023 23:35
After a router reboot, my change to /etc/resolv.conf has been reverted.
dale_gribble39
DD-WRT Guru


Joined: 11 Jun 2022
Posts: 1899

Posted: Sun May 28, 2023 0:31
Look into

Code:
rebind-localhost-ok
rebind-domain-ok

among other things you are completely missing.

https://thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html

Of COURSE the /etc/resolv.conf file changes will not survive a reboot. We still do not know what you are using for your personal DNS servers, nor their configuration, but your configuration does not make any sense the larger the picture opens up. "IT'S DD-WRT BROKEN!"... 'fraid not. It's a mis-configuration problem.

_________________
"The woods are lovely, dark and deep,
But I have promises to keep,
And miles to go before I sleep,
And miles to go before I sleep." - Robert Frost

"I am one of the noticeable ones - notice me" - Dale Frances McKenzie Bozzio

<fact>code knows no gender</fact>

This is me, knowing I've ruffled your feathers, and not giving a ****
Some people are still hard-headed.

--------------------------------------
Mac Pro (Mid 2012) - Two 2.4GHz 6-Core Intel Xeon E5645 processors 64GB 1333MHz DDR3 ECC SDRAM OpenSUSE Leap 15.5
blkt
DD-WRT Guru


Joined: 20 Jan 2019
Posts: 5660

Posted: Sun May 28, 2023 5:56
elyograg wrote:
The router's time is now synced with ntp.
Blank field NTP Client Settings -> Server IP / Name? pool.ntp.org alone is not enough; you need an additional IP too.

https://www.pool.ntp.org/zone/us ---> https://tf.nist.gov/tf-cgi/servers.cgi ---> https://www.ntppool.org/scores/

Example field pool plus local servers good scores: 2.us.pool.ntp.org 128.138.141.172 132.163.97.2 132.163.96.2
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

Posted: Sun May 28, 2023 9:24
So, nothing is broken but rather misconfigured, more likely.
If you use external DNS resolving, let's say from another machine on your network, then set it as it should be; you can use the DNS Pi-hole as an example:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=331414
And add an IP in NTP time, as we all suggest.

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
elyograg
DD-WRT User


Joined: 11 Jul 2021
Posts: 56

Posted: Sun May 28, 2023 23:49
This is just bizarre.

With /etc/resolv.conf pointing at the router itself, nslookup to 8.8.8.8 doesn't work. When it is changed to my server VIP at the .170 address, that nslookup suddenly works! This makes no sense to me.

I reboot my router once a week, Sunday at 4 AM. So /etc/resolv.conf got reset again.
elyograg
DD-WRT User


Joined: 11 Jul 2021
Posts: 56

Posted: Sun May 28, 2023 23:55
That seems to indicate that nslookup is ignoring the destination.

A packet capture confirms this ... the request is NOT going to 8.8.8.8, it is going to the IP address in /etc/resolv.conf.

Code:
root@orthanc:~# tcpdump -nni br0 port 53 and host orthanc
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on br0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
17:54:04.028158 IP 192.168.217.1.36024 > 192.168.217.170.53: 18300+ PTR? 8.8.8.8.in-addr.arpa. (38)
17:54:04.028705 IP 192.168.217.170.53 > 192.168.217.1.36024: 18300 1/0/0 PTR dns.google. (62)
17:54:04.028932 IP 192.168.217.1.40721 > 192.168.217.170.53: 51980+ A? google.com. (28)
17:54:04.028966 IP 192.168.217.1.40721 > 192.168.217.170.53: 52600+ AAAA? google.com. (28)
17:54:04.029406 IP 192.168.217.170.53 > 192.168.217.1.40721: 51980 1/0/0 A 172.217.15.238 (44)
17:54:04.029452 IP 192.168.217.170.53 > 192.168.217.1.40721: 52600 0/0/0 (28)
17:54:04.029621 IP 192.168.217.1.47421 > 192.168.217.170.53: 11995+ PTR? 238.15.217.172.in-addr.arpa. (45)
17:54:04.030047 IP 192.168.217.170.53 > 192.168.217.1.47421: 11995 1/0/0 PTR slc09s01-in-f14.1e100.net. (84)
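The redirection visible in this capture can be checked without trusting any resolver library or nslookup build. As an added example (not code from the thread), this Python script builds the DNS query itself and sends it over UDP to exactly the server given, so nothing in /etc/resolv.conf can steer it; it also decodes the response code, so a SERVFAIL like the ones seen in the `host` output comes back as rcode 2.

```python
# Added example (not from the thread): query one explicit DNS server over raw UDP.
import random
import socket
import struct

def build_query(name, qtype=1, tid=None):
    """Return (transaction id, wire-format query); RD set, one question."""
    tid = random.randrange(0x10000) if tid is None else tid
    header = struct.pack(">HHHHHH", tid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split("."))
    return tid, header + qname + b"\x00" + struct.pack(">HH", qtype, 1)

def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels = []
    while True:
        ln = msg[off]
        if ln == 0:
            return ".".join(labels), off + 1
        if ln & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            return ".".join(labels + [read_name(msg, ptr)[0]]), off + 2
        labels.append(msg[off + 1:off + 1 + ln].decode())
        off += ln + 1

def parse_response(msg, tid):
    """Return (rcode, [A addresses]); rcode 2 is the SERVFAIL seen in the thread."""
    rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if rid != tid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):                             # skip the echoed question
        _, off = read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0xF, addrs

def query(server, name, port=53, timeout=3.0):
    """Ask exactly `server` for `name`: no resolver library, no resolv.conf."""
    tid, pkt = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, port))
        data, _ = s.recvfrom(4096)
    return parse_response(data, tid)
```

Run `query("192.168.217.170", "google.com")` from the router and compare with `query("192.168.217.1", "google.com")`; a tcpdump like the one above will then show each request going where it was told.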
elyograg
DD-WRT User


Joined: 11 Jul 2021
Posts: 56

Posted: Mon May 29, 2023 0:39
That suggests that the nslookup that's included in busybox does not process command-line arguments in the same way as the full nslookup binary.

The DNS server running on the router itself is not working. If it were, then the router's address in /etc/resolv.conf would work correctly.

`lsof -Pn -i :53` shows that dnsmasq is bound to UDP and TCP port 53. How do I troubleshoot dnsmasq?

If I restart the dnsmasq service this is what it puts in /var/log/messages:

Code:
May 28 18:33:40 orthanc user.info : [dnsmasq] : daemon trying to stop
May 28 18:33:40 orthanc daemon.info dnsmasq[1772]: exiting on receipt of SIGTERM
May 28 18:33:40 orthanc user.info : [dnsmasq] : daemon successfully stopped
May 28 18:33:40 orthanc user.info : _evalpid:dnsmasq -u root -g root -C /tmp/dnsmasq.conf
May 28 18:33:40 orthanc daemon.info dnsmasq[3942]: started, version 2.89 cachesize 4096
May 28 18:33:40 orthanc daemon.info dnsmasq[3942]: compile time options: IPv6 GNU-getopt no-DBus no-UBus no-i18n no-IDN DHCP DHCPv6 no-Lua no-TFTP no-conntrack ipset no-nftset no-auth cryptohash DNSSEC loop-detect inotify no-dumpfile
May 28 18:33:40 orthanc daemon.info dnsmasq[3942]: DNSSEC validation enabled
May 28 18:33:40 orthanc daemon.info dnsmasq[3942]: configured with trust anchor for <root> keytag 20326
May 28 18:33:40 orthanc daemon.warn dnsmasq[3942]: warning: ignoring resolv-file flag because no-resolv is set
May 28 18:33:40 orthanc daemon.info dnsmasq-dhcp[3942]: DHCP, IP range 192.168.217.100 -- 192.168.217.149, lease time 1h
May 28 18:33:40 orthanc daemon.info dnsmasq[3942]: using nameserver 127.0.0.1#6053
May 28 18:33:40 orthanc daemon.info dnsmasq[3942]: using only locally-known addresses for test
May 28 18:33:40 orthanc daemon.info dnsmasq[3942]: using only locally-known addresses for onion
May 28 18:33:40 orthanc daemon.info dnsmasq[3942]: using only locally-known addresses for localhost
May 28 18:33:40 orthanc daemon.info dnsmasq[3942]: using only locally-known addresses for local
May 28 18:33:40 orthanc daemon.info dnsmasq[3942]: using only locally-known addresses for invalid
May 28 18:33:40 orthanc daemon.info dnsmasq[3942]: using only locally-known addresses for bind
May 28 18:33:40 orthanc daemon.info dnsmasq[3942]: read /etc/hosts - 20 names
May 28 18:33:40 orthanc user.info : [dnsmasq] : successfully started


If I do a `host` lookup from another machine pointing at the router, it can resolve names in the router's /etc/hosts but is unable to resolve google.com. Not everything works, though. There are two SERVFAIL messages after the successful lookup.

Code:
root@gimli:~# host google.com 192.168.217.1
Using domain server:
Name: 192.168.217.1
Address: 192.168.217.1#53
Aliases:

Host google.com not found: 2(SERVFAIL)
root@gimli:~#
root@gimli:~# host legolas.elyograg.org 192.168.217.1
Using domain server:
Name: 192.168.217.1
Address: 192.168.217.1#53
Aliases:

legolas.elyograg.org has address 192.168.217.165
Host legolas.elyograg.org not found: 2(SERVFAIL)
Host legolas.elyograg.org not found: 2(SERVFAIL)
elyograg
DD-WRT User


Joined: 11 Jul 2021
Posts: 56

Posted: Mon May 29, 2023 0:49
This is the contents of /tmp/dnsmasq.conf:

Code:
root@orthanc:/var/log# cat /tmp/dnsmasq.conf
interface=br0
resolv-file=/tmp/resolv.dnsmasq
strict-order
server=127.0.0.1#6053
no-resolv
domain=elyograg.org
dhcp-leasefile=/tmp/dnsmasq.leases
dhcp-lease-max=67
dhcp-option=br0,3,192.168.217.1
dhcp-authoritative
dhcp-range=br0,192.168.217.100,192.168.217.149,255.255.255.0,60m
dhcp-host=00:19:DB:20:6A:03,frodo,192.168.217.198,180m
dhcp-host=54:10:EC:69:2A:04,legolas,192.168.217.165,180m
dhcp-host=B8:27:EB:4E:68:E2,gimli,192.168.217.166,180m
dhcp-host=30:9C:23:62:72:C2,glados,192.168.217.222,180m
dhcp-host=0c:37:96:2f:00:f1,sheisey-dell-lp,192.168.217.219,180m
dhcp-host=16:8b:32:b9:4b:55,smeagol,192.168.217.200,180m
dhcp-host=78:45:58:4f:ed:be,eregion,192.168.217.13,180m
dhcp-host=52:54:00:26:6d:5a,unifi-vm,192.168.217.180,180m
dhcp-host=2E:8B:81:68:44:88,gandalf,192.168.217.202,180m
dhcp-host=be:3f:67:fc:ce:6b,sheisey-desktop,192.168.217.210,180m
dhcp-host=C4:0A:CB:F0:BE:41,rivendell,192.168.217.10,180m
dhcp-host=18:FB:7B:9B:A6:45,smeagol-idrac,192.168.217.201,180m
dhcp-host=9E:09:9D:D0:DC:F4,sauron,192.168.217.199,180m
dhcp-host=14:cb:19:3b:c0:d2,hp6000e,192.168.217.250,180m
dhcp-host=52:54:00:58:46:55,openwrt,192.168.217.207,180m
dhcp-host=52:54:00:1b:4d:8e,boromir,192.168.217.208,180m
dhcp-host=52:54:00:05:c5:0b,meriadoc,192.168.217.206,180m
bogus-priv
conf-file=/etc/rfc6761.conf
clear-on-reload
conf-file=/etc/trust-anchors.conf
dnssec
dnssec-check-unsigned
proxy-dnssec
dhcp-rapid-commit
dhcp-option=252,"\n"
cache-size=4096
dns-forward-max=150
dhcp-option=121,0.0.0.0/0,192.168.217.1,192.168.57.0/24,192.168.217.10
dhcp-option=6,192.168.217.200,192.168.217.202


Attached is a screenshot of the whole "services" page. I have enabled the smart resolver and a few options under the dnsmasq config that were not enabled before.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

Posted: Mon May 29, 2023 7:12
The contents of /tmp/dnsmasq.conf look messy to me...
strict-order
server=127.0.0.1#6053
dhcp-option=6,192.168.217.200,192.168.217.202

Yep, not serendipitously, DNSmasq is using TCP & UDP port 53 by default, as those are the default ports.

But in your case, it seems you are using SmartDNS, which uses server=127.0.0.1#6053,
and you also have dhcp-option=6,192.168.217.200,192.168.217.202.

This is the default SmartDNS port (6053), and if you use DNSmasq all requests to port 53 are "dns UNREPLIED" but forwarded to server=127.0.0.1#6053 instead, which in this case is forwarding to the SmartDNS resolver's specified servers, if any; otherwise it will use the default DNS servers specified in the three DNS boxes, or, if any, in the DNSmasq advanced box, spelled correctly.
I guess, as I look at your DNSmasq field, you created a loop that will go nowhere, I believe.

So, turn SmartDNS off, or use it as it's intended to be used; as in your case it cannot work and reach internal servers like those you specified in the DNSmasq box, "I believe".

Validate DNS Replies (DNSSEC) - Disable - (Always turn off when you turn on SmartDNS)
Check Unsigned DNS replies - Disable - as you don't have DNSSEC
If I use SmartDNS, I also disable the DNSmasq cache, as it has its own caching, if it's configured correctly.

I would suggest:
-turn off SmartDNS
-add to Advanced DNSmasq box:

no-resolv
dhcp-option=6,192.168.blabla what ever

-turn off Query in strict order (as you have only one line option)
-(optional) turn WAN traffic counter off (disabled)

save, apply, reboot

(or use SmartDNS as it should be configured, correctly)
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=323896&start=240

I guess gandalf and smeagol are your DNS servers (I hope they are not pointed back to the router's DNS resolving capabilities).

Make sure the server you point out is not the internal router address; it must be your external DNS resolving device that is in the range of your network, or reachable, at least.

I've no idea why someone would like to use SmartDNS over DNSmasq, pointed to an external DNS resolver...

Good job you didn't decide to turn on encrypted DNS, to accomplish the full mess around...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
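As an added example (not DD-WRT's or dnsmasq's own code), the following Python script parses the /tmp/dnsmasq.conf posted earlier in the thread and flags the option interactions discussed in this post and visible in the dnsmasq log: resolv-file ignored under no-resolv, a lone loopback forwarder on port 6053, strict-order with a single upstream, dnssec-check-unsigned against zones that are not signed, and DHCP option 6 pointing clients away from the router. The finding codes and explanations are my own wording, not dnsmasq's.

```python
# Added example (not DD-WRT's or dnsmasq's code): parse a dnsmasq.conf and flag
# the option interactions this thread ends up diagnosing.
# Constructed excerpt of the config posted earlier in the thread.
CONF = """\
interface=br0
resolv-file=/tmp/resolv.dnsmasq
strict-order
server=127.0.0.1#6053
no-resolv
dhcp-option=br0,3,192.168.217.1
dnssec
dnssec-check-unsigned
dhcp-option=6,192.168.217.200,192.168.217.202
"""

def parse_dnsmasq(text):
    """Map each option name to the list of values given; bare flags map to ['']."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, val = line.partition("=")
            opts.setdefault(key, []).append(val)
    return opts

def dhcp_option_values(raw):
    """Split 'tag,number,v1,v2' or 'number,v1,v2' into (number, [values])."""
    parts = raw.split(",")
    if not parts[0].isdigit():                      # leading interface/tag such as br0
        parts = parts[1:]
    return int(parts[0]), parts[1:]

def audit(opts, router_ip):
    """Return (code, explanation) findings; an empty list means nothing was flagged."""
    findings = []
    servers = opts.get("server", [])
    if "no-resolv" in opts and "resolv-file" in opts:
        findings.append(("RESOLV_FILE_IGNORED", "resolv-file is ignored because no-resolv is set"))
    if "no-resolv" in opts and not servers:
        findings.append(("NO_UPSTREAM", "no-resolv with no server= line leaves dnsmasq without any upstream"))
    if len(servers) == 1 and servers[0].startswith("127."):
        findings.append(("LOOPBACK_FORWARDER", f"sole upstream is local forwarder {servers[0]}; every lookup fails when it is down or loops back"))
    if "strict-order" in opts and len(servers) < 2:
        findings.append(("STRICT_ORDER_NOOP", "strict-order has nothing to order with fewer than two upstreams"))
    if "dnssec" in opts and "dnssec-check-unsigned" in opts:
        findings.append(("CHECK_UNSIGNED", "unsigned answers need a proof of no DS record; an upstream returning no DNSSEC data turns them into SERVFAIL"))
    for raw in opts.get("dhcp-option", []):
        num, vals = dhcp_option_values(raw)
        if num == 6 and router_ip not in vals:
            findings.append(("DHCP_DNS_BYPASSES_ROUTER", f"option 6 hands clients {vals}; they never query the router, so names known only to its /tmp/hosts resolve only if those servers also carry them"))
    return findings
```

Feed it the real file with `audit(parse_dnsmasq(open("/tmp/dnsmasq.conf").read()), "192.168.217.1")` to see which findings remain after each change.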
All times are GMT