[SOLVED] Avoid ISP DNS settings ... / DNS is SLOW?!

DD-WRT Forum Index -> Atheros WiSOC based Hardware
jerrytouille
DD-WRT Guru


Joined: 11 Dec 2015
Posts: 1304

Posted: Fri May 10, 2019 22:28
Or put the Pi in the DMZ if you'd like to keep the FW up.
rnio
DD-WRT User


Joined: 21 Apr 2012
Posts: 94

Posted: Fri May 10, 2019 23:09
Putting the Pi in the DMZ is a thought ... but then the Pi is a bit exposed ...

Anyhow, after some more debugging ...

If ANY of the Block WAN Requests options is ticked on, the DNS processing slows down.

All of these are HARD-CODED ... Will look at the source and see what kind of iptables rules etc. they trigger.
rnio
DD-WRT User


Joined: 21 Apr 2012
Posts: 94

Posted: Sat May 11, 2019 0:42
OK, it turns out the FW is not the sole culprit. Switching OFF SFE/STP/FW will just extend a "honeymoon" boot-up time, during which the DNS processing is fairly fast.

Looking at the iptables setup file (/tmp/.ipt), there are two rules defining what to do with DNS requests coming through on br0:

Code:
# DNAT rules live in the nat table; the default filter table has no PREROUTING chain
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to 192.168.99.1
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to 192.168.99.1


I tried to REPLACE those two rules,

Code:
# replace nat/PREROUTING rules 1 and 2 (the two DNS DNAT rules) with the Pi's address
iptables -t nat -R PREROUTING 1 -i br0 -p udp --dport 53 -j DNAT --to 192.168.99.6
iptables -t nat -R PREROUTING 2 -i br0 -p tcp --dport 53 -j DNAT --to 192.168.99.6


but with any iptables command I issue (REPLACE / INSERT / ADD) ... nothing sticks.

The command "iptables -t nat -vnL --line-numbers" shows NO CHANGE?!

Any ideas?
jerrytouille
DD-WRT Guru


Joined: 11 Dec 2015
Posts: 1304

Posted: Sat May 11, 2019 3:03
Try "Save Firewall" in the Admin Commands tab.
rnio
DD-WRT User


Joined: 21 Apr 2012
Posts: 94

Posted: Sat May 11, 2019 3:24
Finally ... it's working as it should!

Speed going through the RT is no different from using the DNS server directly.

Thanks everyone for your help.

SPECIAL thanks to jerrytouille for helping me solve this riddle.

I put this in as the FW rule set:

Code:
# saved via Administration > Commands > Save Firewall so it is re-applied on every boot;
# -t nat because the DNS DNAT rules being replaced are in the nat table
iptables -t nat -R PREROUTING 1 -i br0 -p udp --dport 53 -j DNAT --to 192.168.99.6
iptables -t nat -R PREROUTING 2 -i br0 -p tcp --dport 53 -j DNAT --to 192.168.99.6
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6870
Location: Romerike, Norway

Posted: Sat May 11, 2019 7:37
rnio wrote:
iptables -t nat -R PREROUTING 1 -i br0 -p udp --dport 53 -j DNAT --to 192.168.99.6
iptables -t nat -R PREROUTING 2 -i br0 -p tcp --dport 53 -j DNAT --to 192.168.99.6


These rules redirect any DNS from clients on br0 to the Pi even if another DNS server is set.

If your Pi is located on the br0 interface, a routing loop will occur. The request from the Pi will be redirected back to itself. You can solve it by moving the Pi to a separate interface or by adding a "not the Pi's IP" match to the rules.

Code:
# "! -s" excludes the Pi's own upstream queries; the older "-s !" spelling is rejected by current iptables
iptables -t nat -I PREROUTING -i br0 ! -s 192.168.99.6 -p udp --dport 53 -j DNAT --to 192.168.99.6
iptables -t nat -I PREROUTING -i br0 ! -s 192.168.99.6 -p tcp --dport 53 -j DNAT --to 192.168.99.6
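The two posts above do the same job by hand: find DD-WRT's DNS DNAT rules in nat/PREROUTING, replace them with rules pointing at the Pi, and keep the Pi's own upstream queries out of the redirect. As an added example (not code from the thread or from DD-WRT), here is a small POSIX sh script that does that without hard-coding rule positions 1 and 2: it reads the output of `iptables -t nat -vnL PREROUTING --line-numbers`, deletes every existing port-53 DNAT rule, and inserts the Pi redirect with the `! -s` exclusion. The Pi address 192.168.99.6 and the LAN bridge br0 are taken from the thread; the listing column layout is assumed to be the standard iptables `-v` layout (num, pkts, bytes, target, prot, ...).

```shell
#!/bin/sh
# Added example, not from the thread or DD-WRT. Emit idempotent iptables
# commands that send all LAN DNS traffic on br0 to a Pi-hole.
# Assumptions: Pi-hole at 192.168.99.6 on the LAN bridge br0 (the thread's
# addresses); the DNS DNAT rule positions are discovered, not hard-coded.
PIHOLE_IP="${PIHOLE_IP:-192.168.99.6}"
LAN_IF="${LAN_IF:-br0}"

# Read `iptables -t nat -vnL PREROUTING --line-numbers` on stdin and print the
# rule numbers of every port-53 DNAT rule (the ones DD-WRT's "Forced DNS
# Redirection" installs, plus any earlier attempt of ours). With -v the
# columns are: num pkts bytes target prot opt in out source destination ...
dns_dnat_rule_numbers() {
    awk '$1 ~ /^[0-9]+$/ && $4 == "DNAT" && /dpt:53([^0-9]|$)/ { print $1 }'
}

# $1 = current nat/PREROUTING listing. Prints the commands to run: delete the
# old DNS DNAT rules (highest number first, so the remaining numbers stay
# valid), then insert the Pi-hole redirect for UDP and TCP. The "! -s" match
# keeps the Pi's own upstream queries from being DNAT'd back to itself.
emit_redirect_rules() {
    nums=$(printf '%s\n' "$1" | dns_dnat_rule_numbers | sort -rn)
    for n in $nums; do
        echo "iptables -t nat -D PREROUTING $n"
    done
    for proto in udp tcp; do
        echo "iptables -t nat -I PREROUTING -i $LAN_IF ! -s $PIHOLE_IP" \
             "-p $proto --dport 53 -j DNAT --to-destination $PIHOLE_IP"
    done
}

# Apply on the router (needs root): sh dns-redirect.sh apply
# Paste the two printed -I lines into Administration > Commands > Save Firewall
# so they survive a reboot, as the thread found.
if [ "${1:-}" = "apply" ]; then
    emit_redirect_rules "$(iptables -t nat -vnL PREROUTING --line-numbers)" | sh
    iptables -t nat -vnL PREROUTING --line-numbers
fi
```

Without the `apply` argument the script only prints the commands, so you can review what it would delete before running it on the router. The `-D` step is what makes it safe to run twice: a second run removes the rules the first run inserted and re-inserts them, instead of stacking duplicates at the top of the chain.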
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12917
Location: Netherlands

Posted: Sat May 11, 2019 10:19
Do not enable "Forced DNS Redirection" on the Setup page;

you are doing your own redirection with the firewall rules.

Do not enable "No DNS Rebind" on the Services page.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
jerrytouille
DD-WRT Guru


Joined: 11 Dec 2015
Posts: 1304

Posted: Sat May 11, 2019 14:24
^What he said. So this should work:

disable "Forced DNS Redirection" on Setup page (if any)
disable all dnsmasq options, especially "No DNS Rebind", leave dnsmasq on/enabled
add these:
no-resolv
no-poll
server=<piholeip>
<blank line>

remove all additional firewall commands
save after each step
reboot
rnio
DD-WRT User


Joined: 21 Apr 2012
Posts: 94

Posted: Sat May 11, 2019 15:27
Thanks again!

This is the CLEANEST setup / working solution to my initial problem.

When I DISABLE "Forced DNS Redirection" on the Setup page, it removes the first two iptables rules, which redirect all DNS requests coming through br0 to the router.

This was slowing down the DNS queries and thus required the firewall rules mentioned above to be fixed.

With @jerrytouille's settings all is good now.

NICE TO HAVE:

How would I "squeeze in" an ultimate fallback ... just in case my kids drop the Pi into the milk?
jerrytouille
DD-WRT Guru


Joined: 11 Dec 2015
Posts: 1304

Posted: Sat May 11, 2019 15:45
rnio wrote:
How would I "squeeze in" an ultimate fallback ... just in case my kids drop the Pi into the milk?

Add these static entries on the Setup page in this order:
<pi hole ip>
1.1.1.1 <or any other public DNS>
1.0.0.1

check the "enable strict order" dnsmasq option
remove all additional dnsmasq options
<save each step>
reboot

*ipconfig /flushdns on the clients (optional)
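The two procedures jerrytouille gives (the "cleanest" Pi-only setup a few posts up, and the fallback version just above) map onto a handful of dnsmasq directives. As an added example that is not from the thread, here they are side by side as they would be typed into the Services page's "Additional DNSMasq Options" box (ending with the blank line he mentions); the Pi address 192.168.99.6 is the thread's, and the fallback variant writes the public resolvers as `server=` lines rather than Setup-page Static DNS entries, because `no-resolv` makes dnsmasq ignore the resolv file those entries would land in. Leaving "No DNS Rebind" off, as egc and jerrytouille advise, matters with either variant: dnsmasq's rebind protection rejects upstream answers that point into private address ranges, and a Pi-hole answers blocked names with 0.0.0.0 or its own LAN address.

```conf
# Variant A: every LAN query goes to the Pi-hole and nowhere else.
# no-resolv: do not read the resolv file that DD-WRT fills from the WAN/ISP
#            or the Static DNS fields, so those servers are never used.
# no-poll:   do not watch that file for changes either.
# server=:   the only upstream dnsmasq knows about (Pi-hole, assumed address).
no-resolv
no-poll
server=192.168.99.6

# Variant B: same, plus public fallbacks. strict-order makes dnsmasq try the
# servers in the order listed instead of spreading queries across all of
# them, which is the dnsmasq default and would leak even with the Pi up.
# Caveat: whenever the Pi fails to answer, dnsmasq moves on to the next
# server, so queries go to 1.1.1.1 / 1.0.0.1 for as long as it thinks the
# Pi is down. Use one variant, not both.
no-resolv
no-poll
server=192.168.99.6
server=1.1.1.1
server=1.0.0.1
strict-order
```

Comments in a dnsmasq config must sit on their own lines starting with `#`; a trailing comment after a value is read as part of the value.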
rnio
DD-WRT User


Joined: 21 Apr 2012
Posts: 94

Posted: Sat May 11, 2019 16:17
Tried your suggestion.

It works ... but it also leaks ...

I can understand WHY; if for whatever reason the RT thinks the Pi is gone ... it will start using the other DNS servers ...

It would be nice if there were a way to increase the trigger threshold of the DNS server switch (instead of ~50 ms ... make it 500 ms). This would slow the DNS resolution down ... but then it would NOT leak my DNS queries as long as my Pi is up and running.
jerrytouille
DD-WRT Guru


Joined: 11 Dec 2015
Posts: 1304

Posted: Sat May 11, 2019 16:57
Check the dnsmasq man page to see if they have such options:
http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html

BTW, I've had DNS issues myself with DD-WRT builds, including leaks, so I'm using Kong's OpenWrt:
http://www.desipro.de/openwrt/