New Kong Test Build: DD-WRT v3.0-r39855M kongac (05/25/19)

novaspin
DD-WRT Novice


Joined: 23 May 2019
Posts: 5

Posted: Tue May 28, 2019 2:55
Router: Asus RT-AC5300
Firmware: DD-WRT v3.0-r39855M kongac (05/25/19)
Kernel: Linux 4.4.180 #662 SMP Sat May 25 15:26:57 CEST 2019 armv7l
Previous: stock
Status: Working
Reset: Yes
Errors: All SSIDs set to Security Mode WPA2-PSK but one of the 5 GHZ is broadcasting as WEP

I saw this same issue reported in the new build thread for build 33657M, and it was noted that other builds had it as well.

Is there a solution or a build appropriate for the AC5300 that doesn't have this?

Really appreciate the work of the builders.
misosoup7
DD-WRT Novice


Joined: 24 Dec 2014
Posts: 18

Posted: Tue May 28, 2019 5:33
egc wrote:

1. DNS leak see: http://svn.dd-wrt.com/ticket/6020


I see the same "issue" where my ISP's DNS servers are listed in resolv.dnsmasq. But using no-resolv ignores the resolv file as intended. Only servers listed in additional dnsmasq options are used.

In fact, running this:
Code:
tcpdump -n -s 1500 -i eth0 udp port 53


I couldn't see any requests to my ISP's DNS servers. Only the two servers I specified. If you need more proof, you can block your specified DNS servers. I did this (I put Google's servers in the commands here):

Code:
iptables -I INPUT -s 8.8.8.8 -j DROP
iptables -I INPUT -s 8.8.4.4 -j DROP


Running:
Code:
tcpdump -n -s 1500 -i eth0 udp port 53


This shows dnsmasq still trying to query both specified servers and none of the ISP servers. In theory, if it was still using my ISP's DNS, it should then try to query them, but instead it led to no internet on my network, as no connected devices would get DNS results.

Cleaning up after the test was running:
Code:
iptables -D INPUT -s 8.8.8.8 -j DROP
iptables -D INPUT -s 8.8.4.4 -j DROP
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 6934
Location: Netherlands

Posted: Tue May 28, 2019 16:00
I do a somewhat simpler test:
In Static DNS 1 I enter 10.0.0.1
In static DNS 2 I enter 10.0.0.2
In static DNS 3 I enter 10.0.0.3

Of course those are all non-existent DNS servers

Reboot router
Reboot Windows client

I have normal internet with the DNS server from my provider, which is the fourth entry in resolv.dnsmasq

When I telnet to the router and watch the DNS queries with:
Code:
watch -tn5 "cat /proc/net/ip_conntrack | grep ' dport=53 ' | sort -nrk3"


I can see all four! DNS servers being queried

I would call that a DNS leak :)

_________________
Routers:Netgear R7800, R6400v1, R6400v2, Linksys EA8500, EA6900 (XvortexCFE), E2000 (converted WRT320N), WRT54GS v1.
OpenVPN Policy Based Routing: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Wireguard Server setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1183135
Wireguard Client setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324624
Wireguard Advanced setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324787
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
dun4cheap
DD-WRT User


Joined: 14 Mar 2012
Posts: 250

Posted: Tue May 28, 2019 17:31
novaspin wrote:
Router: Asus RT-AC5300
Firmware: DD-WRT v3.0-r39855M kongac (05/25/19)
Kernel: Linux 4.4.180 #662 SMP Sat May 25 15:26:57 CEST 2019 armv7l
Previous: stock
Status: Working
Reset: Yes
Errors: All SSIDs set to Security Mode WPA2-PSK but one of the 5 GHZ is broadcasting as WEP

I saw this same issue reported in the new build thread for build 33657M, and it was noted that other builds had it as well.

Is there a solution or a build appropriate for the AC5300 that doesn't have this?

Really appreciate the work of the builders.


I am not seeing this on any of my AC5300's. Maybe do an erase nvram or nvram erase

Router Model Asus RT-AC5300
Firmware Version DD-WRT v3.0-r37900M kongac (12/03/18)
Kernel Version Linux 4.4.166 #616 SMP Mon Dec 3 01:16:12 CET 2018 armv7l

Router Model Asus RT-AC5300
Firmware Version DD-WRT v3.0-r37900M kongac (12/03/18)
Kernel Version Linux 4.4.166 #616 SMP Mon Dec 3 01:16:12 CET 2018 armv7l

Router Model Asus RT-AC5300
Firmware Version DD-WRT v3.0-r39715M kongac (05/09/19)
Kernel Version Linux 4.4.179 #658 SMP Thu May 9 10:24:44 CEST 2019 armv7l

Router Model Asus RT-AC5300
Firmware Version DD-WRT v3.0-r39345M kongac (04/03/19)
Kernel Version Linux 4.4.177 #650 SMP Wed Apr 3 20:04:03 CEST 2019 armv7l

_________________
Please Fix The Following Bugs:
EOIP Settings not applied automatically after FW upgrade or reboot. http://svn.dd-wrt.com/ticket/4061

The port 80 forwarding bug without reapplying settings appears to have been fixed.

3 Buffalo WZR-1750DHP - DD-WRT v3.0-r29218 std (03/07/16)


6 Buffalo WZR-HP-G300NH2
DD-WRT v3.0-r29218 std (03/07/16)

all in eoip configurations, some with vlans running wep and wpa.

Some with proftp enabled and smb enabled. Mixed ISP from Timewarner cable, Cox Cable and AT&T Uverse.
bushant
DD-WRT Guru


Joined: 18 Nov 2015
Posts: 1516
Location: WCentral Indiana USA

Posted: Tue May 28, 2019 19:02
egc wrote:
When I telnet to the router and watch the DNS queries with:
Code:
watch -tn5 "cat /proc/net/ip_conntrack | grep ' dport=53 ' | sort -nrk3"


Thank You for this! A much better way than I was using to check if stubby is working on the 7800. Change dport=853 and nf_conntrack.

_________________
STUBBY DoT install guide----Forum Guide Lines (Please read!) --- How to get help the right way----PIA Setup Guide by egc----Reports
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 7610
Location: Texas, USA

Posted: Tue May 28, 2019 20:28
egc wrote:
I do a somewhat simpler test:
In Static DNS 1 I enter 10.0.0.1
In static DNS 2 I enter 10.0.0.2
In static DNS 3 I enter 10.0.0.3

Of course those are all non-existent DNS servers

Reboot router
Reboot Windows client

I have normal internet with the DNS server from my provider, which is the fourth entry in resolv.dnsmasq

When I telnet to the router and watch the DNS queries with:
Code:
watch -tn5 "cat /proc/net/ip_conntrack | grep ' dport=53 ' | sort -nrk3"


I can see all four! DNS servers being queried

I would call that a DNS leak :)


Are you using 'all-servers'? That should be the only way it queries all of them at once AFAIK. And I thought a DNS leak would be if it were querying your ISP dns servers... I guess I've misunderstood the problem. Also, checking my E4200 on r39800 BS build, with my current configs, I see no bogus queries, or queries going to ISP dns servers. Yes, whatever you put in static with all-servers is going to be queried. I do not consider that a 'leak', but I can see your point.
spaceghost
DD-WRT User


Joined: 08 Jun 2010
Posts: 105
Location: New Zealand

Posted: Wed May 29, 2019 3:22
Has anyone tested IPSec on this version to see if it is still having issues with the 'No such file or directory' error in Syslog?
_________________
rt-ac3200 & RT-AC68U on Kong, RT-AC66U Brainslayer
rnio
DD-WRT User


Joined: 21 Apr 2012
Posts: 94

Posted: Wed May 29, 2019 6:23
egc wrote:

Code:
watch -tn5 "cat /proc/net/ip_conntrack | grep ' dport=53 ' | sort -nrk3"



Thanks, that was helpful :)

BTW, I gave up ... trying to "hide" my DNS-requests/answers.

The ISP will be able to see not only my queries, but also where I end up going with the DNS results anyhow ... so there is NO point in trying to hide!

What people should be concerned about is the VALIDITY of the DNS results. (Can they be trusted, WHO said so etc.)

I ended up using UNBOUND and have DNSSEC enabled. For privacy I use a VPN.

Just my $0.02
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 6934
Location: Netherlands

Posted: Wed May 29, 2019 7:48
@kp69 That is exactly what is going on, my ISP DNS server is used and I did not want it.

The ISP DNS server is automatically added to the specified DNS servers you specify in Static DNS 1,2,3.
But this is only the case if WAN connection type is set on automatic DHCP, not on static. I have not tested other WAN connection types.
You can just telnet to your router and do:
cat /tmp/resolv.dnsmasq

Mine looks like this (mind you the first three entries are the ones I specified, the fourth is my ISP's which is automatically added):
Code:
root@R6400v1:~# cat /tmp/resolv.dnsmasq
nameserver 9.9.9.9
nameserver 8.8.8.8
nameserver 1.1.1.1
nameserver 89.101.251.228


I do not use any DNSMasq directive. DNSMasq will query all specified DNS servers and use the quickest, or, if you have specified strict order, it will start with the first one and, if it fails, use the second, etc.
So specifying strict order will give you some protection, but if all your specified DNS servers fail it will use your ISP's.

@rnio you are absolutely right that DNSSEC is the better choice but it does not always work reliably yet :(
Regarding VPN, another form of DNS leak can be possible if you are using PBR.
See my signature, in the Simple-PBR thread there is a paper regarding DNS leaks and how to mitigate that (second post).

_________________
Routers:Netgear R7800, R6400v1, R6400v2, Linksys EA8500, EA6900 (XvortexCFE), E2000 (converted WRT320N), WRT54GS v1.
OpenVPN Policy Based Routing: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Wireguard Server setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1183135
Wireguard Client setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324624
Wireguard Advanced setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324787
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
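
Added example (not part of any post in this thread): a shell filter that automates the conntrack check egc describes, printing every server that received DNS queries but is not one of the resolvers you intended to use. The four resolver addresses come from the resolv.dnsmasq listing above; the WAN address 203.0.113.10, the LAN addresses and the sample entries are constructed.

```shell
#!/bin/sh
# Added example; not code from the thread or from DD-WRT.

# Constructed sample in /proc/net/ip_conntrack format. Resolver addresses are
# the ones from the resolv.dnsmasq listing; all other addresses are made up.
sample_conntrack() {
    cat <<'EOF'
udp      17 25 src=192.168.1.50 dst=192.168.1.1 sport=50123 dport=53 packets=1 bytes=60 src=192.168.1.1 dst=192.168.1.50 sport=53 dport=50123 packets=1 bytes=92 mark=0 use=2
udp      17 28 src=203.0.113.10 dst=9.9.9.9 sport=41001 dport=53 packets=1 bytes=60 src=9.9.9.9 dst=203.0.113.10 sport=53 dport=41001 packets=1 bytes=92 mark=0 use=2
udp      17 28 src=203.0.113.10 dst=1.1.1.1 sport=41002 dport=53 packets=1 bytes=60 src=1.1.1.1 dst=203.0.113.10 sport=53 dport=41002 packets=1 bytes=92 mark=0 use=2
udp      17 27 src=203.0.113.10 dst=89.101.251.228 sport=41003 dport=53 packets=1 bytes=60 src=89.101.251.228 dst=203.0.113.10 sport=53 dport=41003 packets=1 bytes=92 mark=0 use=2
udp      17 12 src=203.0.113.10 dst=89.101.251.228 sport=41009 dport=53 packets=1 bytes=60 src=89.101.251.228 dst=203.0.113.10 sport=53 dport=41009 packets=1 bytes=92 mark=0 use=2
udp      17 10 src=198.51.100.7 dst=203.0.113.10 sport=53 dport=40000 packets=1 bytes=80 [UNREPLIED] src=203.0.113.10 dst=198.51.100.7 sport=40000 dport=53 packets=0 bytes=0 mark=0 use=2
EOF
}

# Reads conntrack lines on stdin; arguments are the allowed server addresses.
# Prints each distinct destination queried on DNS_PORT (default 53) that is
# not in the allow-list.
unexpected_dns_servers() {
    awk -v allowed=" $* " -v port="${DNS_PORT:-53}" '
    {
        dst = ""; dport = ""
        # Each entry holds two tuples (original, reply). Only the first
        # dst=/dport= pair says where the query went; a plain grep for
        # " dport=53 " also matches the reply tuple of the last sample line.
        for (i = 1; i <= NF; i++) {
            if (dst == "" && $i ~ /^dst=/)     dst = substr($i, 5)
            if (dport == "" && $i ~ /^dport=/) dport = substr($i, 7)
        }
        if (dport == port && !index(allowed, " " dst " ") && !(dst in seen)) {
            seen[dst] = 1
            print dst
        }
    }'
}

# Allow the three configured resolvers plus the router's LAN address, which
# LAN clients query directly.
sample_conntrack | unexpected_dns_servers 9.9.9.9 8.8.8.8 1.1.1.1 192.168.1.1
# On the router: unexpected_dns_servers 9.9.9.9 ... < /proc/net/ip_conntrack
```

On builds that expose nf_conntrack instead, read that file; set DNS_PORT=853 in the environment to watch DNS-over-TLS traffic as bushant suggests.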
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 7610
Location: Texas, USA

Posted: Wed May 29, 2019 9:07
@egc,

Fortunately, for me, I have access to my ISP-provided modem/router and have set it in DNS bypass mode and specified OpenDNS servers, and its firmware doesn't allow for more than those specified in the webUI. The only 'leak' for me is DD-WRT using the OpenDNS servers specified by the ISP hardware config, because of how I've configured it. There are still upstream commits to dnsmasq not present in DD-WRT AFAIK, at least not in BS builds. While the flexibility to specify a larger number of DNS servers is nice, it just seems that this 'feature' is problematic, or the implementation of dnsmasq in DD-WRT is in need of some tweaking to fix this. There are options in FreshTomato to negate this kind of behavior, to explicitly ignore the ISP-provided-via-DHCP DNS server entries, if I am not mistaken. I need to double-check and take a look at that again to verify, but.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 6934
Location: Netherlands

Posted: Wed May 29, 2019 9:15
What you describe: "to explicitly ignore the ISP-provided-via-DHCP DNS server entries" is exactly what I like to be added :)
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 7610
Location: Texas, USA

Posted: Wed May 29, 2019 9:38
egc wrote:
What you describe: "to explicitly ignore the ISP-provided-via-DHCP DNS server entries" is exactly what I like to be added :)


I am not 100% sure if the 'no-resolv' custom dnsmasq config directive accomplishes this, but I use it along with 'server=w.x.y.z' entries in the custom config section, which seems to help mitigate the issue. I will look and double-check the FT configs later and verify if I am correct on what I said earlier.
blaser
DD-WRT Guru


Joined: 16 Jul 2006
Posts: 514

Posted: Wed May 29, 2019 16:57
spaceghost wrote:
Has anyone tested IPSec on this version to see if it is still having issues with the 'No such file or directory' error in Syslog?


Not sure but ipsec vpn is still not working

_________________
Dlink 890L
technoside2
DD-WRT User


Joined: 25 Oct 2018
Posts: 64

Posted: Thu May 30, 2019 16:54    Post subject: EA6350 V2
Router/Version: Linksys EA6350 v2
Firmware: DD-WRT v3.0-r39855M (05/25/19)
Kernel: Linux 4.4.180 #662 SMP Sat May 25 15:26:57 CEST 2019 armv7l
Previous: DD-WRT v3.0-r39715M kongac (05/09/19)
Mode/Status: Gateway : Up and running
Reset: yes, "nvram erase" before and after update
Issues/Errors: None so far

Upgrade method: Putty into router and perform "nvram erase", then used web GUI to web flash/upgrade. Then "nvram erase" again after upgrade. Then re-setup manually. So far so good!

Thank you Kong and BS for all the hard work you do.

_________________
WRT54GL v1.1 - Flashed
Linksys WRT54G2 v1 - Flashed
EA6350 v2 - Flashed
novaspin
DD-WRT Novice


Joined: 23 May 2019
Posts: 5

Posted: Thu May 30, 2019 23:28
dun4cheap wrote:
novaspin wrote:
Router: Asus RT-AC5300
Firmware: DD-WRT v3.0-r39855M kongac (05/25/19)
Kernel: Linux 4.4.180 #662 SMP Sat May 25 15:26:57 CEST 2019 armv7l
Previous: stock
Status: Working
Reset: Yes
Errors: All SSIDs set to Security Mode WPA2-PSK but one of the 5 GHZ is broadcasting as WEP

I saw this same issue reported in the new build thread for build 33657M, and it was noted that other builds had it as well.

Is there a solution or a build appropriate for the AC5300 that doesn't have this?

Really appreciate the work of the builders.


I am not seeing this on any of my AC5300's. Maybe do an erase nvram or nvram erase



I did another reset and nvram erase, and it didn't resolve anything. I had to shut off the second 5 GHz radio. If I use all three, one of them always shows as WEP.

Looking for an earlier build that hopefully won't have this issue.