Posted: Fri Apr 03, 2020 21:38 Post subject: RESOLV.CONF has Router/Gateway Adrs, Not DNS ! in CB/RB
In CB/RB mode the /tmp/resolv.conf contains the secondary router/gateway address
as the DNS ("nameserver 192.168.1.251") address!
It is not what I have specified in the Local DNS box under SETUP > BASIC SETUP
in the router's IP-address config GUI/web interface/webpage.
DDWRT > SETUP > BASIC SETUP:
Local IP Address: 192.168.1.251<-- my DDWRT "Router" (RTR-2)
Subnet mask: 255.255.255.0
Gateway: 192.168.1.1<-- ip-adrs of WiFi "Gateway" router (RTR-1) DNS: 192.168.1.253
and DDWRT RTR-2 /tmp/resolv.conf now has:
nameserver 192.168.1.251 <-- error/bug
It is supposed to be the DNS IP address below:
nameserver 192.168.1.253
Even if I overwrite /tmp/resolv.conf with 192.168.1.253 (manually
or by using a script), it automatically REVERTS back to 192.168.1.251
after a few seconds or a few minutes!!
How do I keep /etc/resolv.conf set to my DNS 192.168.1.253 & 192.168.1.252?
Is there a file which I can overwrite/change during startup by using the STARTUP-SCRIPT
to MANUALLY specify DNS/NAMESERVERs for br0 or the LAN network interface?
How can I specify/configure network interfaces with the info shown here in /etc/config/network?
Currently DHCP is working for WL1.2 WiFi users/clients; they can get DHCP
allotments from the RTR-2 bridge br1 (provided by the DNSMASQ app).
DNS resolving is NOT WORKING inside the ddwrt RTR-2 or for any WiFi (WL1.2) or wired (vlan12) client devices.
DHCP is not working for RTR-2 vlan12 clients
(only "vlan1" (wired, "LAN-4"-connected) client devices in RTR-2
can (wirelessly) get DHCP+DNS from RTR-1).
EXTRA-INFO:
Before I switched the DDWRT router RTR-2 into CB (Client-Bridge)/RB (Repeater-Bridge) mode,
I had configured DDWRT to use the two DNS servers below,
under the DHCP config in the SETUP > BASIC-SETUP webpage:
DHCP/LAN IP ... 192.168.1.251
Subnet-mask(SM): 255.255.255.0 (aka, CIDR /24)
DNS1: 192.168.1.253
DNS2: 192.168.1.252
DNS3: 0.0.0.0
After the above settings were done, saved, applied and rebooted,
I switched RTR-2 into CB/RB mode,
and then the above DHCP section disappeared from the BASIC-SETUP page.
But those DNS settings still remained in the DNSMASQ resolv config file,
/tmp/resolv.dnsmasq:
nameserver 192.168.1.253
nameserver 192.168.1.252
Even earlier (before I switched into CB/RB mode),
I had created a BRIDGE br4; its address is set to 192.168.1.253
and it is functioning as one of the DNS servers.
( i have also created a bridge br1, and joined WiFI VAP WL1.2 under br1,
br1 has different subnet 192.168.20.x/24, and DHCP-Service is enabled,
VAP wifi users can get DHCP allotments from bridge br1 via WL1.2,
dhcp/gw ip is 192.168.20.1 )
i have also changed one of the physical network-switch/port
(externally marked-as "LAN-3", and internally shown-as "Port-2")
from default-"vlan1"-group into "vlan12",
by using the DDWRT gui/web > SETUP > SWITCH-CONFIG(vlan.asp)
then selected "Unbridged" (in "Networking" config webpage),
and specified 192.168.1.252 as its ip-address, & 255.255.255.0 is SM.
this is functioning as 2nd DNS server.
to configure DDWRT, i connect ( into LAN-3 port = vlan12 of DDWRT router ) with my laptop.
my laptop has multiple network adapters.
in laptop i use static/fix ip-adrs 192.168.1.201, gw 192.168.1.1 with 1 nic.
i can access ddwrt RTR-2 web config via https://192.168.1.251/
i want wifi vap WL1.2 users & direct computers connected with vlan12,
to use those two DNS-Servers running in RTR-2:
192.168.1.253 (br4) & 192.168.1.252 (vlan12)
i have created DHCP-SERVICEs (in "Networking" config webpage) for br4 & vlan12:
br4 ip-adrs 192.168.1.253 , dhcp-range 192.168.1.240-to-249
vlan12 ip-adrs 192.168.1.252 , dhcp-range 192.168.1.230-to-239
When computers connect with vlan1 (physical network switch port "LAN-4"),
they get DHCP-allotted IP addresses from RTR-1 because of CB/RB mode.
But when computers connect with vlan12 ("LAN-3") they are supposed to get DHCP-allotted
IP addresses/etc. from RTR-2, but now they do not
(I have to find out why; I guess a different SM/CIDR needs to be used on the RTR-2 side, ...).
CB/RB mode creates the br0, and joins eth1,eth2,vlan1,etc under br0,
and CB/RB mode also links vlan1-group under WL0.
in my-side i have configured RTR-2 to perform/function in CB/RB mode,
in any of the CB or RB mode, the WL0 wifi (internal)-device inside RTR-2
can be configured to wirelessly connect (via WiFi) with a remote WiFI AP,
i connected with my WiFi router RTR-1,
and the 2nd WiFi (internal)-device WL1 inside RTR-2 is configured to
create WiFi (virtual)-AP WL1.2, WL1.1 for my-side client-devices, near the RTR-2.
in my side/case in RTR-2, br3 is a bridge which does not need any DHCP or DNS services from DNSMASQ.
tun1 is used when OpenVPN-client app connects with remote VPN server,
DNSMASQ also does-not need to listen for DHCP/DNS service request from tun1 interface ip-adrs.
in my case, br2 is a bridge which is used by WL1.1 users to get DHCP ip/etc (not DNS),
WL1.1 users reach internet via VPN-tunnel by using "Policy-Based-Routing" in OpenVPN-Client,
so it uses a remote DNS-Server 10.10.53.1 which is inside the VPN-tunnel.
To use my those two DNS-SERVERS, this is what i've specified
(via "Services" config webpage) for Additional-DNSMASQ settings:
Quote:
# ---- Below Options Added By DDWRT-USER
# Lines that begins with # symbol, are disabled lines, aka "comment line",
# such lines are not-needed, remove them before saving into your router.
#
# Allow DNSMASQ to Listen both DHCP & DNS:
#interface=br0,br1,br2
#interface=br0,br1,br2,br4,vlan12
# Do Not Allow DNSMASQ to Listen for DHCP or DNS:
except-interface=br3,tun1
# Allow DNSMASQ to Listen only DNS, no DHCP:
#no-dhcp-interface=br4,vlan12
#
log-dhcp
#
# Listen-addresses:
listen-address=192.168.1.253,192.168.1.252,192.168.1.251,192.168.20.1,127.0.0.1
#
# Allow other NameServer on same machine, (other than ip-adrs of DNSMASQ running machine)
bind-interfaces
#bind-dynamic
#
#dns-loop-detect
#
# Enable DNSSEC based DNS-Record Validating DNS-resolver:
dnssec
#trust-anchor=[<class>],<domain>,<key-tag>,<algorithm>,<digest-type>,<digest>
trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
# Allow DNS replies which are not DNSSEC signed but may still be legitimate (because the domain is unsigned), or may be forgeries.
dnssec-check-unsigned
#
dhcp-option=option:ntp-server,USE.IP.NEAR.UR.ROUTER
#
# Override default route to below (with option3), instead of ip-adrs of machine running dnsmasq
dhcp-option=3,192.168.1.1
# Override default DNS to below (with option6), instead of ip-adrs of machine running dnsmasq
dhcp-option=6,192.168.1.253,192.168.1.252
#
dhcp-option=br1,3,192.168.20.1
dhcp-option=br1,6,192.168.1.253,192.168.1.252,192.168.20.1
#
dhcp-option=br2,3,192.168.30.1
dhcp-option=br2,6,10.10.53.1
#
dhcp-option=br4,6,192.168.1.253,192.168.1.252
#
dhcp-option=vlan12,6,192.168.1.253,192.168.1.252
my-side DNSMASQ settings:
Quote:
Dnsmasq: ◉ Enable ◎ Disable.
Cache DNSSEC data: ◎ Enable ◉ Disable.
Local DNS: ◉ Enable ◎ Disable.
No DNS Rebind: ◎ Enable ◉ Disable.
Query DNS in Strict Order: ◉ Enable ◎ Disable.
Add Requestor MAC to DNS Query: ◎ Enable ◉ Disable.
RFC4039 Rapid Commit support: ◎ Enable ◉ Disable.
Maximum Cached Entries: 1500.
For testing purposes I have kept DNSSEC caching disabled,
so that it pulls records directly each time;
once DNS resolving is working again, I will enable it.
I have noticed that after I enabled "vlan12" on my side,
the "default" route changes to the vlan12 interface!
So I have specified these (via the Startup script) to override/fix it:
Quote:
...
ifconfig br4 192.168.1.253 netmask 255.255.255.0 broadcast 192.168.1.255
ifconfig vlan12 192.168.1.252 netmask 255.255.255.0 broadcast 192.168.1.255
ip route delete default via 192.168.1.1 dev vlan12
ip route add default via 192.168.1.1 dev br0
route add -net 192.168.20.1 netmask 255.255.255.0 gw 192.168.1.1
...
(BTW, my actual gateway/router/DNS addresses in RTR-2 are different;
I'm using the addresses shown above as an example.)
vlan12 is unbridged ( i've specified it in extra-info)
cc = 192.168
cc.1.1 = 192.168.1.1
Does "vlan12" being "unbridged" or being "bridged/default" affect the DDWRT firmware
using the RTR IP address (cc.1.251) as the DNS address in resolv.conf?
I think that because "vlan12" is unbridged and is assigned an
IP address from the same subnet as br0,
it is causing the router/LAN side's default route to switch from br0 to the vlan12 device,
so I have applied routing commands to fix that,
shown in the previous EXTRA-INFO.
Should I specify another private (class-B) IP address (e.g.) 172.16.1.252
for "vlan12" (or br4)?
EXTRA-INFO-2:
( sorry, some are repeat info )
vlan12 ip-adrs: cc.1.252, it is used as 2nd DNS-server in RTR-2.
br4 ip-adrs: cc.1.253, this is used as 1st DNS-server inside RTR-2.
br4 has no device/interface attached under it.
Some changes i have done now:
* removed DHCP service/ranges from both br4 & vlan12.
* added the line "no-dhcp-interface=br4,vlan12" in additional-dnsmasq settings,
so DHCP-service from DNSMASQ is disabled
& DNS-service from DNSMASQ is kept enabled,
for br4 & vlan12 net-interface.
Some changes i have done earlier, even before switching into CB/RB wireless-mode :
* changed/assigned LAN-1 physical switch-port to vlan4,
* changed/assigned LAN-2 physical switch-port to vlan3.
* changed/assigned LAN-3 physical switch-port to vlan12.
( by default all LAN switch-ports are pre-assigned to "vlan1"-group initially )
( so only LAN-4 physical-switch-port remained pre-assigned to "vlan1" )
now, inside the RTR-2:
ping to (e.g.) 9.9.9.9 (an IP address on the internet) still works (like earlier).
ping to (e.g.) dns9.quad9.net still does not work (like earlier).
nslookup cannot resolve dns9.quad9.net (also like earlier).
resolv.conf is still auto-reverting back to the RTR-2 IP address,
instead of the Local DNS specified in the GUI!
SSH/telnet/GUI connection from my Laptop to Router:
* sometime (externally-marked) LAN-1 ethernet switch/port (vlan4<->br1<->br0) works,
& sometime does-not.
* sometime (externally-marked) LAN-3 ethernet switch/port (vlan12) works,
& sometime does-not.
Now, the DHCP service from DNSMASQ is not working,
so DHCP allotment via vlan4/WL1.2 <-> from br1 is not working,
but with a manual static IP for the laptop, in the br1 subnet,
the laptop can connect/ssh to RTR-2 & GUI access also works.
But ping to a domain name, nslookup of a domain name, etc.
on the internet does not work from the laptop.
Posted: Sat Apr 04, 2020 3:06 Post subject:
I don't think dnsmasq even functions in bridged modes? I am testing CB on my E4200 and it is using the DNS servers from the upstream router, which is ISP provided.
RESOLV.CONF is still reverting/changing back to the Router/Gateway IP address automatically,
instead of remaining on the specified local DNS.
I found out that when CB/RB mode is enabled, br0/vlan1/wl0 changes/reverts "resolv.conf"
automatically to the Router/Gateway IP address, instead of using the
user-specified LOCAL-DNS address.
When CB/RB mode is off/disabled/not selected,
changes made by the user/script to "resolv.conf" remain intact.
Per Yngve Berg, thanks, I've used smaller subnets; this helped.
I needed (for more testing) to connect with the br0 IP address via
entering the LAN-3 port (vlan12/br4), while still in a sub-subnet
of the RTR-1 or RTR-2-br0 subnet.
kernel-panic69, sorry, I could not understand what you meant.
I was able to use DNS+DHCP for/from a bridge provided by DNSMASQ.
EXTRA-INFO:
My problem is now partially solved by using ANOTHER way/solution,
where RESOLV.CONF will remain with the (mentioned-above) wrong settings:
* i have reset the DDWRT router RTR-2 again.
* connected RTR-2-WAN nif with wire with another Secondary-wifi-router
(which is also in Client-Bridge/Repeater-Bridge wireless-mode,
under my primary router RTR-1).
* i have done DDWRT BASIC-SETUP of RTR-2 with a smaller subnet in same net :
as RTR-1 is using 192.168.1.0/24 subnet,
& RTR-1 allots fixed/static-ip-adrs 192.168.1.250 to RTR-2-WAN net-interface,
& allots fixed/static-ip-adrs 192.168.1.251 to RTR-2-WLAN-5GHz-WL0 net-interface,
so i have chosen a /28 smaller subnet ID,
FOR-EXAMPLE: Subnet-ID: 192.168.1.240, host range: 192.168.1.241 - 192.168.1.254,
broadcast: 192.168.1.255, subnet-mask: 255.255.255.240 ( /28 )
(So i had to re-adjust/assign IP-Adrs from RTR-1 accordingly).
* "Gateway" in RTR-2 is set with 192.168.1.1 (it is RTR-1 LAN side gateway ip-adrs),
Local-DNS in RTR-2 is same, 192.168.1.1
* Under DHCP, the DNS1 DNS2 DNS3 remained as 0.0.0.0, changed dhcp begin-ip-adrs
as (192.168.1.)240 , max host: 12
* created 4 bridges: br0 (specified it's ip-adrs 192.168.1.251 / 24 in BASIC-SETUP),
in NETWORKING page: br1 (192.168.20.1 /24), br2 (192.168.30.1 /24), br3(192.168.31.1 /24),
br4 has different smaller subnet (192.168.1.17 /29)
subnet-ID: 192.168.1.16 /29 , usable IP begins with cc.1.17 & ends with cc.1.22 (total usable IP: 6,
total IP: 8 , broadcast 192.168.1.23 )
* re-assigned physical-ethernet-LAN-port-1 to "vlan4", LAN-2 to "vlan3", LAN-3 to "vlan12",
& LAN-4 remained with "vlan1" (default-group).
* "unbridged" the "vlan12" & assigned ip-adrs 192.168.1.18 /29 in NETWORKING page,
* created 3 DHCP-services: br1 , br2 , br4
* created 2 VAP "WL1.1" , "WL1.2" under WL1 WiFi radio.
* assigned "vlan4" & vap "WL1.2" to "br4" , assigned "vlan3" & vap "WL1.1" to "br3",
assigned "vlan12" to "br4" bridge.
* below dnsmasq additional-settings were added:
Quote:
# ---- Below Options Added By DDWRT-USER ----
# Remove Comment-Lines Which Starts With # symbol, Before SAVING into Router
#
# Allow DNSMASQ to Listen both DHCP & DNS:
#interface=br0,br1,br2,br4
# Do Not Allow DNSMASQ to Listen for DHCP or DNS:
except-interface=br3,tun1,teql0
# Allow DNSMASQ to Listen only DNS, no DHCP:
#no-dhcp-interface=br5
#
log-dhcp
#
listen-address=192.168.1.17,192.168.1.18,192.168.1.251,192.168.20.1,127.0.0.1
#
# Allow other NameServer on same machine, (other than ip-adrs of DNSMASQ running machine)
#bind-interfaces
#bind-dynamic
#
#dns-loop-detect
#
#dnssec
# trust-anchor=[<class>],<domain>,<key-tag>,<algorithm>,<digest-type>,<digest>
#trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
#trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
# Allow DNS replies which are not DNSSEC signed but may still be legitimate (because the domain is unsigned), or may be forgeries.
#dnssec-check-unsigned
#
dhcp-option=option:ntp-server,USE.IP.NEAR.UR.RTR
#
# Override default route to below (with option3), instead of ip-adrs of machine running dnsmasq
#dhcp-option=3,192.168.1.1
#dhcp-option=br0,3,192.168.1.1
dhcp-option=6,192.168.1.17,192.168.1.18
#dhcp-option=br0,6,192.168.1.17,192.168.1.18
#
# Below 2-lines are default, so no need to enable them:
#dhcp-option=br1,3,192.168.20.1
#dhcp-option=br1,6,192.168.20.1
# I will use above default values, so not enabling below line:
#dhcp-option=br1,6,192.168.1.17,192.168.1.18
#
# Overriding DNS with option-6, sending into DNS inside VPN-Tunnel
dhcp-option=br2,3,192.168.30.1
dhcp-option=br2,6,10.10.5.1
#
# Below 2-Lines are default, so no need to enable them:
#dhcp-option=br4,3,192.168.1.17
#dhcp-option=br4,6,192.168.1.17
# I will use above default values, so not enabling below line:
#dhcp-option=br4,6,192.168.1.17,192.168.1.18
#
* Disabled DNSSEC in dnsmasq additional settings
(when it was enabled/specified, DNSMASQ stopped working,
so DNS & DHCP services turned off).
* set RTR-2 into "Router" operating-mode from "Advanced-Routing" page
etc
DNS resolving functionality (from DNSMASQ), internet-access/ping, etc etc
works inside the DDWRT router RTR-2,
and also worked from computers/client-devices under DDWRT router RTR-2.
The WAN appears as "vlan2" in "ip route show" command,
& shows "default via 192.168.1.1 dev vlan2"
Client-devices can get DHCP allotments from RTR-2,
SSH/Telnet into DDWRT works, DDWRT config GUI works, etc.
* Setup the WL0 WiFi-radio in DDWRT router RTR-2 to connect with RTR-1 WAP 5GHz,
in Repeater-Bridge or in Client-Bridge wireless-mode.
* rebooted RTR-2
inside the DDWRT router RTR-2:
no default route is shown in "ip route show" command !
"ping dns9.quad9.net -c 2" <-- does not work !
* Changed the subnet mask from /28 into /24 in BASIC-SETUP.
* reboot.
After that, the default route is now shown in the "ip route show" command:
default via 192.168.1.1 dev br0
and the default route did not change to or attach to vlan12, like before.
But even after the above,
initially "ping dns9.quad9.net -c 2" <-- does not work!
But after waiting a while, while trying ping/etc/etc , again:
the "ping 192.168.1.1 -c 2" <-- works !
the "ping 1.1.1.1 -c 2" <-- works !
the "ping one.one.one.one -c 2" <-- also works
nslookup one.one.one.one 192.168.1.17 (br4) works
nslookup dns9.quad9.net 192.168.1.18 (vlan12) works
Reboot . test again.
main functions work inside ddwrt RTR-2.
On computers/client devices (which are connected with RTR-2 vlan12 (LAN-3 ethernet port)),
ping/nslookup do not work; no internet access.
But ping can show the resolved IP on its 1st line when a domain name is given,
yet the ping/ICMP packet itself does not succeed!
Client devices can obtain DHCP settings/allotments correctly,
so DNSMASQ is working in RTR-2.
So some portions (functionalities) inside the DDWRT are working
& some portions are not.
At this point, to test DNSSEC, when I enabled the 4 DNSSEC-related lines
in DNSMASQ, DNS functionality stopped working,
so for now DNSSEC is still kept disabled.
Dnsmasq is using the RTR-1 DNS 192.168.1.1 as primary DNS in RTR-2,
and 192.168.1.1 is not DNSSEC enabled.
At some point, I was able to keep DNS working in RTR-2 while the DNSSEC options were also still enabled;
then I noticed the ISC/BIND dig command can show signed resource records,
but they are not validated/authenticated (the "AD" bit is not present/shown).
Another problem is that the DDWRT firmware's DNSMASQ keeps adding back the 192.168.1.1 DNS
as a 3rd DNS server even when I specify two public DNSSEC-enabled DNS servers!
So the DNSSEC-disabled 192.168.1.1 will/can create problems... the DNSSEC-related AD/etc. bit
will be missing incorrectly, etc.
So we/USERS need to be able to specify and use their CHOICE of DNS SERVER(s)
in "resolv.conf" & "resolv.dnsmasq" without them being overwritten/changed by the DDWRT firmware+apps.
To enable internet-access for external client-devices...
Specified below firewall/iptables rules in ddwrt:
(I want to access the DDWRT router RTR-2 through SSH and web browser (HTTPS/443) easily and directly
via LAN-3 (vlan12<->br4), so the above firewall reflects those expectations/needs;
br2 & the NIFs under it are for VPN usage,
br4+vlan12 is for direct access & local DNS/nameserver,
br1 is for my WiFi+wired devices,
vlan1/br0 is used by my wired computer (to connect to RTR-1 directly),
br3 is in the middle of br2 & br0, the VPN's tun1 uses Policy-based Routing to intercept from br2,
etc.)
Now internet access, DNS, ping, nslookup, etc. work inside the DDWRT router RTR-2,
and those also work from computers/client devices which are connected to RTR-2.
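The /28 and /29 subnet planning in the post above (192.168.1.240/28 for br0's DHCP range, 192.168.1.16/29 for br4 and vlan12) can be checked mechanically, and the overlap that earlier pushed the default route onto vlan12 (an unbridged interface given an address from the same /24 as br0) can be caught before the config is applied. The POSIX sh helpers below are an added example, not code from this thread or from DD-WRT; the function names are assumptions, and the addresses used are the ones quoted in the post. They use only shell arithmetic, so they run under bash or the busybox ash found on the router.

```shell
#!/bin/sh
# Added example (not from the thread or DD-WRT): subnet arithmetic for checking
# a bridge/VLAN address plan before applying it on the router.

# ip_to_int 192.168.1.17 -> 3232235793 (dotted quad to 32-bit integer)
ip_to_int() {
    echo "$1" | {
        IFS=. read -r a b c d
        echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
    }
}

# int_to_ip 3232235793 -> 192.168.1.17
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# prefix_mask 28 -> 4294967280 (0xFFFFFFF0)
prefix_mask() {
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# subnet_info <address> <prefix>
# Prints: "<network> <first-usable> <last-usable> <broadcast>"
# (assumes prefix <= 30, i.e. a subnet with at least two usable hosts)
subnet_info() {
    ip=$(ip_to_int "$1")
    mask=$(prefix_mask "$2")
    net=$(( ip & mask ))
    bcast=$(( net | (~mask & 0xFFFFFFFF) ))
    echo "$(int_to_ip "$net") $(int_to_ip $((net + 1))) $(int_to_ip $((bcast - 1))) $(int_to_ip "$bcast")"
}

# subnets_overlap <addr1> <prefix1> <addr2> <prefix2>
# Returns 0 (true) when the two subnets share any address: two interfaces
# with overlapping subnets compete for the same kernel routes, which is the
# situation the post describes with vlan12 and br0 both inside 192.168.1.0/24.
subnets_overlap() {
    p=$2
    if [ "$4" -lt "$p" ]; then p=$4; fi
    mask=$(prefix_mask "$p")
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$3") & mask )) ]
}

# Usage (addresses from the post):
#   subnet_info 192.168.1.240 28   -> 192.168.1.240 192.168.1.241 192.168.1.254 192.168.1.255
#   subnet_info 192.168.1.17 29    -> 192.168.1.16 192.168.1.17 192.168.1.22 192.168.1.23
#   subnets_overlap 192.168.1.251 24 192.168.1.18 29 && echo "br0 and vlan12 overlap"
```

Note that a /29 carved out of the same /24 still overlaps it (the last usage line above prints the warning): the two ranges are distinct for address assignment, but the kernel sees both interfaces as routes into 192.168.1.0/24, so a separate private range such as the 172.16.x.x idea raised earlier is what actually removes the ambiguity.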
Attempting to use Local DNS in the network, and dnsmasq continues to revert /tmp/resolv.conf to the router's IP. I have the new "Ignore WAN DNS" checked, the Local DNS field populated, and "Use DNSMasq for DNS" unchecked.
The router is serving the correct DNS address via DHCP to clients; I am attempting to resolve names on the router itself via the specified local DNS address. When I update /tmp/resolv.conf manually it works fine; when dnsmasq is restarted, /tmp/resolv.conf reverts back to the router's IP, which doesn't have a DNS service running.
Do you have anything besides quad zeros in the static DNS server entries on the Setup->Basic Setup page?
I don't; static DNS is all zeros. Fixing resolv.conf in the startup command section corrects the issue temporarily, but dnsmasq and a few other services restart themselves once an hour for some reason. Is that normal?
Side note, I reverted back to 41874 and this issue does not occur.
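Both the opening post and the last exchange describe the same symptom: /tmp/resolv.conf gets rewritten to the router's own address (which runs no resolver) whenever dnsmasq restarts, and the hourly service restarts mentioned above make a one-shot fix in the startup script insufficient. The POSIX sh functions below are an added example, not code from this thread or from DD-WRT; they make the drift visible (which nameservers the file lists, whether it points at the router itself) and rewrite the file only when it no longer matches the wanted list. File path, nameserver list and the function names are all parameters or assumptions, so the functions can be exercised on a scratch file before being pointed at /tmp/resolv.conf on a router.

```shell
#!/bin/sh
# Added example (not from the thread or DD-WRT): detect and correct drift in a
# resolv.conf-style file. Runs under bash or busybox ash.

# resolv_nameservers <file>
# Prints the nameserver addresses currently listed in the file, one per line, in order.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# resolv_body "<addr> <addr> ..."
# Prints the file body we want: one "nameserver" line per address, in the given order.
resolv_body() {
    for ns in $1; do
        echo "nameserver $ns"
    done
}

# resolv_matches <file> "<addr> <addr> ..."
# Returns 0 when the file lists exactly the wanted servers in the wanted order.
resolv_matches() {
    [ "$(resolv_nameservers "$1")" = "$(printf '%s\n' $2)" ]
}

# resolv_points_at_self <file> <router-ip>
# Returns 0 when the file names the router's own address: the failure mode in the
# thread, where that address runs no DNS service and every lookup fails.
resolv_points_at_self() {
    resolv_nameservers "$1" | grep -qxF "$2"
}

# enforce_resolv <file> "<addr> <addr> ..."
# Rewrites the file when it has drifted; prints "unchanged" or "rewritten" so a
# cron job's output (or syslog, via logger where available) records each revert.
enforce_resolv() {
    if resolv_matches "$1" "$2"; then
        echo unchanged
    else
        resolv_body "$2" > "$1"
        echo rewritten
        logger -t resolv-guard "rewrote $1 to: $2" 2>/dev/null || true
    fi
}

# Usage on the router (hypothetical values; pick your own resolvers):
#   enforce_resolv /tmp/resolv.conf "192.168.1.253 192.168.1.252"
#   resolv_points_at_self /tmp/resolv.conf 192.168.1.251 && echo "resolv.conf points at the router itself"
```

Scheduling `enforce_resolv` from the router's cron at a short interval bounds how long the reverted file stays in place after each dnsmasq restart, and the "rewritten" lines in syslog show how often the firmware is overwriting it, which is the evidence to attach when reporting the behaviour against a specific build. This only papers over the revert; it does not change what the firmware writes.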