I didn't include the Additional DNSMASQ Options in the screenshot, but they may shed some light. I'm using 192.168.6.0/24 rather than the default 192.168.1.0/24 on my home network.
Joined: 08 May 2018 Posts: 14126 Location: Texas, USA
Posted: Mon Oct 18, 2021 20:47 Post subject:
This thread is strictly about dnsmasq. Adding stubby into the mix changes the scope of the thread. And again, one server= line is bound to fail; a minimum of two lines is paramount. I use anywhere from six to a dozen resolver addresses. _________________ "Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT Pogo - A minimal level of ability is expected and needed... DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)
----------------------
Linux User #377467 counter.li.org / linuxcounter.net
Joined: 08 May 2018 Posts: 14126 Location: Texas, USA
Posted: Thu Oct 21, 2021 1:55 Post subject:
Are you using static DNS servers on the main setup page, is that what you mean? Because all I see is Google quad 8 and Stubby localhost. We could go 'round and 'round about singular proxies failing and a myriad of variables. But the OP is using a single DNS server to resolve addresses which is bound to fail.
Joined: 04 Jan 2007 Posts: 11563 Location: Wherever the wind blows- North America
Posted: Wed Oct 27, 2021 14:57 Post subject:
I'm seeing the same issue with newer builds where I can enter a url and it won't find it the first time. Subsequent times it works fine. This is on my main router (R7000) running both bands as APs. I have multiple tabs setup in my browsers (FF and Chrome) and many times the majority of the tabs won't load. I have to go to each one and reload to get the page.
I fall back to 47090 and all is well again. I sometimes get my Firestick to not find links the first try either. Then a second scan and all is well. I've tried changing all the DNS settings, SFE and FA settings, Turned on/off the Ignore ISP DNS setting, I've tried various settings for DNSmasq as well. Nothing seems to help until I go back to 47090.
Not really looking for advice at this point...just making it known that there is an issue with DNS/DNSmasq that seems to be present after the 4709X builds.
redhawk
[Attachments: dnsmasq.jpg, Setup-Setup.jpg]
_________________ The only stupid question....is the unasked one.
Joined: 08 May 2018 Posts: 14126 Location: Texas, USA
Posted: Wed Oct 27, 2021 15:06 Post subject:
@redhawk0: You should probably be using no-resolv and server= lines in your additional dnsmasq config instead of the static DNS server entries. I've *always* had issues using those, whether or not I use encrypt dns/dnssec options. Just my thoughts. I am not experiencing these issues.
Joined: 08 May 2018 Posts: 14126 Location: Texas, USA
Posted: Wed Oct 27, 2021 15:25 Post subject:
Dnsmasq was updated in September. I've noticed some commits since 2.86 that fix issues, but not knowing specifics of failures, I won't speculate that what is broken that required those commits for 2.87test* versions is the problem. BrainSlayer will not commit another dnsmasq update until it reaches 2.87rc* status. AFAIK, dnsmasq automatically updates trust anchors(?). Unbound, however, doesn't seem to, perhaps.
Joined: 29 Sep 2020 Posts: 260 Location: United States
Posted: Wed Oct 27, 2021 16:08 Post subject:
apologies kp. i was just trying to throw something out there because i noticed most had dnssec enabled. after i hit send it dawned on me that it working after reverting would rule out expired trust anchors
Joined: 04 Jan 2007 Posts: 11563 Location: Wherever the wind blows- North America
Posted: Wed Oct 27, 2021 18:02 Post subject:
kernel-panic69 wrote:
@redhawk0: You should probably be using no-resolv and server= lines in your additional dnsmasq config instead of the static DNS server entries. I've *always* had issues using those, whether or not I use encrypt dns/dnssec options. Just my thoughts. I am not experiencing these issues.
I just noticed that you are *also* using Unbound. Collision, perhaps? I didn't know you could have both dns resolvers in use at the same time.
Well now...I learned something new. (I've never claimed to be an internet configuration guru...haha)
I made some changes to my main router. I removed all the static DNS entries then updated my DNSMasq as seen below. All appeared to be working fine with 47090 so I upgraded back to 47596 again. It seems to have resolved my "reload" issues that I was seeing.
So...Thank you for prompting me to do a little more reading on the configuration settings for DNSMasq. If you see anything amiss...please inform.
much appreciative of the advice.
redhawk
[Attachment: dnsmasq-set.jpg]
Joined: 08 May 2018 Posts: 14126 Location: Texas, USA
Posted: Wed Oct 27, 2021 19:47 Post subject:
You're welcome. Proof no matter how long we've been here on the forum or have been doing anything related to technology, networking, DD-WRT, or Linux, we can always learn something new. I appreciate your thanks. I don't know everything, I am always learning new things... usually in the process of helping others fix their issues, even. Most of what I've learned about dnsmasq implementation in DD-WRT and configuration has been through my own trial and error and other discussions on the forum that I have directly participated in. The wiki needs some updating / edits, still since some screenshots are outdated at some point. One of those things on the "to-do" list. Again, many thanks for the kind words.
@redhawk0 1.1.1.2 resolves and blocks known malware, along with 1.0.0.2.
1.1.1.1/1.0.0.1 just resolves. So for best results choose one and stick with it. Don't mix and match.
The proper config should be:
server=1.1.1.2
server=1.0.0.2
P.S. Also bogus-priv is already included automatically in the dnsmasq's own config so can be removed as well. _________________ Router: ASUS AC1900(RT-AC68U)
Last edited by dTX on Wed Oct 27, 2021 21:07; edited 1 time in total
Joined: 08 May 2018 Posts: 14126 Location: Texas, USA
Posted: Wed Oct 27, 2021 20:40 Post subject:
Someone removed (or it was removed for them) their post regarding bogus-priv in newer builds being default. I must've missed that. So, that is the only other thing that is "amiss", that should be removed. Wiki definitely needs updating if that is still in it. Thanks for the additional input, @dTX. I wasn't looking too deep into the screenshot, etc. before I replied.
I see a typo where "no resolv" should be "no-resolv". Hopefully it's just in your post, but I think it could be an issue if also in your config.
GENERAL QUESTION: When using DNSmasq, how can I list the current DNS server IPs? That is, not just the one currently in use but any that could be used (such as if my provider managed to reinsert theirs)? Online checks (e.g., ipleak.net) only seem to catch those recently used. The hypothetical scenario would be if ALL of those momentarily failed (and not even all of my server= are shown), what are the other possibilities potentially available to the router for fallback? Is there any single file or buffer that lists them all, or perhaps a small collection of files and buffers that could be dumped? _________________ My DD-WRT Routers:
Linksys WRT3200ACM - Marvell
Linksys WRT1900ACS - Marvell
Netgear R9000 - Atheros
Netgear R7000 - Broadcom
PC x86-64 VM - Atheros
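[Added example, not part of any post in this thread.] One way to enumerate every upstream resolver a dnsmasq configuration permits, as asked in the question above: the sketch below reads `server=` lines and, unless `no-resolv` is set, the nameservers in each `resolv-file=` or the default resolv.conf. The function name, file names and sample addresses are constructed for illustration; pass the paths your own build uses.

```sh
#!/bin/sh
# list_upstreams CONF [DEFAULT_RESOLV]
# Print "origin<TAB>address" for every upstream resolver CONF lets dnsmasq use.
list_upstreams() {
    conf=$1
    default_resolv=${2:-/etc/resolv.conf}

    # server= lines always apply. Forms: server=ADDR, server=ADDR#PORT,
    # server=ADDR@IFACE, server=/domain/ADDR (domain-specific upstream).
    sed -n 's/^[[:space:]]*server=//p' "$conf" | while IFS= read -r spec; do
        addr=${spec##*/}          # drop any /domain/ prefix
        addr=${addr%%[#@]*}       # drop #port and @interface suffixes
        if [ -n "$addr" ]; then printf 'server=\t%s\n' "$addr"; fi
    done

    # With no-resolv, dnsmasq reads no resolv file, so the list ends here.
    if grep -Eq '^[[:space:]]*no-resolv[[:space:]]*$' "$conf"; then
        return 0
    fi

    # Otherwise nameserver lines from each resolv-file= (or the default
    # resolv.conf) are also candidates; this is where ISP resolvers reappear.
    files=$(sed -n 's/^[[:space:]]*resolv-file=//p' "$conf")
    for f in ${files:-$default_resolv}; do
        if [ -r "$f" ]; then
            awk -v src="$f" '$1 == "nameserver" { print src "\t" $2 }' "$f"
        fi
    done
    return 0
}

# Constructed sample input: 192.0.2.53 stands in for an ISP-supplied resolver.
demo() {
    d=$(mktemp -d)
    printf 'nameserver 192.0.2.53\n' > "$d/resolv.isp"
    printf 'no-resolv\nserver=1.1.1.2\nserver=1.0.0.2\n' > "$d/pinned.conf"
    printf 'server=1.1.1.2\nresolv-file=%s\n' "$d/resolv.isp" > "$d/leaky.conf"
    echo "pinned:"; list_upstreams "$d/pinned.conf"
    echo "leaky:";  list_upstreams "$d/leaky.conf"
    rm -rf "$d"
}
demo
```

The script reads a single config file and does not follow included files, so run it against the configuration the running dnsmasq actually loads. Sending dnsmasq SIGUSR1 makes it log query counts per upstream server, which cross-checks this list against the live process.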
Joined: 16 Nov 2015 Posts: 6411 Location: UK, London, just across the river..
Posted: Wed Nov 03, 2021 21:08 Post subject:
o2bad455 hypothetically if you use ignore WAN dns, no-resolv and have server= + forced DNS option from basic set up page you should be fine...your ISP can only intercept your DNS hits via the standard ports if they are not encrypted (as they tend to do)...but your router will not use your ISP DNS at all...
Then, your only option to stop ISP from sniffing your DNS hits is, to run encrypted DNS as DNScrypt or Stubby via TLS or Smart DNS via https or tls or Unbound and etc...bear in mind DNScrypt is the only option fully encrypting DNS option, where the others are hop to hop encryption mostly, but they will do as well...
Stubby works as a stub resolver via TLS port 853, it could do 443 as well, but very limited DNS servers to be used...and has few options only, where SmartDNS and Unbound have more options and more complex use...
Personally i use Stubby _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913