But although I can make it, the big Kahuna has to endorse it, so no guarantee (and as I am busy the upcoming week, it can take some time)
Well that was faster than I expected
@egc and @Alozaros: big security risk:
I have a question about your example here:
Code:
root@EA8500:/tmp# cat smartdns.conf
bind :6053
prefetch-domain yes
serve-expired yes
log-size 64K
log-num 1
log-level error
log-file /tmp/smartdns.log
server 1.0.0.1
server 9.9.9.9
server 192.168.0.1
#test smartdns
#options
You're appending the text on the textarea to the config file. Now what about lines like:
Code:
server 1.0.0.1
server 9.9.9.9
server 192.168.0.1
Appending the textarea config means SmartDNS would still be using those insecure servers that people might dislike. There would be no way to remove those from the config... Or am I missing something?
If there's text in the textarea we could replace the default config entirely instead of appending. With that said the translation would have to say something like "Custom SmartDNS Resolver Configuration".
In SmartDNS if you've multiple lines saying server x, server y it will use both servers. Appending the custom config will do that. So there's effectively no way to override settings. _________________ 1x Netgear R7800 (latest); 3x Netgear R7000 (latest); 2x Asus RT-N16 (v3.0-r47656); 2x Fonera 2100 (v3.0-r45454).
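Added example (my own code, not egc's DD-WRT change and nothing from the SmartDNS project): a small Python merge that shows the difference between appending the textarea to the generated smartdns.conf and letting it override it. The merge policy is a hypothetical one chosen to make the point: a custom single-valued directive replaces the generated one, and if the custom text lists any server/server-tcp/server-tls/server-https upstream, every generated upstream is dropped, so nothing the user did not list is queried. The two sample configs are constructed from the ones quoted above.

```python
"""Merge a generated smartdns.conf with a user's custom fragment.

Added example, not DD-WRT's or SmartDNS's own code.  Directive names are
SmartDNS's; the override policy is a hypothetical one used to show why plain
appending can never remove the default upstreams.
"""
from __future__ import annotations

# Constructed default, modelled on the generated config quoted in the thread.
GENERATED_CONF = """\
bind :6053
prefetch-domain yes
serve-expired yes
log-size 64K
log-num 1
log-level error
log-file /tmp/smartdns.log
server 1.0.0.1
server 9.9.9.9
server 192.168.0.1
"""

# Constructed textarea contents: the user wants a single DoT upstream only.
CUSTOM_CONF = """\
server-tls 9.9.9.9:853
log-level info
"""

# Each of these adds one more upstream every time it appears, and SmartDNS
# queries all of them; treating them as one group is what lets the custom
# list replace the generated list instead of being added to it.
UPSTREAM_KEYS = {"server", "server-tcp", "server-tls", "server-https"}


def parse(conf: str) -> list[tuple[str, str]]:
    """Return (directive, argument) pairs, skipping blank and # comment lines."""
    pairs = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, arg = line.partition(" ")
        pairs.append((key, arg.strip()))
    return pairs


def upstreams(conf: str) -> list[str]:
    """Every upstream SmartDNS would actually query with this config."""
    return [arg for key, arg in parse(conf) if key in UPSTREAM_KEYS]


def merge_append(generated: str, custom: str) -> str:
    """What 'append the textarea' does: both upstream sets stay active."""
    return generated + custom


def merge_override(generated: str, custom: str) -> str:
    """Custom wins: same-named single-valued directives are replaced, and if
    the custom text names any upstream, all generated upstreams are dropped."""
    custom_pairs = parse(custom)
    custom_keys = {key for key, _ in custom_pairs}
    custom_has_upstream = bool(custom_keys & UPSTREAM_KEYS)
    kept = []
    for key, arg in parse(generated):
        if key in UPSTREAM_KEYS and custom_has_upstream:
            continue                      # user supplied their own upstream list
        if key in custom_keys and key not in UPSTREAM_KEYS:
            continue                      # user overrides this directive
        kept.append((key, arg))
    lines = [f"{key} {arg}".rstrip() for key, arg in kept + custom_pairs]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("append  ->", upstreams(merge_append(GENERATED_CONF, CUSTOM_CONF)))
    print("override->", upstreams(merge_override(GENERATED_CONF, CUSTOM_CONF)))
```

With an empty textarea the override merge returns the generated config unchanged, so the default behaviour is preserved; only a non-empty custom fragment changes what SmartDNS queries.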
Those servers are the ones you yourself have set.
So set other servers if you want other servers.
Seeing that you have also set 192.168.0.1 (probably the router's IP address) it might even be possible that you have made a setup error and set the router's IP address as Local DNS (which is wrong if the router is in normal Gateway mode)
I was just using egc's config as an example. So you're saying those servers are populated from Setup > Basic Setup > Network Setup? If nothing is set there it shouldn't add any server to the config?
What about Static DNS 1-3? Those are passed to DHCP clients and they also seem to be added to the SmartDNS config. Here's my config:
Maybe the Static DNS servers shouldn't be added to the SmartDNS config?
Joined: 16 Nov 2015 Posts: 6410 Location: UK, London, just across the river..
Posted: Tue May 03, 2022 16:42
hmmm, to use SmartDNS only you'd need these lines in the additional DNSmasq config box:
no-resolv
cache-size=0
server=127.0.0.1#6053
to use the SmartDNS IPv6 DNS option you have to disable DNSmasq as a resolver...
"...Note: if you need to support IPv6, you can set the work mode to 2, this will disable the DNS service of dnsmasq, and smartdns runs as the primary DNS server. Change SMARTDNS_WORKMODE in the config file..." or, I guess, directly in this new config box:
SMARTDNS_WORKMODE="2"
Lots of useful details: https://github.com/pymumu/smartdns/blob/master/ReadMe_en.md#configuration-parameter _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Let's put aside IPv6 and DNSmasq for now. What you saw is what my router generates by default for SmartDNS:
Code:
server-name XXXX
bind [::]:6053
serve-expired yes
log-size 64K
log-num 1
log-level error
log-file /tmp/smartdns.log
server 172.21.1.1
server 2606:4700:4700::1001
server 2606:4700:4700::1111
According to the documentation:
Quote:
server Upstream UDP DNS server
SmartDNS will use 172.21.1.1, 2606:4700:4700::1001 and 2606:4700:4700::1111 to resolve DNS queries.
I know that 2606:4700:4700::1001/2606:4700:4700::1111 are coming from the IPv6 tab (ignoring for now), but what about 172.21.1.1??
It doesn't seem useful to have something that comes from the "Static DNS servers" / LAN DHCP settings to be copied over to SmartDNS.
It can also create a loop because: lan computer asking for a DNS record > dnsmasq (server=127.0.0.1#6053) > smartdns (server 172.21.1.1) > points back to dnsmasq...
the Static DNS are for upstream servers whether used by DNSMasq or by SmartDNS
If that's the case how can one set the DNS servers advertised via DHCPD to the LAN computers?
Up until now I was under the impression that:
- Network Setup > Local DNS: upstream servers whether used by DNSMasq or by SmartDNS
- Network Address Server Settings (DHCP) > Static DNS 1-4: DNS servers to be advertised to your LAN via DHCP.
After all it is placed inside Network Address Server Settings (DHCP).
@ho1Aetoo what you described was my idea of it, however:
ho1Aetoo wrote:
The clients query dnsmasq on the router
In my observation, if I set "Static DNS 1" to "1.1.1.1" my LAN machines will get 1.1.1.1 as their DNS server, a complete bypass of the router's dnsmasq and the rest of the pipeline...
ho1Aetoo wrote:
and if you disable dnsmasq in the GUI then the clients get directly the "static DNS servers" via DHCP.
I'll test it again but this is undocumented behaviour that is hard to understand for the majority of people.
It is not about "not knowing the basics"; it just doesn't make sense to have something in the DHCPD section that then doesn't get used because we have another setting somewhere turned on. If it says "DHCP Server Settings" one expects it to always advertise those IPs.
Wasn't it easier to just have it working like this:
- Network Setup > Local DNS: upstream servers whether used by DNSMasq or by SmartDNS
- Network Address Server Settings (DHCP) > Static DNS 1-4: DNS servers to be advertised to your LAN via DHCP.
the option is called "use DNSMasq for DNS" (WebIF > Setup)
if you activate the option dnsmasq is used as DNS cache / forwarder etc. and the clients get the IP address of the router (dnsmasq) via DHCP
and if you deactivate the option they get directly the address of the upstream DNS server
but you can also control manually what the clients get via DHCP
WebIF > Services > additional dnsmasq option
dhcp-option=br0,6,xxx.xxx.xxx.xxx
(br0 is the interface ..)
and yes this is a bit advanced and you have to deal with it a bit
but there are some stickies in the forum where this is discussed and the necessary settings are shown or explained
Posted: Tue May 03, 2022 19:03
adding a private address to the DNS box is not the best option and can be a reason for a mess...
as the others said you can use either:
-direct link to DNS servers...(no DNSmasq or SmartDNS)
-DNS via DNSmasq + SmartDNS
-DNSmasq or SmartDNS stand-alone...
my advice is stick to commands and DNS specified in the advanced DNSmasq box
or use one of the 3 options above...
best bet is DNSmasq + SmartDNS, so add those 2 lines in the advanced DNSmasq rules:
no-resolv
server=127.0.0.1#6053
and use only the DNS resolvers specified in the SmartDNS config...
do not add DNS in those 3-4 static DNS boxes; even if you add any they must be overruled by the no-resolv command...
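Added example (my own code, not DD-WRT's, SmartDNS's or anyone's in this thread) covering two points made above: the loop described earlier (LAN client > dnsmasq server=127.0.0.1#6053 > SmartDNS server 172.21.1.1 > back to dnsmasq) and the dnsmasq + SmartDNS setup recommended in this post. It parses the additional dnsmasq options box and smartdns.conf, has to be told the router's own addresses (ROUTER below is a constructed value), and flags a missing no-resolv, a missing server=127.0.0.1#<port> forwarder, an upstream that is the router itself, an upstream on a private address, and a dhcp-option 6 that hands clients an outside resolver directly. The finding tags and the sample configs (modelled on the ones quoted in the thread) are mine.

```python
"""Audit the dnsmasq -> SmartDNS -> upstream chain for loops and bypasses.

Added example, not DD-WRT's or SmartDNS's own code.  It reads the two text
boxes the thread discusses (additional dnsmasq options and smartdns.conf)
and must be told the router's own addresses; the finding tags are made up.
"""
from __future__ import annotations

import ipaddress
import re

# Default port SmartDNS uses for each upstream directive when none is given.
UPSTREAM_DEFAULT_PORT = {"server": 53, "server-tcp": 53, "server-tls": 853}


def _host_port(target: str, default_port: int) -> tuple[str, int]:
    """Split 'host[:port]', accepting bare IPv4, bare IPv6 and [v6]:port."""
    if target.startswith("["):
        host, _, rest = target[1:].partition("]")
        return host, int(rest[1:]) if rest.startswith(":") else default_port
    if target.count(":") == 1:
        host, port = target.split(":")
        return host, int(port)
    return target, default_port


def dnsmasq_forwarders(opts: str) -> list[tuple[str, int]]:
    """server=IP[#port] lines: where dnsmasq forwards (port 53 if omitted)."""
    out = []
    for line in opts.splitlines():
        line = line.strip()
        if line.startswith("server="):
            host, _, port = line[len("server="):].partition("#")
            out.append((host, int(port) if port else 53))
    return out


def dhcp_option6(opts: str) -> list[str]:
    """DNS servers pushed to clients by dhcp-option=[iface,]6,a,b,..."""
    out = []
    for line in opts.splitlines():
        m = re.match(r"dhcp-option=(?:[\w.-]+,)?(?:6|option:dns-server),(.+)$", line.strip())
        if m:
            out.extend(a.strip() for a in m.group(1).split(","))
    return out


def smartdns_bind_ports(conf: str) -> set[int]:
    """Ports SmartDNS listens on (bind / bind-tcp lines)."""
    ports = set()
    for line in conf.splitlines():
        parts = line.split()
        if parts and parts[0] in ("bind", "bind-tcp"):
            ports.add(int(parts[1].rsplit(":", 1)[1]))
    return ports


def smartdns_upstreams(conf: str) -> list[tuple[str, int]]:
    """Every upstream SmartDNS will query, as (host, port); DoH URLs kept whole."""
    out = []
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        if parts[0] == "server-https":
            out.append((parts[1], 443))
        elif parts[0] in UPSTREAM_DEFAULT_PORT:
            out.append(_host_port(parts[1], UPSTREAM_DEFAULT_PORT[parts[0]]))
    return out


def audit(dnsmasq_opts: str, smartdns_conf: str, router_addrs: set[str]) -> list[tuple[str, str]]:
    """Return (tag, explanation) findings; an empty list means a clean chain."""
    findings = []
    # 0.0.0.0 in a dhcp-option means "this router" to dnsmasq, so count it as self.
    self_addrs = {"127.0.0.1", "::1", "0.0.0.0"} | set(router_addrs)
    binds = smartdns_bind_ports(smartdns_conf)
    opt_lines = {line.strip() for line in dnsmasq_opts.splitlines()}

    if "no-resolv" not in opt_lines:
        findings.append(("no-resolv", "dnsmasq still takes upstreams from resolv.conf "
                         "(the Static DNS boxes) next to any server= lines you add"))
    if not any(h in self_addrs and p in binds for h, p in dnsmasq_forwarders(dnsmasq_opts)):
        findings.append(("no-forwarder", "no server=127.0.0.1#<port> line points dnsmasq "
                         "at a SmartDNS bind port"))

    for host, port in smartdns_upstreams(smartdns_conf):
        if host in self_addrs and (port == 53 or port in binds):
            findings.append(("loop", f"SmartDNS upstream {host}:{port} is the router itself; "
                             "dnsmasq forwards to SmartDNS, which forwards straight back"))
            continue
        try:
            if ipaddress.ip_address(host).is_private:
                findings.append(("private-upstream", f"SmartDNS upstream {host} is a private "
                                 "address; make sure it is a resolver you really mean to use"))
        except ValueError:
            pass  # hostname or URL rather than an address

    for addr in dhcp_option6(dnsmasq_opts):
        if addr not in self_addrs:
            findings.append(("bypass", f"DHCP option 6 hands clients {addr} directly, "
                             "so they never touch dnsmasq or SmartDNS"))
    return findings


# Constructed inputs modelled on the configs quoted in the thread.
RECOMMENDED_DNSMASQ = "no-resolv\ncache-size=0\nserver=127.0.0.1#6053\n"
CLEAN_SMARTDNS = "bind [::]:6053\nserver-tls 1.0.0.1:853\nserver-tls [2606:4700:4700::1111]:853\n"
LOOPING_SMARTDNS = ("bind [::]:6053\nserver 172.21.1.1\n"
                    "server 2606:4700:4700::1001\nserver 2606:4700:4700::1111\n")
ROUTER = {"172.21.1.1"}  # assumed LAN address of the router in the example

if __name__ == "__main__":
    for tag, why in audit(RECOMMENDED_DNSMASQ, LOOPING_SMARTDNS, ROUTER):
        print(f"[{tag}] {why}")
```

Run it with the generated config that had the router's own address as a SmartDNS upstream and it reports one loop finding; with the recommended dnsmasq lines and only external upstreams in smartdns.conf it reports nothing.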
I was just testing this and it does seem to work like you described. I'm 90% certain however that in some old build not setting my router as Static DNS 1 would leave my DHCP clients without a DNS server.
My current setup on an r47822 router looks like this and works:
DHCP client is getting the router IP as DNS server:
So effectively the options you mentioned @Alozaros are there. This way there are no insecure servers in SmartDNS and the implementation by @egc should work.
Thank you all.
Just installed r48786 and everything works as expected!
Thank you very much for the implementation @egc and the rest of you for the patience and eventually an explanation of what's really going on behind the scenes in the DHCP Server section.
Maybe these posts can be moved to https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=323896 in order to complement the rest of the guides and discussion?