From: Ketan Kulkarni
To: Dave Taht
Cc: cerowrt-devel@lists.bufferbloat.net
Date: Thu, 22 Mar 2012 22:13:21 +0530
Subject: Re: [Cerowrt-devel] dns failures on cerowrt

Thanks Dave.
One liner change in "other.zone" and dnssec worked seamlessly on my home network!! (except bug 113)

Fix -
1. Add below line to "/etc/chroot/named/etc/bind/default/other.zones"
          "zone "." { type hint; file "/etc/bind/default/root.db"; };"
2. Comment out existing two lines -
            zone "." { type slave ..."
       and
            zone "arpa" { type slave ..."

These two zones have masters explicitly specified as 192.5.5.241 (which doesn't work here)

f-root (192.5.5.241) is not pingable from my home ISP (but from my office network). It's really weird.

Thanks,
Ketan

On Fri, Mar 16, 2012 at 12:08 AM, Dave Taht wrote:
> While I'm at this, I note that we do also include dnsmasq in cerowrt,
> and include the full openwrt gui for such.
>
> You can easily deconfigure bind and replace it with dnsmasq by:
>
> mv /etc/xinetd.d/named /etc/named.old
> killall -1 xinetd
> killall named
> vi /etc/config/dhcp
>
> and change the port 0 line to be port 53
>
> /etc/init.d/dnsmasq restart # or just reboot
>
> and that should enable dnsmasq instead of bind.
>
> I note that what is in 3.3rc7 and later is actually the most bleeding-edge-ist
> dnsmasq, which includes (untested, hint, hint) support for dnssec proxying,
> as well as ra announcements and some support for serving up dhcpv6.
>
> dnsmasq is much better integrated into the openwrt gui, as well.
>
> In losing bind, the ability to have split views, act as an internet
> peer, etc, etc
> are all lost, and I'd prefer to keep hacking on bind, but the new dnsmasq could
> use some love expended on it too, as I expect the new version to be standard
> on far more cpe than bind ever will be.
>
> This new version of dnsmasq should be out in final form soon.
>
> (and as I side note, because I can't stand vi, I have an emacs clone in the build
> called zile)
>
>
> On Thu, Mar 15, 2012 at 11:19 AM, Dave Taht wrote:
> > I hope you don't mind, but I prefer to always answer questions like these
> > publicly.
> >
> > On Thu, Mar 15, 2012 at 10:55 AM, Ketan Kulkarni wrote:
> >> Hi Dave,
> >> I bought wndr3800 and now setting up the cerowrt on it.
> >
> > Yea!
> >
> >> I am getting few issues in setting up dns server.
> >> Observation: nslookup from my laptop through cerowrt fails
> >>
> >> Thanks jg for many dns related pointers - still I must have missed something
> >> to get it working.
> >>
> >> Few things I tried (few of them really dumb) -
> >> 1. Time and zone is properly set on cerowrt box
> >> 2. Restarted namedprep and named every time
> >
> > At one level I'm glad we're exposing potential problems with getting
> > dnssec deployed more widely.
> >
> > At another level, it frustrates me.
> >
> >> 3. Also tried modifying
> >> dnssec-validation auto to off;
> >> dnssec-lookaside auto to off; and then restarting named but it didn't help
> >> either.
> >
> > To debug these sorts of problems I usually use a command to continuously
> > read the syslog
> >
> > openwrt# logread -f &
> >
> > and then watch stuff like 'killing off the dns server and restarting' go.
> >
> > # killall named
> > # nslookup ::1 # should return localhost after named restarts
> > # rndc validation disable # is a command you can issue to turn off validation
> > # host www.lwn.net # repeat a few times
> > # your clock should slew inside of about
> > #
> > Here are the potential problems.
> >
> > 0) Are you on a real ip address or behind levels of nat?
> >
> > 1) If you are behind someone else's firewall, it may be that you cannot
> > get dns through it. In many locations dns packets are blocked, and dns
> > is only available from the local dns server.
> >
> > 2) in some locations dns access to the roots is blocked
> >
> > 3) in some places the local dns server is too lame to recurse properly
> > or handle ipv6
> >
> > 4) in others NTP is blocked
> >
> >>
> >> 4. Added my lan subnet entry in "acls.local.conf" - in vain.
> >
> > It is a good idea that you do so.
> >
> >> 5. added my dns servers in forwarders.conf
> >
> > That should have worked, unless your dns servers were lame.
> >
> > Did you try 8.8.8.8 as a forwarder?
> >
> >> If I configure any open dns server like 8.8.8.8; everything works properly
> >> (as expected).
> >>
> >> Waited to catch you - but it's almost midnight here - so thought to put it in
> >> the mail
> >
> > I went to bed early last night (flu), and woke up late (more flu)
> >
> >>
> >> Appreciate your help.
> >>
> >> Thanks,
> >> Ketan
> >>
> >> p.s. firmware is cerowrt-3.3rc7.2
> >
> >
> >
> > --
> > Dave Täht
> > SKYPE: davetaht
> > US Tel: 1-239-829-5608
> > http://www.bufferbloat.net
>
>
>
> --
> Dave Täht
> SKYPE: davetaht
> US Tel: 1-239-829-5608
> http://www.bufferbloat.net
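Ketan's fix, written out as a script (an added example, not code from the thread or from CeroWrt): a brace-aware rewrite of a BIND zones file that comments out the `type slave` stanzas for "." and "arpa", whose single master is the unreachable 192.5.5.241 from the mail, and appends the `type hint` root stanza he quotes. While the root is slaved from one host that cannot be reached, named has no root data at all and every recursive lookup fails; hints let it try the whole root server set. The sample file contents below are constructed; the hint line and master address are the ones in the mail.

```python
import re
# Constructed sample of other.zones, modelled on the two slave stanzas the
# mail describes (the master address is the one quoted there).
SAMPLE_ZONES = """\
zone "." {
    type slave;
    file "/etc/bind/default/root.slave";
    masters { 192.5.5.241; };
};
zone "arpa" {
    type slave;
    file "/etc/bind/default/arpa.slave";
    masters { 192.5.5.241; };
};
zone "home.lan" { type master; file "/etc/bind/default/home.lan.db"; };
"""
ROOT_HINT = 'zone "." { type hint; file "/etc/bind/default/root.db"; };'  # from the mail

def _zone_stanzas(text):
    """Yield (start, end, name, body) per uncommented top-level zone stanza."""
    for m in re.finditer(r'zone\s+"([^"]*)"\s*\{', text):
        line_start = text.rfind("\n", 0, m.start()) + 1
        if "//" in text[line_start:m.start()]:
            continue                      # already commented out
        depth, i = 1, m.end()
        while depth and i < len(text):    # count braces so nested blocks survive
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        while i < len(text) and text[i] in " \t;":
            i += 1                        # swallow the closing ';'
        yield m.start(), i, m.group(1), text[m.end():i]

def apply_root_hint_fix(text, names=(".", "arpa")):
    """Comment out slave stanzas in `names`; add ROOT_HINT if no hint for ".". Idempotent."""
    out, pos, have_hint = [], 0, False
    for start, end, name, body in _zone_stanzas(text):
        stanza = text[start:end]
        if name in names and re.search(r"\btype\s+slave\b", body):
            stanza = "\n".join("// " + ln for ln in stanza.splitlines())
        elif name == "." and re.search(r"\btype\s+hint\b", body):
            have_hint = True
        out.append(text[pos:start] + stanza)
        pos = end
    fixed = "".join(out) + text[pos:]
    if not have_hint:
        fixed = fixed.rstrip("\n") + "\n" + ROOT_HINT + "\n"
    return fixed

if __name__ == "__main__":
    print(apply_root_hint_fix(SAMPLE_ZONES))
```

Run it against the real file with `apply_root_hint_fix(open(path).read())` and reload named (`rndc reconfig`) afterwards; the commented stanzas keep the old master on record for later comparison.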
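The checklist in Dave's quoted reply (items 1 to 3: DNS blocked by a firewall, access to the roots blocked, a local resolver too lame to recurse) can be turned into two raw UDP probes, which is what this added example does; it is not code from the thread or from CeroWrt. It assumes the f-root address, the test name www.lwn.net and the 8.8.8.8 fallback quoted in the mail, and that plain UDP port 53 is the path worth testing.

```python
import socket
import struct

QID = 0x1234  # fixed query id; replies with any other id are ignored

def build_query(name, qtype):
    """Minimal DNS query with RD set: header + QNAME + QTYPE + QCLASS IN."""
    labels = [l for l in name.strip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", QID, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def parse_reply(data):
    """Return (rcode, ra, answer_count), or None if data is not our response."""
    if len(data) < 12:
        return None
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != QID or not flags & 0x8000:  # wrong id or QR bit clear
        return None
    return flags & 0x000F, bool(flags & 0x0080), an

def probe(server, name, qtype, timeout=2.0):
    """One UDP query to server:53; None means no usable answer in time."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name, qtype), (server, 53))
            return parse_reply(s.recv(512))
        except OSError:  # timeout, ICMP unreachable, sendto refused
            return None

def diagnose(root_reply, local_reply):
    """Map the two probe results onto the checklist items from the mail."""
    findings = []
    if root_reply is None:
        findings.append("root: no reply, direct access to the roots looks blocked (2)")
    elif root_reply[2] == 0:
        findings.append("root: reply carried no NS records, answer was probably rewritten")
    if local_reply is None:
        findings.append("local: no reply, port 53 to the resolver is blocked (1)")
    elif not local_reply[1]:
        findings.append("local: RA flag clear, resolver will not recurse for us (3)")
    elif local_reply[0] != 0:
        findings.append("local: rcode %d, resolver is lame or failing (3)" % local_reply[0])
    return findings

if __name__ == "__main__":
    import sys
    local = sys.argv[1] if len(sys.argv) > 1 else "8.8.8.8"   # resolver to test
    root = probe("192.5.5.241", ".", 2)          # f-root, NS query for "."
    print(diagnose(root, probe(local, "www.lwn.net", 1)) or ["no problem found"])
```

Run it from the LAN side of the router with the ISP resolver as the argument; a clean result there but a failing named points back at the zone configuration rather than the network.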