From: Aristar
Date: Sat, 10 May 2014 14:42:46 -0400
To: cerowrt-devel, robert.bradley1@gmail.com
Subject: Re: [Cerowrt-devel] Upgraded to 3.10.38-1, DNS issues?

I didn't specify any DNS servers so I guess it was using my ISP's DNS
servers (Verizon FiOS).
As I said I didn't realize DNSSEC was enabled by default now, but even
with it disabled it doesn't seem to work out of the box anymore without
a manually set resolv file. dnscrypt-proxy is working great though
(without needing a resolv file), it runs as a daemon and sets up an
encrypted connection to OpenDNS servers which you then specify
127.0.0.1#2053 for DNS forwarding. I suggested this be added to CeroWRT
awhile ago but there wasn't much interest, nor any official packages
available, though that thread I linked above in this thread has a
repository and a maintainer in the forum thread with a source repo.

>Out of interest, which upstream DNS servers were you using when DNSSEC
>was blocked? I noticed fairly recently that some Wi-Fi networks (Global
>Gossip, using filtered OpenDNS upstream) refused all dnssec-enabled
>requests with NXDOMAIN. This was testing with a custom-built dnsmasq
>2.70 on Ubuntu, but the same setup works fine behind both CeroWRT and
>other DNSSEC-capable servers that I tried.
>
>--
>Robert Bradley

On Fri, May 9, 2014 at 12:17 PM, Aristar wrote:
> Okay I figured it out. It was DNSSEC. I didn't realize it was enabled
> by default so I had to comment out the lines in /etc/dnsmasq.conf but
> I still had to manually specify a nameservers in a separate config
> under LUCI Network>DHCP and DNS>Resolv and Hosts Files>"Resolve file"
> and all is well again.
>
> Now to set up dnscrypt-proxy again which actually has a repository now
> and instructions for building from source. (Seems more reliable than
> DNSSEC anyways, though I have not read too much on DNSSEC).
>
> src/gz exopenwrt http://exopenwrt.and.in.net/ar71xx/packages
>
> https://forum.openwrt.org/viewtopic.php?id=36380&p=1
>
>
> On Fri, May 9, 2014 at 5:34 AM, Aristar wrote:
>> Sorry if this is a dumb question but I'm not sure what's changed since
>> 3.7.5 but I can't get DNS working.
>> my resolv.conf says 127.0.0.1, the
>> /tmp/resolv.conf.auto has valid DNS servers and I can't resolve
>> anything locally on the router via ssh or on any client device. I CAN
>> get DNS LOCAL only if I add a DNS server to /etc/resolv.conf but
>> clients using nameserver 172.30.42.1 can't
>>
>> Any ideas? I did a fresh install/clean configs and it isn't working
>> out of the box or with any GUI or manual editing I've tried.
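
The failure mode raised in the quoted question above (an upstream that returns NXDOMAIN only for DNSSEC-enabled requests) can be checked by asking the same question with and without the EDNS0 DO bit and comparing response codes. The following is an added example, not part of the original thread; it assumes "dnssec-enabled" means a query carrying the DO bit, and the function names and sample replies are constructed for illustration.

```python
# Added illustration, not from the thread; names and sample data are constructed.
import socket
import struct

DO_FLAG = 0x8000  # EDNS0 "DNSSEC OK" bit in the OPT record's flags field

def build_query(name, dnssec_ok=False, qid=0x1234):
    """A-record query; with dnssec_ok, append an EDNS0 OPT RR with DO set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if dnssec_ok else 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    packet = header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    if dnssec_ok:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=flags, RDLEN=0
        packet += b"\x00" + struct.pack("!HHIH", 41, 4096, DO_FLAG, 0)
    return packet

def rcode(response):
    """Extract the 4-bit RCODE from a DNS response header."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    return struct.unpack("!H", response[2:4])[0] & 0x000F

def classify(plain_rcode, do_rcode):
    """Compare the answers to the same question asked without and with DO."""
    if plain_rcode == 0 and do_rcode == 3:   # NOERROR vs NXDOMAIN
        return "dnssec-filtered"
    return "consistent" if plain_rcode == do_rcode else "inconsistent"

def probe(server, name, port=53, timeout=3.0):
    """Live check (needs network): ask one upstream both ways and classify."""
    codes = []
    for do in (False, True):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name, dnssec_ok=do), (server, port))
            codes.append(rcode(s.recvfrom(4096)[0]))
    return classify(*codes)

def constructed_response(query, code):
    """Constructed sample reply: the query echoed with QR/RD/RA set and an RCODE."""
    return query[:2] + struct.pack("!H", 0x8180 | code) + query[4:]

if __name__ == "__main__":
    plain, with_do = build_query("example.com"), build_query("example.com", True)
    # Constructed case: the upstream resolves the name normally but refuses DO queries.
    print(classify(rcode(constructed_response(plain, 0)),
                   rcode(constructed_response(with_do, 3))))
```

Running `probe()` against each server listed in /tmp/resolv.conf.auto shows whether a given upstream is the one rejecting DO queries before DNSSEC validation is switched off in dnsmasq.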