* [Cerowrt-devel] Upgraded to 3.10.38-1, DNS issues?
@ 2014-05-09 9:34 Aristar
2014-05-09 16:17 ` Aristar
0 siblings, 1 reply; 9+ messages in thread
From: Aristar @ 2014-05-09 9:34 UTC (permalink / raw)
To: cerowrt-devel
Sorry if this is a dumb question but I'm not sure what's changed since
3.7.5 but I can't get DNS working. my resolv.conf says 127.0.0.1, the
/tmp/resolv.conf.auto has valid dns servers and I can't resolve
anything locally on the router via ssh or on any client device. I CAN
get dns LOCAL only if I add a dns server to /etc/resolv.conf but
clients using nameserver 172.30.42.1 can't
Any ideas? I did a fresh install/clean configs and it isn't working
out of the box or with any GUI or manual editing I've tried.
* Re: [Cerowrt-devel] Upgraded to 3.10.38-1, DNS issues?
2014-05-09 9:34 [Cerowrt-devel] Upgraded to 3.10.38-1, DNS issues? Aristar
@ 2014-05-09 16:17 ` Aristar
2014-05-10 12:15 ` Robert Bradley
` (2 more replies)
0 siblings, 3 replies; 9+ messages in thread
From: Aristar @ 2014-05-09 16:17 UTC (permalink / raw)
To: cerowrt-devel
Okay I figured it out. It was DNSSEC I didn't realize it was enabled
by default so I had to comment out the lines in /etc/dnsmasq.conf but
I still had to manually specify a nameservers in a separate config
under LUCI Network>DHCP and DNS>Resolv and Hosts Files>"Resolve file"
and all is well again.
Now to set up dnscrypt-proxy again which actually has a repository now
and instructions for building from source. (Seems more reliable than
DNSSEC anyways, though I have not read too much on DNSSEC).
src/gz exopenwrt http://exopenwrt.and.in.net/ar71xx/packages
https://forum.openwrt.org/viewtopic.php?id=36380&p=1
On Fri, May 9, 2014 at 5:34 AM, Aristar <LeetMiniWheat@gmail.com> wrote:
> Sorry if this is a dumb question but I'm not sure what's changed since
> 3.7.5 but I can't get DNS working. my resolv.conf says 127.0.0.1, the
> /tmp/resolv.conf.auto has valid dns servers and I can't resolve
> anything locally on the router via ssh or on any client device. I CAN
> get dns LOCAL only if I add a dns server to /etc/resolv.conf but
> clients using nameserver 172.30.42.1 can't
>
> Any ideas? I did a fresh install/clean configs and it isn't working
> out of the box or with any GUI or manual editing I've tried.
* Re: [Cerowrt-devel] Upgraded to 3.10.38-1, DNS issues?
2014-05-09 16:17 ` Aristar
@ 2014-05-10 12:15 ` Robert Bradley
2014-05-11 21:46 ` Robert Bradley
2014-05-11 21:48 ` Robert Bradley
2014-05-10 18:42 ` Aristar
2014-05-11 11:54 ` Sebastian Moeller
2 siblings, 2 replies; 9+ messages in thread
From: Robert Bradley @ 2014-05-10 12:15 UTC (permalink / raw)
To: cerowrt-devel
On 09/05/2014 17:17, Aristar wrote:
> Okay I figured it out. It was DNSSEC I didn't realize it was enabled
> by default so I had to comment out the lines in /etc/dnsmasq.conf but
> I still had to manually specify a nameservers in a separate config
> under LUCI Network>DHCP and DNS>Resolv and Hosts Files>"Resolve file"
> and all is well again.
>
> Now to set up dnscrypt-proxy again which actually has a repository now
> and instructions for building from source. (Seems more reliable than
> DNSSEC anyways, though I have not read too much on DNSSEC).
>
> src/gz exopenwrt http://exopenwrt.and.in.net/ar71xx/packages
>
> https://forum.openwrt.org/viewtopic.php?id=36380&p=1
>
>
Out of interest, which upstream DNS servers were you using when DNSSEC
was blocked? I noticed fairly recently that some Wi-Fi networks (Global
Gossip, using filtered OpenDNS upstream) refused all dnssec-enabled
requests with NXDOMAIN. This was testing with a custom-built dnsmasq
2.70 on Ubuntu, but the same setup works fine behind both CeroWRT and
other DNSSEC-capable servers that I tried.
--
Robert Bradley
* Re: [Cerowrt-devel] Upgraded to 3.10.38-1, DNS issues?
2014-05-09 16:17 ` Aristar
2014-05-10 12:15 ` Robert Bradley
@ 2014-05-10 18:42 ` Aristar
2014-05-12 8:09 ` Maciej Soltysiak
2014-05-11 11:54 ` Sebastian Moeller
2 siblings, 1 reply; 9+ messages in thread
From: Aristar @ 2014-05-10 18:42 UTC (permalink / raw)
To: cerowrt-devel, robert.bradley1
I didn't specify any DNS servers so I guess it was using my ISP's dns
servers (Verizon FiOS). As I said I didn't realize DNSSEC was enabled
by default now, but even with it disabled it doesn't seem to work out
of the box anymore without a manually set resolv file.
dnscrypt-proxy is working great though (without needing a resolv
file), it runs as a daemon and sets up an encrypted connection to
OpenDNS servers which you then specify 127.0.0.1#2053 for dns
forwarding. I suggested this be added to CeroWRT awhile ago but there
wasn't much interest, nor any official packages available, though that
thread I linked above in this thread has a repository and a maintainer
in the forum thread with a source repo.
>Out of interest, which upstream DNS servers were you using when DNSSEC
>was blocked? I noticed fairly recently that some Wi-Fi networks (Global
>Gossip, using filtered OpenDNS upstream) refused all dnssec-enabled
>requests with NXDOMAIN. This was testing with a custom-built dnsmasq
>2.70 on Ubuntu, but the same setup works fine behind both CeroWRT and
>other DNSSEC-capable servers that I tried.
>
>--
>Robert Bradley
On Fri, May 9, 2014 at 12:17 PM, Aristar <LeetMiniWheat@gmail.com> wrote:
> Okay I figured it out. It was DNSSEC I didn't realize it was enabled
> by default so I had to comment out the lines in /etc/dnsmasq.conf but
> I still had to manually specify a nameservers in a separate config
> under LUCI Network>DHCP and DNS>Resolv and Hosts Files>"Resolve file"
> and all is well again.
>
> Now to set up dnscrypt-proxy again which actually has a repository now
> and instructions for building from source. (Seems more reliable than
> DNSSEC anyways, though I have not read too much on DNSSEC).
>
> src/gz exopenwrt http://exopenwrt.and.in.net/ar71xx/packages
>
> https://forum.openwrt.org/viewtopic.php?id=36380&p=1
>
>
> On Fri, May 9, 2014 at 5:34 AM, Aristar <LeetMiniWheat@gmail.com> wrote:
>> Sorry if this is a dumb question but I'm not sure what's changed since
>> 3.7.5 but I can't get DNS working. my resolv.conf says 127.0.0.1, the
>> /tmp/resolv.conf.auto has valid dns servers and I can't resolve
>> anything locally on the router via ssh or on any client device. I CAN
>> get dns LOCAL only if I add a dns server to /etc/resolv.conf but
>> clients using nameserver 172.30.42.1 can't
>>
>> Any ideas? I did a fresh install/clean configs and it isn't working
>> out of the box or with any GUI or manual editing I've tried.
* Re: [Cerowrt-devel] Upgraded to 3.10.38-1, DNS issues?
2014-05-09 16:17 ` Aristar
2014-05-10 12:15 ` Robert Bradley
2014-05-10 18:42 ` Aristar
@ 2014-05-11 11:54 ` Sebastian Moeller
2014-05-11 12:14 ` Aristar
2 siblings, 1 reply; 9+ messages in thread
From: Sebastian Moeller @ 2014-05-11 11:54 UTC (permalink / raw)
To: Aristar; +Cc: cerowrt-devel
Hi Aristar,
On May 9, 2014, at 18:17 , Aristar <LeetMiniWheat@gmail.com> wrote:
> Okay I figured it out. It was DNSSEC I didn't realize it was enabled
> by default so I had to comment out the lines in /etc/dnsmasq.conf but
> I still had to manually specify a nameservers in a separate config
> under LUCI Network>DHCP and DNS>Resolv and Hosts Files>"Resolve file"
> and all is well again.
I think Dave changed the default for 3.10.38-2 to avoid the negative proof checks, and that, at least on my system, made automatic DNS configuration through my upstream router functional again. I had the same issues as you with 3.10.38-1 and some earlier ones. So you might want to test the latest cerowrt to see whether that solves the issue. (I think there was some discussion of how DNS recursors work differently with DNSSEC than dnsmasq, which operates as a forwarder.)
Best Regards
Sebastian
>
> Now to set up dnscrypt-proxy again which actually has a repository now
> and instructions for building from source. (Seems more reliable than
> DNSSEC anyways, though I have not read too much on DNSSEC).
>
> src/gz exopenwrt http://exopenwrt.and.in.net/ar71xx/packages
>
> https://forum.openwrt.org/viewtopic.php?id=36380&p=1
>
>
> On Fri, May 9, 2014 at 5:34 AM, Aristar <LeetMiniWheat@gmail.com> wrote:
>> Sorry if this is a dumb question but I'm not sure what's changed since
>> 3.7.5 but I can't get DNS working. my resolv.conf says 127.0.0.1, the
>> /tmp/resolv.conf.auto has valid dns servers and I can't resolve
>> anything locally on the router via ssh or on any client device. I CAN
>> get dns LOCAL only if I add a dns server to /etc/resolv.conf but
>> clients using nameserver 172.30.42.1 can't
>>
>> Any ideas? I did a fresh install/clean configs and it isn't working
>> out of the box or with any GUI or manual editing I've tried.
> _______________________________________________
> Cerowrt-devel mailing list
> Cerowrt-devel@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cerowrt-devel
* Re: [Cerowrt-devel] Upgraded to 3.10.38-1, DNS issues?
2014-05-11 11:54 ` Sebastian Moeller
@ 2014-05-11 12:14 ` Aristar
0 siblings, 0 replies; 9+ messages in thread
From: Aristar @ 2014-05-11 12:14 UTC (permalink / raw)
To: Sebastian Moeller; +Cc: cerowrt-devel
Didn't see any release notes for anything newer than 3.10.38-1 so I
presumed they might be untested builds, so I didn't want to risk it on
my main gateway router. I've been waiting for a stable release but the
recent security vuln made 3.7.5 unviable.
Looking for the most stable release possible (without security vulns)
if anyone has any suggestions
On Sun, May 11, 2014 at 7:54 AM, Sebastian Moeller <moeller0@gmx.de> wrote:
> Hi Aristar,
>
>
> On May 9, 2014, at 18:17 , Aristar <LeetMiniWheat@gmail.com> wrote:
>
>> Okay I figured it out. It was DNSSEC I didn't realize it was enabled
>> by default so I had to comment out the lines in /etc/dnsmasq.conf but
>> I still had to manually specify a nameservers in a separate config
>> under LUCI Network>DHCP and DNS>Resolv and Hosts Files>"Resolve file"
>> and all is well again.
>
> I think Dave changed the default for 3.10.38-2 to avoid the negative proof checks, and that, at least on my system, made automatic DNS configuration through my upstream router functional again. I had the same issues as you with 3.10.38-1 and some earlier ones. So you might want to test the latest cerowrt to see whether that solves the issue. (I think there was some discussion of how DNS recursors work differently with DNSSEC than dnsmasq, which operates as a forwarder.)
>
> Best Regards
> Sebastian
>
>>
>> Now to set up dnscrypt-proxy again which actually has a repository now
>> and instructions for building from source. (Seems more reliable than
>> DNSSEC anyways, though I have not read too much on DNSSEC).
>>
>> src/gz exopenwrt http://exopenwrt.and.in.net/ar71xx/packages
>>
>> https://forum.openwrt.org/viewtopic.php?id=36380&p=1
>>
>>
>> On Fri, May 9, 2014 at 5:34 AM, Aristar <LeetMiniWheat@gmail.com> wrote:
>>> Sorry if this is a dumb question but I'm not sure what's changed since
>>> 3.7.5 but I can't get DNS working. my resolv.conf says 127.0.0.1, the
>>> /tmp/resolv.conf.auto has valid dns servers and I can't resolve
>>> anything locally on the router via ssh or on any client device. I CAN
>>> get dns LOCAL only if I add a dns server to /etc/resolv.conf but
>>> clients using nameserver 172.30.42.1 can't
>>>
>>> Any ideas? I did a fresh install/clean configs and it isn't working
>>> out of the box or with any GUI or manual editing I've tried.
* Re: [Cerowrt-devel] Upgraded to 3.10.38-1, DNS issues?
2014-05-10 12:15 ` Robert Bradley
@ 2014-05-11 21:46 ` Robert Bradley
2014-05-11 21:48 ` Robert Bradley
1 sibling, 0 replies; 9+ messages in thread
From: Robert Bradley @ 2014-05-11 21:46 UTC (permalink / raw)
To: cerowrt-devel
On 10/05/14 13:15, Robert Bradley wrote:
> I noticed fairly recently that some Wi-Fi networks (Global Gossip, using
> filtered OpenDNS upstream) refused all dnssec-enabled requests with
> NXDOMAIN. This was testing with a custom-built dnsmasq 2.70 on Ubuntu,
> but the same setup works fine behind both CeroWRT and other
> DNSSEC-capable servers that I tried.
I eventually tracked this down to issues with 208.67.222.222 and EDNS.
If you disable dnssec on dnsmasq, it resorts to standard-length DNS
queries and name resolution works. This seems to be network-specific
though; requests from home seem to get through fine. As an aside, this
was a pain to debug since Ubuntu's dig defaults to EDNS-enabled
requests. These all fail even if you have "working" dnsmasq and route
queries via that...
--
Robert Bradley
* Re: [Cerowrt-devel] Upgraded to 3.10.38-1, DNS issues?
2014-05-10 12:15 ` Robert Bradley
2014-05-11 21:46 ` Robert Bradley
@ 2014-05-11 21:48 ` Robert Bradley
1 sibling, 0 replies; 9+ messages in thread
From: Robert Bradley @ 2014-05-11 21:48 UTC (permalink / raw)
To: cerowrt-devel
On 10/05/14 13:15, Robert Bradley wrote:
>
> I noticed fairly recently that some Wi-Fi networks (Global
> Gossip, using filtered OpenDNS upstream) refused all dnssec-enabled
> requests with NXDOMAIN. This was testing with a custom-built dnsmasq
> 2.70 on Ubuntu, but the same setup works fine behind both CeroWRT and
> other DNSSEC-capable servers that I tried.
>
I eventually tracked this down to issues with 208.67.222.222 and EDNS.
If you disable dnssec on dnsmasq, it resorts to standard-length DNS
queries and name resolution works. This seems to be network-specific
though; requests from home seem to get through fine. As an aside, this
was a pain to debug since Ubuntu's dig defaults to EDNS-enabled
requests. These all fail even if you have "working" dnsmasq and route
queries via that...
--
Robert Bradley
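The comparison described in the message above (plain queries succeed, EDNS-enabled ones fail) can be reproduced without dig or dnsmasq in the way. This is an added example, not code from the thread; the function names are hypothetical, and it assumes the queried name exists so that a healthy path returns NOERROR.

```python
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, edns=False, do_bit=False, txid=0x1234):
    """Wire-format A query; edns=True appends an OPT record (RFC 6891)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)          # QTYPE=A, QCLASS=IN
    if not edns:
        return header + question
    flags = 0x8000 if do_bit else 0                       # DO bit: "send me DNSSEC records"
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags, RDLEN=0
    return header + question + b"\x00" + struct.pack("!HHIH", 41, 4096, flags, 0)

def rcode_of(response):
    """Name of the RCODE in the low four bits of the header flags."""
    code = struct.unpack("!H", response[2:4])[0] & 0xF
    return RCODES.get(code, str(code))

def probe(server, name, timeout=3.0):
    """Ask the same question plain, with EDNS, and with EDNS+DO over UDP."""
    variants = {"plain": {}, "edns": {"edns": True},
                "edns+do": {"edns": True, "do_bit": True}}
    results = {}
    for label, kwargs in variants.items():
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            try:
                sock.sendto(build_query(name, **kwargs), (server, 53))
                results[label] = rcode_of(sock.recv(4096))
            except socket.timeout:
                results[label] = "TIMEOUT"
    return results

def diagnose(results):
    """Turn the three outcomes into the conclusion relevant to this thread."""
    if results["plain"] == "NOERROR" and results["edns"] != "NOERROR":
        return "EDNS queries fail on this path; plain queries work"
    if results["edns"] == "NOERROR" and results["edns+do"] != "NOERROR":
        return "only DO-flagged (DNSSEC) queries fail on this path"
    return "no EDNS-specific failure observed"

if __name__ == "__main__":
    outcome = probe("208.67.222.222", "example.com")      # resolver named in the thread
    print(outcome, "->", diagnose(outcome))
```

Running it once from the suspect network and once from a known-good one separates a resolver problem from a filtering middlebox on the path.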
* Re: [Cerowrt-devel] Upgraded to 3.10.38-1, DNS issues?
2014-05-10 18:42 ` Aristar
@ 2014-05-12 8:09 ` Maciej Soltysiak
0 siblings, 0 replies; 9+ messages in thread
From: Maciej Soltysiak @ 2014-05-12 8:09 UTC (permalink / raw)
To: Aristar; +Cc: cerowrt-devel
On Sat, May 10, 2014 at 8:42 PM, Aristar <LeetMiniWheat@gmail.com> wrote:
> dnscrypt-proxy is working great though (without needing a resolv
> file), it runs as a daemon and sets up an encrypted connection to
> OpenDNS servers which you then specify 127.0.0.1#2053 for dns
> forwarding. I suggested this be added to CeroWRT awhile ago but there
> wasn't much interest, nor any official packages available, though that
> thread I linked above in this thread has a repository and a maintainer
> in the forum thread with a source repo.
I think I expressed my interest too. I have dnscrypt-proxy running for
quite a while on Cero.
Not on latest cero though.
I consider it to be a very nice setup:
- dnsmasq handles dhcp and static assignments, acts faux authoritative
for domains I want to return NXDOMAIN and acts as local cache
- dnsmasq forwards everything else to local dnscrypt-proxy which sends
encrypted queries to a dnscrypt resolver at the other end (somewhere
over the cloud, 8ms away) which I control and which resolves queries
via unbound. Supports DNSSEC, keeps no logs and has experimental
support for Namecoin's .bit domains.
- I plug the DNS hole in cero's iptables so that no unencrypted DNS
traffic leaves the box.
I thought I've seen a github commit to add dnscrypt-proxy to cero, did
I see wrong?
Best regards,
Maciej
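A setup like the one described in the message above only keeps DNS encrypted if dnsmasq has no other upstream and port 53 cannot leave the WAN side. The following audit is an added example, not part of the thread or of CeroWrt; the function names, the sample config, the sample rules and the interface name "ge00" are assumptions made for illustration.

```python
import shlex

def audit_dnsmasq(conf_text):
    """Findings for a dnsmasq config that should forward only to a local proxy."""
    findings, upstreams, no_resolv = [], 0, False
    for line in map(str.strip, conf_text.splitlines()):
        key, _, value = line.partition("=")
        if key == "no-resolv":
            no_resolv = True
        elif key == "server":
            addr = value.rsplit("/", 1)[-1]            # strip any /domain/ prefix
            host = addr.split("#")[0].split("@")[0]    # strip #port and @interface
            if not host:
                continue                               # server=/domain/ is answered locally
            upstreams += 1
            if not (host.startswith("127.") or host == "::1"):
                findings.append(f"upstream {addr} is not a loopback proxy")
    if not no_resolv:
        findings.append("no-resolv missing: resolv-file servers are used as upstreams too")
    if not upstreams:
        findings.append("no server= upstream configured")
    return findings

def plain_dns_blocked(rules_text, wan_if):
    """True if UDP and TCP port 53 leaving wan_if are dropped or rejected for both
    the router (OUTPUT) and its clients (FORWARD). Rule order is not evaluated."""
    def arg(tok, flag):
        return tok[tok.index(flag) + 1] if flag in tok[:-1] else None
    blocked = set()
    for tok in map(shlex.split, rules_text.splitlines()):
        if (arg(tok, "-o") == wan_if and arg(tok, "--dport") == "53"
                and arg(tok, "-j") in ("DROP", "REJECT")):
            blocked.add((arg(tok, "-A"), arg(tok, "-p")))
    wanted = {(c, p) for c in ("OUTPUT", "FORWARD") for p in ("udp", "tcp")}
    return blocked >= wanted

# Constructed samples: dnsmasq.conf lines and iptables-save style rules.
SAMPLE_CONF = """\
no-resolv
server=127.0.0.1#2053
server=/blocked.example/
"""
SAMPLE_RULES = """\
-A OUTPUT -o ge00 -p udp -m udp --dport 53 -j REJECT
-A OUTPUT -o ge00 -p tcp -m tcp --dport 53 -j REJECT
-A FORWARD -o ge00 -p udp -m udp --dport 53 -j REJECT
-A FORWARD -o ge00 -p tcp -m tcp --dport 53 -j REJECT
"""
```

The proxy's own encrypted traffic has to use a port other than 53 for rules of this shape not to cut it off as well.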