[Cerowrt-devel] dns failures on cerowrt

Ketan Kulkarni ketkulka at gmail.com
Thu Mar 22 12:43:21 EDT 2012


Thanks Dave.
One-liner change in "other.zone" and dnssec worked seamlessly on my home
network!! (except bug 113)

Fix -
1. Add below line to "/etc/chroot/named/etc/bind/default/other.zones"
      zone "." { type hint; file "/etc/bind/default/root.db"; };
2. Comment out existing two lines -
      zone "." { type slave ...
   and
      zone "arpa" { type slave ...

These two zones have masters explicitly specified as 192.5.5.241 (which
doesn't work here)

f-root (192.5.5.241) is not pingable from my home ISP (but from my office
network). It's really weird.

Thanks,
Ketan


On Fri, Mar 16, 2012 at 12:08 AM, Dave Taht <dave.taht at gmail.com> wrote:

> While I'm at this, I note that we do also include dnsmasq in cerowrt,
> and include the full openwrt gui for such.
>
> You can easily deconfigure bind and replace it with dnsmasq by:
>
> mv /etc/xinetd.d/named /etc/named.old
> killall -1 xinetd
> killall named
> vi /etc/config/dhcp
>
> and change the port 0 line to be port 53
>
> /etc/init.d/dnsmasq restart # or just reboot
>
> and that should enable dnsmasq instead of bind.
>
> I note that what is in 3.3rc7 and later is actually the most
> bleeding-edge-ist
> dnsmasq, which includes (untested, hint, hint) support for dnssec proxying,
> as well as ra announcements and some support for serving up dhcpv6.
>
> dnsmasq is much better integrated into the openwrt gui, as well.
>
> In losing bind, the ability to have split views, act as an internet
> peer, etc, etc
> are all lost, and I'd prefer to keep hacking on bind, but the new dnsmasq
> could
> use some love expended on it too, as I expect the new version to be standard
> on far more CPE than bind ever will be.
>
> This new version of dnsmasq should be out in final form soon.
>
> (and as a side note, because I can't stand vi, I have an emacs clone
> in the build
>  called zile)
>
>
> On Thu, Mar 15, 2012 at 11:19 AM, Dave Taht <dave.taht at gmail.com> wrote:
> > I hope you don't mind, but I prefer to always answer questions like these
> > publicly.
> >
> > On Thu, Mar 15, 2012 at 10:55 AM, Ketan Kulkarni <ketkulka at gmail.com>
> wrote:
> >> Hi Dave,
> >> I bought wndr3800 and now setting up the cerowrt on it.
> >
> > Yea!
> >
> >> I am getting few issues in setting up dns server.
> >> Observation: nslookup from my laptop through cerowrt fails
> >>
> >> Thanks jg for many dns related pointers - still I must have missed
> something
> >> to get it working.
> >>
> >> Few things I tried (few of them really dumb) -
> >> 1. Time and zone is properly set on cerowrt box
> >> 2. Restarted namedprep and named every time
> >
> > At one level I'm glad we're exposing potential problems with getting
> > dnssec deployed more widely.
> >
> > At another level, it frustrates me.
> >
> >> 3. Also tried modifying
> >> dnssec-validation auto to off;
> >> dnssec-lookaside auto to off; and then restarting named but it didn't
> help
> >> either.
> >
> > To debug these sorts of problems I usually use a command to continuously
> > read the syslog
> >
> > openwrt# logread -f &
> >
> > and then watch stuff like 'killing off the dns server and restarting' go.
> >
> > # killall named
> > # nslookup ::1 # should return localhost after named restarts
> > # rndc validation disable # is a command you can issue to turn off
> validation
> > # host www.lwn.net # repeat a few times
> > # your clock should slew inside of about
> > #
> > Here are the potential problems.
> >
> > 0) Are you on a real ip address or behind levels of nat?
> >
> > 1) If you are behind someone else's firewall, it may be that you cannot
> > get dns through it. In many locations dns packets are blocked, and dns
> > is only available from the local dns server.
> >
> > 2) in some locations dns access to the roots is blocked
> >
> > 3) in some places the local dns server is too lame to recurse properly
> > or handle ipv6
> >
> > 4) in others NTP is blocked
> >
> >>
> >> 4. Added my lan subnet entry in "acls.local.conf" - in vain.
> >
> > It is a good idea that you do so.
> >
> >> 5. added my dns servers in forwarders.conf
> >
> > That should have worked, unless your dns servers were lame.
> >
> > Did you try 8.8.8.8 as a forwarder?
> >
> >> If I configure any open dns server like 8.8.8.8; everything works
> properly
> >> (as expected).
> >>
> >> Waited to catch you - but it's almost midnight here - so thought to put
> it in
> >> the mail
> >
> > I went to bed early last night (flu), and woke up late (more flu)
> >
> >>
> >> Appreciate your help.
> >>
> >> Thanks,
> >> Ketan
> >>
> >> p.s. firmware is cerowrt-3.3rc7.2
> >
> >
> >
> > --
> > Dave Täht
> > SKYPE: davetaht
> > US Tel: 1-239-829-5608
> > http://www.bufferbloat.net
>
>
>
> --
> Dave Täht
> SKYPE: davetaht
> US Tel: 1-239-829-5608
> http://www.bufferbloat.net
>
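The other.zones fix described at the top of this mail, scripted as an added example (not code from the thread or from CeroWrt): it comments out the slave copies of "." and "arpa" and appends the root hint zone. Unlike the hand edit it also copes with zone statements spread over several lines, by counting braces; the default file path and the sample file are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: script the other.zones fix from the
# mail (comment out the slave copies of "." and "arpa", add a root hint zone).
# Unlike the one-liner edit it also handles zone statements that span several
# lines, by counting braces. The path and sample file are assumptions.
ZONES_FILE=${ZONES_FILE:-./other.zones}   # on CeroWrt: /etc/chroot/named/etc/bind/default/other.zones

apply_root_hint_fix() {
    f=$1
    cp "$f" "$f.orig"                     # keep the unmodified file
    awk '
    # a zone statement for "." or "arpa" starts: buffer it until braces balance
    /^[ \t]*zone[ \t]+"(\.|arpa)"[ \t]*[{]/ { inzone = 1; n = 0; depth = 0; slave = 0 }
    inzone {
        buf[++n] = $0
        if ($0 ~ /type[ \t]+slave/) slave = 1
        depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
        if (depth <= 0) {                 # statement complete: comment out slaves
            for (i = 1; i <= n; i++) print (slave ? "// " buf[i] : buf[i])
            inzone = 0
        }
        next
    }
    { print }
    ' "$f.orig" > "$f"
    # append the hint zone once, so running the fix twice is harmless
    grep -q 'type hint' "$f" ||
        echo 'zone "." { type hint; file "/etc/bind/default/root.db"; };' >> "$f"
}

count_active_slave_roots() {              # uncommented slave lines left (want 0)
    grep -v '^//' "$1" | grep -c 'type slave' || :
}

make_sample() {                           # constructed sample, not the real file
    cat > "$1" <<'EOF'
zone "." {
    type slave;
    file "slave/root.db";
    masters { 192.5.5.241; };
};
zone "arpa" { type slave; file "slave/arpa.db"; masters { 192.5.5.241; }; };
zone "home.lan" { type master; file "/etc/bind/default/home.lan.db"; };
EOF
}

if [ "${1:-}" = "--demo" ]; then          # ./fix.sh --demo writes and fixes a sample
    make_sample "$ZONES_FILE" && apply_root_hint_fix "$ZONES_FILE" && cat "$ZONES_FILE"
fi
```

After running it on the real file, restart named and check resolution with the logread/nslookup steps quoted below before trusting the change.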