XYMer's Home away from Home

When http://bbs.xlr8yourmac.com is down (i.e. always)
All times are UTC - 8 hours
PostPosted: Thu Sep 27, 2018 3:13 pm 

Joined: Thu May 15, 2008 8:13 pm
Posts: 10135
Location: Caught between the moon and NYC
If you set servers in advanced/dns then you should use no-resolv (in advanced/dns). This would preclude you from using dnscrypt.


 
PostPosted: Thu Sep 27, 2018 4:36 pm 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 6264
Location: NYC
MonkeyBoy wrote:
If you set servers in advanced/dns then you should use no-resolv (in advanced/dns). This would preclude you from using dnscrypt.

Yeah, looking through old screenshots from '17, see that all the servers + no-resolve were commented out. Since I had dnscrypt.eu set then + OpenDNS in Static DNS in reserve, didn't (and don't now) need any set there. Think they were leftover from before using dnscrypt. Kept them around just in case, I suppose.


 
PostPosted: Mon Oct 01, 2018 1:45 pm 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 6264
Location: NYC
Just a small update: until I unchecked Intercept DNS port in Advanced>DNS, had been getting some curious behavior with various items (including, from SophosScan (on-access), even whenever an external drive was mounted--not shown in screenshots below) wanting to connect to OpenDNS:

[screenshot]

[screenshot]

From the Notes on the Advanced>DNS page:
Quote:
Intercept DNS port - Any DNS requests/packets sent out to UDP/TCP port 53 are redirected to the internal DNS server

...Use internal DNS - Allow dnsmasq to be your DNS server on LAN.


[screenshot]

Don't really understand why those OpenDNS servers (entered in Static DNS) become the internal DNS server. (Plus no servers entered now in Dnsmasq.) Perhaps you can explain just what Internal DNS means.

Not 100% certain of this, but pretty sure I had Intercept DNS port (used to say port 53) checked in the old Shibby version with the same OpenDNS #s in Static DNS and never had that happen. But whatever, unchecking that seems to have stopped that behavior. Hope I'm not jinxing myself, but everything seems to be working fine now.


 
PostPosted: Tue Oct 02, 2018 1:06 pm 

Joined: Thu May 15, 2008 8:13 pm
Posts: 10135
Location: Caught between the moon and NYC
Internal DNS means to run a DNS server on the router itself. If you don't run a DNS server on the router then systems have to connect to the DNS servers on the internet. If you previously had adjusted settings on the router to disable the DNS server on the router then it's possible one or more clients may have picked up and kept that configuration after you changed the setting back. Simple way to avoid that is to toggle ethernet or wifi on the clients so it drops the internet connection and re-establishes it, which does a fresh dhcp query for that interface. Sometimes just doing a dhcp renew won't refresh all settings.

Intercept DNS redirects queries made to internet DNS servers to the DNS server on the router itself. It's just an iptables rule that says if a connection is trying to be made over UDP to port 53 going out the WAN to redirect that connection to the router. It doesn't handle TCP 53 which is used for DNSSEC, which can create some headaches (very few processes use DNSSEC at this point, in part because very few domains have implemented DNSSEC).

If you don't run an internal DNS server then whatever DNS servers are assigned to the router get handed out to clients to use as their DNS servers.


 
PostPosted: Wed Oct 03, 2018 7:13 am 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 6264
Location: NYC
Thanks MB, will have to digest all that as it applies to my settings. I had no intention of going down any more rabbit holes, until I went to http://dnssec.vs.uni-due.de/ just out of curiosity to check that I was still getting the validation with the new settings with Static DNS included. Had only gone there after the first setup without Static DNS, with "no-resolve" still in Dnsmasq, and saw that dnscrypt.eu was indeed DNSSEC validated.

But yesterday, with current settings, got the thumbs down for DNSSEC. Played around with various settings in Advanced>DNS, with and without using "no-resolve." The only way I could get the thumbs up from that site for DNSSEC was if "no-resolve" was included. But then, if I temporarily disabled dnscrypt-proxy, couldn't connect any longer, since it didn't default to the OpenDNS servers any longer--the whole point of setting Static DNS if dnscrypt.eu happened to go down.

So first question, how important is DNSSEC validation? Does it really matter? And second question, since the dnscrypt.eu server does indeed employ DNSSEC validation, even if I get the thumbs down with these current settings, does that necessarily mean that DNSSEC is no longer working for dnscrypt.eu for validating DNS--or is that thumbs down irrelevant and DNSSEC is still being employed, regardless of whether that site says so or not?

As usual, if you get some free time, no rush at all: But just in case you might be able to spot something that could use changing or might explain the issue with DNSSEC.

My current settings in Advanced>DNS, WAN>DNS, and latest logs.

[Attachment: Advanced>DNS.png]

[Attachment: WAN> DNS.png]

Logs (If I remember correctly, I noticed that if "no-resolve" was set then there were no longer any appearances of "using nameserver 208.67.220.220#53/208.67.220.222#53". So I suppose that might explain why if dnscrypt-proxy is disabled, it no longer falls back to OpenDNS)


Oct 3 10:31:34 unknown daemon.info dnsmasq[1529]: compile time options: IPv6 GNU-getopt no-RTC no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset Tomato-helper no-auth no-DNSSEC no-ID loop-detect no-inotify no-dumpfile
Oct 3 10:31:34 unknown daemon.info dnsmasq[1529]: asynchronous logging enabled, queue limit is 10 messages
Oct 3 10:31:34 unknown daemon.info dnsmasq-dhcp[1529]: DHCP, IP range 192.168.1.2 -- 192.168.1.51, lease time 1d
Oct 3 10:31:34 unknown daemon.info dnsmasq[1529]: using nameserver 127.0.0.1#40
Oct 3 10:31:34 unknown daemon.info dnsmasq[1529]: reading /etc/resolv.dnsmasq
Oct 3 10:31:34 unknown daemon.info dnsmasq[1529]: using nameserver 127.0.0.1#40
Oct 3 10:31:34 unknown daemon.info dnsmasq[1529]: using nameserver 208.67.220.220#53
Oct 3 10:31:34 unknown daemon.info dnsmasq[1529]: using nameserver 208.67.220.222#53
Oct 3 10:31:34 unknown daemon.info dnsmasq[1529]: read /etc/hosts - 14 addresses
Oct 3 10:31:34 unknown daemon.info dnsmasq[1529]: read /etc/dnsmasq/hosts - 3 addresses
Oct 3 10:31:34 unknown daemon.info dnsmasq[1529]: read /etc/dnsmasq/dhcp-hosts - 0 addresses
Oct 3 10:31:34 unknown daemon.info dnsmasq-dhcp[1529]: read /etc/dnsmasq/hosts
Oct 3 10:31:34 unknown daemon.info dnsmasq-dhcp[1529]: read /etc/dnsmasq/dhcp-hosts
Oct 3 10:31:34 unknown daemon.notice dnscrypt-proxy[1549]: Starting dnscrypt-proxy 1.9.5
Oct 3 10:31:34 unknown daemon.info dnscrypt-proxy[1549]: Generating a new session key pair
Oct 3 10:31:34 unknown daemon.info dnscrypt-proxy[1549]: Done
Oct 3 10:31:34 unknown daemon.notice dnscrypt-proxy[1551]: Starting dnscrypt-proxy 1.9.5
Oct 3 10:31:34 unknown daemon.info dnscrypt-proxy[1551]: Generating a new session key pair
Oct 3 10:31:34 unknown daemon.info dnscrypt-proxy[1551]: Done
Oct 3 10:31:34 unknown daemon.info dnscrypt-proxy[1549]: Server certificate with serial #153xxxx04 received
Oct 3 10:31:34 unknown daemon.info dnscrypt-proxy[1549]: This certificate is valid
Oct 3 10:31:34 unknown daemon.info dnscrypt-proxy[1549]: Chosen certificate #1538547404 is valid from [2018-10-03] to [2018-10-04]
Oct 3 10:31:34 unknown daemon.info dnscrypt-proxy[1549]: Using version 2.0 of the DNSCrypt protocol
Oct 3 10:31:34 unknown daemon.info dnscrypt-proxy[1549]: Server key fingerprint is 172D:1D73:xxxxxxxxxxxxxxxxxxD285:5EFD:DB87:xxxxxxxxxxxxxxxxxxxxxxxxx:4404:AFD6:7D53
Oct 3 10:31:34 unknown daemon.notice dnscrypt-proxy[1549]: Proxying from 127.0.0.1:40 to 176.56.237.171:443


 
PostPosted: Wed Oct 03, 2018 3:33 pm 

Joined: Thu May 15, 2008 8:13 pm
Posts: 10135
Location: Caught between the moon and NYC
Just so you know, dnssec and dnscrypt are completely different things. If you implement dnscrypt you're probably not going to be able to implement dnssec. It's going to take some work to do it.

Virtually nobody has implemented DNSSEC besides large sites like Google. It's a good idea in theory but a lot of work to implement which is why almost nobody has done it. I actually go out of my way to block it on the public networks I have to maintain because otherwise I get a lot of hysteria from people who don't actually know what they're doing and get really upset because it doesn't work the way they think it should work (in part because we do DNS-based filtering so whatever step by step guide they're using will always false positive a MITM attack).

Here's a little inkling into what's involved, though it's for PiHoles and not Tomato. PiHoles are based on Debian/Ubuntu (I forget) but use dnsmasq and dnscrypt like Tomato so a lot of the same configuration and logic applies:
https://discourse.pi-hole.net/t/the-tru ... nssec/1694

If you were just doing dnssec it'd be relatively simple. It's that you want to do both that makes it complicated.

At home I don't use DNSSEC. However I'm going to eventually transition to an ER-X (probably after Ubiquiti releases v2.0) so who knows what the future holds. Whatever it is, it's going to involve learning Vyatta configuration files. :(


 
PostPosted: Wed Oct 03, 2018 4:30 pm 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 6264
Location: NYC
I thought I understood the difference between dnscrypt and DNSSEC. In fact, before I set up Static DNS and made some other changes, the config I was using (now temporarily restored just to produce screenshot below) was also using dnscrypt-proxy, and I was able to get a positive result from https://dnssec.vs.uni-due.de/

Something else? Not what you meant?

[screenshot]


 
PostPosted: Wed Oct 03, 2018 6:26 pm 

Joined: Thu May 15, 2008 8:13 pm
Posts: 10135
Location: Caught between the moon and NYC
No offense intended, during the past couple weeks I've only been getting a couple hours of sleep on workdays which makes my head really foggy, plus I get grumpy easily (a couple hours ago I swore a blue streak at my system for refusing to mount backup drives).

DNSSEC is one of those commonly discussed topics online and there's a lot of conflicting and bad information out there that just frustrates me, especially when students get ahold of it and get on a warpath like it's going to solve the problem they think they're having (when I show up and walk through basic steps like clearing caches or restarting to install updates for the first time in 6+ months the problems always go away without charging at DNSSEC windmills).

I'll have to read up myself on how the dnssec proxy works in dnsmasq, my memories are fuzzy and while reading that resource I linked some of it seemed like new information I hadn't heard before. You don't have to install a bleeding edge dnsmasq on your own but configuration changes need to be made, and some of those options were new to me so I'll have to read how they and DNSSEC interact. No version of Tomato is going to work out of the box with DNSSEC, at least not without being hit and miss (though more like hit and miss miss miss miss miss, etc.), though I've read of people who made configuration changes and got it working reliably.


 
PostPosted: Wed Oct 03, 2018 6:45 pm 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 6264
Location: NYC
Maybe some misunderstanding from what I've been writing? I wasn't saying that this version of Tomato itself, or any version, for that matter, provides DNSSEC validation, but rather the resolver I'm using, dnscrypt.eu, by which the DNSSEC signature is able to be validated. In my case, at least, nothing I've set in Dnsmasq, although I don't pretend to understand everything I have entered there. EDIT: and apparently nothing in the logs re. DNSSEC.

I have to go to that outside site I linked above that shows a thumbs up in my screenshot in order to see if it's validated or not. Certainly was never getting that thumbs up with dnscrypt proxy to Cisco/OpenDNS, no matter the Tomato settings or version I used.

dnscrypt.eu (and maybe a few others I haven't tried) appears to be kind of unique in this regard.


 
PostPosted: Sat Oct 06, 2018 2:47 am 

Joined: Thu May 15, 2008 8:13 pm
Posts: 10135
Location: Caught between the moon and NYC
Crap. I meant to bring home an N12 that's in my office to test last weekend and forgot this weekend too. The WiFi freaks out and turns itself off after a couple days which is why it's been sitting in my office for... a while... thinking about what it's done. Or at least I'm too much of a cheap bastard to throw it away (I'll probably end up using it as a wired-only router for some events). Anyway, it's a great candidate for experimentation because the only one who'd notice it was missing is me.

Have I mentioned I write a lot when I'm tired?


 
PostPosted: Sat Oct 06, 2018 2:28 pm 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 6264
Location: NYC
Get some rest. Nothing urgent, my questions can wait.


 
PostPosted: Sat Oct 06, 2018 2:57 pm 
Benevolent Dictator

Joined: Mon Apr 21, 2008 2:03 am
Posts: 15134
Yeah MB, get some rest if you can... we all worry about you. :emphatic-eek:


 
PostPosted: Mon Oct 08, 2018 2:26 pm 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 6264
Location: NYC
Total shot in the dark: Just as an experiment, set "No-Resolve" instead of "Strict-Order" in the Priority dropdown below dnscrypt.eu-nl in Basic>Network (choices: Strict-Order, No-Resolve, None), and now when I go to https://dnssec.vs.uni-due.de/ I'm now getting the thumbs up to acknowledge that resolver dnscrypt.eu is validating DNSSEC signatures.

[Attachment: Screen Shot 2018-10-08 at 6.28.39 PM.png]

Still really no idea what no-resolve is supposed to accomplish, either in Dnsmasq custom (not using it there, if I do it messes things up) or in this location for dnscrypt-proxy>Resolver, where it makes the DNSSEC validation work, but all I know is that it's working now.

[Attachment: screenshot.png]

 
PostPosted: Mon Oct 08, 2018 5:09 pm 

Joined: Thu May 15, 2008 8:13 pm
Posts: 10135
Location: Caught between the moon and NYC
no-resolv basically means ignore any generated resolv.conf entries and only use the entries that are defined in the dnsmasq configuration.

Normally this means if you have your WAN set to DHCP then it will ignore the DNS servers given to it. Those would normally get placed in /etc/resolv.conf as DNS servers to be used by the router, so the no resolv option says to ignore whatever's in resolv.conf, just use what we define in dnsmasq.

When you select items on the Tomato website you're essentially generating dnsmasq configuration options. When you define the WAN DNS servers, for instance, you're creating server= entries in dnsmasq. Which order everything goes in requires reviewing the source because it's not documented anywhere else. And I have it on pretty good authority that Tomato's code can give people nightmares.

(yawn) I remembered to put the router in my bag, though I have to get in early tomorrow so I probably won't futz with it tonight. Unless I can't sleep. Which is possible.


 
PostPosted: Tue Oct 09, 2018 1:43 pm 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 6264
Location: NYC
Quote:
no-resolv basically means ignore any generated resolv.conf entries and only use the entries that are defined in the dnsmasq configuration.

Normally this means if you have your WAN set to DHCP then it will ignore the DNS servers given to it. Those would normally get placed in /etc/resolv.conf as DNS servers to be used by the router, so the no resolv option says to ignore whatever's in resolv.conf, just use what we define in dnsmasq.

More than a little confused, and not even certain the following makes any sense: I don't have any DNS servers entered in Dnsmasq, not at least in Dnsmasq custom, nor "no-resolve" there either. Just trying to understand why setting "no-resolve" in the Priority dropdown below dnscrypt.eu-nl in Basic>Network (second screenshot in post above) not in Dnsmasq>Custom allowed DNSSEC validation to suddenly start working, where the earlier setting there "strict-order" kept it from working.

And are you saying that entries are getting defined in Dnsmasq configuration even without any servers entered in Custom? That that stands apart from Custom? And which entries are getting defined there? I have DNS for both dnscrypt-proxy (dnscrypt.eu) and Static DNS (OpenDNS.) Which ones are getting ignored by setting "no-resolve" in that particular location?*

* I suppose some of this might become a little clearer if I could see and even begin to understand the underlying file system, not just the UI -- which I believe requires telnetting in via some kind of program. But not ready to go down that path.


 
PostPosted: Tue Oct 09, 2018 2:55 pm 

Joined: Thu May 15, 2008 8:13 pm
Posts: 10135
Location: Caught between the moon and NYC
When you select items like dnscrypt or enter custom dns servers for the wan connection it counts as creating entries under advanced->dns/dhcp.

If you had your WAN configured for dhcp and you used the dns servers handed down to it (didn't define your own servers), and then used dnscrypt without no-resolv, it would use both dnscrypt and the dhcp'd wan dns because dhcp DNS normally gets put in /etc/resolv.conf (not dnsmasq). no-resolv tells dnsmasq to ignore anything in resolv.conf. You could place your own entries in resolv.conf if you want but it requires shell scripting. Think of resolv.conf as living below dnsmasq, a fallback dnsmasq uses if nothing in its configuration specifies dns servers (or will get used in addition to the defined servers). DNSMasq is a DHCP & DNS server, which is why unticking the use internal dns causes clients to use the internet for dns resolution - that box disables the dns server part of dnsmasq.

Strict order likely didn't work because as I mentioned the order that the configuration options appear matter, but especially matter for strict order. So some other dns server was listed in the generated dnsmasq configuration file above dnscrypt (assuming dnscrypt is why it works) when it doesn't work with strict order selected.

Everything you enter in advanced -> dhcp/dns is in addition to entries generated elsewhere in Tomato. If those entries generate dnsmasq configuration entries by selecting options elsewhere in Tomato then those entries are still used even if you use no-resolv or strict-order or whatever. It's actually quite hard to make dnsmasq solely use your own custom configuration file and nothing generated, at least in Tomato. It can be done but it requires shell scripting to keep dnsmasq running with a custom configuration file, as dnsmasq will periodically get restarted by Tomato with its own Tomato generated configuration file.

Sorry if any of this is gobbledygook; I got zero sleep last night then caught a couple hours on the floor of my office today. They laid a few people off today so I had to get in early and since I knew about it ahead of time I couldn't sleep. Getting ready to go home and get some real sleep. :(
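As an added illustration of the no-resolv / resolv.conf behaviour described in this post and in the earlier reply on no-resolv (example code written for this thread, not Tomato's or dnsmasq's own), the following Python models which upstream servers dnsmasq ends up with, and checks the result against the "using nameserver" lines dnsmasq logs. The layout of the generated config and the placing of server= entries ahead of resolv.conf entries are assumptions; the resolv file contents and the log lines are the ones from the thread.

```python
import re

# Constructed stand-in for the Tomato-generated dnsmasq config (assumed layout),
# with dnscrypt-proxy listening on 127.0.0.1 port 40 as in the thread's log.
DNSMASQ_CONF = """\
# generated by tomato (constructed sample)
resolv-file=/etc/resolv.dnsmasq
server=127.0.0.1#40
"""

# The Static DNS (OpenDNS) entries the thread shows being loaded from /etc/resolv.dnsmasq.
RESOLV_DNSMASQ = """\
nameserver 208.67.220.220
nameserver 208.67.220.222
"""

# Syslog lines quoted in the thread (dnsmasq announces every upstream it will use).
SAMPLE_LOG = """\
Oct 3 10:31:34 unknown daemon.info dnsmasq[1529]: using nameserver 127.0.0.1#40
Oct 3 10:31:34 unknown daemon.info dnsmasq[1529]: reading /etc/resolv.dnsmasq
Oct 3 10:31:34 unknown daemon.info dnsmasq[1529]: using nameserver 127.0.0.1#40
Oct 3 10:31:34 unknown daemon.info dnsmasq[1529]: using nameserver 208.67.220.220#53
Oct 3 10:31:34 unknown daemon.info dnsmasq[1529]: using nameserver 208.67.220.222#53
"""

def parse_dnsmasq_conf(text):
    """Return (default server= upstreams, no_resolv flag, strict_order flag)."""
    servers, no_resolv, strict_order = [], False, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank or comment line
            continue
        key, _, value = line.partition("=")
        if key == "no-resolv":
            no_resolv = True
        elif key == "strict-order":
            strict_order = True
        elif key == "server" and not value.startswith("/"):
            servers.append(value)                  # server=/domain/addr is domain-scoped, skip
    return servers, no_resolv, strict_order

def parse_resolv(text):
    """Nameserver addresses from a resolv.conf-style file, in file order."""
    return [ln.split()[1] for ln in text.splitlines()
            if ln.strip().startswith("nameserver") and len(ln.split()) > 1]

def effective_upstreams(conf_text, resolv_text):
    """Upstreams dnsmasq will query (assumption: server= entries first, then the
    resolv file, which is skipped entirely when no-resolv is set)."""
    servers, no_resolv, strict_order = parse_dnsmasq_conf(conf_text)
    upstream = list(servers)
    if not no_resolv:
        upstream += [f"{addr}#53" for addr in parse_resolv(resolv_text)]
    return upstream, strict_order

LOG_RE = re.compile(r"dnsmasq\[\d+\]: using nameserver (\S+)")

def nameservers_from_log(log_text):
    """Distinct 'using nameserver' entries from a dnsmasq syslog, in order seen."""
    seen = []
    for m in LOG_RE.finditer(log_text):
        if m.group(1) not in seen:
            seen.append(m.group(1))
    return seen

def plaintext_fallback_present(conf_text, resolv_text):
    """True when any upstream besides the local dnscrypt-proxy listener remains,
    i.e. dnsmasq may send queries straight to the internet, bypassing the proxy."""
    upstream, _ = effective_upstreams(conf_text, resolv_text)
    return any(not s.startswith("127.0.0.1#") for s in upstream)
```

With strict-order the OpenDNS entries stay in the list (the thread's log matches that), so a query can bypass dnscrypt-proxy; with no-resolv only 127.0.0.1#40 remains, which is why nothing answers once the proxy is stopped.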


 
PostPosted: Tue Oct 09, 2018 8:56 pm 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 6264
Location: NYC
Thanks for writing all that out. Will have to read through carefully, but damn, you really have to find some way not to let that job keep you so overworked. I remember what you went through before you landed that position, but they have to understand that there's just so much you can do. And you too! Not worth it if it ends up ruining your health.


 
PostPosted: Wed Oct 10, 2018 11:00 am 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 6264
Location: NYC
Thinking about what I wrote late last night: might have come off as a bit overbearing. Sorry about that, but your exhaustion set off some alarm bells here. Hope you got some decent sleep finally.


 
PostPosted: Wed Oct 10, 2018 11:18 am 

Joined: Thu May 15, 2008 8:13 pm
Posts: 10135
Location: Caught between the moon and NYC
Nothing I haven't thought about myself. It's nice to have a job that I generally can't get fired from (I could but I'd have to seriously screw up) because they desperately need someone with my skill set but at the same time because it's education the pay is less than stellar. For the most part it's not that stressful but the lack of resources tends to create pain for me.

