Disabling your router's provisioning of DNS services

Underpowered for what exactly? Pretty much every consumer router has a multi-core processor that's idle 99.9% of the time and unlikely to ever break a sweat in a typical consumer use case. The suggestion they're underpowered is kind of silly.

Yes - they are underpowered, and much of this is actually a software limitation - and under the hood, most of them run the same underlying code...

I won't belabor the point, but I've got good background in this area, having developed routers myself...
 
In running GRC's DNS Benchmark, in Conclusions & Recommendations one result is:
System has only ONE (router based) nameserver configured.
It appears that only one local (router gateway) DNS nameserver, with the IP address of [192.168.1.1], is currently providing all DNS name resolution services to this system. This configuration is not recommended because most consumer-grade routers provide inefficient and under-powered DNS resolution services.
How can you disable the router's provisioning of DNS services in Merlin? I have an RT-AC68U and am running 380.63_2.
It can be true that some home routers are underpowered when people buy a cheap one for about $20 for home networking; however, all AsusWRT-Merlin supported routers seem to be more than capable of doing basic networking processes. If you want to combine both ideas from GRC and RMerlin, you could try setting your PC to have your router (which uses the ISP's DNS servers) as the primary server and a public DNS server (such as Google DNS) as your PC's secondary DNS server. In this case, if your router fails you as it says, your PC will have a public DNS server as a backup.
 
you could try setting your PC to have your router (which uses the ISP's DNS servers) as the primary server and a public DNS server (such as Google DNS) as your PC's secondary DNS server. In this case, if your router fails you as it says, your PC will have a public DNS server as a backup.
The problem with this suggestion is that you're trying to predict increasingly unlikely failure scenarios. Remember that Windows will only use the 2nd DNS server when the first one is completely unresponsive. In this situation it's quite possible that the entire router (rather than just dnsmasq) has crashed (or become unresponsive). As the router is also your gateway device, that means you've lost all connectivity to the internet anyway, irrespective of any DNS settings.

I'm not saying it can't happen, just that it's incredibly unlikely. And if by chance dnsmasq on your router (and only dnsmasq) was being attacked:

a) I'd want to know it was happening so I could identify the reason. If there were an automatic failover I might not be aware of the problem for quite some time.
b) Instinctively, I'd probably just reboot the router. ;) Much less work than manually setting DNS entries on every client device.
 
Just how vulnerable to attack is dnsmasq? It's operating behind a firewall and should only be responding to DNS requests from clients on its own network, right? ... If you have an intruder or a compromised client on your network, I think you have bigger problems.
 
Just how vulnerable to attack is dnsmasq? It's operating behind a firewall and should only be responding to DNS requests from clients on its own network, right? ... If you have an intruder or a compromised client on your network, I think you have bigger problems.

Asus keeps dnsmasq up-to-date, so from a security point of view, Asuswrt's dnsmasq is very secure.

The same cannot be said for other manufacturers, however; some are using 6+ year old versions of dnsmasq, which probably have a few known exploits available.

Anyway, the only risk would be if there's a known exploit that's based on DNS replies. Chances are very, very low of compromising a router this way, since it would require you to resolve a compromised record, from a compromised DNS server - and the attack would have to be specifically built against your router's architecture, as it's all passively done. Or, to have a compromised client on your LAN.
 
Asus keeps dnsmasq up-to-date, so from a security point of view, Asuswrt's dnsmasq is very secure.

The same cannot be said for other manufacturers, however; some are using 6+ year old versions of dnsmasq, which probably have a few known exploits available.

Anyway, the only risk would be if there's a known exploit that's based on DNS replies. Chances are very, very low of compromising a router this way, since it would require you to resolve a compromised record, from a compromised DNS server - and the attack would have to be specifically built against your router's architecture, as it's all passively done. Or, to have a compromised client on your LAN.

Having a look at the dnsmasq changelog, the most recent exploit that stands out was patched in version 2.73:

"Fix crash on receipt of certain malformed DNS requests.
Thanks to Nick Sampanis for spotting the problem.
Note that this is could allow the dnsmasq process's
memory to be read by an attacker under certain
circumstances, so it has a CVE, CVE-2015-3294"

You don't mention updates to dnsmasq in your changelog... I assume that's because the updates come as part of a GPL change (I think I read somewhere that Asus runs a modified version of dnsmasq). What version are we at with the most recent Merlin releases?
 
You don't mention updates to dnsmasq in your changelog... I assume that's because the updates come as part of a GPL change (I think I read somewhere that Asus runs a modified version of dnsmasq). What version are we at with the most recent Merlin releases?

Keep in mind that the fix was available to back-port into earlier versions - so someone might be running an older version of dnsmasq, but a patched version of it.

https://security-tracker.debian.org/tracker/CVE-2015-3294
 
Keep in mind that the fix was available to back-port into earlier versions - so someone might be running an older version of dnsmasq, but a patched version of it.

https://security-tracker.debian.org/tracker/CVE-2015-3294
Yes, looking at the page you linked and backing up a bit, I see there's a later patchable exploit in pre-2.76 versions of dnsmasq:
https://security-tracker.debian.org/tracker/CVE-2015-8899
This must be the exploit that @RMerlin was referring to in his earlier post. When I looked at the 2.76 changelog and read about this fix, it didn't strike me as a bug that was particularly exploitable... still, I guess where there's a hole, there's going to be someone who will try to use it.
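One way to answer the "what version are we at" question from the LAN side rather than from a changelog: stock dnsmasq answers a CHAOS-class TXT query for version.bind with a banner such as dnsmasq-2.76. The following is an added example, not code from the thread or from Asuswrt-Merlin; it builds that query, parses the reply (including the compression pointer dnsmasq uses in the answer name), and extracts a comparable version tuple. The sample reply is constructed here, and the transaction id 0x1234 is an arbitrary choice.

```python
import re
import struct

TXID, TYPE_TXT, CLASS_CHAOS = 0x1234, 16, 3
QNAME = b"\x07version\x04bind\x00"  # wire-format "version.bind"

def build_version_query(txid=TXID):
    # Header: id, flags (RD set), 1 question, 0 answer/authority/additional
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + QNAME + struct.pack(">HH", TYPE_TXT, CLASS_CHAOS)

def skip_name(buf, off):  # offset just past a possibly-compressed name
    while True:
        n = buf[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + n

def parse_version_reply(reply, txid=TXID):
    """Return the text of the first CH TXT answer, or None."""
    rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", reply[:12])
    if rid != txid or flags & 0x000F:  # wrong txid or non-zero RCODE
        return None
    off = 12
    for _ in range(qd):  # step over the echoed question section
        off = skip_name(reply, off) + 4
    for _ in range(an):
        off = skip_name(reply, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", reply[off:off + 10])
        off += 10
        rdata, off = reply[off:off + rdlen], off + rdlen
        if rtype == TYPE_TXT and rclass == CLASS_CHAOS:
            parts, p = [], 0  # TXT rdata: a sequence of <len><bytes> strings
            while p < len(rdata):
                n = rdata[p]
                parts.append(rdata[p + 1:p + 1 + n].decode("ascii", "replace"))
                p += 1 + n
            return "".join(parts)
    return None

def version_tuple(text):  # 'dnsmasq-2.76' -> (2, 76); None if not a dnsmasq banner
    m = re.match(r"dnsmasq-(\d+)\.(\d+)", text or "")
    return (int(m.group(1)), int(m.group(2))) if m else None

# Constructed sample reply, as a stock dnsmasq 2.76 would answer the query above
SAMPLE_REPLY = (struct.pack(">HHHHHH", TXID, 0x8180, 1, 1, 0, 0) + QNAME
                + struct.pack(">HH", TYPE_TXT, CLASS_CHAOS) + b"\xc0\x0c"
                + struct.pack(">HHIH", TYPE_TXT, CLASS_CHAOS, 0, 13) + b"\x0cdnsmasq-2.76")
```

Against a real router, send build_version_query() as a UDP datagram to port 53 of the gateway (192.168.1.1 in the benchmark output above) and pass the reply to parse_version_reply(); a version_tuple() below (2, 73) or (2, 76) predates the upstream fixes for CVE-2015-3294 and CVE-2015-8899 named in this thread. As RMerlin notes, a vendor may have backported the fix, so an older number is a prompt to check the vendor's changelog rather than proof of exposure.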
 