[Fork] Asuswrt-Merlin 374.43 LTS releases (Archive)

[ColinTaylor]

The reason I say this is, If I have DNS Filter ON , the reason is, some devices have hardcoded Google DNS, which I want them to still use Pihole, the setup you guys (If i understand it correct) it would point these devices to ROUTER, which since it has only 1 DNS under WAN, is going to fwd request to 8.8.8.8 as oppose to Pihole.

Yes this is a limitation of this method that I pointed out in my initial post in the other thread: "2. LAN clients that ignore the DHCP server's DNS list (e.g. Android devices) will be intercepted by DNSFilter and redirected to the router's DNS and then forwarded to 9.9.9.9 instead."

The problem comes from trying to make as many clients as possible go directly to the PiHole rather than via the router and ensure that everything doesn't break if the PiHole is offline.

John posted an alternative approach similar to what you're saying in this post. Although if you leave the LAN DNS servers blank as he suggests the PiHole will see all traffic as coming from the router. So maybe combine both methods. Just make sure you don't end up with your DNS requests going round in an endless loop.

 

[punchsuckr]

Hey John, just wanted to drop by and say thanks for the amount of work you put in to this firmware. My n66u really got a new breath of life for quite a few years with it. I've now changed to an 86u after some 5 years on the 66u.
Keep up the good work.

Cheers!

 

[Raul_77]

Yes this is a limitation of this method that I pointed out in my initial post in the other thread: "2. LAN clients that ignore the DHCP server's DNS list (e.g. Android devices) will be intercepted by DNSFilter and redirected to the router's DNS and then forwarded to 9.9.9.9 instead."

The problem comes from trying to make as many clients as possible go directly to the PiHole rather than via the router and ensure that everything doesn't break if the PiHole is offline.

John posted an alternative approach similar to what you're saying in this post. Although if you leave the LAN DNS servers blank as he suggests the PiHole will see all traffic as coming from the router. So maybe combine both methods. Just make sure you don't end up with your DNS requests going round in an endless loop.

Thanks! Just an update for anyone reading this. This is my current setup and I tested it for 2 days now , taking PiHole offline and so on, and it seems to be working great
LAN DHCP:
DNS 1: PiHole IP
DNS 2: Router IP
*Advertise router IP = NO

WAN:
DNS 1: PiHole IP
DNS 2: 9.9.9.9
NOTE: If you are on MERLIN FW (NOT John Fork) - you need to swap those values
DNS 1: 9.9.9.9
DNS 2: PiHole IP

DNS Filtering Custom #1
DNS 1 Custom: Router IP
Exception: PiHole (No Filter)

Add strict-order to your router
You should also add "strict-order" to your config file
to do this:
1-) Enable SSH on router
2-) SSH into Router and navigate to /jffs/configs then create the file"dnsmasq.conf.add" (vi dnsmasq.conf.add)
3-) Just add 1 line "strict-order" (without the " ") save (ESC / :wq / Enter) and reboot the router
4-) Ensure you have enabled "JFFS custom scripts and configs" under Admin-->System of your router settings. If this was NOT enabled, you need to first enable it, apply changes, then Reboot your router again.

 

[ColinTaylor]

Thanks for the update. Good to know the theory works in practice.

I have NOT done what John suggested, adding strict-order to dnsmasq.conf.add file yet, however, when I tested it, everything seem to work, so not sure if I want to add it, unless someone thinks I should.

I'd still be tempted to add strict-order given its description. I would imagine that in most, if not all, circumstances it would go to the PiHole by preference. But in the case of un-cached requests it might occasionally go to 9.9.9.9 and you probably wouldn't be aware (not that that's a big deal in the scheme of things). You can check this actually by issuing the following commands and checking the number queries sent to 9.9.9.9.

killall -s USR1 dnsmasq
tail -6 /tmp/syslog.log

 

[john9527]

it might occasionally go to 9.9.9.9 and you probably wouldn't be aware

@Raul_77
IIRC without strict-order it will try an alternate server after some number of requests to make sure it's still favoring the 'best' server.

 

[dave14305]

@Raul_77
IIRC without strict-order it will try an alternate server after some number of requests to make sure it's still favoring the 'best' server.

I think it’s every 50 queries or 20 seconds, whichever comes first.

asuswrt-merlin/release/src/router/dnsmasq/src/forward.c at 374.43_2-update · john9527/asuswrt-merlin

Fork of earlier asuswrt-merlin router firmware. Contribute to john9527/asuswrt-merlin development by creating an account on GitHub.

github.com

asuswrt-merlin/release/src/router/dnsmasq/src/config.h at 374.43_2-update · john9527/asuswrt-merlin

Fork of earlier asuswrt-merlin router firmware. Contribute to john9527/asuswrt-merlin development by creating an account on GitHub.

github.com

 

[ColinTaylor]

IIRC without strict-order it will try an alternate server after some number of requests to make sure it's still favouring the 'best' server.

I think it’s every 50 queries or 20 seconds, whichever comes first.

This does appear to be the case. I've just tested this by sending ~1000 un-cached queries to pairs of DNS servers with differing response times and dnsmasq does seem to aggressively favour faster servers.

@Raul_77 John is correct so you should add strict-order to your config file.

Slow server & fast server

server 24.113.32.30#53: queries sent 35, retried or failed 0
server 208.67.222.222#53: queries sent 989, retried or failed 0

Two similar servers but one is quicker

server 1.1.1.1#53: queries sent 71, retried or failed 0
server 9.9.9.9#53: queries sent 955, retried or failed 0

Two almost identical servers.

server 8.8.4.4#53: queries sent 632, retried or failed 0
server 8.8.8.8#53: queries sent 393, retried or failed 0

My ISP's servers. I'm pretty sure this is actually one server with two IP addresses.

server 194.168.4.100#53: queries sent 554, retried or failed 0
server 194.168.8.100#53: queries sent 479, retried or failed 0

strict-order

server 8.8.4.4#53: queries sent 1008, retried or failed 0
server 8.8.8.8#53: queries sent 0, retried or failed 0

 

[Raul_77]

Thanks @ColinTaylor , So this is getting interesting.
In my /jffs/configs I created a file "dnsmasq.conf.add" and added just 1 line on it, "strict-order" saved and reboot the router, ssh back to ensure the file and content there.

Then I ran the commands you told me:

killall -s USR1 dnsmasq
tail -6 /tmp/syslog.log

and here is the result:

Aug 12 10:41:39 dnsmasq[359]: server 192.168.1.2#53: queries sent 8204, retried or failed 7
Aug 12 10:41:39 dnsmasq[359]: server 9.9.9.9#53: queries sent 5051, retried or failed 23

could that 5051 queries be the ones sent in the past?

 

[ColinTaylor]

could that 5051 queries be the ones sent in the past?

No, those stats are since dnsmasq was last started.

Check that /etc/dnsmasq.conf actually contains strict-order.

 

[john9527]

In my /jffs/configs I created a file "dnsmasq.conf.add" and added just 1 line on it, "strict-order" saved and reboot the router

You need to restart dnsmasq after this change...for ssh session
service restart_dnsmasq
or
reboot the router

 

[Raul_77]

No, those stats are since dnsmasq was last started.

Check that /etc/dnsmasq.conf actually contains strict-order.

@ColinTaylor
I do NOT have strict-order in this file, I just checked, I have it on /jffs/configs in a file "dnsmasq.conf.add"

You need to restart dnsmasq after this change...for ssh session
service restart_dnsmasq
or
reboot the router

@john9527
I SSH and did Service restart_dnsmas
here is the output now: Seems to still be sending it to 9.9.9.9

Aug 12 11:36:38 dnsmasq[2429]: server 192.168.1.2#53: queries sent 75, retried or failed 0
Aug 12 11:36:38 dnsmasq[2429]: server 9.9.9.9#53: queries sent 10, retried or failed 0

 

[ColinTaylor]

@ColinTaylor
I do NOT have strict-order in this file, I just checked, I have it on /jffs/configs in a file "dnsmasq.conf.add"

Try this:

dos2unix /jffs/configs/dnsmasq.conf.add
service restart_dnsmasq
grep strict-order /etc/dnsmasq.conf

 

[Raul_77]

Try this:

dos2unix /jffs/configs/dnsmasq.conf.add
service restart_dnsmasq
grep strict-order /etc/dnsmasq.conf

admin@RT-N66U-8EF8:/tmp/home/root# dos2unix /jffs/configs/dnsmasq.conf.add
admin@RT-N66U-8EF8:/tmp/home/root# service restart_dnsmasq

Done.
admin@RT-N66U-8EF8:/tmp/home/root# grep strict-order /etc/dnsmasq.conf
admin@RT-N66U-8EF8:/tmp/home/root#

I still dont have it on /etc/dnsmasq.conf

 

[ColinTaylor]

Have you set "Enable JFFS custom scripts and configs" to Yes at Administration - System ?

 

[Raul_77]

Have you set "Enable JFFS custom scripts and configs" to Yes at Administration - System ?

Oh man, I feel like an idiot!!! lol that was it. enabled it, and now 0 going to 9.9.9.9 ... Thank you so much buddy! really appreciate the help.

 

[john9527]

A new development version has been posted....45D5

Microsoft OneDrive

1drv.ms

@ColinTaylor has been keeping me busy finding some problems that have been there forever and have been fixed in this release...
As always thanks to him for the feedback!

- Made the 'top' process memory report work
- Fixed problem with time setting on the Network Services Filter iptables rules
- Stop the watchdog for the watchdog during reboot to avoid unnecessarily trying to restart some services
- Make services-start and services-stop blocking scripts to avoid potential nvram errors
- Fix for 5G auto bandwidth mode on ARM routers not set correctly

In addition
- Updates dnsmasq to 2.82 final
- Applies a getdns update for name compression
- Adds a new custom script 'lan-start' executed after the lan (wired and wireless) is configured.
This may be a good place for those using working with vlans and ebtables. Placing commands here avoids losing ebtables setup when changing some settings in the gui, such as wireless setup, lan and wan configuration changes.
- Fixed a potential security exposure in GoogleDNS DDNS support not specifying certificate checking

 

[dave14305]

A new development version has been posted....45D5

Microsoft OneDrive

1drv.ms

@ColinTaylor has been keeping me busy finding some problems that have been there forever and have been fixed in this release...
As always thanks to him for the feedback!

- Made the 'top' process memory report work
- Fixed problem with time setting on the Network Services Filter iptables rules
- Stop the watchdog for the watchdog during reboot to avoid unnecessarily trying to restart some services
- Make services-start and services-stop blocking scripts to avoid potential nvram errors
- Fix for 5G auto bandwidth mode on ARM routers not set correctly

In addition
- Updates dnsmasq to 2.82 final
- Applies a getdns update for name compression
- Adds a new custom script 'lan-start' executed after the lan (wired and wireless) is configured.
This may be a good place for those using working with vlans and ebtables. Placing commands here avoids losing ebtables setup when changing some settings in the gui, such as wireless setup, lan and wan configuration changes.
- Fixed a potential security exposure in GoogleDNS DDNS support not specifying certificate checking

The folder name is Update-45D4, but the contents are D5.

Never happened.

 

[john9527]

The folder name is Update-45D4, but the contents are D5.

Oops....fixed. Thanks!

 

[Meshkoff]

Hi all

I have a script that emails me when my ASUS RT-N66W get connected to the WAN.
This script uses my secondary Gmail account, created especially for such things.
I turned on "Allow less secure apps" option in Gmail security preferences that allows account being accessed by this script.

The problem is what Gmail automatically turns off that feature every few weeks. I read articles about this, like this:
https://9to5google.com/2019/12/17/g-suite-less-secure-apps/

Google Security Page also says:
For the security of your account, Google will automatically deny this access when not in use.

So it's just uncomfortable turning back on this feature every time, the whole purpose of automation is lost. If i get it right, Google constantly moves away from that feature, someday its gone completely and i need some app with "OAuth" authorization technology to be able using my Gmail account.
How can i achieve this with Merlin firmware? Or i need consider moving to another email service?

 

[dev_null]

How can i achieve this with Merlin firmware? Or i need consider moving to another email service?

Seems a little off topic, but I'll bite: cron job with a periodic "proof of life" message? Or a test message that you create a filter to automatically delete? Or if you're running Diversion, email yourself the weekly report? Pretty much anything that makes Google consider the access "active"...