What's new

Beta Asuswrt-Merlin 3004.388.6_x test builds (dnsmasq 2.90)

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Status
Not open for further replies.

RMerlin

Asuswrt-Merlin dev
Staff member
Hi everyone,

I've uploaded Asuswrt-Merlin 3004.388.6_1 test builds that include dnsmasq 2.90 (which contains two security fixes related to DNSSEC).


Please give these builds a try, both with and without DNSSEC enabled. Let me know if there are any new issues related to DNS (I am not interested in feedback relative to anything else at this time).
 
Are we at risk if we have DNSECC enabled with the current .6 firmware?

CC
 
Upgraded RT-AX86U to 3004.388.6_1 and all is good. I don't run DNSSEC to provide the no DNSSEC view.
 
Upgraded to 3004.388.6_1-g7c86063034 from 3004.388.6. For me it works with and without DNSSEC enabled.
 
Thanks for keeping us with the security fix! I upgrade my RT-AX88U from 3004.388.6 to the new beta firmware 5 hours ago without any issue, and it works nicely with DNSSEC enabled.
Edited to add that no "limit exceeded" message found after 15 hours of running.
 
Last edited:
Upgraded my AX88U Pro - anytime a new dnsmasq version comes out - I'm eager to test.

System is running fine, no DNSSEC enabled.

I do still see the kernel report a dnsmasq Tainted error on startup. Its been there since dnsmasq 2.6 (usually after YazDHCP starts).

Code:
Feb 16 07:26:01 kernel: CPU: 3 PID: 2362 Comm: dnsmasq Tainted: P           O      4.19.183 #1

But, system is stable - not going to worry about it at this time.
 
cautiously did it on one AX86U. DNSSec still works and confirmed by test tools. IPv4 network (ISP). No issues so far, remote apps still work etc. and I use DNS over TLS too.

18/02/2024 - UPDATE:
Done the update on two other remote AX86U and all seems to be OK.
I read Merlin tried js7k.com didn't work, and I also didn't get it to work either.
 
Last edited:
Installed on RT-AX88U. Not using DNSSec directly, but I am using unbound (script by @Martineau) and I assume (but don't know) that this leverages whatever DNSSec is installed by default.

Nothing unexpected in logs files, DNScheck looks normal, no obvious issue with the other installed scripts and remote access via WireGuard working fine.
 
Good to stay ahead of threats. Installed just fine, no complaints from DNSSEC and fine with it off too.
 

Attachments

  • Screenshot_2024-02-16-18-43-39-98_3aea4af51f236e4932235fdada7d1643.jpg
    Screenshot_2024-02-16-18-43-39-98_3aea4af51f236e4932235fdada7d1643.jpg
    48.1 KB · Views: 133
Last edited:
Keep an eye out for any new dnsmasq syslog messages saying “limit exceeded” (with DNSSEC enabled). That could suggest that the new dnsmasq option dnssec-limits needs to be adjusted.
 
I do still see the kernel report a dnsmasq Tainted error on startup. Its been there since dnsmasq 2.6 (usually after YazDHCP starts).
Nothing tainted about dnsmasq. Let me re-divide this line to make it clearer what it means exactly:

Code:
CPU: 3
PID: 2362
Comm: dnsmasq
Tainted: P O

"Tainted" is the heading for the P and O flags that follows it. It says the kernel is considered tainted because it runs non-GPL Proprietary modules ("P") and it also includes modules compiled Outside of the kernel tree ("O"ut of Tree).

What this says is that dnsmasq crashed. If it does when YazDHCP starts then it might be doing something triggering it.

dnsmasq is monitored by the watchdog and should automatically get restarted.
 
I did a dirty update from 0.6 about 4 hrs ago. Seems to be OK, although I have seen some weirdness when loading the GUI. My DNSMASQ setting is OFF. I too am using Unbound.
 
Dirty update from 3004.388.6_0 to 3004.388.6_1. Programs that reach out to an external server to check for updates have not been able to connect. If I go back to 3004.388.6_0 the programs work fine.
 
Programs that reach out to an external server to check for updates have not been able to connect.
Can you elaborate? Is it failing to connect, or to resolve the address of the server?
 
Keep an eye out for any new dnsmasq syslog messages saying “limit exceeded” (with DNSSEC enabled). That could suggest that the new dnsmasq option dnssec-limits needs to be adjusted.

@RMerlin
Please care to pay attention to that, not sure what its true importance.

Upgraded my router only, DNSSec is enabled.
No issues popped, tried my VPN (Instand Guard), DDNS, and normal browsing.

Nothing to worry about.
 
Updated from 3004.388.6_1 to this fix release. Everything running fine whether DNSSEC is enabled or not. No "limit exceeded" messages in my Syslog.

Thanks RMerlin!
 
Last edited:
Status
Not open for further replies.

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top