Intermittent DNS failures

[sbsnb]

I've been having trouble with intermittent DNS failures over the years, but I just chalked it up to issues with my dnscrypt-proxy setup. However, I've been running without it for the last few days and I am still experiencing the issue.

The symptoms are that occasionally a well-known domain will fail to resolve and I get the browser error message that the name couldn't be resolved. Pressing reload usually just gives the error again. Pressing reload 4 or 5 times gets the domain to load. When it's happening running nslookup from a client yields the same problem: instant error. The error is so fast that there's no way it's an actual failure because it's instantaneous. It's not a timeout.

I don't even know how to troubleshoot because it only lasts for about 10-15 seconds when it happens, which is about every day or two.

 

[dave14305]

What error does nslookup give you, if not a timeout?

 

[bbunge]

First upgrade to Merlin 386.5.

Second, dump DNSCrypt-Proxy and try DoT to a secure DNS upstream resolver such as Quad9. Start without DNSSEC enabled. When you have better DNS function enable DNSSEC. Also use DNS Filter.

It is possible that other addons are causing issues. You may want to factory reset and run 386.5 without addons for a bit.

 

[sbsnb]

First upgrade to Merlin 386.5.

Is Asus still nagging about not using HTTPS? I don't intend to use any firmware that's intentionally designed to annoy me into participating in their security theater.

Second, dump DNSCrypt-Proxy and try DoT to a secure DNS upstream resolver such as Quad9. Start without DNSSEC enabled. When you have better DNS function enable DNSSEC. Also use DNS Filter.

That's what I'm using now and still experience the issue.

It is possible that other addons are causing issues. You may want to factory reset and run 386.5 without addons for a bit.

It may come to that, although sometimes I can go a month or more without issue and then other times it's multiple times a day. I don't know how long I'd have to go without the error to conclusively call it fixed.

 

[sbsnb]

What error does nslookup give you, if not a timeout?

It will say:

Server:  RT-AX86U-AB41.router.lan
Address:  192.168.1.1

*** RT-AX86U-AB41.router.lan can't find google.com: Non-existent domain

It almost makes me think that sometimes a cache miss is interpreted as an NXDOMAIN.

EDIT - Since this was an issue in my RT-AC88U and my RT-AX86U, I don't think there's any hardware issue or anything in any model-specific code.

 

[bbunge]

Is Asus still nagging about not using HTTPS? I don't intend to use any firmware that's intentionally designed to annoy me into participating in their security theater.

Do not know what you are talking about. I have at times enabled http and https access but mostly use http. But I never enable WAN access like some do.

 

[sbsnb]

Do not know what you are talking about.

This:

Release - Asuswrt-Merlin 386.4 is now available

Dirty update from previous release on AC88U. Everything's fine except Time Machine, I have the following message when I try to select the AC88U usb drive as Time machine drive (that I just formatted): The version of the server you are trying to connect to is not supported. Edit: Time Machine...

www.snbforums.com

Release - Asuswrt-Merlin 386.4 is now available

Dirty update from previous release on AC88U. Everything's fine except Time Machine, I have the following message when I try to select the AC88U usb drive as Time machine drive (that I just formatted): The version of the server you are trying to connect to is not supported. Edit: Time Machine...

www.snbforums.com

Release - Asuswrt-Merlin 386.4 is now available

Dirty update from previous release on AC88U. Everything's fine except Time Machine, I have the following message when I try to select the AC88U usb drive as Time machine drive (that I just formatted): The version of the server you are trying to connect to is not supported. Edit: Time Machine...

www.snbforums.com

 

[OzarkEdge]

This:

Release - Asuswrt-Merlin 386.4 is now available

Dirty update from previous release on AC88U. Everything's fine except Time Machine, I have the following message when I try to select the AC88U usb drive as Time machine drive (that I just formatted): The version of the server you are trying to connect to is not supported. Edit: Time Machine...

www.snbforums.com

Release - Asuswrt-Merlin 386.4 is now available

Dirty update from previous release on AC88U. Everything's fine except Time Machine, I have the following message when I try to select the AC88U usb drive as Time machine drive (that I just formatted): The version of the server you are trying to connect to is not supported. Edit: Time Machine...

www.snbforums.com

Release - Asuswrt-Merlin 386.4 is now available

Dirty update from previous release on AC88U. Everything's fine except Time Machine, I have the following message when I try to select the AC88U usb drive as Time machine drive (that I just formatted): The version of the server you are trying to connect to is not supported. Edit: Time Machine...

www.snbforums.com

Are you seeing this HTTPS 'nag' on your router?

OE

 

[sbsnb]

Are you seeing this HTTPS 'nag' on your router?

I haven't installed those versions because I don't intend to see those nags.

 

[ColinTaylor]

I haven't installed those versions because I don't intend to see those nags.

I've never seen such a message.

 

[dave14305]

I've never seen such a message.

There’s some odd combination of nvram that results in the https messages:

asuswrt-merlin.ng/release/src/router/www/js/https_redirect/https_redirect.js at faf82c7ce0d6c1bbc19e94f408d8ba2886c36921 · RMerl/asuswrt-merlin.ng

Third party firmware for Asus routers (newer codebase) - RMerl/asuswrt-merlin.ng

github.com

I’ve never seen them either.

 

[RMerlin]

There’s some odd combination of nvram that results in the https messages:

asuswrt-merlin.ng/release/src/router/www/js/https_redirect/https_redirect.js at faf82c7ce0d6c1bbc19e94f408d8ba2886c36921 · RMerl/asuswrt-merlin.ng

Third party firmware for Asus routers (newer codebase) - RMerl/asuswrt-merlin.ng

github.com

I’ve never seen them either.

Short answer is: that feature is region-specific. Most likely certain countries have laws or regulations now requiring it.

 

[heysoundude]

Is Asus still nagging about not using HTTPS? I don't intend to use any firmware that's intentionally designed to annoy me into participating in their security theater.


That's what I'm using now and still experience the issue.


It may come to that, although sometimes I can go a month or more without issue and then other times it's multiple times a day. I don't know how long I'd have to go without the error to conclusively call it fixed.

have you considered or tried using unbound?
If you're looking for security and privacy, I'm of a mind that it's a better way to go: You cache the addresses you visit most frequently locally (I do it on the entware USB drive I'm running diversion etc on), and when a query of the cache for an address isn't found, it goes straight to the authoritative servers that all the "big" well-known "fast" public DNS servers do, and you can even choose to use DoT/DoH to those, if they support it.
DNSCrypt-proxy may be a little more behind the curve compared to unbound (our version here is one behind the dev's current at the moment, but it's being worked on)

 

[dave14305]

and you can even choose to use DoT/DoH to those, if they support it.

I don’t think that’s possible today. Root/TLD servers don’t support it, and I imagine most authoritative name servers don’t support it.

https://root-servers.org/media/news/Statement_on_DNS_Encryption.pdf

 

[Tech9]

and when a query of the cache for an address isn't found, it goes straight to the authoritative servers that all the "big" well-known "fast" public DNS servers do

This is when big and fast public DNS servers beat you every single time with much bigger cache than yours.

 

[heysoundude]

I don’t think that’s possible today. Root/TLD servers don’t support it, and I imagine most authoritative name servers don’t support it.

https://root-servers.org/media/news/Statement_on_DNS_Encryption.pdf

IIRC, the folks who built unbound have built in the functionality should the auth servers ever decide to go down the encryption path. but that would be indicative of greater concerns for the internet as a whole if there was demand for it

This is when big and fast public DNS servers beat you every single time with much bigger cache than yours.

Again, this is what OP is looking for, and I am just making them aware of their options.
I'll take the hit on ping time to stay a bit more private in what I search for, thanks. Those 10ms are my chance to flip the googles of the world the bird.

 

[Tech9]

'll take the hit on ping time to stay a bit more private in what I search for, thanks.

Your ISP can re-create your browsing history with >90% accuracy and you may leak your real public IP address when using own resolver. Your beliefs lead to wrong conclusions, @heysoundude - Skynet, IPv6, Unbound. You're welcome.

 

[sbsnb]

Your ISP can re-create your browsing history with >90% accuracy and you may leak your real public IP address when using own resolver. Your beliefs lead to wrong conclusions, @heysoundude - Skynet, IPv6, Unbound. You're welcome.

Without access to my DNS queries they only know the IP I'm connecting to. For many sites that could mean any number of hundreds of domains hosted on the same server. Google doesn't know anything I query or connect to unless my ISP is selling them that information.

My personal reasons for using dnscrypt-proxy is to use servers that AREN'T run by the "big boys," to prevent them from building a record of my DNS queries, and to prevent my ISP or anyone else from intercepting my DNS queries similar to how DNS queries can be redirected on the router. Ever since the incident where the dude that runs Cloudfare reported that he woke up one morning and decided one of his customers shouldn't be on the Internet, flipped a switch, and made it so, I have steered clear of "the big boys" for DNS, for email, for web hosting, and even internet access in every way possible. It opened my eyes to how vulnerable I was to having my access to information controlled by some other person's opinions and whimsy. I currently use OpenNIC which seems more resilient against the personal whims of some megalomaniac or corporate behemoth with a political agenda.

 

[heysoundude]

Your ISP can re-create your browsing history with >90% accuracy and you may leak your real public IP address when using own resolver. Your beliefs lead to wrong conclusions, @heysoundude - Skynet, IPv6, Unbound. You're welcome.

Our common ISP (iirc) has been pretty clear that they have better things to do, and would need legal compulsion to open their logs. I believe them, since they've taken a pretty adversarial stance with the big boys and the gov't agencies they're beholden to.
but granted, that is clearly not the case for everyone/everywhere

 

[sbsnb]

I started receiving interesting errors trying to visit some sites I regularly visit for years. These errors coincide with experimenting with Cloudfare's DNS. Here's an example:

Seems like something unrelated to Cloudfare, right? I dug a little deeper. Using Cloudfare's DNS servers the domain in question resolves to something in Cloudfare's IP space. When I use Quad 9 the domain resolves to a network in the UK and works perfectly fine in the browser.

This makes me very suspicious of Cloudfare. It's the kind of shenanigans I am trying to avoid in the first place.