Looking for assistance. RT-AC5300 Merlin and dnsmasq


This is odd. It is working. It has to be. Stuff like Hulu works. Also VRV, which I had to add manually. So something is working, just not everything, yet the domains are listed and do work in a different setup. Bizarre.
I think you'll have to do some debugging to see what is going on. Try restarting dnsmasq with --log-queries and then monitor the syslog for "forwarded" entries. Check they are going where you want them to.

# killall dnsmasq
# dnsmasq --log-async --log-queries

Code:
Aug  9 20:20:46 dnsmasq[7452]: query[PTR] 1.1.168.192.in-addr.arpa from 192.168.1.238
Aug  9 20:20:46 dnsmasq[7452]: /etc/hosts 192.168.1.1 is router.asus.com
Aug  9 20:20:46 dnsmasq[7452]: query[A] channel5.com.home.lan from 192.168.1.238
Aug  9 20:20:46 dnsmasq[7452]: config channel5.com.home.lan is NXDOMAIN
Aug  9 20:20:46 dnsmasq[7452]: query[AAAA] channel5.com.home.lan from 192.168.1.238
Aug  9 20:20:46 dnsmasq[7452]: config channel5.com.home.lan is NXDOMAIN
Aug  9 20:20:46 dnsmasq[7452]: query[A] channel5.com from 192.168.1.238
Aug  9 20:20:46 dnsmasq[7452]: forwarded channel5.com to 8.8.8.8
Aug  9 20:20:46 dnsmasq[7452]: reply channel5.com is 52.50.200.133
Aug  9 20:20:46 dnsmasq[7452]: query[AAAA] channel5.com from 192.168.1.238
Aug  9 20:20:46 dnsmasq[7452]: forwarded channel5.com to 8.8.8.8
 
Interesting. Queries don't even show in the log. The only thing I can see, in the example I tried first, is that the domain on the computer I'm using (work device) is being ignored by dnsmasq.

Tried from an Android phone too. Nothing showing in syslog at all. As in, there are no entries. What does that mean though? The router isn't even using dnsmasq at all, devices are ignoring it?

EDIT: Just to confirm, I'm not hiding queries in DHCP settings on the router.
 
Apologies. I have it working. I wasn't setting the correct logging level in the system menu. Here are some logs for you:

Aug 9 21:16:53 dnsmasq[568]: query[A] www.maxgo.com from 192.168.1.49
Aug 9 21:16:53 dnsmasq[568]: forwarded www.maxgo.com to 8.8.8.8
Aug 9 21:16:53 dnsmasq[568]: forwarded www.maxgo.com to 8.8.4.4
Aug 9 21:16:53 dnsmasq[568]: query[A] www.maxgo.com from 192.168.1.49
Aug 9 21:16:53 dnsmasq[568]: forwarded www.maxgo.com to 8.8.8.8
Aug 9 21:16:53 dnsmasq[568]: forwarded www.maxgo.com to 8.8.4.4
Aug 9 21:16:54 dnsmasq[568]: reply www.maxgo.com is <CNAME>
Aug 9 21:16:54 dnsmasq[568]: reply www.maxgo.com.c.footprint.net is 192.221.105.254
Aug 9 21:16:54 dnsmasq[568]: reply www.maxgo.com.c.footprint.net is 4.23.55.254
Aug 9 21:16:54 dnsmasq[568]: reply www.maxgo.com.c.footprint.net is 207.123.55.252


Aug 9 21:18:17 dnsmasq[568]: query[A] www.hbonow.com from 192.168.1.49
Aug 9 21:18:17 dnsmasq[568]: forwarded www.hbonow.com to 8.8.8.8
Aug 9 21:18:17 dnsmasq[568]: reply www.hbonow.com is <CNAME>
Aug 9 21:18:17 dnsmasq[568]: query[A] www.hbonow.com from 192.168.1.49
Aug 9 21:18:17 dnsmasq[568]: cached www.hbonow.com is <CNAME>
Aug 9 21:18:18 dnsmasq[568]: query[A] play.hbonow.com from 192.168.1.49
Aug 9 21:18:18 dnsmasq[568]: forwarded play.hbonow.com to 8.8.8.8
Aug 9 21:18:18 dnsmasq[568]: query[A] play.hbonow.com from 192.168.1.49
Aug 9 21:18:18 dnsmasq[568]: forwarded play.hbonow.com to 8.8.4.4
Aug 9 21:18:18 dnsmasq[568]: forwarded play.hbonow.com to 8.8.8.8
Aug 9 21:18:18 dnsmasq[568]: reply play.hbonow.com is <CNAME>
Aug 9 21:18:18 dnsmasq[568]: reply play.hbonow.com.c.footprint.net is 8.253.104.136
Aug 9 21:18:18 dnsmasq[568]: reply play.hbonow.com.c.footprint.net is 8.253.140.220


I did set my DNS to 8.8.8.8 and 8.8.4.4 just to test.

I feel we are getting somewhere though, as clearly dnsmasq entries for DNS are not being used at all. I've changed the DNS IPs on the WAN config back to my ISP now. dnsmasq is working, but it doesn't seem to be forwarding everything. Especially www.maxgo.com always seems to use 8.8.8.8 for lookup. Hijack perhaps?
 
Hopefully it will stay that way. :p Client devices have a tendency to cache their own entries. Also, some devices and apps have DNS IP addresses hard-coded into them, in which case the dnsmasq changes are ineffective. :cool:
 
Here's the weird thing. My W10 laptop is hit and miss, even with a flushed DNS cache. But everything else on the network appears fine. Android, STBs, tablets and so on.

Some stuff didn't work, so I added domains and it works. I've turned off 'all' logging as I log to a remote server and don't want colossal levels of data. Good for debug though like today of course!

I 'think' I'm good to go now. Some stuff I need VPN for. No way around it, and that's fine as I can use PBR for that, kindly built in to the firmware by Merlin, and that is fine.

One thing I do wish though is for the ability to leave the VPN client switched on and have conditional forwarding to a specific domain, as well as the ability to drop in devices to the PBR list which we already have built in to the firmware.

Example: I launch an app on an STB. The router detects the query and then sends all traffic over the VPN. Easier said than done though, I guess, as you'd need all the other domains/CDNs etc. to go over it too. Could get messy!

Thanks a lot again for all your help, it really is appreciated. Delighted to finally have this working and being able to protect privacy at the same time. Well, as much as it can be protected these days! Thanks again!
 
One thing I want to add, just in case anyone is looking for similar help in future, is that AB-Solution is definitely causing problems. Even using the most relaxed rule set.

Not sure how to approach that one. Maybe it blocks some CDNs? Maybe AB-Solution can bypass specific MAC addresses?

For now I've had to uninstall it. Just wanted to share in case it helps out.
 
Perhaps that's not too surprising, I've experienced a similar thing here. I use my own ad-blocking solution but it's based on the same principle as AB-Solution.

Even ignoring any geo-blocking considerations, more and more services won't work with ad-blocking. For example, if I want to stream ITV programmes I have to whitelist ad.doubleclick.net, bs.serving-sys.com, sb.scorecardresearch.com and www.google-analytics.com.

Other channels use a random selection of ad sites which changes every time you try to watch a program making it impossible to whitelist them all. So sometimes the program will play and other times it won't.

By logging the DNS queries you can see whether a domain is being blocked because it will be resolved to 0.0.0.0 or 127.0.0.1.
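As an added example (not code from the thread), a small Python parser over constructed dnsmasq --log-queries lines that does the two checks suggested above: where each query was forwarded, and which domains were answered locally with a block sentinel such as 0.0.0.0 or 127.0.0.1. The upstream addresses and the hosts-file path in the sample are placeholders.

```python
import re

BLOCK_SENTINELS = {"0.0.0.0", "127.0.0.1", "::", "::1"}

# Constructed sample of dnsmasq --log-queries output; addresses are placeholders.
SAMPLE_LOG = """\
Aug  9 21:16:53 dnsmasq[568]: query[A] www.maxgo.com from 192.168.1.49
Aug  9 21:16:53 dnsmasq[568]: forwarded www.maxgo.com to 8.8.8.8
Aug  9 21:16:54 dnsmasq[568]: reply www.maxgo.com is <CNAME>
Aug  9 21:16:54 dnsmasq[568]: reply www.maxgo.com.c.footprint.net is 192.221.105.254
Aug  9 21:16:55 dnsmasq[568]: query[A] ad.doubleclick.net from 192.168.1.49
Aug  9 21:16:55 dnsmasq[568]: /opt/var/blockinghosts 0.0.0.0 is ad.doubleclick.net
Aug  9 21:16:56 dnsmasq[568]: query[A] itv.com from 192.168.1.49
Aug  9 21:16:56 dnsmasq[568]: forwarded itv.com to 203.0.113.53
Aug  9 21:16:56 dnsmasq[568]: reply itv.com is 198.51.100.7
"""

# The three message shapes that matter for the checks below.
FORWARDED = re.compile(r"^forwarded (\S+) to (\S+)$")
LOCAL_CFG = re.compile(r"^config (\S+) is (\S+)$")      # answered from address=/d/ip
LOCAL_HOST = re.compile(r"^(/\S+) (\S+) is (\S+)$")     # answered from a hosts file

def parse_log(text):
    """Return {"forwarded": {domain: {upstream, ...}}, "local": {domain: answer}}."""
    forwarded, local = {}, {}
    for line in text.splitlines():
        msg = line.split("]: ", 1)[-1]          # strip the syslog/process prefix
        if m := FORWARDED.match(msg):
            forwarded.setdefault(m[1], set()).add(m[2])
        elif m := LOCAL_CFG.match(msg):
            local[m[1]] = m[2]
        elif m := LOCAL_HOST.match(msg):
            local[m[3]] = m[2]
    return {"forwarded": forwarded, "local": local}

def blocked_domains(parsed):
    """Domains the local config answered with a sink address, i.e. the ad-blocker."""
    return {d for d, ip in parsed["local"].items() if ip in BLOCK_SENTINELS}

def misrouted(parsed, expected):
    """Queries forwarded somewhere other than the resolver configured for that
    domain; `expected` maps a domain suffix to the upstream it should reach."""
    bad = []
    for domain, upstreams in parsed["forwarded"].items():
        for suffix, want in expected.items():
            if domain == suffix or domain.endswith("." + suffix):
                bad += [(domain, u) for u in sorted(upstreams) if u != want]
    return bad
```

Feed it the real syslog text and a map of the server=/domain/ip lines from dnsmasq.conf.add to spot domains that are still going to the default upstream.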
 
AB-Solution itself does nothing else but add a few lines to the dnsmasq.conf and lets it do the ad-blocking this way, using pixelserv-tls for https sites if enabled and installed.

The AB UI is nothing more than a fancy settings interface to add some user scripts and cron jobs.
It's a hosts file based blocker and nothing more.
Use the f option 1 or 2 to see what is blocking the resolving of those domains.

I use a /jffs/configs/dnsmasq.conf.add to add local DNS resolution with some lines such as:
address=/dev/192.168.2.160
address=/aus/192.168.2.170
This directs all clients to the respective IP for *.dev and *.aus TLDs in my network.
 
Can you explain the purpose of this because I can't see it. :confused: If I have a local domain called "dev" with multiple hosts, why would I want all of the host names to resolve to a single address? I think I'm missing something here.
 
I do web development and host all projects during development on local servers.
Instead of testing things on ab-solution.info directly, I do this on my local server on the domain ab-solution.dev, this being a virtual host on Apache.
There are close to a hundred domains on my development servers for local development and testing before deploying to the public servers.
It's just the way I do it, for many years now.
 
Thanks @thelonelycoder Yes the penny just dropped, but your reply beat me to it. :D

So you're not talking about multiple devices on a network, but multiple domains being hosted on a single machine. I get it now.
 
So you're not talking about multiple devices on a network, but multiple domains being hosted on a single machine.
Multiple local TLD domains on multiple local machines, each hosting TLD domain names such as *.dev, *.aus and so on.
 
Hmm, I'll have a play around with it. After checking more dnsmasq logs, I've slowly discovered and added more domains to my dnsmasq.conf.add file and now have nearly 0 issues. I've also implemented the following code, which seemed to work fine until today, when some stuff was hit and miss. I'm not sure why.

Code:
# Default Dnsmasq options
domain-needed
log-queries
log-dhcp

# Set custom DNS servers for specific hosts
## Device 1
#dhcp-host=AA:BB:CC:DD:EE:FF,set:smartdns

## Device 2
dhcp-host=AA:BB:CC:DD:EE:FF,set:smartdns

## Device 3
dhcp-host=AA:BB:CC:DD:EE:FF,set:smartdns

# Set Smart DNS Proxy IP addresses
dhcp-option=tag:smartdns,option:dns-server,xx.xx.xx.xx,xx.xx.xx.xx

Under the last setting there, dhcp-option.... I then have the whole server=/domain.com/domain.com/xx.xx.xx.xx etc. This is so everything else I don't specify to use the smart DNS all the time can still use the normal conditional forwarding I originally set up.
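An added example, not the poster's own configuration: a Python model of the directives used in the config above (address=, server=/d1/d2/ip, dhcp-host with set:, dhcp-option with tag:) that answers which resolver a given client and domain end up using. The MACs and addresses are constructed placeholders. The point it makes explicit is that a client handed other resolvers through dhcp-option never sends its queries to dnsmasq at all, so the server= lines cannot apply to it.

```python
# Constructed dnsmasq.conf.add in the style of the post above; MACs and
# addresses are placeholders, not the poster's values.
SAMPLE_CONF = """\
domain-needed
address=/dev/192.168.2.160
server=/hbonow.com/maxgo.com/203.0.113.53
dhcp-host=02:00:00:00:00:02,set:smartdns
dhcp-option=tag:smartdns,option:dns-server,198.51.100.1,198.51.100.2
"""

def parse_conf(text):
    """Reduce the directives used in the thread to a small lookup model."""
    rules, host_tags, tag_dns = {}, {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue                              # bare options like domain-needed
        key, val = line.split("=", 1)
        fields = val.split(",")
        if key in ("address", "server"):          # "/d1/d2/target" form
            parts = val.split("/")
            for dom in parts[1:-1]:
                rules[dom.lower()] = (key, parts[-1])
        elif key == "dhcp-host":
            host_tags[fields[0].lower()] = [f[4:] for f in fields[1:] if f.startswith("set:")]
        elif (key == "dhcp-option" and len(fields) > 2
              and fields[0].startswith("tag:") and fields[1] == "option:dns-server"):
            tag_dns[fields[0][4:]] = fields[2:]
    return {"rules": rules, "host_tags": host_tags, "tag_dns": tag_dns}

def resolver_for(cfg, mac, domain):
    """Which rule answers `domain` for the client `mac`: (kind, [addresses])."""
    for tag in cfg["host_tags"].get(mac.lower(), []):
        if tag in cfg["tag_dns"]:
            # DHCP handed this client other resolvers, so its queries never
            # reach dnsmasq and no address=/server= line can apply to them.
            return ("client-direct", cfg["tag_dns"][tag])
    labels = domain.lower().split(".")
    for i in range(len(labels)):                  # longest matching suffix wins
        hit = cfg["rules"].get(".".join(labels[i:]))
        if hit:
            return (hit[0], [hit[1]])
    return ("default-upstream", [])
```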

One aside question, is it possible to add further to this config file? I'd like to add a VPN client I have set up on the router. I presently have a rule set up for it, within the Merlin GUI, to only apply to a specific device(s) when the client is switched on. Is it possible to add to this config so that I can leave the client switched on all the time and when the router queries certain domains, it will use the active VPN client as well as a custom DNS IP address? Maybe that's a bit complex for home networking kit, but it would be bloody brilliant if it is possible.

Thanks a million both of you. I'd just like to say thanks as well for AB-Solution, it's a really good project. Thanks a lot for making it.
 
I know you can use Policy Rules to point the client to use VPN tunnel when accessing certain IPs. While this isn't DNS based it's a step in the right direction I hope!
 
Sorry, I can't help you. I don't use VPN clients.

No worries. You helped me a bunch as it is! ;)

Jack Yaz: Ah OK, so I'd be looking to do some sort of PBR with VPN somewhere in the router configuration files? IP shouldn't be a problem after looking up the domains anyway.
 