Solved RT-AC68U: In-router DNS resolution issues

[dave14305]

cat /tmp/resolv.conf
cat /tmp/resolv.dnsmasq
ls -l /etc/resolv.conf
nvram show 2>/dev/null | grep -F "192.168.1.254"
grep -F "192.168.1.254" /jffs/scripts/* /jffs/configs/*

 

[Llimona]

I think you guys are getting close to finding the culprit!

Do you have a broadband modem (or router) or some other ISP provider equipment upstream from the Asus router? Do you have any active VPN connections (or Tor) initiated from within the Asus-Merlin interface?

Yes to the router bit, no to the VPN/Tor bit.

I have an AT&T fiber router (BGW-320) set up as IP passthrough.

cat /tmp/resolv.conf
cat /tmp/resolv.dnsmasq
ls -l /etc/resolv.conf
nvram show 2>/dev/null | grep -F "192.168.1.254"
grep -F "192.168.1.254" /jffs/scripts/* /jffs/configs/*

admin@RT-AC68P-2960:/tmp/home/root# cat /tmp/resolv.conf
nameserver 192.168.1.254
admin@RT-AC68P-2960:/tmp/home/root# cat /tmp/resolv.dnsmasq
server=192.168.1.254
server=/attlocal.net/192.168.1.254
admin@RT-AC68P-2960:/tmp/home/root# ls -l /etc/resolv.conf
lrwxrwxrwx    1 admin    root            16 May  6 10:40 /etc/resolv.conf -> /tmp/resolv.conf
admin@RT-AC68P-2960:/tmp/home/root# nvram show 2>/dev/null | grep -F "192.168.1.254"
wan0_dns=192.168.1.254
dhcp_end=192.168.1.254
admin@RT-AC68P-2960:/tmp/home/root# grep -F "192.168.1.254" /jffs/scripts/* /jffs/configs/*
grep: /jffs/scripts/*: No such file or directory
grep: /jffs/configs/*: No such file or directory

 

[dave14305]

I think you guys are getting close to finding the culprit!

Yes to the router bit, no to the VPN/Tor bit.

I have an AT&T fiber router (BGW-320) set up as IP passthrough.

admin@RT-AC68P-2960:/tmp/home/root# cat /tmp/resolv.conf
nameserver 192.168.1.254
admin@RT-AC68P-2960:/tmp/home/root# cat /tmp/resolv.dnsmasq
server=192.168.1.254
server=/attlocal.net/192.168.1.254
admin@RT-AC68P-2960:/tmp/home/root# ls -l /etc/resolv.conf
lrwxrwxrwx    1 admin    root            16 May  6 10:40 /etc/resolv.conf -> /tmp/resolv.conf
admin@RT-AC68P-2960:/tmp/home/root# nvram show 2>/dev/null | grep -F "192.168.1.254"
wan0_dns=192.168.1.254
dhcp_end=192.168.1.254
admin@RT-AC68P-2960:/tmp/home/root# grep -F "192.168.1.254" /jffs/scripts/* /jffs/configs/*
grep: /jffs/scripts/*: No such file or directory
grep: /jffs/configs/*: No such file or directory

So show us a screenshot of your WAN settings. You should not be inheriting DNS from the upstream modem if your settings are as you say in post #1.

You don’t have any Dual WAN setup, do you?

 

[bennor]

I have an AT&T fiber router (BGW-320) set up as IP passthrough.

What is the IP address for the AT&T router? Is it the same 192.168.1.254?

Is your Asus Router also using the 192.168.1.x address range?

When I had AT&T their router was set to use 192.168.1.254. I had to change the Asus router to use 192.168.2.x (or some other private IP address range other than 192.168.1.x.

 

[Llimona]

So show us a screenshot of your WAN settings. You should not be inheriting DNS from the upstream modem if your settings are as you say in post #1.

You don’t have any Dual WAN setup, do you?

Actually, I do! It's set up as a fail over but can get rid of it.

The background for that is that my previous ISP (Monkeybrains) used to be unreliable in my area, so I switched to AT&T. Monkeybrains charges in 3 month intervals so I kept it up as a backup while we still had service with them, which it probably stopped working as of today.

I'm going to unplug that cable and disable that.

What is the IP address for the AT&T router? Is it the same 192.168.1.254?

Is your Asus Router also using the 192.168.1.x address range?

When I had AT&T their router was set to use 192.168.1.254. I had to change the Asus router to use 192.168.2.x (or some other private IP address range other than 192.168.1.x.

 

[bennor]

View attachment 36630

So the question is, where is that DNS value (192.168.1.254) in that screen shot coming from? From the Dual WAN? Or something else?

I don't have Dual WAN enabled and it shows the correct DNS values.

 

[dave14305]

View attachment 36628

Actually, I do! It's set up as a fail over but can get rid of it.

The background for that is that my previous ISP (Monkeybrains) used to be unreliable in my area, so I switched to AT&T. Monkeybrains charges in 3 month intervals so I kept it up as a backup while we still had service with them, which it probably stopped working as of today.

View attachment 36629
I'm going to unplug that cable and disable that.


View attachment 36630

So which WAN Index/ WAN Type was selected when you were viewing your WAN DNS settings?

 

[Llimona]

So which WAN Index/ WAN Type was selected when you were viewing your WAN DNS settings?

/facepalm

So it seems like all along the WAN settings page was defaulting to the fail over interface rather than the primary one and I never noticed...

As soon as I disabled dual WAN I got to see the actual WAN DNS settings which they were set to automatic instead of Cloudflare's.

I'm so sorry for wasting everyone's time with this silly mistake. Thanks a lot for helping me figure this out, everyone!

 

[RSJ]

Note: Originally misclicked and created this thread way too early while starting to write it. Most of the content has been edited in. Apologies!

Running Merlin: 386.3_2

I have my network setup to use a pihole DNS filter. The Asus router advertises the pihole's local IP as a DNS server on DHCP and that works perfectly fine for all the devices within the network, except the router itself.

Anything within the router cannot resolve domains, this prevents things like OpenVPN clients, DDNS or even firmware update checks from working.

The way I have the DNS setup is (striken-through settings have been corrected based on suggestions from replies!):

LAN / DHCP Server / DNS and WINS Server Setting

• DNS Server 1: pihole's local ip
• DNS Server 2: pihole's local ip
• Advertise router's IP in addition to user-specified DNS: No
• WINS Server: (blank)

LAN / DNS Filter

• Enable DNS-based Filtering: On
• Global Filter Mode: Router
• Custom (user-defined) DNS 1: (blank)
• Custom (user-defined) DNS 2: (blank)
• Custom (user-defined) DNS 3: (blank)
• Client List:
  • pihole's MAC (No filter)

WAN / WAN DNS Setting
Tried many combinations of these to no avail. That's what I expected the router's requests to rely on but that might be a terrible assumption.

• Connect to DNS Server automatically: No
• DNS Server1: 1.1.1.1 (Cloudflare)
• DNS Server2: 1.1.1.2 1.0.0.1 (Cloudflare)
• Forward local domain queries to upstream DNS: Yes No
• Enable DNS Rebind protection: Yes
• Enable DNSSEC support: Yes
• Validate unsigned DNSSEC replies: Yes
• Prevent client auto DoH: Auto
• DNS Privacy Protocol: None

Example Log Extract

May  6 10:17:00 ovpn-client1[3043]: RESOLVE: Cannot resolve host address: <myvpnserverdomain : port> (Name or service not known)

Solution
If you are using dual WAN... make sure that you are editing the WAN DNS settings for the right WAN. /facepalm

Thank you for posting all this and for everyone chiming in! I'm running Merlin on my GT-AX11000 and was very confused on how to configure it correctly with pihole. This is just awesome! I have an AiMesh with an RT-AX88U, RT-AX89X and RT-AX82U with two being Merlin capable. I'm really hoping Merlin will be available for the 82U and 89X at some point. Anyway, you and all the other smart people really saved me a lot of headache and time with this!!

 

[jsn2233]

Like others indicated, use Cloudflare's 1.0.0.1 for the second DNS Server. And set Forward local domain queries to upstream DNS to No. My setup is similar with Pi-Hole, and there are no issues with the router checking for firmware updates.

View attachment 36627

I know this is 2 years old but no one is answering my new post. Is there any reason we should set the DNS to those? I don't understand. How does this get your network to traffic through Pihole? My first DNS is Pihole and the second is Quad9 and it seems to work fine.

 

[bennor]

I know this is 2 years old but no one is answering my new post. Is there any reason we should set the DNS to those? I don't understand. How does this get your network to traffic through Pihole? My first DNS is Pihole and the second is Quad9 and it seems to work fine.

What new post are people not answering? Are you talking about this one: Pihole/Yazfi with guest network?
Don't confuse the WAN DNS fields with the LAN DHCP DNS fields. Pi-Hole recommends putting the IP address of the Pi-Hole device into the LAN DHCP DNS fields, not the WAN DNS fields.

When mixing a non Pi-Hole DNS address from a public DNS server with a Pi-Hole DNS address in the LAN DHCP DNS fields there will exist the potential possibility of LAN clients bypassing the Pi-Hole. Which kind of defeats the whole reason for using a Pi-Hole to filter ads. If one is worried about their main Pi-Hole going down one can always setup a second Pi-Hole on their local network. The Pi-Hole program can run on a variety of devices (or Dockers) other than Raspberry Pi's. Pi-Hole supported operating systems.

Edit to add: Did a post few years ago showing how I setup Pi-Hole(s) on my network:
https://www.snbforums.com/threads/pihole-dns.74646/page-3#post-712319
There may be other better ways but it is what works for me on my setup.
I don't mix public DNS servers with the Pi-Hole. Just use the Pi-Hole IP addresses in the LAN DHCP DNS fields and the YazFi DNS fields.

 

[jsn2233]

What new post are people not answering? Are you talking about this one: Pihole/Yazfi with guest network?
Don't confuse the WAN DNS fields with the LAN DHCP DNS fields. Pi-Hole recommends putting the IP address of the Pi-Hole device into the LAN DHCP DNS fields, not the WAN DNS fields.

When mixing a non Pi-Hole DNS address from a public DNS server with a Pi-Hole DNS address in the LAN DHCP DNS fields there will exist the potential possibility of LAN clients bypassing the Pi-Hole. Which kind of defeats the whole reason for using a Pi-Hole to filter ads. If one is worried about their main Pi-Hole going down one can always setup a second Pi-Hole on their local network. The Pi-Hole program can run on a variety of devices (or Dockers) other than Raspberry Pi's. Pi-Hole supported operating systems.

Edit to add: Did a post few years ago showing how I setup Pi-Hole(s) on my network:
https://www.snbforums.com/threads/pihole-dns.74646/page-3#post-712319
There may be other better ways but it is what works for me on my setup.
I don't mix public DNS servers with the Pi-Hole. Just use the Pi-Hole IP addresses in the LAN DHCP DNS fields and the YazFi DNS fields.

Wow man thanks that is great info!

I'm curious is my setup ok in your eyes? 192.168.1.8 is where my pihole is located and I don't have DNS director enabled.

I use this VPN and after setting it to Strict for Accept DNS I am getting no more DNS leaks on my guest and home network, is this recommended?

One thing I do notice is when I don't have it set to strict, say, relaxed, I get DNS leaks but the IP address is not my own IP address. What does that mean? Is it the secondary DNS in my WAN settings?

 

[bennor]

I'm curious is my setup ok in your eyes? 192.168.1.8 is where my pihole is located and I don't have DNS director enabled.
....
I use this VPN and after setting it to Strict for Accept DNS I am getting no more DNS leaks on my guest and home network, is this recommended?
....
One thing I do notice is when I don't have it set to strict, say, relaxed, I get DNS leaks but the IP address is not my own IP address. What does that mean? Is it the secondary DNS in my WAN settings?

I don't use VPN Client so I cannot comment on how Pi-Hole works with the VPN Client setting or why you are getting DNS leakage. Someone more well versed with using VPN Clients will have to address that. Your basic settings for Pi-Hole on the LAN DHCP server page looks fine at first quick glance. Just note you may have to reboot the router and LAN/WiFi client devices to get those devices to pull the new DNS information/settings.

 

[jsn2233]

Is it ok that I set the WAN DNS to my pihole and the Quad9 DNS?

 

[bennor]

Is it ok that I set the WAN DNS to my pihole and the Quad9 DNS?

As posted above the Pi-Hole documentation doesn't recommend it.

ASUS router
ASUS was so kind to set up a FAQ how to configure their routers together with Pi-hole.

They offer two kinds of setup depending on your router's firmware version. On newer firmware they recommend setting Pi-hole as DNS server for the WAN connection and on older versions for LAN connections. However, we recommend to setup Pi-hole always as DNS server for your LAN! If you do so, Pi-hole's IP is distributed as DNS server via DHCP to your network clients. Each client will directly send their queries to Pi-hole and will be shown individually in Pi-hole's web interface. Additionally, you can use the group management features.

You can find the FAQ here: https://www.asus.com/support/FAQ/1046062/

When using Pi-Hole IP's in the WAN fields there exists the remote possibility of a feedback loop happening if "Use Conditional Forwarding" is enabled within the Pi-Hole. When the feedback loop happens it cripples the local LAN and Pi-Hole which is flooded with feedback loop DNS requests.

However, you do you and configure it how ever you want based on your configuration and use needs.