
RT-AX3000: DHCP and DNS randomly stop working


Lothsahn

Occasional Visitor
I've got an ASUS RT-AX3000. I just updated to the latest firmware (386.4_0) and it seemed stable for a few days. I then enabled dual-WAN in failover mode and that worked great. I tested pulling the network connection and it would fail over and fail back as expected. I also disabled 2.4 GHz wifi.

About a day later, I had an issue where the local DHCP server will stop handing out addresses and DNS will stop resolving. When this occurred, there were no errors in the system log or any mention of dnsmasq at all. I restarted dnsmasq (service restart_dnsmasq) and everything went back to normal. Then it happened again, a few days later. Again, restarting dnsmasq fixed the issue, but the issue came back 2 hours later. 2 copies of dnsmasq are always running at all times:

admin@LothRouter:/jffs# ps | grep dnsmasq
21792 admin 3424 R grep dnsmasq
32098 nobody 2752 R dnsmasq --log-async
32099 admin 2620 S dnsmasq --log-async

Anyone having a similar experience? I'm going to try a factory reset and reconfigure the router, but with hundreds of port forwards, it's VERY annoying to do that.
 
That's normal.


Just save the port forwards to a file on a USB drive and reload them afterwards.

Code:
nvram get vts_rulelist > somefile.txt
Code:
nvram set vts_rulelist="$(cat somefile.txt)"
nvram commit

That saved me SO much time. Thank you!
 
If you want to run DNSSEC there is a way to run it via Stubby instead of Dnsmasq.

Create a file called stubby.postconf in /jffs/scripts with the following content:
Code:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
pc_insert "tls_authentication: GETDNS_AUTHENTICATION_REQUIRED" "dnssec_return_status: GETDNS_EXTENSION_TRUE" $CONFIG

Set the file to executable with chmod 755 /jffs/scripts/stubby.postconf

Restart the router or click Apply at the bottom of WAN/Internet Connection. Make sure that DNSSEC is not enabled on that page.

To check if it is working, in a terminal run stubby -l. You should see Stubby reporting its operation with a statement that DNSSEC is enabled. Press Ctrl+C to cancel stubby logging.
 
After the factory reset and leaving DNSSEC disabled, I have not had the issue reoccur. I will update this post if it does, but I'm now running dual wan and I've had no issues. Failover works as expected and the router works great. No DHCP or DNS issues now.
 
Hello. How do you disable DNSSEC? I could not find it on the router setting. Please help. Thank you.
 
It's an option under WAN DNS Setting. The option is not present in stock firmware.
Thank you for your prompt reply. Yes, currently still using stock firmware. Does that mean that DNSSEC is disabled by default?
I wonder sometimes the router is not able to assign our devices the correct IP address (it gives 192.168.1.xx instead of 192.168.50.xx). So devices won't be able to connect to the internet.
 

Thank you for your prompt reply. Yes, currently still using stock firmware. Does that mean that DNSSEC is disabled by default?
Stock firmware doesn't support DNSSEC at all.

I wonder sometimes the router is not able to assign our devices the correct IP address (it gives 192.168.1.xx instead of 192.168.50.xx). So devices won't be able to connect to the internet.
This has nothing to do with DNS. Although I see you are overriding your router's DNS server with different ones in the LAN DHCP settings. That's usually not a good idea.

It sounds like you have another DHCP server on your LAN. This is often another router, access point, repeater, etc. that has been configured or connected incorrectly.
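
Added example, not part of any post in this thread: one way to confirm a second DHCP server on the LAN is to capture DHCP traffic on any wired host with tcpdump and list which servers answered. The function names, the expected router address 192.168.50.1 and the sample capture lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `tcpdump -n -v` text for UDP 67/68
# on stdin and reports which DHCP servers answered and what they handed out.

# Constructed sample: two replies from the router, one from another device.
# The last Server-ID line uses the spelling printed by older tcpdump builds.
sample_capture() {
cat <<'EOF'
    192.168.50.1.67 > 192.168.50.23.68: BOOTP/DHCP, Reply, length 300
      Your-IP 192.168.50.23
        DHCP-Message (53), length 1: Offer
        Server-ID (54), length 4: 192.168.50.1
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from aa:bb:cc:dd:ee:01, length 300
        DHCP-Message (53), length 1: Request
        Server-ID (54), length 4: 192.168.50.1
    192.168.50.1.67 > 192.168.50.23.68: BOOTP/DHCP, Reply, length 300
      Your-IP 192.168.50.23
        DHCP-Message (53), length 1: ACK
        Server-ID (54), length 4: 192.168.50.1
    192.168.1.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
      Your-IP 192.168.1.37
        DHCP-Message (53), length 1: Offer
        Server-ID Option 54, length 4: 192.168.1.1
EOF
}

# Print "server last-offered-address reply-count", one line per server.
# Only replies count: a client request also carries option 54, but it merely
# echoes the server the client picked.
dhcp_servers() {
    awk '
        /BOOTP\/DHCP, Reply/   { reply = 1; yip = "-" }
        /BOOTP\/DHCP, Request/ { reply = 0 }
        reply && /Your-IP/     { yip = $NF }
        reply && /Server-ID/   { seen[$NF]++; lease[$NF] = yip }
        END { for (s in seen) print s, lease[s], seen[s] }
    ' | LC_ALL=C sort
}

# Print every server other than the expected one ($1); return 1 if any exist.
rogue_dhcp_servers() {
    rogue=$(dhcp_servers | awk -v ok="$1" '$1 != ok')
    if [ -n "$rogue" ]; then
        printf '%s\n' "$rogue"
        return 1
    fi
    return 0
}
# Live use (interface name is an assumption):
#   tcpdump -n -v -c 20 -i eth0 'udp port 67 or udp port 68' | rogue_dhcp_servers 192.168.50.1
```

Renewing a client's lease while the capture runs makes every DHCP server on the segment answer, so the second one shows up with the 192.168.1.xx address it is offering.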
 
 
