WAN DNS setting ignored due to pppd - 386.13 on Asus AC68u

R3dbvll

Occasional Visitor
Hi all,

I'm really hoping someone can help.
I have an Asus AC68u router (which I realise is old and now no longer supported), but it is still going strong. Currently I'm running Merlin firmware 386.13 on it.

I have just moved house and moved ISPs. Previously I was with Virgin Media, who provided a DOCSIS service. I was able to set the WAN-side DNS servers I wanted to use for the router with no problem - I set this in the router UI.

The new ISP uses PPPoE. I have a Draytek Vigor167 modem in bridge mode fronting the connection, then the Asus router. Everything works fine except for the WAN DNS settings.

From what I can tell in the logs, pppd is pulling the ISP-provided DNS servers and pushing them to file, which dnsmasq is then picking up. Nothing I do seems to change that.
I've tried adding the config option 'ms-dns' in the Additional PPPD Options field, but it makes no difference.

Are there any other pppd options I can provide, or are there other options available to make sure dnsmasq picks up my desired DNS servers?

(note, if interested - the LAN-side DNS settings work fine, and are provided by DHCP to LAN clients)

I checked through the release notes of new firmware versions, but I didn't see anything that could be related.

Many thanks
Chris.
 
I ran a RT-AC68U for many years with my PPPoE ISP and never had this issue.

I would recommend upgrading to the final 386.14_2 then doing a factory reset.

Also trying DoT set to strict + DNSSC, as that was my config.
 
Please show what your WAN DNS settings look like and the syslog snippet that shows the ISP DNS servers being read.
 
Currently I'm running Merlin firmware 386.13 on it.
The firmware 386.13 (7-Apr-2024) is almost a year old. You really should update to the latest 386.14_2 (17-Nov-2024) firmware if for nothing other than the security vulnerability fix(es) it contains, namely the one for the AiCloud vulnerability:

Retest and see if your issue persists with the latest firmware.
 
Thanks for all your feedback. I'll update to the latest firmware and do a reset and update here when I find out.

Also, as requested, I'll post syslog info and pictures of my configuration.
 
So I've updated to the latest firmware (386.14_2), and completed a factory reset of the router.
At this stage all I have done is put in the PPPoE credentials and added WAN-side DNS servers (in this case, Google - 8.8.8.8, 8.8.4.4).

Here is the log after I applied the WAN DNS settings. You can see pppd restarting and dnsmasq.

INI:
Mar  5 14:21:21 pppd[4373]: Plugin rp-pppoe.so loaded.
Mar  5 14:21:21 pppd[4373]: RP-PPPoE plugin version 3.11 compiled against pppd 2.4.7
Mar  5 14:21:21 pppd[4375]: pppd 2.4.7 started by administrator, uid 0
Mar  5 14:21:21 pppd[4375]: PPP session is 386 (0x182)
Mar  5 14:21:21 pppd[4375]: Connected to xx:xx:xx:xx:xx:xx via interface eth0
Mar  5 14:21:21 pppd[4375]: Using interface ppp0
Mar  5 14:21:21 pppd[4375]: Connect: ppp0 <--> eth0
Mar  5 14:21:21 pppd[4375]: CHAP authentication succeeded: Zen Subscriber/Legacy: using Zen Auth Server
Mar  5 14:21:21 pppd[4375]: CHAP authentication succeeded
Mar  5 14:21:21 pppd[4375]: peer from calling number xx:xx:xx:xx:xx:xx authorized
Mar  5 14:21:22 pppd[4375]: local  IP address <ISP provided IP>
Mar  5 14:21:22 pppd[4375]: remote IP address <ISP gateway>
Mar  5 14:21:22 pppd[4375]: primary   DNS address 212.23.3.100
Mar  5 14:21:22 pppd[4375]: secondary DNS address 212.23.6.100
Mar  5 14:21:23 dnsmasq[3985]: read /etc/hosts - 22 names
Mar  5 14:21:23 dnsmasq[3985]: using nameserver 212.23.3.100#53
Mar  5 14:21:23 dnsmasq[3985]: using nameserver 212.23.6.100#53
Mar  5 14:21:23 dnsmasq[3985]: using nameserver 212.23.3.100#53
Mar  5 14:21:23 dnsmasq[3985]: using nameserver 212.23.6.100#53
Mar  5 14:21:24 wan: finish adding multi routes
Mar  5 14:21:24 miniupnpd[3979]: shutting down MiniUPnPd
Mar  5 14:21:29 miniupnpd[4455]: HTTP listening on port 50672
Mar  5 14:21:29 miniupnpd[4455]: Listening for NAT-PMP/PCP traffic on port 5351
Mar  5 14:21:29 rc_service: ip-up 4383:notify_rc stop_samba
Mar  5 14:21:30 Samba_Server: smb daemon is stopped
Mar  5 14:21:30 kernel: gro disabled
Mar  5 14:21:30 rc_service: ip-up 4383:notify_rc start_samba
Mar  5 14:21:30 dnsmasq[3985]: exiting on receipt of SIGTERM
Mar  5 14:21:31 dnsmasq[4468]: started, version 2.90 cachesize 1500
Mar  5 14:21:31 dnsmasq[4468]: asynchronous logging enabled, queue limit is 5 messages
Mar  5 14:21:31 dnsmasq-dhcp[4468]: DHCP, IP range 192.168.102.2 -- 192.168.102.254, lease time 1d
Mar  5 14:21:31 dnsmasq-dhcp[4468]: DHCP, IP range 192.168.101.2 -- 192.168.101.254, lease time 1d
Mar  5 14:21:31 dnsmasq-dhcp[4468]: DHCP, IP range 192.168.1.2 -- 192.168.1.254, lease time 1d
Mar  5 14:21:31 dnsmasq[4468]: read /etc/hosts - 22 names
Mar  5 14:21:31 dnsmasq[4468]: using nameserver 212.23.3.100#53
Mar  5 14:21:31 dnsmasq[4468]: using nameserver 212.23.6.100#53
Mar  5 14:21:31 dnsmasq[4468]: using nameserver 212.23.3.100#53
Mar  5 14:21:31 dnsmasq[4468]: using nameserver 212.23.6.100#53
Mar  5 14:21:31 wan_up: Restart DDNS
Mar  5 14:21:45 dnsmasq[4468]: read /etc/hosts - 22 names
Mar  5 14:21:45 dnsmasq[4468]: using nameserver 212.23.3.100#53
Mar  5 14:21:45 dnsmasq[4468]: using nameserver 212.23.6.100#53
Mar  5 14:21:45 dnsmasq[4468]: using nameserver 212.23.3.100#53
Mar  5 14:21:45 dnsmasq[4468]: using nameserver 212.23.6.100#53
Mar  5 14:21:45 zcip_client: configured 169.254.154.13

I've removed some stuff for privacy, but I kept in the ISP DNS servers, so you can see those values being obtained by pppd and used by dnsmasq. At this point, dnsmasq should be using the WAN DNS addresses I provided.

Here is a curiosity: If I put in some parameters for pppd which pppd does not recognise, pppd fails/exits, BUT dnsmasq then falls back to using the WAN DNS servers I added.

I've added a picture of my WAN setup.

Chris
 

To follow up on my 'curiosity' comment above:
I put 'dumb-param' as an additional parameter for pppd, and applied that.
This is the log output:

Code:
Mar  5 14:37:56 pppd[6387]: Plugin rp-pppoe.so loaded.
Mar  5 14:37:56 pppd[6387]: RP-PPPoE plugin version 3.11 compiled against pppd 2.4.7
Mar  5 14:37:56 pppd[6387]: In file /tmp/ppp/options.wan0: unrecognized option 'dumb-param'
Mar  5 14:38:09 WAN(0)_Connection: Fail to connect with some issues.
Mar  5 14:38:17 services: apply rules error(19298)
Mar  5 14:38:17 dnsmasq[4468]: read /etc/hosts - 22 names
Mar  5 14:38:17 dnsmasq[4468]: using nameserver 8.8.8.8#53
Mar  5 14:38:17 dnsmasq[4468]: using nameserver 8.8.4.4#53
Mar  5 14:38:17 dnsmasq[4468]: using nameserver 8.8.8.8#53
Mar  5 14:38:17 dnsmasq[4468]: using nameserver 8.8.4.4#53
Mar  5 14:38:17 zcip_client: configured 169.254.154.13

You can see that pppd exits, and dnsmasq picks up the IP addresses I added. Of course this is no use as I then don't have an internet connection!
 
The approach I'm taking now is to try to get dnsmasq to use the DNS config I want after it starts, or during start, but after pppd starts.

I've tried a few approaches but nothing works so far.

Does anybody have an idea how to do this via a script in /jffs or something like that?
 
Does anybody have an idea how to do this via a script in /jffs or something like that?
In /jffs/scripts/dnsmasq.postconf:
Code:
#!/bin/sh
. /usr/sbin/helper.sh
pc_delete "servers-file" "$1"
pc_append "server=8.8.8.8" "$1"
pc_append "server=8.8.4.4" "$1"
What have you tried?
 
In /jffs/scripts/dnsmasq.postconf:
Code:
#!/bin/sh
. /usr/sbin/helper.sh
pc_delete "servers-file" "$1"
pc_append "server=8.8.8.8" "$1"
pc_append "server=8.8.4.4" "$1"
What have you tried?
I'll give that a go.

I tried the below script, which was suggested by someone else after a Google search:
Code:
source /usr/sbin/helper.sh

pc_replace "resolv-file=/tmp/resolv.conf" "no-resolv" $CONFIG

pc_append "server=8.8.8.8" $CONFIG
pc_append "server=8.8.4.4" $CONFIG

nvram set wan1_dns="8.8.8.8,8.8.4.4"
 
In /jffs/scripts/dnsmasq.postconf:
Code:
#!/bin/sh
. /usr/sbin/helper.sh
pc_delete "servers-file" "$1"
pc_append "server=8.8.8.8" "$1"
pc_append "server=8.8.4.4" "$1"
What have you tried?
I gave this a try, and I get the same result unfortunately - DNS servers for the WAN side are still set to the ISP provided services.
 
I gave this a try, and I get the same result unfortunately - DNS servers for the WAN side are still set to the ISP provided services.
Please show the /etc/dnsmasq.conf after dnsmasq restarts and the system log excerpt where dnsmasq has started.

Please confirm you have enabled custom scripts in the GUI and set your script to be executable (chmod 755 /jffs/scripts/dnsmasq.postconf).
 
I'm not sure why, but it seems to be working now. The thing I've changed is that I noticed the time on the router was showing the wrong timezone, so I corrected that - could timing be the issue here?

I can confirm that I have (and had before) enabled custom scripts in the GUI.

Here is the dnsmasq.postconf script I've used (a copy of yours, dave14305):
Code:
. /usr/sbin/helper.sh
pc_delete "servers-file" "$1"
pc_append "server=8.8.8.8" "$1"
pc_append "server=8.8.4.4" "$1"

That script was set to executable (755).

The resulting dnsmasq.conf file:

Code:
pid-file=/var/run/dnsmasq.pid
user=nobody
bind-dynamic
interface=br0
interface=pptp*
no-dhcp-interface=pptp*
no-resolv
no-poll
no-negcache
cache-size=1500
min-port=4096
dns-forward-max=1500
domain=lan
expand-hosts
bogus-priv
domain-needed
local=/lan/
bogus-priv
domain-needed
local=/lan/
dhcp-range=lan,192.168.0.50,192.168.0.199,255.255.255.0,86400s
dhcp-option=lan,3,192.168.0.1
dhcp-option=lan,6,45.90.28.69,45.90.30.69
dhcp-option=lan,15,lan
dhcp-option=lan,252,"\n"
dhcp-authoritative
interface=br1
dhcp-range=br1,192.168.101.2,192.168.101.254,255.255.255.0,86400s
dhcp-option=br1,3,192.168.101.1
interface=br2
dhcp-range=br2,192.168.102.2,192.168.102.254,255.255.255.0,86400s
dhcp-option=br2,3,192.168.102.1
dhcp-host=xxxxxxxx,xxxxxx,192.168.0.5
address=/use-application-dns.net/
address=/_dns.resolver.arpa/
address=/mask.icloud.com/mask-h2.icloud.com/
dhcp-name-match=set:wpad-ignore,wpad
dhcp-ignore-names=tag:wpad-ignore
address=/use-application-dns.net/
dhcp-name-match=set:wpad-ignore,wpad
dhcp-ignore-names=tag:wpad-ignore
dhcp-script=/sbin/dhcpc_lease
script-arp
edns-packet-max=1232
server=8.8.8.8
server=8.8.4.4

The log shows the following after a reboot (or in fact changing the WAN DNS entries in the GUI, which have no effect but to restart pppd, dnsmasq etc):
Code:
.
Mar  9 17:00:19 pppd[18434]: primary   DNS address 212.23.3.100
Mar  9 17:00:19 pppd[18434]: secondary DNS address 212.23.6.100
.
Mar  9 17:00:57 custom_script: Running /jffs/scripts/dnsmasq.postconf (args: /etc/dnsmasq.conf)
Mar  9 17:00:58 dnsmasq[19275]: started, version 2.90 cachesize 1500
Mar  9 17:00:58 dnsmasq[19275]: asynchronous logging enabled, queue limit is 5 messages
Mar  9 17:00:58 dnsmasq-dhcp[19275]: DHCP, IP range 192.168.102.2 -- 192.168.102.254, lease time 1d
Mar  9 17:00:58 dnsmasq-dhcp[19275]: DHCP, IP range 192.168.101.2 -- 192.168.101.254, lease time 1d
Mar  9 17:00:58 dnsmasq-dhcp[19275]: DHCP, IP range 192.168.0.50 -- 192.168.0.199, lease time 1d
Mar  9 17:00:58 dnsmasq[19275]: using nameserver 8.8.8.8#53
Mar  9 17:00:58 dnsmasq[19275]: using nameserver 8.8.4.4#53
Mar  9 17:00:58 dnsmasq[19275]: using only locally-known addresses for use-application-dns.net
Mar  9 17:00:58 dnsmasq[19275]: using only locally-known addresses for mask-h2.icloud.com
Mar  9 17:00:58 dnsmasq[19275]: using only locally-known addresses for mask.icloud.com
Mar  9 17:00:58 dnsmasq[19275]: using only locally-known addresses for _dns.resolver.arpa
Mar  9 17:00:58 dnsmasq[19275]: using only locally-known addresses for use-application-dns.net
Mar  9 17:00:58 dnsmasq[19275]: using only locally-known addresses for lan
Mar  9 17:00:58 dnsmasq[19275]: using only locally-known addresses for lan
Mar  9 17:00:58 dnsmasq[19275]: read /etc/hosts - 27 names

Is it possible to get this change reflected in the GUI?

Currently, the GUI shows the WAN DNS setting to be 'Default status : Get the DNS IP from your ISP automatically.'
 
I notice you’re telling LAN clients to use NextDNS via LAN DHCP DNS page:
That is correct. Devices on the LAN go to a NextDNS service, and I want the router to be using something else.
It's more that I'm exploring capabilities at the moment. It's easier to distinguish what device is making the calls if I can separate the router out.
 
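A way to check from the log which upstream resolvers dnsmasq last loaded, based on the "using nameserver" lines posted in the thread. This is an added example, not part of any post above; the function names and the sample log are constructed for illustration.

```shell
# Added example, not from the thread: which upstreams did dnsmasq last load?

# Print the unique addresses from the final run of "using nameserver" lines.
# Lines from other daemons are ignored; any other dnsmasq line ends a run.
active_upstreams() {
    awk '
        !/dnsmasq\[[0-9]+\]: / { next }
        /: using nameserver / {
            if (!in_run) { n = 0; split("", seen) }   # new run, start over
            in_run = 1
            match($0, /using nameserver [0-9a-fA-F:.]+/)
            addr = substr($0, RSTART + 17, RLENGTH - 17)
            if (!(addr in seen)) { seen[addr] = 1; list[++n] = addr }
            next
        }
        { in_run = 0 }
        END { for (i = 1; i <= n; i++) print list[i] }
    ' "$@"
}

# check_upstreams LOG EXPECTED...  (LOG may be "-" for stdin)
# Returns 0 if every active upstream is expected, 1 on drift, 2 if none found.
check_upstreams() {
    log=$1; shift
    active=$(active_upstreams "$log")
    [ -n "$active" ] || { echo "no dnsmasq nameserver lines found" >&2; return 2; }
    rc=0
    for addr in $active; do
        case " $* " in
            *" $addr "*) ;;
            *) echo "unexpected upstream: $addr"; rc=1 ;;
        esac
    done
    return $rc
}

sample_log() {   # constructed sample, modelled on the log lines in the thread
    cat <<'EOF'
Mar  5 14:38:17 dnsmasq[4468]: using nameserver 8.8.8.8#53
Mar  5 14:38:17 dnsmasq[4468]: using nameserver 8.8.4.4#53
Mar  5 14:40:02 pppd[6500]: primary   DNS address 212.23.3.100
Mar  5 14:40:03 dnsmasq[4468]: read /etc/hosts - 22 names
Mar  5 14:40:03 dnsmasq[4468]: using nameserver 212.23.3.100#53
Mar  5 14:40:03 dnsmasq[4468]: using nameserver 212.23.6.100#53
Mar  5 14:40:03 dnsmasq[4468]: using nameserver 212.23.3.100#53
EOF
}
# Expecting Google DNS, but the last run shows the ISP servers: drift reported.
sample_log | check_upstreams - 8.8.8.8 8.8.4.4 || echo "resolver drift detected"
```

On the router, pass the path of the saved system log in place of `-`; running it after each WAN reconnect shows whether the ISP-supplied servers have replaced the configured ones.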
