Recursive DNS Resolving vs DNSMasq - Kong 31100M

mkaand
DD-WRT User


Joined: 06 Jan 2008
Posts: 307
Location: Istanbul

Posted: Sat Jun 17, 2017 23:32    Post subject: Recursive DNS Resolving vs DNSMasq - Kong 31100M
I want to secure my internet connection. I have a WRT1900ACv1 router and Kong's 31100M firmware. I use DNSMasq for blocking some hosts. If I disable Recursive DNS Resolving, DNSMasq is working but:

ipleak.net and whoer.net say there is a DNS leak; http://en.conn.internet.nl says DNSSEC is OK.

Here is my dnsmasq.conf

Code:
interface=br0,ath0.1
resolv-file=/tmp/resolv.dnsmasq
strict-order
domain=xxxxxxxxxxxxxxxx
dhcp-leasefile=/tmp/dnsmasq.leases
dhcp-lease-max=107
dhcp-option=br0,3,192.168.20.1
dhcp-option=ath0.1,3,192.168.21.1
dhcp-authoritative
dhcp-range=br0,192.168.20.100,192.168.20.149,255.255.255.0,1440m
dhcp-range=ath0.1,192.168.21.100,192.168.21.149,255.255.255.0,3600m
stop-dns-rebind
proxy-dnssec
address=/xxxxxxxxxxxxxxxxx/192.168.20.1
address=/api.netdrive.net/127.0.0.1
address=/keystone.mwbsys.com/127.0.0.1
address=/telemetry.malwarebytes.com/127.0.0.1
address=/idb.iobit.com/127.0.0.1
address=/asc55.iobit.com/127.0.0.1
address=/is360.iobit.com/127.0.0.1
address=/asc.iobit.com/127.0.0.1
address=/pf.iobit.com/127.0.0.1
address=/www.iana.org/127.0.0.1
address=/iunins.iobit.com/127.0.0.1
address=/sd.iobit.com/127.0.0.1
address=/apowersoft.com/127.0.0.1
address=/tonec.com/127.0.0.1
address=/www.tonec.com/127.0.0.1
address=/registeridm.com/127.0.0.1
address=/www.registeridm.com/127.0.0.1
address=/secure.registeridm.com/127.0.0.1
address=/internetdownloadmanager.com/127.0.0.1
address=/www.internetdownloadmanager.com/127.0.0.1
address=/secure.internetdownloadmanager.com/127.0.0.1
address=/mirror.internetdownloadmanager.com/127.0.0.1
address=/mirror2.internetdownloadmanager.com/127.0.0.1
address=/mirror3.internetdownloadmanager.com/127.0.0.1


If I enable Recursive DNS Resolving, ipleak.net and whoer.net say there is no DNS leak, but I can resolve all of the above hosts. (I cannot block hosts.)

I need help. I want to block some of the hosts (above) but at the same time I want to use Recursive DNS Resolving, but how? Thanks.

_________________
Kaan's World | @mkaand | PLEX Archive | Trakt.tv
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 6268
Location: Texas

Posted: Sun Jun 18, 2017 16:42
1. Using 'Recursive DNS Resolving' you no longer are using DNSMasq for name resolution.

2. You would need to work on the unbound.conf -- see >> cat /tmp/unbound.conf

' there is an old script to convert Dan Pollock's ad blocking hosts file into Unbound local-data '
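
Added example (not part of the thread, and not the script mrjcd refers to): a shell function that turns dnsmasq `address=/name/ip` entries like those in the first post into Unbound `local-zone`/`local-data` lines, dropping names already covered by a listed parent domain. It assumes the output goes into the `server:` section of unbound.conf; `dnsmasq_to_unbound` and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: convert dnsmasq "address=/name[/name...]/ip" entries (stdin)
# into Unbound local-zone/local-data lines (stdout).
# A "redirect" zone answers for the name and all of its subdomains, which is
# also how dnsmasq treats address=/name/ip.
dnsmasq_to_unbound() {
    awk -F/ '
    /^address=\// && NF >= 3 && $NF != "" {
        for (i = 2; i < NF; i++) {
            n = tolower($i)
            if (n != "" && !(n in ip)) { ip[n] = $NF; order[++cnt] = n }
        }
    }
    END {
        for (k = 1; k <= cnt; k++) {
            n = order[k]; p = n; covered = 0
            # Walk up the parent domains; skip n if a parent with the
            # same target is listed, since its redirect zone covers n.
            while (sub(/^[^.]+\./, "", p))
                if ((p in ip) && ip[p] == ip[n]) { covered = 1; break }
            if (covered) continue
            rr = (ip[n] ~ /:/) ? "AAAA" : "A"
            printf "local-zone: \"%s\" redirect\n", n
            printf "local-data: \"%s %s %s\"\n", n, rr, ip[n]
        }
    }'
}

# Constructed sample: a few lines in the format of the dnsmasq.conf above.
SAMPLE='interface=br0,ath0.1
address=/tonec.com/127.0.0.1
address=/www.tonec.com/127.0.0.1
address=/api.netdrive.net/127.0.0.1'

printf '%s\n' "$SAMPLE" | dnsmasq_to_unbound
```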
mkaand
DD-WRT User


Joined: 06 Jan 2008
Posts: 307
Location: Istanbul

Posted: Mon Jun 19, 2017 6:24
mrjcd wrote:
1. Using 'Recursive DNS Resolving' you no longer are using DNSMasq for name resolution.

2. You would need to work on the unbound.conf -- see >> cat /tmp/unbound.conf

' there is an old script to convert Dan Pollock's ad blocking hosts file into Unbound local-data '


Thank you very much for your fast response. I will check the link, but I found this, maybe it can fix my problem. Do you know how to change unbound's default listening port 53?



Last edited by mkaand on Wed Jun 21, 2017 11:45; edited 1 time in total
mkaand
DD-WRT User


Joined: 06 Jan 2008
Posts: 307
Location: Istanbul

Posted: Mon Jun 19, 2017 8:39
I am trying to fix the dnsmasq/unbound war with the following code. It looks OK, but something adds port= 0 to dnsmasq.conf. I need help, please.

Code:
sleep 10
stopservice unbound
sleep 10
sed -i '/server:/ a\port: 5353\' /tmp/unbound.conf
startservice unbound
sleep 5
stopservice dnsmasq
sleep 10
sed -i '/port=0/d' /tmp/dnsmasq.conf
sed -i '/resolv-file=\/tmp\/resolv.dnsmasq/d' /tmp/dnsmasq.conf
startservice dnsmasq


I added these lines to dnsmasq additional options:

Code:
proxy-dnssec
no-resolv
server=127.0.0.1#5353

mkaand
DD-WRT User


Joined: 06 Jan 2008
Posts: 307
Location: Istanbul

Posted: Wed Jun 21, 2017 11:42
I made a solution for getting Unbound (Recursive DNS Resolving) and DNSMasq working together.

Here is my startup script:

Code:
# Working Together v1.0 (Unbound & DNSMasq)
# This startup script fixes battle of Unbound vs DNSMasq
# Written by Kaan Dogan - 21.06.2017

sleep 10
stopservice unbound
stopservice dnsmasq
sed -i '/server:/ a\port: 5153\' /tmp/unbound.conf
unbound -c /tmp/unbound.conf

sed -i '/port=0/d' /tmp/dnsmasq.conf
sed -i '/resolv-file=\/tmp\/resolv.dnsmasq/d' /tmp/dnsmasq.conf
dnsmasq --conf-file=/tmp/dnsmasq.conf


And here is Additional DNSMasq Options:

Code:
proxy-dnssec
no-resolv
port= 53
server=127.0.0.1#5153

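
Added example, not part of the thread: a shell check that the final configuration above really chains dnsmasq to Unbound, i.e. Unbound is off port 53, dnsmasq's DNS is not switched off by `port=0`, and every dnsmasq upstream is the local Unbound port. `check_chain` and the sample files are constructed for illustration; on the router the arguments would be the /tmp/dnsmasq.conf and /tmp/unbound.conf named in the posts.

```shell
#!/bin/sh
# Added example: lint the dnsmasq -> Unbound forwarding chain.
check_chain() {   # usage: check_chain <dnsmasq.conf> <unbound.conf>
    dm=$1; ub=$2; bad=0
    # Port Unbound listens on ("port: N" in the server: section).
    uport=$(sed -n 's/^[[:space:]]*port:[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$ub" | head -n 1)
    if [ -z "$uport" ] || [ "$uport" = 53 ]; then
        echo "unbound: not moved off port 53, it will collide with dnsmasq"; bad=1
    fi
    # port=0 switches dnsmasq's DNS off, so address= blocks never apply.
    if grep -Eq '^port=[[:space:]]*0[[:space:]]*$' "$dm"; then
        echo "dnsmasq: port=0 present, DNS function disabled"; bad=1
    fi
    # Without no-resolv, dnsmasq also forwards to the resolv-file servers.
    if ! grep -q '^no-resolv' "$dm"; then
        echo "dnsmasq: no-resolv missing, queries can bypass Unbound"; bad=1
    fi
    # Every upstream must be the local Unbound instance.
    ups=$(sed -n 's/^server=//p' "$dm")
    [ -n "$ups" ] || { echo "dnsmasq: no server= upstream"; bad=1; }
    for s in $ups; do
        [ "$s" = "127.0.0.1#$uport" ] || { echo "dnsmasq: upstream $s is not Unbound"; bad=1; }
    done
    return "$bad"
}

# Constructed sample files mirroring the final configuration in the thread.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
printf 'server:\nport: 5153\n' > "$TMP/unbound.conf"
printf 'proxy-dnssec\nno-resolv\nport= 53\nserver=127.0.0.1#5153\n' > "$TMP/dnsmasq.conf"
if check_chain "$TMP/dnsmasq.conf" "$TMP/unbound.conf"; then echo "chain OK"; fi
```

Because `proxy-dnssec` makes dnsmasq pass on the upstream's validation result rather than validating itself, the upstream check is the one that matters most: a stray `server=` pointing elsewhere changes who is trusted for DNSSEC.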