Today I couldn't browse the internet. Remote VNC etc. all worked fine, suggesting a DNS problem. All 5 dns resolvers showed up in 'top'. Just on a hunch, I killed the dns server at the top of the 'top' list, and bam, now all browsing is good.
So here's the problem. If the fastest dns resolver is out to lunch, not dead but returning garbage, you are screwed, all the multiple redundancy isn't doing anything. Are there DNSmasq or dnscrypt-proxy options to make this work? The misbehaving resolver was d0wn-is-ns1. After that dnscrypt-proxy task was killed, web browsing came back to life.
Deleted 'all-servers' and rebooted. All 5 dns resolvers started. Unable to browse web sites. Killed only the dnscrypt-proxy that is using d0wn-is-ns1, the other 4 resolvers are still running. Web browsing ok now.
With or without 'all-servers', seems that DNSmasq is not able to determine that d0wn-is-ns1 is returning junk, and it's the fastest resolver.
Joined: 16 Nov 2015 Posts: 6437 Location: UK, London, just across the river..
Posted: Fri Jun 23, 2017 13:25 Post subject:
i run multiple DNSCrypt on R7800 31900 and its working well...so far
i haven't tried on the new versions but as far as i know
Kong was talking about interference with DDWRT time servers,
so he recommended to exclude those lines from DNSMasq config...
server=/us.pool.ntp.org/8.8.8.8
server=/us.pool.ntp.org/8.8.4.4
i removed them and its still working well for me....
Make sure you got the correct DNSCrypt addresses in their correct spelling
also to use all-servers you'd need to disable DNSCrypt from GUI _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Even all four resolvers seem to offer DNSSEC (according the dnscrypt-resolvers.csv file) they do not behave the same:
The two dnscrypt server (and other dnscrypt I tried) seem to operate correctly when DNSSEC is enabled in dnsmasq. I could operate them for several days without failures (URL are not resolved). On the other hand these servers seem sometimes down, so the availability is not perfect.
The d0wn servers behave strange with enabled DNSSEC in dnsmasq (at least what I observed), several URL are not resolved after several minutes operating (strange: all .org domains fail first). Nevertheless these server are quite fast. But together with other servers the results are more confusing (with DNSSEC).
So I came to the conclusion to disable DNSSEC. First observation is an increase in speed and reliability: My dns installation on dd-wrt router (two independent dnsmasq instances for normal and guest wifi, one instance using four dnscrypt resolver as explained above, the guest wifi uses dnscrypt opendns/cisco with content/adult filtering for my guests/kids ) seems to work correctly without issues for several weeks now. Even if one of the two dnscrypt.nl server are sometimes not available, slow or report errors.
Now whats even more interesting from my point of view:
When trying to test DNSSEC I expected a failed result, but on the test page on https://verteiltesysteme.net/ the test is passed! When using opendns as resolver the test is failed as expected. This result is according the DNSSEC field in the dnscrypt-resolve.csv file.
When using Googles dns-server (8.8.8.8 and 8.8.4.4 as resolver on my linux desktop (without DD-WRT dns functionality, without dnsmasq, without dnscrypt and without DNSSEC) the test is passed as well.
As I do not understand the process of DNSSEC I can only assume: Maybe the used resolvers validate the DNS record correctly against their source/resolvers they are using and detect wrong results. That could be the reason why the above test is passed. If that would be true in my opinion a further validation of dnsmasq on my router would not be required as the correctly validated dns records are send encrypted from the resolver to my router via dnscrypt. For me that's save enough.
Here I really would appreciate help in understanding DNSSEC: I think my assumptions about DNSSEC are too optimistic: Other test pages say DNSSEC functionality is not installed: https://internet.nl. But the Google dns-server passes this test!
Nevertheless for me DNSCRYPT, reliabilty and speed is more important then DNSSEC, so can live with disabled DNSSEC in dnsmasq. Except more fast and reliable dnscrypt-resolver would be available with stable DNSSEC.
And I do not think that this is an issue of DD-WRT or dnscrypt.
Joined: 13 Mar 2014 Posts: 856 Location: Montreal, QC
Posted: Fri Jun 23, 2017 22:42 Post subject:
Some dns resolvers such as google will do dnssec validation before replying. other dns resolvers will just forward the dnssec records leaving dnssec validation to the originating client.
the only way to know what is actually going on is manually verify the replies using dig.
when i first tested dnssec validation via dnscrypt the server i queried was actually forwarding dns queries to google. you can test which dns resolvers are being used by running dnsleaktest
) seems to work correctly without issues for several weeks now. Even if one of the two dnscrypt.nl server are sometimes not available, slow or report errors.