What's new

DHCP and DNS config help on RT-AX86U

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

wardonc

New Around Here
Greetings,

I am using an ASUS RT-AX86U router (with current firmware 3.0.0.4.386_49599) on my LAN. I also have a separate DNS system on the LAN to provide all DNS resolution. The ASUS router is configured (LAN -> DHCP Server) to the IPv4/IPv6 addresses of the DNS system.

screen1.png


When checking the DNS servers on any system (android, linux, windows) connected to the LAN, all report the IPv4 address of the DNS system and the IPv4/IPv6 addresses of the router (gateway), that is:
Code:
10.0.1.10
10.0.1.254
2600:1700:1ab1:1890::48

What is expect is the IPv4/IPv6 addresses of the DNS system, i.e.,
Code:
10.0.1.10
2600:1700:1ab1:1890::c2c

Because the router's DHCP reports the router's IPv4/IPv6 gateway addresses as DNS addresses the ASUS router is configured (WAN -> Internet Connection) to the IPv4 address of the DNS system (it does not accept IPv6). This prevents DNS leakage.

screen2.png


The router consistently fails, via DHCP, to report the IPv6 address of the assigned DNS. The router also always reports, via DHCP, the IPv4/IPv6 gateway addresses of the router as DNS. What is expected is for the router to report, via DHCP, the configured IPv4/IPv6 addresses only assigned to DNS - not the gateway addresses as DNS. Is the router misconfigured, the expected behavior wrong or is this just the way the firmware works?

TIA!
 
These are known problems with the stock firmware. If you were to install Merlin's firmware you'd have more control over DHCP and DNS (e.g. the router not including its own DNS address).
 
These are known problems with the stock firmware. If you were to install Merlin's firmware you'd have more control over DHCP and DNS (e.g. the router not including its own DNS address).
Thanks much! Merlin is on the TODO list. Just wanted to clarify the odd behavior being observed before moving to Merlin.
 
It’s available in 388 code stock Asuswrt, currently in beta for AX86U, stable coming soon. I had issues with Asuswrt-Merlin 386.7_2 on my AX86U router. Use 386.5_2 release, if you want to try Asuswrt-Merlin extra features.
 
It’s available in 388 code stock Asuswrt, currently in beta for AX86U, stable coming soon. I had issues with Asuswrt-Merlin 386.7_2 on my AX86U router. Use 386.5_2 release, if you want to try Asuswrt-Merlin extra features.
I have installed Merlin 386.7_2 with no change in behavior, still reports router IPv4/IPv6 addresses via DHCP as DNS. Do not see any means to change this behavior via webgui. Is it possible to change the behavior via dnsmasq config or is this issue with the firmware code itself?

Note that the nework works as intended, all DNS requests go through my local DNS since both LAN and WAN DNS point to the local DNS on the LAN. Just a quirky setup and the DHCP is not RFC compliant.

Thanks!
 
LAN > DHCP Server > Advertise router's IP in addition to user-specified DNS = No
 
LAN > DHCP Server > Advertise router's IP in addition to user-specified DNS = No
OUCH!!! In plain sight...there is a downside to sobriety...

OK, made the change but still a glitch but the change moves in the right direction. DHCP still reports the router IPv6 address as DNS but no longer reports the router IPv4 address as DNS. Also, DHCP still does not report the assigned IPv6 DNS address.

screen3.png


What devices on the LAN see:

Code:
10.0.1.10
2600:1700:1ab1:1890::48    <- router IPv6 address (gateway)

For giggles, also changed IPv6 -> IPv6 DNS Setting -> Connect to DNS server automatically from "Disable" to "Enable" which made no difference.

screen4.png


Merlin 386.7_2 does not quite resolve the quirk. But again, not a show stopper as it can be worked around. Tech9 indicates stock 388 resolves the issue so I'll wait for it to get out of beta. If you haven't guessed, I'm new to ASUS routers so don't know their quirks yet.

I did notice that Merlin is bit slower than stock, lost 20Mbps on Merlin, down to 930Mbs from 950Mbs on stock. I'm assuming Merlin is a bit more code bulky so a tad slower. Correct? Not a functional issue, got plenty of speed. Love the router...it smokes!

enjoy...
 
The IPv6 DNS address given out by DHCP has been discussed in the past. I think @dave14305 posted a dnsmasq.postconf user script that could be used to customise it as required.

I did notice that Merlin is bit slower than stock, lost 20Mbps on Merlin, down to 930Mbs from 950Mbs on stock. I'm assuming Merlin is a bit more code bulky so a tad slower. Correct?
No, there should be no speed difference. The core network code is identical to that of stock firmware (for a given GPL version). There might be slight differences depending on the GPL version from one release to another but they should be negligible.
 
Last edited:
The IPv6 DNS address given out by DHCP has been discussed in the past. I think @dave14305 posted a dnsmasq.postconf user script that could be used to customise it as required.


No, there should be no speed difference. The core network code is identical to that of stock firmware (for a given GPL version). There might be slight differences depending on the GPL version from one release to another but they should be negligible.
Thanks much for the info!
 
The IPv6 DNS address given out by DHCP has been discussed in the past. I think @dave14305 posted a dnsmasq.postconf user script that could be used to customise it as required.
I didn’t really remember doing it, but if Colin said so, it’s probably true:
 
I don’t know if it resolves your issue, 388 code Asuswrt just has the same GUI settings for DHCP as Asuswrt-Merlin.
Thanks for the clarification.

OK, installed the current 388 beta (9.0.0.4.388_20477) and the issues still exist: 1) the IPv6 DNS address is not advertised even though configured, and, 2) the router IPv6 gateway address is always advertised as a nameserver even though DHCP is configured. Item 1 looks like a bug. Item 2 is problematic from the standpoint of DNS security (renders local DNS insecure) and DNS practice. Whether item 2 is a bug, misunderstanding of DNS practice, an intentional "feature" or nefarious, only ASUS can say. IMHO item 2 warrants a CVE if there isn't one already (haven't looked).

In summary, and for the benefit of others who secure DNS with local DNS server(s), be aware that simply configuring DHCP to advertise you local DNS server(s) on your local LAN will not result in secure DNS as expected. This is due to the fact that ASUSWRT will always advertise the gateway (router) as a DNS server silently. Functionally this means, in most OS environments, some DNS queries will be securely resolved by the local DNS and others by whatever DNS is configured for the WAN, which is insecure by definition. To ensure local DNS server(s) on the LAN are always used requires the following steps in configuration:

  1. In "LAN -> DHCP Server" enable DHCP and enter your local DNS address(es_).
  2. If the configuration item "LAN -> DHCP Server -> DNS and WINS Server Settings -> Advertise the router's IP in addition to user-specified DNS" exists then click the "No" radio button (as of this date this does not work correctly but don't worry about it step 3 "fixes" it).
  3. In "WAN -> Internet Connection -> WAN DNS Settings -> DNS server" click the "Assign" button. In the pop-up "DNS List" scroll down to "Manual Settings", click the radio button to select, enter your local DNS server address(es) (only IPv4 accepted as of this date) then click the "OK" button.
  4. Click the "Apply" button to apply your changes.
  5. Power-cycle or reset the router to force all devices on the LAN to update via DHCP and your good to go, all DNS will be resolved by your local DNS server(s).
enjoy...HTH
 
Last edited:

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top