Disabling the built-in DNS server


maciekish

Hi,
I want to run my OpenVPN server on UDP 53 to bypass a cranky firewall. The service won't start if I switch to that port because dnsmasq is already running on it.

I'm on stock firmware. Do I need Merlin to do this, or can it be done on stock? Obviously manually killing dnsmasq after boot is not a solution; the VPN service needs to come online automagically.
 
You would need to give out public DNS servers instead. Faster routers run a DNS server because they can cache entries, which makes browsing the internet much faster.
You should run your OpenVPN server on a high-numbered port instead.
 
You would need to give out public DNS servers instead. Faster routers run a DNS server because they can cache entries, which makes browsing the internet much faster.
You should run your OpenVPN server on a high-numbered port instead.

Please read my question. Thanks.

Clients cache DNS entries just as well. This is a home network with ~10 clients on 250 Mbps fibre. I really don't need the built-in DNS.
 
The benefits of a DNS cache work well as long as you have more than one person. The issue isn't how fast your internet is, but that the router will reach you in less than 1 ms, whereas Google will take a lot longer. Where I am, Google is just 4 ms away, but with DNS caching internet browsing is much faster than if I just used Google DNS only.

When you say cranky firewall, do you mean your ISP is filtering your internet? If high-numbered ports were blocked, a lot of applications like torrents and P2P such as Skype wouldn't work properly, because they use UPnP.
 
Or to avoid creating a bunch of issues on your network: run OpenVPN on 1194, but configure iptables to accept connections on port 53/udp on the WAN interface, and forward them to the router's port 1194. Basically configure a port forward to the router itself.
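The redirect described in the post above, written out as an added example; it is not from the thread and not part of Asuswrt-Merlin's own scripts. It assumes RMerlin firmware, where a user script installed as /jffs/scripts/firewall-start is run with the WAN interface name as its first argument (both the path and the argument convention are assumptions here), and that the OpenVPN server instance stays on UDP 1194. The interface name eth0 used for the dry run is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the thread or the firmware). Assumed install path:
# /jffs/scripts/firewall-start on Asuswrt-Merlin, which is assumed to pass the
# WAN interface name as $1. Packets arriving on the WAN interface for UDP 53
# are rewritten in nat/PREROUTING to UDP 1194 before the filter table sees
# them, so dnsmasq keeps port 53 and OpenVPN keeps 1194. LAN traffic to 53
# is untouched because the rule matches on the WAN interface only.

WAN_IF="${1:-eth0}"   # eth0 is a constructed placeholder for dry runs
PUBLIC_PORT=53        # port clients connect to (what the restrictive firewall allows)
OVPN_PORT=1194        # port the OpenVPN server instance actually listens on

# Print the two rules needed, one per line:
#  1. nat/PREROUTING REDIRECT: WAN-inbound dport 53 -> 1194
#  2. filter/INPUT ACCEPT for 1194 from WAN (harmless if the firmware already
#     added an equivalent rule when the OpenVPN server was enabled)
emit_rules() {
    wan="${1:-$WAN_IF}"; pub="${2:-$PUBLIC_PORT}"; ovpn="${3:-$OVPN_PORT}"
    printf '%s\n' \
      "iptables -t nat -A PREROUTING -i $wan -p udp --dport $pub -j REDIRECT --to-ports $ovpn" \
      "iptables -I INPUT -i $wan -p udp --dport $ovpn -j ACCEPT"
}

# Turn an "-A"/"-I" rule into the matching "-C" existence check so re-running
# the script (the firmware re-runs firewall-start on every firewall restart)
# does not stack duplicate rules.
to_check() {
    printf '%s' "$1" | sed 's/ -A / -C /; s/ -I / -C /'
}

# Apply each rule only if an identical one is not already present.
apply_rules() {
    emit_rules "$@" | while IFS= read -r rule; do
        check=$(to_check "$rule")
        if ! $check 2>/dev/null; then
            $rule
        fi
    done
}

if [ -n "$1" ]; then
    # Invoked by the firmware with the WAN interface: install the rules.
    apply_rules "$1" "$PUBLIC_PORT" "$OVPN_PORT"
else
    # No interface given: dry run, just show what would be installed.
    emit_rules
fi
```

On the client side the profile then points at the public port, e.g. `remote your.host 53 udp`, while the server keeps its normal 1194 listener. After the script has run, `iptables -t nat -L PREROUTING -n -v` on the router should list the REDIRECT rule with a rising packet counter once a client attempts to connect; if the counter stays at zero the packets are not reaching the WAN interface on port 53 in the first place.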
 
Or to avoid creating a bunch of issues on your network: run OpenVPN on 1194, but configure iptables to accept connections on port 53/udp on the WAN interface, and forward them to the router's port 1194. Basically configure a port forward to the router itself.
Will that actually work? I know some VPN solutions don't like this kind of port forwarding. If yes, can it be done on stock firmware?
 
The benefits of a DNS cache work well as long as you have more than one person. The issue isn't how fast your internet is, but that the router will reach you in less than 1 ms, whereas Google will take a lot longer. Where I am, Google is just 4 ms away, but with DNS caching internet browsing is much faster than if I just used Google DNS only.

When you say cranky firewall, do you mean your ISP is filtering your internet? If high-numbered ports were blocked, a lot of applications like torrents and P2P such as Skype wouldn't work properly, because they use UPnP.

It's true that *bandwidth* doesn't matter, but a fibre connection vs ADSL etc. makes a lot of difference latency-wise. I've already been handing out 8.8.8.8 as DNS on my LAN for years. I get it, you're trying to be helpful. But all it does is waste my time. With all due respect, please only post if you actually answer my question. Thanks.
 
Will that actually work? I know some VPN solutions don't like this kind of port forwarding. If yes, can it be done on stock firmware?

Try configuring the forward directly on the Virtual Server page. If it doesn't work, then you will need to go down the custom firmware route, so you can manually create the necessary iptables entries.

I suspect OpenVPN would be OK with this since it's pretty much just a userspace SSL tunnel.
 
Will that actually work? I know some VPN solutions don't like this kind of port forwarding. If yes, can it be done on stock firmware?
That does work, but it requires some logic to figure out what to configure in the firewall. You would still need RMerlin's firmware for it. I do it where NAT cannot be used (my ISP blocks NAT), so I use a general rule to redirect traffic to the proxy.
 
Using Merlin's firmware you can create a /jffs/configs/dnsmasq.conf.add file. In that file you could specify the dnsmasq "port=0" parameter.

https://github.com/RMerl/asuswrt-merlin/wiki/Custom-config-files
http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html

So I went ahead and flashed Merlin and added /jffs/configs/dnsmasq.conf.add with port=0. Unfortunately, after rebooting the router, OpenVPN1 still fails to start and the system log says the port is in use. Any other ideas please?

The port forwarding from 53 to 1194 using stock firmware didn't work either :(
 