DNS Caching Asus Stock / Merlin?


Authority
Hi - I was wondering if either the Asus stock software or the Merlin fork caches DNS? I remember Tomato had an option to capture DNS requests.

The reason I ask is I use OpenDNS and can see the DNS requests coming from my network. Typically I see hundreds from my Sonos audio system, X-Box One, etc. I am wondering why the router isn't answering these repetitive requests from the cache and if there's anything I can do to reduce them (not that I need to, I just want to understand and optimize).

Thanks in advance.
 
As long as you use the router's IP as the DNS for your clients, dnsmasq will cache responses.
 
As long as you use the router's IP as the DNS for your clients, dnsmasq will cache responses.
Thanks Merlin. That's what I thought, so I can't figure out why so many requests are still getting to OpenDNS. Any thoughts? Is there a way to see what percentage of requests are being answered by the cache, or to otherwise tweak it? It's the same requests over and over and over...
 
Some devices have their DNS hard-coded to use another server, so DHCP-assigned DNS is ignored. (I think Roku does this.) I dunno how to deal with that situation.

As merlin said, the default setup uses dnsmasq, which caches DNS requests.
 
If the IP was hard-coded, it wouldn't be doing a lookup, right? Here's what it looks like. It just seems like these are exactly the kinds of lookups dnsmasq should eliminate? And by the way, I don't have DHCP giving out the OpenDNS address... my devices are all showing only the router address for DHCP.
 

Attachments

  • Screenshot_8_2_15__7_49_PM.jpg
Some devices have their DNS hard-coded to use another server, so DHCP-assigned DNS is ignored. (I think Roku does this.) I dunno how to deal with that situation.

As merlin said, the default setup uses dnsmasq, which caches DNS requests.

I think what you meant was the devices may have a hard-coded DNS server, but in that case they wouldn't be using OpenDNS and showing up on this dashboard (unless they all happened to be hard-coded to OpenDNS, which I guess is possible but unlikely). I remember Tomato and DD-WRT had the ability to intercept DNS requests... not sure if Asus/Merlin can or does do that too?
 
There is another option that is doable, but I'm not sure how to do this on stock Asus firmware or Merlin firmware. In RouterOS or Cisco IOS you can capture DNS requests by using destination NAT. To do this you need to redirect all TCP and UDP packets that are headed to port 53 of a server other than your router/DNS server and that are going from LAN to WAN.

It would be clearer if you look at a RouterOS rule example.
I have my MikroTik RouterBOARD acting as DNS server, cache and NTP server, so I capture DNS and NTP packets like this:
Code:
#aug/ 3/2015 11:20:43 by RouterOS 6.29.1
# software id = AT1B-M27Y
#
Flags: X - disabled, I - invalid, D - dynamic 

      ;;; Hijack TCP DNS requests
      chain=dstnat action=dst-nat to-addresses=192.168.88.50 to-ports=53 
      protocol=tcp dst-port=53 log=no log-prefix="" 

      ;;; Hijack DNS requests
      chain=dstnat action=dst-nat to-addresses=192.168.88.50 to-ports=53 
      protocol=udp src-address=192.168.88.0/24 dst-address=!192.168.88.50 
      dst-port=53 log=no log-prefix="" 

      ;;; Hijack time sync requests
      chain=dstnat action=dst-nat to-addresses=192.168.88.50 to-ports=123 
      protocol=udp dst-port=123 log=no log-prefix=""
My router uses the IP address 192.168.88.50 and runs the DNS server, cache and NTP server. I find this works very well, so I don't have to configure devices, and even if you tried to sync time with microsoft.com it would be redirected to the router.
 
In RouterOS or Cisco IOS you can capture DNS requests by using destination NAT. To do this you need to redirect all TCP and UDP packets that are headed to port 53 of a server other than your router/DNS server and that are going from LAN to WAN.

I believe Tomato does this; trying to figure out if Asus/Merlin can or does! I halfway suspect a bug in the caching not being on or something?
 
I think what you meant was the devices may have a hard-coded DNS server, but in that case they wouldn't be using OpenDNS and showing up on this dashboard (unless they all happened to be hard-coded to OpenDNS, which I guess is possible but unlikely). I remember Tomato and DD-WRT had the ability to intercept DNS requests... not sure if Asus/Merlin can or does do that too?

AsusWRT most likely supports it since it supports iptables, but you probably need to set it up via the command line/scripts. Since Tomato/DD-WRT use the Linux kernel and most likely use iptables as well, to make your job a bit easier maybe you could find the script that they use.


I would like to employ the NTP redirection that System Error Message mentions in my own network...
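As an added example (my own shell script, not code from the thread, from Merlin's firmware or from any of the posters), here is the RouterOS dst-nat idea from the post above expressed as iptables DNAT rules for an Asuswrt-Merlin router, with the NTP variant as a second function. Assumptions, all labelled in the code: the LAN bridge is `br0`, dnsmasq listens on the router's LAN IP, the file is installed as `/jffs/scripts/nat-start` so the rules are re-applied whenever the firewall rebuilds the nat table, the nvram keys `lan_ipaddr` and `lan_netmask` hold the LAN address and mask, and setting `IPT=echo` turns the script into a dry run that only prints the rules.

```shell
#!/bin/sh
# Added example, not from the thread or from Merlin's firmware: the RouterOS
# dst-nat idea as iptables DNAT rules for an Asuswrt-Merlin router.
# Assumptions: LAN bridge is br0, dnsmasq answers on the router's LAN IP,
# and this file is /jffs/scripts/nat-start so it runs whenever the nat
# table is rebuilt. IPT=echo prints the rules instead of installing them.

IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-br0}"

# Delete-then-insert one DNAT rule so re-running does not stack duplicates.
# $1 = protocol, $2 = port, $3 = router LAN IP, $4 = LAN subnet (CIDR or
# address/dotted-mask, both accepted by iptables).
redirect_port_to_router() {
    proto="$1"; port="$2"; router_ip="$3"; lan_net="$4"
    # Match LAN-side traffic to the port that is NOT already aimed at the
    # router; -i keeps WAN-originated packets out of the rule entirely.
    rule="-i $LAN_IF -s $lan_net ! -d $router_ip -p $proto --dport $port -j DNAT --to-destination $router_ip:$port"
    # Word splitting of $rule is intended (values contain no spaces).
    $IPT -t nat -D PREROUTING $rule 2>/dev/null || true
    $IPT -t nat -I PREROUTING $rule
}

# DNS: both UDP and TCP 53, exactly as the RouterOS export does.
add_dns_redirect_rules() {
    redirect_port_to_router udp 53 "$1" "$2"
    redirect_port_to_router tcp 53 "$1" "$2"
}

# NTP: UDP 123. Only useful if the router itself serves NTP on port 123;
# otherwise clients would be redirected to a closed port.
add_ntp_redirect_rules() {
    redirect_port_to_router udp 123 "$1" "$2"
}

case "${1:-}" in
    dry-run)   # print the rules for a constructed 192.168.1.0/24 LAN
        IPT=echo
        add_dns_redirect_rules 192.168.1.1 192.168.1.0/24
        ;;
    install)   # on the router: LAN address and mask from nvram (assumed keys)
        LAN_IP="$(nvram get lan_ipaddr)"
        add_dns_redirect_rules "$LAN_IP" "$LAN_IP/$(nvram get lan_netmask)"
        ;;
esac
```

Run `sh nat-start dry-run` to see the four iptables commands before trusting the `install` path. Because the rules sit in PREROUTING, the router's own lookups (which originate locally and never traverse PREROUTING) are untouched, which is the "don't ruin your own router's DNS" concern raised later in the thread. The rules only catch plain port-53 DNS; a client that resolves over HTTPS (port 443) is not redirected. Merlin's DNS Filtering feature installs rules of the same shape from the GUI, so do not enable both at once.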
 
AsusWRT most likely supports it since it supports iptables, but you probably need to set it up via the command line/scripts. Since Tomato/DD-WRT use the Linux kernel and most likely use iptables as well, to make your job a bit easier maybe you could find the script that they use.


I would like to employ the NTP redirection that System Error Message mentions in my own network...
Did he say NTP redirection, or that he ran an NTP service?
 
Did he say NTP redirection, or that he ran an NTP service?

lol, you ask like you cannot take 1 second to scroll up and answer your own question. :)
 
Did he say NTP redirection, or that he ran an NTP service?
Both. In RouterOS the configuration is done manually instead of ticking boxes. Many consumer routers now are Linux based, which means it's possible to configure things manually on them too if you can access the files. It may be better to configure it manually, because for things like DNS you have to capture both TCP and UDP, and you have to set the rule to the network you want or risk accidentally ruining your own router's DNS and NTP capability, which can happen using checkboxes on a complicated network.

It's just much easier in RouterOS because it shows you all the available options immediately, so you don't need to rely on modifying files and command lines, though it has a command line as an option too.
 
There is another option that is doable, but I'm not sure how to do this on stock Asus firmware or Merlin firmware. In RouterOS or Cisco IOS you can capture DNS requests by using destination NAT. To do this you need to redirect all TCP and UDP packets that are headed to port 53 of a server other than your router/DNS server and that are going from LAN to WAN.
This feature is built into the GUI in Merlin's firmware. It is called DNS Filtering.

You can get cache stats from dnsmasq by sending it the USR1 signal.

By restarting dnsmasq with the -q option, all DNS queries will be logged to syslog, which shows whether a request is answered locally or forwarded upstream.
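The two stats methods above, as an added example (my own shell, not code from the thread, from dnsmasq or from Merlin's firmware). `dnsmasq_cache_counters` triggers the SIGUSR1 dump and pulls the counter lines out of syslog; it assumes BusyBox `pidof` and the Asuswrt log path `/tmp/syslog.log` (override with `SYSLOG=`). `dnsmasq_query_stats` reads a `-q` style query log on stdin and reports, per client and in total, how many lookups the cache answered versus how many went upstream, which is the percentage Authority asked for. The log lines embedded below are constructed samples in dnsmasq's syslog format, not real traffic. Client attribution pairs each `cached`/`forwarded` line with the most recent `query[...] NAME from CLIENT` line for the same name, so it is exact only when lookups for one name do not interleave.

```shell
#!/bin/sh
# Added example, not from the thread or from dnsmasq/Merlin: turn the two
# stats methods (SIGUSR1 counters, -q query log) into something readable.

# Dump dnsmasq's own counters to syslog and show the two summary lines
# ("cache size ..." and "queries forwarded N, queries answered locally M").
# Assumes BusyBox pidof and the Asuswrt syslog path (override via SYSLOG).
dnsmasq_cache_counters() {
    syslog="${SYSLOG:-/tmp/syslog.log}"
    kill -USR1 "$(pidof dnsmasq)" || return 1
    sleep 1
    grep -E 'dnsmasq.*(cache size|queries forwarded)' "$syslog" | tail -n 2
}

# Per-client and total cached/forwarded counts from a log-queries (-q) log
# read on stdin. A "cached" or "forwarded" line is attributed to the client
# of the latest pending query for that name; the first such line settles the
# query, so a CNAME+A answer (two "cached" lines) is counted once.
dnsmasq_query_stats() {
    awk '
        $5 ~ /^query\[/ { pending[$6] = $8; queries[$8]++; next }
        $5 == "forwarded" && ($6 in pending) {
            c = pending[$6]; delete pending[$6]
            fwd[c]++; fwd_total++; fwd_name[$6]++; next
        }
        $5 == "cached" && ($6 in pending) {
            c = pending[$6]; delete pending[$6]
            hit[c]++; hit_total++; next
        }
        END {
            for (c in queries)
                printf "client %s cached=%d forwarded=%d\n", c, hit[c]+0, fwd[c]+0
            # names that keep going upstream are the "same requests over and over"
            for (n in fwd_name)
                printf "upstream %s forwarded=%d\n", n, fwd_name[n]
            tot = hit_total + fwd_total
            printf "total cached=%d forwarded=%d hit_ratio=%d%%\n", hit_total+0, fwd_total+0, (tot ? 100 * hit_total / tot : 0)
        }'
}

# Constructed sample log in dnsmasq syslog format (not real traffic).
SAMPLE_LOG='Aug  3 19:49:01 dnsmasq[1234]: query[A] www.example.com from 192.168.1.50
Aug  3 19:49:01 dnsmasq[1234]: forwarded www.example.com to 208.67.222.222
Aug  3 19:49:01 dnsmasq[1234]: reply www.example.com is 93.184.216.34
Aug  3 19:49:05 dnsmasq[1234]: query[A] www.example.com from 192.168.1.51
Aug  3 19:49:05 dnsmasq[1234]: cached www.example.com is 93.184.216.34
Aug  3 19:49:06 dnsmasq[1234]: query[A] time.example.net from 192.168.1.60
Aug  3 19:49:06 dnsmasq[1234]: forwarded time.example.net to 208.67.222.222
Aug  3 19:49:06 dnsmasq[1234]: reply time.example.net is 198.51.100.7
Aug  3 19:49:07 dnsmasq[1234]: query[A] time.example.net from 192.168.1.60
Aug  3 19:49:07 dnsmasq[1234]: forwarded time.example.net to 208.67.222.222
Aug  3 19:49:07 dnsmasq[1234]: reply time.example.net is 198.51.100.7
Aug  3 19:49:08 dnsmasq[1234]: query[A] www.example.com from 192.168.1.50
Aug  3 19:49:08 dnsmasq[1234]: cached www.example.com is 93.184.216.34'

# Stand-alone demo on the sample; on the router use:
#   grep dnsmasq /tmp/syslog.log | dnsmasq_query_stats
printf '%s\n' "$SAMPLE_LOG" | dnsmasq_query_stats
```

On the sample the ratio comes out at 40%, and `time.example.net` shows up as the name that keeps going upstream even though the same client just asked for it, which is what a short upstream TTL looks like in this output: dnsmasq can only answer from cache for as long as the upstream record's TTL allows, so a device polling a name that is served with a TTL of a few seconds will still reach OpenDNS on nearly every lookup.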
 
I'm not sure DNS Filtering does that. I thought DNS Filtering just lets you filter DNS requests, but it doesn't capture DNS requests not sent to the router.

The other way of capturing DNS requests is by inspecting packets.
 
I'm not sure DNS Filtering does that. I thought DNS Filtering just lets you filter DNS requests, but it doesn't capture DNS requests not sent to the router.
No, that's exactly what it does. It creates NAT rules which intercept all DNS requests (tcp/udp 53) from a specified client and redirects them to another destination. One of its primary uses is circumventing geo-location of services like Netflix.
 
That's good, but because it's a checkbox it doesn't offer more options to capture other packets too. I think it's important to have routers that give you control over your network instead of relying on outside services. If a particular DNS or NTP server used by a device were down, then having NAT to intercept it will make them work normally.
 
Well Merlin's firmware allows you to write any sort of custom scripts. So if you wanted to intercept NTP requests you could. It's just that there's no user friendly GUI for it.

To be fair, the raison d'être of Merlin's firmware is to stay as close to ASUS's original whilst fixing bugs. It's not really designed to be a professional router firmware. There are probably better routers/firmwares if you need that kind of functionality.
 
Well Merlin's firmware allows you to write any sort of custom scripts. So if you wanted to intercept NTP requests you could. It's just that there's no user friendly GUI for it.

To be fair, the raison d'être of Merlin's firmware is to stay as close to ASUS's original whilst fixing bugs. It's not really designed to be a professional router firmware. There are probably better routers/firmwares if you need that kind of functionality.

I know OpenWrt has way more functionality, but Merlin firmware has stock performance for Wi-Fi and hardware NAT, and also keeps Asus-exclusive features like their cloud software and antivirus on some models.

You can run DNS benchmark to confirm if this feature is working.
 