DNS masq related question

Marcus Yansen

Regular Contributor
Hi, I am running

Sometimes when my router reboots, DNS fails to work on my system. The internet is actually 'working', but given the failure of DNS I can't load sites; the solution is to restart the router again. When I look at the system logs I see this, but I am not sure if it has anything to do with it.
How can I see inside the dnsmasq.conf file?
I only have Skynet installed, and I am running FW Version; 102.5_alpha2-ge1d67cafe4 (Jun 30 2025) (4.19.183) on an AX-88Upro

Jul 13 12:57:22 dnsmasq[4256]: failed to create listening socket for 127.0.0.1: Address already in use
Jul 13 12:57:22 dnsmasq[4256]: FAILED to start up
Jul 13 12:57:53 rc_service: watchdog 2351:notify_rc start_dnsmasq 0
Jul 13 12:57:53 custom_script: Running /jffs/scripts/service-event (args: start dnsmasq)
Jul 13 12:57:53 custom_config: Appending content of /jffs/configs/dnsmasq.conf.add.
Jul 13 12:57:53 custom_config: Using custom /jffs/configs/dnsmasq.conf config file.
Jul 13 12:57:53 custom_script: Running /jffs/scripts/dnsmasq.postconf (args: /etc/dnsmasq.conf)
Jul 13 12:57:53 dnsmasq[4360]: failed to create listening socket for 127.0.0.1: Address already in use
Jul 13 12:57:53 dnsmasq[4360]: FAILED to start up
Jul 13 12:58:24 rc_service: watchdog 2351:notify_rc start_dnsmasq 0
Jul 13 12:58:24 custom_script: Running /jffs/scripts/service-event (args: start dnsmasq)
Jul 13 12:58:24 custom_config: Appending content of /jffs/configs/dnsmasq.conf.add.
Jul 13 12:58:24 custom_config: Using custom /jffs/configs/dnsmasq.conf config file.
Jul 13 12:58:24 custom_script: Running /jffs/scripts/dnsmasq.postconf (args: /etc/dnsmasq.conf)
Jul 13 12:58:24 dnsmasq[4447]: failed to create listening socket for 127.0.0.1: Address already in use
Jul 13 12:58:24 dnsmasq[4447]: FAILED to start up
Jul 13 12:58:55 rc_service: watchdog 2351:notify_rc start_dnsmasq 0
Jul 13 12:58:55 custom_script: Running /jffs/scripts/service-event (args: start dnsmasq)
Jul 13 12:58:55 custom_config: Appending content of /jffs/configs/dnsmasq.conf.add.
Jul 13 12:58:55 custom_config: Using custom /jffs/configs/dnsmasq.conf config file.
Jul 13 12:58:55 custom_script: Running /jffs/scripts/dnsmasq.postconf (args: /etc/dnsmasq.conf)
Jul 13 12:58:55 dnsmasq[4577]: failed to create listening socket for 127.0.0.1: Address already in use
Jul 13 12:58:55 dnsmasq[4577]: FAILED to start up
Jul 13 12:58:59 SIG_UPDATE: current sig : 2464
Jul 13 12:58:59 SIG_UPDATE: latest sig : 2464
Jul 13 12:59:26 rc_service: watchdog 2351:notify_rc start_dnsmasq 0
Jul 13 12:59:26 custom_script: Running /jffs/scripts/service-event (args: start dnsmasq)
Jul 13 12:59:26 custom_config: Appending content of /jffs/configs/dnsmasq.conf.add.
Jul 13 12:59:26 custom_config: Using custom /jffs/configs/dnsmasq.conf config file.
Jul 13 12:59:26 custom_script: Running /jffs/scripts/dnsmasq.postconf (args: /etc/dnsmasq.conf)
Jul 13 12:59:26 dnsmasq[4718]: failed to create listening socket for 127.0.0.1: Address already in use
Jul 13 13:06:40 dnsmasq[6044]: FAILED to start up
Jul 13 13:06:45 rc_service: httpds 2346:notify_rc reboot
 
Jul 13 12:57:53 custom_config: Appending content of /jffs/configs/dnsmasq.conf.add.
Jul 13 12:57:53 custom_config: Using custom /jffs/configs/dnsmasq.conf config file.
Jul 13 12:57:53 custom_script: Running /jffs/scripts/dnsmasq.postconf (args: /etc/dnsmasq.conf)
What’s in these files?
Code:
cat /jffs/scripts/dnsmasq.postconf
cat /jffs/configs/dnsmasq.conf
cat /jffs/configs/dnsmasq.conf.add
cat /etc/dnsmasq.conf
netstat -nltup | grep :53
 
As no-one else has posted about this, plus the fact that you're running alpha firmware, perhaps you could just chalk this one up to experience. Of course, if someone else can reproduce this then maybe we could make some progress.
By any chance were you running asus firmware then upgraded to the alpha without a reset?

*edit* BTW, there's a beta firmware available.
 
I only have Skynet installed, and I am running FW Version; 102.5_alpha2-ge1d67cafe4 (Jun 30 2025) (4.19.183) on an AX-88Upro
Alpha releases are unsupported experimental releases. You should expect to have problems with them. Install the last stable release and test again.

N.B. If you still want to test the newest firmware the alpha release has been superseded by the official beta release (3006_102.5_beta1).
 
My apologies, I wasn't aware (I am glad to know I should expect to have some problems). Since the alpha release has been superseded as you said, I will update to that beta then. Thank you very much for the tip @CollinTaylor.
 
My apologies, I wasn't aware (I am glad to know I should expect to have some problems). Since the alpha release has been superseded as you said, I will update to that beta then. Thank you very much for the tip @CollinTaylor.
It’s not going to be related to alpha2 versus beta1. Not much changed. Something has customized your dnsmasq and you need to run the commands to see what it is or was.
 
Maybe you should have mentioned that you are, or have been experiencing problems with Skynet too?
 
Oh wow somehow I missed the first several posts at the top, including yours. Here are the outputs of each. I also installed the ctrld script per their website instructions, and also made additional changes in the GUI DNS settings, maybe I did something wrong there? I posted a screenshot of that too and @Ripshod, thank you for letting me know that would be helpful, I didn't know if the two could be related, but to summarize, I am having trouble updating/changing the ban malware list on my skynet, I get the error [*] List Content Error Detected - Stopping Banmalware (my post for skynet issue is here: https://www.snbforums.com/threads/s...-stopping-banmalware.95185/page-2#post-961890 )

Here are the dnsmasq files in order:

cat /jffs/scripts/dnsmasq.postconf
pid=$(cat /tmp/ctrld.pid 2>/dev/null)
if [ -n "$pid" ] && [ -f "/proc/${pid}/cmdline" ]; then
pc_delete "servers-file" "$config_file" # no WAN DNS settings
pc_append "no-resolv" "$config_file" # do not read /etc/resolv.conf
# use ctrld as upstream
pc_delete "server=" "$config_file"
pc_append "server=127.0.0.1#5354" "$config_file"
pc_delete "add-mac" "$config_file"
pc_delete "add-subnet" "$config_file"
pc_append "add-mac" "$config_file" # add client mac
pc_append "add-subnet=32,128" "$config_file" # add client ip
pc_delete "dnssec" "$config_file" # disable DNSSEC
pc_delete "trust-anchor=" "$config_file" # disable DNSSEC
pc_delete "cache-size=" "$config_file"
pc_append "cache-size=0" "$config_file" # disable cache

# For John fork
pc_delete "resolv-file" "$config_file" # no WAN DNS settings

# Change /etc/resolv.conf, which may be changed by WAN DNS setup
pc_delete "nameserver" /etc/resolv.conf
pc_append "nameserver 127.0.0.1" /etc/resolv.conf

dnsmasq.conf
homenet@RT-AX88U_Pro-F4A0:/tmp/home/root#
homenet@RT-AX88U_Pro-F4A0:/tmp/home/root# cat /jffs/configs/dnsmasq.conf
pid-file=/var/run/dnsmasq.pid
user=nobody
bind-dynamic
interface=br0
interface=pptp*
no-dhcp-interface=pptp*
no-resolv
no-poll
no-negcache
min-port=4096
dns-forward-max=1500
bogus-priv
domain-needed
dhcp-range=lan,192.168.50.2,192.168.50.254,255.255.255.0,86400s
dhcp-option=lan,3,192.168.50.1
dhcp-option=lan,252,"\n"
dhcp-authoritative
no-dhcp-interface=tun22
no-dhcp-interface=tun23
address=/use-application-dns.net/
address=/_dns.resolver.arpa/
address=/mask.icloud.com/mask-h2.icloud.com/
dhcp-name-match=set:wpad-ignore,wpad
dhcp-ignore-names=tag:wpad-ignore
dhcp-script=/sbin/dhcpc_lease
script-arp
edns-packet-max=1232
ipset=/blocklist.greensnow.co/darklist.de/feodotracker.abuse.ch/iplists.firehol.org/lists.blocklist.de/myip.ms/raw.githubusercontent.com/rules.emergingthreats.net/sigs.interserver.net/blocklist.de/talosintelligence.com/voipbl.org/ipdeny.com/ipapi.co/api.db-ip.com/api.bgpview.io/asn.ipinfo.app/speedguide.net/otx.alienvault.com/github.com/Skynet-WhitelistDomains # Skynet
ipset=/astrill.com/strongpath.net/snbforums.com/bin.entware.net/nwsrv-ns1.asus.com/pool.ntp.org/asuswrt-merlin.net/asuswrt.lostrealm.ca/big.oisd.nl/codeload.github.com/diversion.ch/drv.ms/entware.diversion.ch/entware.net/fwupdate.asuswrt-merlin.net/garycnew.github.io/localhost.localdomain/maurerr.github.io/mirrors.bfsu.edu.cn/mirrors.cernet.edu.cn/Skynet-WhitelistDomains # Skynet
ipset=/mirrors.cqupt.edu.cn/mirrors.nju.edu.cn/oisd.nl/onedrive.live.com/openstreetmap.org/pgl.yoyo.org/pkg.entware.net/small.oisd.nl/someonewhocares.org/sourceforge.net/sunrisesunset.io/urlhaus.abuse.ch/Skynet-WhitelistDomains # Skynet

dnsmasq.conf.add
/tmp/home/root# cat /jffs/configs/dnsmasq.conf.add
ipset=/blocklist.greensnow.co/darklist.de/feodotracker.abuse.ch/iplists.firehol.org/lists.blocklist.de/myip.ms/raw.githubusercontent.com/rules.emergingthreats.net/sigs.interserver.net/blocklist.de/talosintelligence.com/voipbl.org/ipdeny.com/ipapi.co/api.db-ip.com/api.bgpview.io/asn.ipinfo.app/speedguide.net/otx.alienvault.com/github.com/Skynet-WhitelistDomains # Skynet
ipset=/astrill.com/strongpath.net/snbforums.com/bin.entware.net/nwsrv-ns1.asus.com/pool.ntp.org/asuswrt-merlin.net/asuswrt.lostrealm.ca/big.oisd.nl/codeload.github.com/diversion.ch/drv.ms/entware.diversion.ch/entware.net/fwupdate.asuswrt-merlin.net/garycnew.github.io/localhost.localdomain/maurerr.github.io/mirrors.bfsu.edu.cn/mirrors.cernet.edu.cn/Skynet-WhitelistDomains # Skynet
ipset=/mirrors.cqupt.edu.cn/mirrors.nju.edu.cn/oisd.nl/onedrive.live.com/openstreetmap.org/pgl.yoyo.org/pkg.entware.net/small.oisd.nl/someonewhocares.org/sourceforge.net/sunrisesunset.io/urlhaus.abuse.ch/Skynet-WhitelistDomains # Skynet

etc dnsmasq.conf
ASUSWRT-Merlin RT-AX88U_PRO 3006.102.5_beta1 Sat Jul 5 17:13:21 UTC 2025
homenet@RT-AX88U_Pro-F4A0:/tmp/home/root# cat /etc/dnsmasq.conf
pid-file=/var/run/dnsmasq.pid
user=nobody
bind-dynamic
interface=br0
interface=pptp*
no-dhcp-interface=pptp*
no-resolv
no-poll
no-negcache
min-port=4096
dns-forward-max=1500
bogus-priv
domain-needed
dhcp-range=lan,192.168.50.2,192.168.50.254,255.255.255.0,86400s
dhcp-option=lan,3,192.168.50.1
dhcp-option=lan,252,"\n"
dhcp-authoritative
no-dhcp-interface=tun22
no-dhcp-interface=tun23
address=/use-application-dns.net/
address=/_dns.resolver.arpa/
address=/mask.icloud.com/mask-h2.icloud.com/
dhcp-name-match=set:wpad-ignore,wpad
dhcp-ignore-names=tag:wpad-ignore
dhcp-script=/sbin/dhcpc_lease
script-arp
edns-packet-max=1232
ipset=/blocklist.greensnow.co/darklist.de/feodotracker.abuse.ch/iplists.firehol.org/lists.blocklist.de/myip.ms/raw.githubusercontent.com/rules.emergingthreats.net/sigs.interserver.net/blocklist.de/talosintelligence.com/voipbl.org/ipdeny.com/ipapi.co/api.db-ip.com/api.bgpview.io/asn.ipinfo.app/speedguide.net/otx.alienvault.com/github.com/Skynet-WhitelistDomains # Skynet
ipset=/astrill.com/strongpath.net/snbforums.com/bin.entware.net/nwsrv-ns1.asus.com/pool.ntp.org/asuswrt-merlin.net/asuswrt.lostrealm.ca/big.oisd.nl/codeload.github.com/diversion.ch/drv.ms/entware.diversion.ch/entware.net/fwupdate.asuswrt-merlin.net/garycnew.github.io/localhost.localdomain/maurerr.github.io/mirrors.bfsu.edu.cn/mirrors.cernet.edu.cn/Skynet-WhitelistDomains # Skynet
ipset=/mirrors.cqupt.edu.cn/mirrors.nju.edu.cn/oisd.nl/onedrive.live.com/openstreetmap.org/pgl.yoyo.org/pkg.entware.net/small.oisd.nl/someonewhocares.org/sourceforge.net/sunrisesunset.io/urlhaus.abuse.ch/Skynet-WhitelistDomains # Skynet
no-resolv
no-resolv
server=127.0.0.1#53
add-mac
add-subnet=32,128
cache-size=0

netstat -nltup
tcp 0 0 192.168.2.5:53 0.0.0.0:* LISTEN 2720/ctrld
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 2720/ctrld
udp 0 0 192.168.2.5:53 0.0.0.0:* 2720/ctrld
udp 0 0 127.0.0.1:53 0.0.0.0:* 2720/ctrld
udp 0 0 0.0.0.0:5353 0.0.0.0:* 4106/avahi-daemon:
udp 0 0 0.0.0.0:5353 0.0.0.0:* 2720/ctrld
udp 0 0 0.0.0.0:5353 0.0.0.0:* 2720/ctrld
udp 0 0 0.0.0.0:5353 0.0.0.0:* 2720/ctrld
udp 0 0 0.0.0.0:5353 0.0.0.0:* 2720/ctrld
udp 0 0 0.0.0.0:5353 0.0.0.0:* 2720/ctrld
udp 0 0 0.0.0.0:5353 0.0.0.0:* 2720/ctrld
udp 0 0 0.0.0.0:5353 0.0.0.0:* 2720/ctrld
udp 0 0 0.0.0.0:5353 0.0.0.0:* 2720/ctrld
udp 0 0 0.0.0.0:5353 0.0.0.0:* 2720/ctrld

 
Pro tip: update your forum signature with everything installed.
Done.
Unfortunately after a hard reset, and re-formatting my disk as well and re-installing everything the other issue that I am having with Skynet exists, but the dnsmasq issue I opened this thread for I'll keep an eye out to see if it keeps happening as well.
 
Hi, although this is not about the dnsmasq issue I opened this thread for - it is for my other thread on the Skynet issue with updating the list - I believe I figured out the culprit - it is controld - I switched DNS to Google and everything seems to work fine. I am going to post a final update after several tries when I am sure it is not just a fluke.
 
I’m not confident that ctrld will have predictable results given how unusual their approach to modifying dnsmasq is. Never ever heard any reports like they mention in their change, but I’ve never run their software either.
 
I mean I could configure their DNS the manual way through WAN DNS settings and adding the unique resolver as well - perhaps if I face issues I will try that approach.
That commit you linked, I am not sure if it has been implemented?
But I am open to any suggestions. If I continue to face dnsmasq issues, then maybe I will remove the ctrld daemon and set up controld on the router the manual / 'old school' way, like through the WAN settings on the GUI then - would that be your suggestion?
 
would that be your suggestion?
When you start facing problems, simplify. Most of the “extra” DNS software available for these routers is written in Go language (AGH, NextDNS, Control-D). And they all seem to struggle to integrate cleanly with the firmware.

The beta1 has updated Control D settings for DNS Privacy (DoT) if you want to try it. But I only use my ISP DNS servers with regular DNS with the “Hagezi Light” block list via a small custom script.
 
When you start facing problems, simplify. Most of the “extra” DNS software available for these routers is written in Go language (AGH, NextDNS, Control-D). And they all seem to struggle to integrate cleanly with the firmware.

The beta1 has updated Control D settings for DNS Privacy (DoT) if you want to try it. But I only use my ISP DNS servers with regular DNS with the “Hagezi Light” block list via a small custom script.

For sure, and sorry, lesson has been definitely learned lol - sorry to take so much of everyone's valuable time here and I hope and will give back. But I will take a different approach to laying out my question next time. It's good to know about the potential conflict between these DNS daemons and the custom FW routers. Just to make sure I am on the same page with you, you mean that I can consider inputting my DNS info here instead of using the daemon, correct? I will try this out if I experience any issues at all with the current setup (so if I experience an issue with dnsmasq or updating Skynet as in my other post).



For what it's worth this is what the instructions say for DNS Servers, if using static WAN, to assign the legacy ControlD DNS (that's unique to your account) - currently mine shows Google, I will change it when I modify it to controld.
  • If you are using a static WAN configuration on your Asus Merlin router, set the DNS server fields to your unique Control D legacy DNS resolver IPv4 addresses provided for your Endpoint (these are shown in your Control D dashboard when you create or edit an Endpoint).
All the other options starting at forward local domain to preset servers, I have set according to ControlD instructions.

And for the "DNS-over-TLS Server List (Max Limit : 8)" this is what controld says to do:
  • IP Address field: Leave this blank, or enter 0.0.0.0 if the field requires something, unless the router requires a bootstrap IP—then use 76.76.2.22 or 76.76.10.22.
  • DNS-over-TLS field: Use your resolver’s FQDN, for example: abcd1234.dns.controld.com (get this from your Endpoint page). <-- Doesn't seem to apply to me...
  • TLS Hostname field: Also input your unique resolver host, like abcd1234.dns.controld.com.
  • For the TLS Port field on your Asus Merlin router, enter 853. This is the standard port for DNS-over-TLS, and it’s what Control D uses.
  • You can leave the SPKI Fingerprint field blank when configuring Control D on your Asus Merlin router—it’s not required for Control D DNS-over-TLS operation. Control D doesn’t
  • You can ignore the Preset Servers option on the Asus Merlin router when using Control D. Instead, use the Custom option and manually enter your unique Control D DNS IPv4 addresses in the DNS server fields.
Also LAN settings set to no for "Advertise router's IP in addition to user-specified DNS":
  • Set that option to no. If you set it to yes, your router will advertise its own IP as a DNS server, which can cause some devices to bypass your Control D settings and use the router for DNS instead. By setting it to no, you make sure only your specified Control D DNS servers are distributed to devices on your network.
  • If your router is using Control D DNS, it means all DNS queries handled by the router will go through Control D. However, if you advertise the router's IP to your devices (by setting that option to yes), your devices might use the router as their DNS server instead of going directly to Control D. This usually works, since the router forwards queries to Control D, but there are caveats:
    • Some advanced features, like device-based analytics or client-specific rules, may not work because all requests look like they come from the router.
    • If the router's forwarding stops for any reason, devices fall back to the router's DNS, which might not be what you want.
  • Setting it to no ensures devices will use the Control D resolvers directly—this provides the most control and visibility. If you only want basic filtering and don’t need device-level analytics, you can set it to yes, but for best results and all of Control D's features, no is the way to go.

Thanks very much again for the help!
 
Did your ctrld listener port change recently from port 5354 to 53? The dnsmasq.postconf suggests it was 5354, but the netstat and /etc/dnsmasq.conf show ctrld listening on port 53 and 5353 now, which could also explain the original dnsmasq startup failure.
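
The cross-check described in the last post, as an added example that is not part of the thread and not code from ctrld or Asuswrt-Merlin: it lists which non-dnsmasq process holds port 53 and tests whether each `server=` upstream in dnsmasq.conf points at a live listener. The function names and `SAMPLE_*` variables are hypothetical, and the sample data is constructed by trimming the outputs posted above.

```shell
#!/bin/sh
# Constructed sample: trimmed from the `netstat -nltup | grep :53` output in this thread.
SAMPLE_NETSTAT='tcp 0 0 192.168.2.5:53 0.0.0.0:* LISTEN 2720/ctrld
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 2720/ctrld
udp 0 0 192.168.2.5:53 0.0.0.0:* 2720/ctrld
udp 0 0 127.0.0.1:53 0.0.0.0:* 2720/ctrld
udp 0 0 0.0.0.0:5353 0.0.0.0:* 4106/avahi-daemon:'

# Constructed sample: a few lines from the posted /etc/dnsmasq.conf.
SAMPLE_CONF='bind-dynamic
interface=br0
no-resolv
server=127.0.0.1#53
cache-size=0'

# Print "addr owner" once for every port-53 socket NOT owned by dnsmasq.
# $1 = netstat text. Any line printed here can block dnsmasq from binding.
port53_owners() {
  printf '%s\n' "$1" | awk '$4 ~ /:53$/ {
    o = $NF; sub(/^[0-9]+\//, "", o); sub(/:$/, "", o)   # "2720/ctrld" -> "ctrld"
    if (o != "dnsmasq" && !seen[$4 " " o]++) print $4, o
  }'
}

# For each "server=IP#PORT" line, report one of:
#   conflict OWNER  upstream is on port 53, the port dnsmasq itself must bind
#   ok OWNER        upstream port has a listener other than dnsmasq's own port
#   dead -          nothing listens there, so forwarded queries go nowhere
# $1 = netstat text, $2 = dnsmasq.conf text.
upstream_check() {
  printf '%s\n' "$2" | sed -n 's/^server=\([0-9.]*\)#\([0-9]*\)$/\1 \2/p' |
  while read -r ip port; do
    owner=$(printf '%s\n' "$1" | awk -v a="$ip:$port" -v w="0.0.0.0:$port" '
      $4 == a || $4 == w {
        o = $NF; sub(/^[0-9]+\//, "", o); sub(/:$/, "", o); print o; exit
      }')
    if [ -z "$owner" ]; then
      echo "server=${ip}#${port} dead -"
    elif [ "$port" = 53 ]; then
      echo "server=${ip}#${port} conflict ${owner}"
    else
      echo "server=${ip}#${port} ok ${owner}"
    fi
  done
}

# Stand-alone run on the constructed samples. On the router, pass
# "$(netstat -nltup)" and "$(cat /etc/dnsmasq.conf)" instead.
port53_owners "$SAMPLE_NETSTAT"
upstream_check "$SAMPLE_NETSTAT" "$SAMPLE_CONF"
```

With the posted data, the 5354 upstream that dnsmasq.postconf writes comes back `dead`, while the 53 upstream in /etc/dnsmasq.conf comes back `conflict ctrld`, which matches the "Address already in use" lines in the log.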
 
