dnsmasq.conf.add config file keeps having execute attribute set

[Jeffrey Young]

I am using Merlin 388.8_4 on an AX86U-Pro. Using Diversion and Skynet (and a few of my own written scripts)

Over the last few months, I have noticed that the dnsmasq.conf.add file has the execute attribute set. After I take the execute bit off, a few days later, it is set again. I have not really nailed down what process is doing this.

Having the execute bit set on a file that does not need it is having the unintended effect of Asus's ASD process zapping the file from time to time. Particularly at system boot, which really messes things up.

Anyone else seeing this behavior? I would love to be able to lock the file so that attributes can't be set, but as almost everything runs as root, that is not happening.

 

[dave14305]

Skynet does it.

https://github.com/Adamm00/IPSet_ASUS/blob/b388084289a07e572a5f37d03d1a9f896148bf25/firewall.sh#L983

 

[Jeffrey Young]

Skynet does it.

https://github.com/Adamm00/IPSet_ASUS/blob/b388084289a07e572a5f37d03d1a9f896148bf25/firewall.sh#L983

Thanks @dave14305

@Adamm , any particular reason dnsmasq.conf.add gets the execute permission set? At least in my setup, on reboot, the file is deleted/ I am assuming it is the ASD process, but I can't be certain as the ASD log is encrypted. If I remove the execute permission and reboot, everything is fine.

 

[Twiglets]

Thanks @dave14305

@Adamm , any particular reason dnsmasq.conf.add gets the execute permission set? At least in my setup, on reboot, the file is deleted/ I am assuming it is the ASD process, but I can't be certain as the ASD log is encrypted. If I remove the execute permission and reboot, everything is fine.

On reboot my 'dnsmasq.conf.add' file does not get deleted !!!
I have made 'lots' of changes and it would be instantly noticable to me.
The ASD process is running as well.

Obvious but 'hacky' solution ... copy a MASTER copy of the 'dnsmasq.conf.add' file to '/jffs/configs' very early in the startup sequence.
(After ASD has started ... of course.)

I think it is something else doing the delete as I have Diversion, Skynet, Unbound, DNSCrpyt etc running and have never seen 'dnsmasq.conf.add' being deleted once set.

 

[dave14305]

I think it is something else doing the delete as I have Diversion, Skynet, Unbound, DNSCrpyt etc running and have never seen 'dnsmasq.conf.add' being deleted once set.

May depend on the contents, not just its presence.

 

[Jeffrey Young]

On reboot my 'dnsmasq.conf.add' file does not get deleted !!!
I have made 'lots' of changes and it would be instantly noticable to me.
The ASD process is running as well.

Obvious but 'hacky' solution ... copy a MASTER copy of the 'dnsmasq.conf.add' file to '/jffs/configs' very early in the startup sequence.
(After ASD has started ... of course.)

I think it is something else doing the delete as I have Diversion, Skynet, Unbound, DNSCrpyt etc running and have never seen 'dnsmasq.conf.add' being deleted once set.

It is a whacky one for sure. So far, over the last 6 months, I have had the file disappear twice on reboot. So, it is not consistent. My average up time is about three weeks. It seems that after three weeks some silly stuff starts to creep in and restart is in order.

I have cron job set up to remove the execute bit for now. Still, I see no reason to put the execute bit on the dnsmasq.conf.add file.

I have to say that I am not a fan of the ASD logs being encrypted. I love security, but I like to know what is happening too.

 

[Twiglets]

May depend on the contents, not just its presence.

['Teaching Grandmother to suck eggs' Mode On]
As far as I know there are only 2 'valid' ways to 'change' certain config files during normal boot up:

*******.add or ******.postconfig ... (We will ignore simply over-writing them as that should be obvious [My previous 'Hacky' solution] !!!)

These files impact the config files by adding content (.add) or after 'normal' creation manipulate the file pre-execution (.postconfig).

Both ******.add & ******.postconfig are not used by anything else, and have never been changed even if they are erroneous and contain invalid data/formats/etc.
(I know this because I have screwed up these files, because I cannot type, and the errors ALWAYS persisted !!! )

I have rebooted various routers, because of my need to tinker 100's of times !!!

These files always persisted with no change, the only reason I can imagine for the .add files to be deleted is if something is scanning or manipulating the file and the 'file open' is not closed cleanly. The file could lose its contents or effectively be 'deleted'.

Again I have not seen anything that appears to do this.
[Mode Off]

STUPID Questions:
=================

Is there anything that could be changing or interfering with the 'normal' boot up sequence ?

Faulty memory in the Router ?

Is the .add file being generated on the fly at boot up time (If so check process) ?


Finally, I would 'scatter' throughout the scripts used at boot up some simple checksum check of the 'dnsmasq.conf.add' written to a file on your USB. This would at least show you at what point the file is being changed.

This is the sort of problem that would annoy me no end !!!!

I would 'waste' lots of time to solve it ... just because I can !!!

 

[Jeffrey Young]

This is the sort of problem that would annoy me no end !!!!

Especially when it happens when you are not at home (power failure and UPS dies - which by the way, I use NUT to detect when the UPS is about to die, so I can gracefully prepare the router to have the rug pulled out from under its feet).

When the dnsmasq mod script goes poof, I lose my Active Directory DNS management, which means I loose the family single sign on services - which includes VPN.

Have already checked all my scripts. There is no reason that I can think of to add the execute bit to this file.

Hopefully Adam can look at it in the future and remedy. For now, I am hoping it was bad timing along with Asus ASD signatures and that Asus has fixed it now.

 

[bennor]

Having the execute bit set on a file that does not need it is having the unintended effect of Asus's ASD process zapping the file from time to time. Particularly at system boot, which really messes things up.

RMerlin apparently indicated that ASD is supposed exclude (whitelist) "some things" on the Asus-Merlin firmware; presumably to allow for the use of addon scripts and the use of scripting files like; firewall-start, dnsmasq-INDEX.conf.add, stubby-INDEX.yml.add, dnsmasq-sdn.postconf, and stubby-sdn.postconf.
https://www.snbforums.com/threads/more-on-asd.94670/#post-955547

Both the firmware and the device matter when reviewing asd's behaviour.

- Asuswrt-Merlin uses different asd signatures that are less restrictive than the signatures used by the stock firmware (some things are whitelisted so not to interfere with Asuswrt-Merlin)
- Very old devices may still be using asd V1
- Newer devices will be using asd V2 - that one will encrypt its log in addition to architectural improvements
- Very recent firmwares have now switched to V2.1 which should be far more CPU-efficient

The way V1, V2 and V2.1 works is different. I can't share any further details beside the fact that newer versions should be less CPU intensive.

If ASD really is the culprit and not a addon script, then perhaps ping @RMerlin to see if he has any thoughts on what might be happening. This assumes you have the dnsmasq.conf.add file in a directory that ASD is supposed to whitelist/exclude like /jffs/configs (edit to add: and some addon script isn't replacing or modifying the properly formed /jffs/configs/dnsmasq.conf.add file contents or permissions).

 

[Adamm]

I've pushed an update that fixes permissions for the file. That being said its the content of the file (or the name) that will trigger ASD, so although the execution flag was incorrectly being set it shouldnt be the direct reason for ASD nuking the file.

 

[Jeffrey Young]

I've pushed an update that fixes permissions for the file. That being said its the content of the file (or the name) that will trigger ASD, so although the execution flag was incorrectly being set it shouldnt be the direct reason for ASD nuking the file.

Thanks @Adamm

Touch wood, I have not had a recoccurance since taking the execute permission off. I get what you are saying though. It is too bad that the ASD log is now encrypted. It would have been nice to know if ASD was the reason for absolute certainty.

 

[bennor]

@Jeffrey Young as @Adamm and others indicated, the contents of the file may trigger ASD. If the issue happens again, it might help if you post the contents of the dnsmasq.conf.add file for others to review for any issues or errors. You appear to be running a good number of addon scripts including apparently your own custom scripts on the RT-AX86U Pro, perhaps one of those other scripts (other than Skynet) has started modifying the dnsmasq.conf.add file which then triggers ASD (if it's really ASD that is causing the issue).

 

[Jeffrey Young]

Sure, my dnsmasq.conf.add file

# start of dnsmasq.conf.add
# Last edited: June 21, 2025

interface=ipsec*
interface=wg*
dhcp-client-update
#all-servers
server=/youngind.ca/
server=/young.youngind.ca/192.168.189.3
server=/young.youngind.ca/192.168.189.202
server=/young.youngind.ca/10.0.0.110
server=/cloud.youngind.ca/8.8.8.8
server=/anna.youngind.ca/8.8.8.8
rebind-domain-ok=dns.msftncsi.com
rebind-domain-ok=young.youngind.ca

dhcp-host=50:7b:9d:31:2f:c2,192.168.189.6,nc,86400
dhcp-host=00:1B:A9:BF:12:8E,192.168.189.13,printer,86400
dhcp-host=E8-FB-1C-DC-B9-AB,08-26-AE-33-52-64,192.168.189.16,slyjay-ltop,3600
dhcp-host=B4:B6:86:2C:C8:88,192.168.189.17,PostPrinter,86400
dhcp-host=a2:09:6f:a1:09:6f,7C:10:C9:35:65:48,192.168.2.15,youngchurch,86400    # TP Link Repeater
dhcp-host=60:45:cb:67:73:c8,60:45:cb:67:73:c9,192.168.2.16,youngchurch,86400    # RT-AC68U Repeater
dhcp-host=84:47:09:49:c8:c7,192.168.189.7,trailer                # Bosgame MiniPC (Trailer)

dhcp-host=f8:7b:8c:15:c9:ff,192.168.2.18,ampedwireless,86400    # Amped Wireless Repeater

# Raspberry Pi's
dhcp-host=DC:A6:32:A5:82:AF,192.168.189.5,fileserver
#dhcp-host=E4:5F:01:40:78:5F,E4:5F:01:40:78:60,192.168.189.7,trailer

dhcp-option=lan,42,192.168.189.2 # ntpMerlin
ipset=/aax-eu.amazon-adsystem.com/aax-us-east.amazon-adsystem.com/asuswrt-merlin.net/asuswrt.lostrealm.ca/big.oisd.nl/bin.entware.net/cdn.staticneo.com/clarium.global.ssl.fastly.net/codeload.github.com/diversion.ch/drv.ms/entware.diversion.ch/entware.net/fls-na.amazon-adsystem.com/fwupdate.asuswrt-merlin.net/ib.adnxs.com/images-na.ssl-images-amazon.com/ir-na.amazon-adsystem.com/ir-uk.amazon-adsystem.com/localhost.localdomain/Skynet-WhitelistDomains # Skynet
ipset=/maurerr.github.io/mirrors.bfsu.edu.cn/mirrors.cernet.edu.cn/mirrors.cqupt.edu.cn/mirrors.nju.edu.cn/oisd.nl/onedrive.live.com/openstreetmap.org/pagead2.googlesyndication.com/pgl.yoyo.org/pkg.entware.net/r.ca-central-1.awstrack.me/raw.githubusercontent.com/small.oisd.nl/snbforums.com/someonewhocares.org/sourceforge.net/sunrisesunset.io/urlhaus.abuse.ch/wms-eu.amazon-adsystem.com/Skynet-WhitelistDomains # Skynet
ipset=/wms-na.amazon-adsystem.com/wms-na.assoc-amazon.com/ws-eu.amazon-adsystem.com/ws-na.amazon-adsystem.com/wxxvpdx.clicks.mlsend.com/z-na.amazon-adsystem.com/iplists.firehol.org/ipdeny.com/ipapi.co/api.db-ip.com/api.bgpview.io/asn.ipinfo.app/speedguide.net/otx.alienvault.com/github.com/astrill.com/strongpath.net/nwsrv-ns1.asus.com/pool.ntp.org/192.168.189.11/Skynet-WhitelistDomains # Skynet

As for my custom scripts. None of them touch dnsmasq.conf.add directly. Even my own custom guest network script relies on manual manipulation of the dnsmasq.postconf script (I use a custom script as I needed a LAN port to be part of the guest network, although it was inspired by YazFi).