Menu
What's new
By:
Filters Better Search

Issue with vpn client 'Accept DNS Configuration' parameter

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Re-reading the strict-order man entry for the tenth times or so, I am even more convinced than before that this option is simply useless, as it does not work the way people expect (it will not guarantee that a given server will be used first, since dnsmasq will always go with what was the last known working server). Therefore I intend to remove the Strict option, and relabel the options:

"Ignore", "Accept" and "Exclusive".
 
RMerlin said:
Re-reading the strict-order man entry for the tenth times or so, I am even more convinced than before that this option is simply useless, as it does not work the way people expect (it will not guarantee that a given server will be used first, since dnsmasq will always go with what was the last known working server). Therefore I intend to remove the Strict option, and relabel the options:

"Ignore", "Accept" and "Exclusive".
Click to expand...
Sorry, but I have to disagree with this one. It's always worked in the way I would expect accessing in order as verified by dumping the dnsmasq stats.
 
john9527 said:
Sorry, but I have to disagree with this one. It's always worked in the way I would expect accessing in order as verified by dumping the dnsmasq stats.
Click to expand...

They aren't processed in reverse orders for you (meaning ISP would be used first)?

One problem with this idea as well is since dnsmasq will always go with the last known working DNS, if the tunnel's DNS fails to respond to a request, it might no longer get used by the tunnel until dnsmasq gets restarted, as dnsmasq would have moved to another DNS (typically your ISP's).
 
RMerlin said:
They aren't processed in reverse orders for you (meaning ISP would be used first)?

One problem with this idea as well is since dnsmasq will always go with the last known working DNS, if the tunnel's DNS fails to respond to a request, it might no longer get used by the tunnel until dnsmasq gets restarted, as dnsmasq would have moved to another DNS (typically your ISP's).
Click to expand...
Let me go back through my notes. I seem to vaguely remember there was a quirk (maybe you had to add the serves in reverse order of how you wanted them accessed??). I found it when I added a hidden option for one of my users who wanted a 'reverse strict' so he could use a local DNS server first and fall back to the VPN servers if his failed.
 
john9527 said:
Let me go back through my notes. I seem to vaguely remember there was a quirk (maybe you had to add the serves in reverse order of how you wanted them accessed??). I found it when I added a hidden option for one of my users who wanted a 'reverse strict' so he could use a local DNS server first and fall back to the VPN servers if his failed.
Click to expand...

That could match the findings posted earlier in this thread.

I had a quick look at my code, and it would require a good bit of refactoring to be able to add the VPN servers at the end of the list rather than the top (since the result of the VPN addition determines how the firmware deals with the ISP servers while writing the resolv file). Just unsure if it's really worth it considering Simon's notes on how unreliable strict-order really is. Imagine that for a few secs none of the VPN-supplied DNS works. Dnsmasq would then fall back to your ISP server, and would always stick to them, until dnsmasq itself gets restarted. That kind of unpredictable behaviour is what makes me doubt the real value in keeping the Strict option there.

In an ideal world, if any server is marked as being "down", dnsmasq would periodically (after a few minutes down) re-test them while in strict mode, and if they come back alive, put them back at the top of the priority list. But considering Simon won't even consider fixing the reverse order parsing, I doubt he'd ever go down that route.
 
Last edited:
RMerlin said:
nsmasq would then fall back to your ISP server, and would always stick to them, until dnsmasq itself gets restarted. That kind of unpredictable behaviour is what makes me doubt the real value in keeping the Strict option there.
Click to expand...
I think the 'stickiness' is disabled when in strict mode.
 
@RMerlin
Decided to do a little testing to check again, and found that the VPN resolv file gen was inadvertently broken when you added the the support for pushing server search domains (and I missed it when I remapped your change). Likely the cause of the problems. I'll send you a patch.
 
I just pushed a number of fixes around DNS handling for OpenVPN clients.

1) Swapped order of nameservers so while in strict-order mode, VPN servers will get used first
2) Fixed strict-order not getting enabled in various scenarios, such as changing while the client was running, or enabling then starting it

I've now tested about every scenarios and things looked good:

Starting and stopping in strict-order mode
Changing to and from strict-order mode with a running client
 
RMerlin - I'm not sure this is related (and it's a minor issue)...

For whatever reason, likely related to the issues raised in this thread, I get DNS leaks when I set 'Strict' mode. Setting 'Exclusive' fixes this, but has one minor side effect.

The hostname of my router is 'rtr' and the domain is set to home.<mydomain>.com. In 'Strict' mode, this resolves to 10.0.0.1 from my internal LAN. I presume the router itself is resolving this. In Exclusive mode, rtr.home.<mydomain>.com resolves to the public IP address set by DDNS. This means that I can't access the router when on the LAN by using its hostname, presumably due to hairpinning.

Is there any scope for a setting which will resolve locally (but not forward) then fall back to the VPN DNS servers?

Running 384.8_2 on an 86U.
 
Saturnine said:
For whatever reason, likely related to the issues raised in this thread, I get DNS leaks when I set 'Strict' mode. Setting 'Exclusive' fixes this, but has one minor side effect.
Click to expand...

Yes, as discussed in this firmware, Strict mode does not use the VPN servers in priority. It also won't prevent clients from using hardcoded nameservers.

Exclusive mode forces the router to use the specified remote server, therefore the router's own DNS server is bypassed. There's nothing that can be done about that.
 
You must log in or register to reply here.

Similar threads

A
Proper use of VPN director
Replies
6
Views
350
kernol
kernol
E
VPN Killswitch not working on RT-AC68U 386.12_4
Replies
1
Views
419
bob bart
B
B
VPN Client Problem
Replies
4
Views
704
Brenneke
B
K
OpenVPN client Accept DNS Configuration not working properly firmware 388.1
Replies
0
Views
924
Karmatron
K
B
Firewall lan - vpn?
Replies
0
Views
306
blast
B
Similar threads
Thread starter Title Forum Replies Date
C VPN doing a lot of unrecognized options without them even being in the config IPV6 issue Asuswrt-Merlin 3
S TCP VPN Issue 388.2.2 Asuswrt-Merlin 3
brocellous RT-AC68U 802.11 DSCP QoS issue? Asuswrt-Merlin 3
spacemanspiff Getting a lot of Abnormal Login HTTP locks - Chrome issue? Asuswrt-Merlin 0
C Strange WAN connection issue Asuswrt-Merlin 9
C Dual Wan issue Failover on GT-AX11000 Asuswrt-Merlin 4
R Solved AiMesh Node client connection issue Asuswrt-Merlin 7
H WAN issue Asuswrt-Merlin 4
v.y.k Traffic Monitoring - Save frequency - issue Asuswrt-Merlin 7
D RT-AC86U mesh node FTP issue Asuswrt-Merlin 7

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 665 (members: 19, guests: 646)
Top