Looking for assistance. RT-AC5300 Merlin and dnsmasq

[Ted Danson]

I have an ASUS RT-AC5300 router running the latest Merlin fw for it. I would like to use a custom dnsmasq config for it to route specific traffic to certain dns ip's.

I have a link to a sample config here:

https://getflix.zendesk.com/hc/en-g...-use-Getflix-DNS-servers-for-specific-domains

My question is, where do I add this? I know where the files are on the router, but they look set up for a DHCP config? I want to have the router hand out DCHP leases but to use this dnsmasq config too while using my ISP dns as the main setting.

Just looking for a helping hand really.

Much appreciated!

Thanks.

EDIT: Meant to add. I looked at this help file and am still a little confused as to where to place the custom config.

https://github.com/RMerl/asuswrt-merlin/wiki/Custom-domains-with-dnsmasq

 

[ColinTaylor]

If you want to use custom DNS servers per device it can be done in the GUI. Useful if you're trying to direct a Roku box for example.

Parental control (or AiProtection) > DNS Filtering.

https://github.com/RMerl/asuswrt-merlin/wiki/DNS-Filter

 

[Ted Danson]

Thanks a lot for this. That would get me so far but not all the way to completing my goal.

I'm looking to make a custom dnsmasq for specific domains, cdn's etc. At the same time, anything not in the dnsmasq list I would like to have use the router default DNS servers. My ISP, or perhaps my own hosted DNS server (VPS etc).

The reason for this is I don't want all my network traffic going through a smart DNS provider for privacy reasons. I just want to use their DNS for the service they provide. Everything else I want control of.

 

[ColinTaylor]

OK, understood.

My only thought on the wiki guide that you referred to is the section called "Adjust DHCP Server Options". Personally I think it's better to do none of those changes and leave them at default settings. The end result is exactly the same so I don't understand why he's changing them. The default settings are:

DNS Server 1 & 2 = leave blank
Advertise router's IP in addition to user-specified DNS =Yes
Forward local domain queries to upstream DNS = No

The section "Edit dnsmasq config options" should be fairly straight forward. If you are not comfortable editing files from a Unix command line you could use a Windows GUI like WinSCP instead (There are guides on the forum for that).

 

[Ted Danson]

That's something that tripped me up too, the DHCP segment. In fact, if I did change the DNS servers in DHCP to, say, OpenDNS (and also had them set in the WAN DNS server settings) and then followed the rest of the guide, literally just copy/pasting the dnsmasq example from the link I provided, and the reboot. I get no Internet connectivity at all.

In fact when I tried going through these steps again yesterday it ended up with me having to factory reset the router and restore my backed up settings prior to making these changes.

I'm happy enough going in via SSH and have all that set up properly so it's all good there. Just the dnsmasq configuration is really wrecking my head as it just doesn't seem to work properly. Unless I've made a balls of the config somewhere?

Much appreciate the help regardless.

 

[ColinTaylor]

Can you log onto the router and post the output of the following command please.

cat /jffs/configs/dnsmasq.conf.add

P.S. How are you creating the file, vi?

 

[Ted Danson]

Sure thing. Right now I'm running from a fresh factory reset, so it's just:

cat: can't open '/jffs/configs/dnsmasq.conf.add': No such file or directory

I was creating the file originally with nano (not a huge fan of vi!).

I'll try again later today though when I get some time. What kind of output are you expecting to see?

 

[ColinTaylor]

I'm expecting to see one single line as follows, where xxx.xxx.xxx.xxx has been changed to your Getflix DNS server address.

server=/getflix.com.au/netflix.com/netflix.net/nflximg.com/hulu.com/e.akamai.net/akamaihd.net/llnwd.net/uplynk.com/edgefcs.net/theplatform.com/brightcove.com/mgo.com/vudu.com/vvond.net/amazon.com/flixster.com/cinemanow.com/roxionow.com/hbogo.com/footprint.net/pbs.org/wwe.com/sho.com/showtimeanytime.com/shovod.edgesuite.net/dishworld.com/movenetworks.com/movetv.com/shrbt.com/go.com/cbs.com/tbs.com/southparkstudios.com/espn.com/crackle.com/mtv.com/mtvnservices.com/vh1.com/fxnetworks.com/nbcolympics.com/golfchannel.com/nbcsports.com/unicornmedia.com/rhapsody.com/pandora.com/songza.com/slacker.com/bbc.co.uk/bbc.net.uk/bbc.com/itv.com/channel4.com/channel5.com/skyanywhere.com/sky.com/nowtv.com/skychnl.net/eurosportplayer.co.uk/eurosport.com/livestream.com/beinsports.net/beinsportsplay.tv/fplive.net/performgroup.com/starsports.com/roku.com/wdtvlive.com/boxee.tv/sony.tv/vevo.com/xxx.xxx.xxx.xxx

P.S. Don't put anything in the LAN > DHCP > DNS Server 1 & 2 fields (assuming "Advertise router's IP in addition to user-specified DNS" = Yes) otherwise you are telling DHCP clients to bypass dnsmasq and go directly to another server; which defeats the purpose of what you're doing.

 

[Ted Danson]

That's great thanks a lot for your help with this. I will make sure to give this a proper go later on when I am in front of the router (in case I have to factory reset again!).

Just to clarify though, could I make it a little more elaborate? For example:

1. WAN DNS Settings = Open DNS Home IP's.
2. LAN DHCP DNS Settings = Blank
3. dnsmasq.conf.add line is: server= Getflix url's per the line you posted.
4. Add an additional dnsmasq.conf.add server= config line that points to more custom domains and ends with another DNS provider. Example, another Smart DNS service. Or perhaps another public DNS IP.
5. Set the DNS settings in DHCP to the ones specified by yourself/the Wiki guide.

Would that work? Can it be that, or even more, granular?

 

[ColinTaylor]

1. Yes. External names will be resolved by Open DNS unless specified in 3. or 4.
2. Correct.
3. Yes.
4. Yes. You can have multiple "server=" lines. In fact they don't have the end in different IP addresses. So if you wanted to make it easier to read you could split a long line into multiple shorter lines:

server=/getflix.com.au/netflix.com/netflix.net/nflximg.com/hulu.com/e.akamai.net/akamaihd.net/llnwd.net/uplynk.com/edgefcs.net/theplatform.com/brightcove.com/mgo.com/vudu.com/vvond.net/amazon.com/flixster.com/xxx.xxx.xxx.xxx
server=/cinemanow.com/roxionow.com/hbogo.com/footprint.net/pbs.org/wwe.com/sho.com/showtimeanytime.com/shovod.edgesuite.net/dishworld.com/movenetworks.com/movetv.com/shrbt.com/go.com/cbs.com/tbs.com/southparkstudios.com/xxx.xxx.xxx.xxx
server=/espn.com/crackle.com/mtv.com/mtvnservices.com/vh1.com/fxnetworks.com/nbcolympics.com/golfchannel.com/nbcsports.com/unicornmedia.com/rhapsody.com/pandora.com/songza.com/slacker.com/bbc.co.uk/bbc.net.uk/bbc.com/itv.com/channel4.com/xxx.xxx.xxx.xxx
server=/channel5.com/skyanywhere.com/sky.com/nowtv.com/skychnl.net/eurosportplayer.co.uk/eurosport.com/livestream.com/beinsports.net/beinsportsplay.tv/fplive.net/performgroup.com/starsports.com/roku.com/wdtvlive.com/boxee.tv/sony.tv/vevo.com/xxx.xxx.xxx.xxx

5. Sorry, I'm not sure what you're asking. You either leave them at the defaults I listed (see also 2.) or you set them as the wiki article states. The objective is for DHCP clients to be given only the router's IP address as a DNS server and nothing else.

 

[Ted Danson]

I got impatient and decided to risk configuring the router remotely over SSH. I set up a VPN server at the same time so I could connect to the router to test the dnsmasq.conf.add works correctly.

From what I can see so far, and following everything you said, it works 100%! I was even able to add a second DNS IP for a handful of domains which then worked. This was 100% the case as the site I was testing was geo-blocked until I added the domains required and restarted the dnsmasq service.

I'm going to play around a little more later on but am really happy with this so far. I really appreciate your help, thank you very much for explaining it so clearly and answering my questions. Much obliged!

 

[Ted Danson]

Spoke to soon. It's working sporadically and definitely not for some sites. Odd.

 

[ColinTaylor]

Try rebooting the client devices. Also check for typo's. Look in the syslog to confirm your changes, i.e.

Aug  9 16:00:48 dnsmasq[29215]: using nameserver 4.4.4.4#53 for domain example3.com
Aug  9 16:00:48 dnsmasq[29215]: using nameserver 4.4.4.4#53 for domain example2.com
Aug  9 16:00:48 dnsmasq[29215]: using nameserver 8.8.8.8#53 for domain example.com
Aug  9 16:00:48 dnsmasq[29215]: using nameserver 8.8.8.8#53 for domain channel5.com

Also bear in mind that just because you're using a different DNS server it doesn't guarantee that you can get around geo-blocking.

 

[Ted Danson]

Nope. Nothing in the logs there showing that it's being forced to used Google DNS. It's weird. If I scrap all of this and go back to just having, say, Getflix, as my DNS servers on the WAN settings. It's fine. It all works.

Now with this set up, some things work but others do not. I should add I have not rebooted the router yet, only restarted the dnsmasq service.

 

[ColinTaylor]

You should see those messages in the syslog when you start up dnsmasq (not when the client issues a query). It's possible that Merlin's firmware is suppressing dnsmasq messages. How are you restarting dnsmasq? Try this:

# killall dnsmasq
# dnsmasq --log-async
# cat /tmp/syslog.log

Also, make sure IPv6 is disabled. All these guides assume an IPv4-only setup.

 

[Ted Danson]

I was using service restart_dnsmasq for rebooting it.

Tried your cmd list there and I've always had IPv6 disabled. I do have absolution installed too but have disabled it to see if that's causing a problem. After all that it's still the same issue, sporadic results. By sporadic though I mean some stuff, say, Hulu for example, works every time. Other domains that should work and be un-geoblocked, and do work if I have my original router setup back to normal, no longer work. Location is detected.

Tried ipleak.net too to see what it comes back with but it's just showing OpenDNS IP's and my ISP public IP as my IP address.

 

[ColinTaylor]

Did you see the dnsmasq startup messages in the syslog?

My guess is that absolution has done something that is conflicting with your changes. If you can work out what domains are not working and then post the contents of /etc/dnsmasq.conf we might be able to spot something.

 

[Ted Danson]

Did you see the dnsmasq startup messages in the syslog?

My guess is that absolution has done something that is conflicting with your changes. If you can work out what domains are not working and then post the contents of /etc/dnsmasq.conf we might be able to spot something.

Thanks for that. I tried uninstalling ab-solution, same issues are happening. Here's the conf file (sorry it's truncated but the IP is at the end as instructed on each server= line. I did split them up too. Same issues arose.

pid-file=/var/run/dnsmasq.pid
user=nobody
bind-dynamic
interface=br0
interface=ppp1*
no-dhcp-interface=ppp1*
resolv-file=/tmp/resolv.conf
servers-file=/tmp/resolv.dnsmasq
no-poll
no-negcache
cache-size=1500
min-port=4096
dhcp-range=lan,192.168.1.4,192.168.1.254,255.255.255.0,86400s
dhcp-option=lan,3,192.168.1.1
dhcp-option=lan,252,"\n"
dhcp-authoritative
interface=tun21
# Default Dnsmasq options
domain-needed
all-servers
strict-order

# Use Getflix DNS for these domains
server=/getflix.com.au/netflix.com/netflix.net/nflximg.com/hulu.com/e.akamai.ne$

# Use Smart DNS Proxy for these domains
server=/horizonemea-s.akamaihd.net/disney.com/disneylife.com/contentdirect.tv/a$

 

[ColinTaylor]

Try removing the following lines.

all-servers
strict-order

Also, what are the contents of /etc/resolv.conf and /tmp/resolv.dnsmasq

 

[Ted Danson]

No joy removing all-servers and strict-order from dnsmasq.conf.add and the contents of /etc/resolv.conf are:

nameserver 127.0.0.1

Contents of /tmp/resolv.dnsmasq are nothing. It's blank. The file exists though.

This is odd. It is working. It has to be. Stuff like Hulu works. Also VRV, which I had to add manually. So something is working, just not everything, yet the domains are listed and do work in a different setup. Bizarre.