Solved Manual DNS = NTP can't connect

Purdue

Occasional Visitor
My Asus AC68 is behind an ISP router and acts mainly as a VPN provider and VLAN.
When (in FreshTomato) I set up the DNS manually, adding the one I want (the router's or the VPN's), NTP stops working (the blinking "Not available" next to Time didn't get caught in the screenshot), the date is wrong, and thus nothing else works.

[Screenshot: NTP_err.png]


I already tried changing the NTP server, adding e.g. 3 URLs. No success.
My goal is actually to have a custom DNS (the router) pass the DNS requests through the VPN tunnel or just over the WAN (ISP router), depending on which network a host is making the request from; this way, some traffic and requests go encrypted while others go over the ISP's clear connection.

What would be the best way to achieve that while avoiding the NTP issue?

This is my current DNS/DHCP config:

[Screenshot: MULTI.png]



Thanks!
 

Tech9

Part of the Furniture
In FT 2021.7, I've noticed NTP doesn't sync if the servers selected are North America. With servers in Europe it works well. I used OpenDNS in my tests. Try and see if it helps.
 

Purdue

Occasional Visitor
@Tech9 it doesn't work with pool.ntp.org or europe.pool.ntp.org if I put in manual DNS...
 

Tech9

Part of the Furniture
Hmm, I've tried Quad9, Cloudflare and OpenDNS and it's fine. The router is in double NAT behind my pfSense firewall. The same RT-AC68U. I don't have VLANs set up, NAT acceleration is disabled, IP traffic enabled, OpenVPN server active, Adblock with 2x lists, Intercept DNS, Intercept NTP, DoT to what supports it, etc. I'm not home to check what else I've changed. Quite impressive so far and I didn't hit any obvious bugs. It's a fresh test installation with NVRAM wipe. I can play with it more when I get home. @eibgrad is using FT, may have some ideas.
 

Tech9

Part of the Furniture
FT is firmware on steroids, with too many settings to list, so screenshots:

[Screenshot: Untitled_112.png]


Status page:

[Screenshot: Untitled_113.png]


This is with public OpenDNS, standard port 53. Your DNS is a private IP, which may cause issues.
 

Tech9

Part of the Furniture
The result:

[Screenshot: Untitled_114.png]


It actually works with North America NTP servers as well now; it was a glitch, I guess.
 

Tech9

Part of the Furniture
And with extra DoH prevention; the list is quite reliable:

[Screenshot: Untitled_115.png]


Don't use too many blocklists, otherwise Dnsmasq may fail to start; look at the logs.
 

Purdue

Occasional Visitor
Thank you very much @Tech9, very interesting, and so far I was able to take little steps without breaking the NTP connection. I've got just a few questions regarding your configuration:

1) Why mute all the DHCP logging?
2) How exactly do Local NTP server + Intercept local NTP client requests work?
3) I'd actually like to have DoH; did you block it because it was not working?

Thank you very much.
 

Tech9

Part of the Furniture
1) Why mute all the DHCP logging?
2) How exactly do Local NTP server + Intercept local NTP client requests work?
3) I'd actually like to have DoH; did you block it because it was not working?

1) Because I don't want to see DHCP logs; it's a personal preference. What I see now is -MARK- every hour. Less distraction from what's important.
2) Exactly what it says: all NTP requests are redirected to the router's own NTP server. The local NTP server is always available if the router is running. Similar to Intercept DNS queries. I never checked how it works under the hood in FreshTomato or Asuswrt-Merlin, but I expect port redirection, port 123.
3) I don't like/use DoH because I don't have control over it. Standard port 443; can't do much about it. Ports 53/853 are easier. With DoH blocked, all requests go to my preferred DNS service with all the filtering I would like to have there. Clients with DoH support attempt it; if it fails, they go to my DNS.
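A check that separates the two stages involved in the NTP problem discussed above, name resolution versus the NTP exchange itself, as an added example; this is not code from the thread or from FreshTomato. It is a minimal SNTP client in Python meant to be run from a LAN host that uses the router as its resolver (an assumed setup; `pool.ntp.org` is the only real name used). If the query by hostname fails at the "dns" stage while the same query against a literal IP address succeeds, the router's NTP client is starved by the configured DNS server, not by the NTP servers. `make_sample_response` builds a constructed reply so the parser can be exercised offline; it is not a captured packet.

```python
import socket
import struct
import sys
import time

NTP_PORT = 123
NTP_EPOCH_OFFSET = 2208988800  # seconds from the NTP epoch (1900-01-01) to the Unix epoch (1970-01-01)


def build_sntp_request():
    """48-byte SNTP client request: LI=0, VN=4, Mode=3, every other field zero."""
    return bytes([0x23]) + bytes(47)


def ntp_to_unix(seconds, fraction):
    """Convert an NTP 64-bit timestamp (32.32 fixed point) to Unix seconds."""
    return seconds - NTP_EPOCH_OFFSET + fraction / 2 ** 32


def parse_sntp_response(data):
    """Decode a server reply; a stratum-0 reply is a Kiss-o'-Death and carries no usable time."""
    if len(data) < 48:
        raise ValueError("short packet: %d bytes" % len(data))
    fields = struct.unpack("!BBBb11I", data[:48])
    first, stratum, ref_id = fields[0], fields[1], fields[6]
    xmit_sec, xmit_frac = fields[13], fields[14]
    li, version, mode = first >> 6, (first >> 3) & 7, first & 7
    if mode not in (4, 5):  # 4 = server, 5 = broadcast
        raise ValueError("unexpected mode %d" % mode)
    reply = {"li": li, "version": version, "mode": mode, "stratum": stratum,
             "kiss_code": None, "transmit_unix": None, "unsynchronised": li == 3}
    if stratum == 0:
        # Reference ID carries an ASCII kiss code such as RATE or DENY
        reply["kiss_code"] = ref_id.to_bytes(4, "big").decode("ascii", "replace").rstrip("\x00")
        return reply
    reply["transmit_unix"] = ntp_to_unix(xmit_sec, xmit_frac)
    return reply


def make_sample_response(xmit_unix, stratum=2, ref_id=b"GPS\x00", li=0):
    """Constructed server reply for offline testing; not captured from a real server."""
    whole = int(xmit_unix)
    frac = int(round((xmit_unix - whole) * 2 ** 32))
    first = (li << 6) | (4 << 3) | 4  # LI, VN=4, Mode=4 (server)
    return struct.pack("!BBBb11I", first, stratum, 6, -23, 0, 0,
                       int.from_bytes(ref_id, "big"),
                       0, 0, 0, 0, 0, 0, whole + NTP_EPOCH_OFFSET, frac)


def query_ntp(server, timeout=3.0):
    """Query one server and report which stage failed: 'dns', 'ntp', 'parse', 'kiss', or 'ok'."""
    try:
        # A literal IP address never touches DNS, so host-vs-IP results separate the two stages.
        addr = socket.getaddrinfo(server, NTP_PORT, socket.AF_INET, socket.SOCK_DGRAM)[0][4]
    except socket.gaierror as exc:
        return {"ok": False, "stage": "dns", "server": server, "error": str(exc)}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_sntp_request(), addr)
            data, _ = sock.recvfrom(1024)
        except OSError as exc:  # socket.timeout is an OSError subclass
            return {"ok": False, "stage": "ntp", "server": server, "address": addr[0], "error": str(exc)}
    try:
        reply = parse_sntp_response(data)
    except ValueError as exc:
        return {"ok": False, "stage": "parse", "server": server, "address": addr[0], "error": str(exc)}
    if reply["kiss_code"]:
        return {"ok": False, "stage": "kiss", "server": server, "address": addr[0],
                "kiss_code": reply["kiss_code"]}
    return {"ok": True, "stage": "ok", "server": server, "address": addr[0],
            "stratum": reply["stratum"], "unsynchronised": reply["unsynchronised"],
            "server_time": reply["transmit_unix"],
            "offset_seconds": reply["transmit_unix"] - time.time()}


if __name__ == "__main__":
    # Usage: python sntp_check.py pool.ntp.org <ip-address-resolved-elsewhere>
    for target in sys.argv[1:] or ["pool.ntp.org"]:
        print(query_ntp(target))
```

Run it once with a pool hostname and once with an address you resolved from another machine. A "dns" failure on the hostname and an "ok" on the address reproduces the symptom from the first post: the NTP servers are fine, the resolver the router was told to use is not answering from where the router sits. The kiss-code and "unsynchronised" cases are reported separately so a server politely refusing (RATE, DENY) is not mistaken for a network problem.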
 

Purdue

Occasional Visitor
Thanks @Tech9, clearer now.
Also, since this was related to DNS resolving, with the goal of helping anyone jumping into this thread in the future, I've found a quite detailed explanation that may be very helpful for understanding whether and why there is an issue with DNS and NTP. Getting some grip on how FT works is very helpful; I've highlighted where the problem could have originated.


DHCP / DNS Server (LAN)


  • Use Internal DNS (Default: on): Allows Dnsmasq to be your DNS server at the router IP address (typically 192.168.1.1). DNS is cached in Tomato firmware. DHCP clients will receive the router IP address as the DNS server.

  • Use Received DNS With Static DNS (Default: off): If unticked, DNS servers from your ISP are ignored if you've entered static ones on the Basic > Network page. If ticked, and your WAN obtains a DHCP address from the ISP, it also gets DNS servers from the ISP. This option allows the router to use both the ISP-assigned DNS and the static DNS server(s) specified on the Basic > Network page together. If you have static DNS entries, "" will add any name servers received from your service provider. You may also consider adding "strict-order" (without quotes) in the "Dnsmasq Custom Configuration" box. This forces Dnsmasq to send DNS queries to servers strictly in the order that they appear in the resolv file. This is useful if you are using services such as OpenDNS but still want to use your ISP's server(s) as a backup. Without this setting your ISP's DNS server(s) will tend to be favored. You can view these changes in the resolv file at "/etc/resolv.dnsmasq".

  • Intercept DNS port (UDP 53) (Default: off): When enabled, anything going out to UDP port 53 is redirected to Dnsmasq. This prevents bypassing parental controls. It may be helpful when used with OpenDNS for parental control. Another use of this intercept is with VPN client software in combination with the "Use Internal DNS" option. Typically, VPN client software will 'tunnel' non-routable IP addresses such as 192.168.1.1, which will bypass the router and cause DNS failure. Instead, you can change the client's DNS address to any bogus routable IP address to prevent the VPN client from tunneling DNS requests and let the router intercept them. This works whether or not the VPN client software is active.
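A check for the "Intercept DNS port (UDP 53)" behaviour and for the manually entered resolver address, as an added example; this is not code from the thread or from the FreshTomato documentation. It is a raw DNS A-query client in Python: `resolve_via(resolver_ip, name)` sends one query straight to a chosen address and reports whether it failed at the transport stage (no reply, which is what the router's own NTP client experiences when its configured resolver is a private IP that is not reachable), at the parse stage, or with an error rcode. Sent from a LAN host to a deliberately bogus routable address with the intercept enabled, a reply still comes back because Dnsmasq answered it; with the intercept off, the query times out. The addresses `203.0.113.1` and `203.0.113.10` are documentation-range placeholders (RFC 5737), and `make_sample_response` builds a constructed reply so the parser can be tested offline.

```python
import random
import socket
import struct

# Documentation-range placeholders, constructed for offline use; substitute your own addresses.
BOGUS_ROUTABLE_RESOLVER = "203.0.113.1"


def encode_name(name):
    """Encode a hostname as DNS labels: length-prefixed, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qid=0x1234):
    """Standard query, recursion desired, one question: <name> A IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def decode_name(data, offset):
    """Decode a possibly compressed name; return (name, offset just past it in the message)."""
    labels, jumped, end, hops = [], False, offset, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 20:
                raise ValueError("compression pointer loop")
            continue
        if length == 0:
            offset += 1
            if not jumped:
                end = offset
            break
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_response(data, expected_id=None):
    """Return id, rcode, truncation flag and the A records from a DNS reply."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if expected_id is not None and qid != expected_id:
        raise ValueError("transaction id mismatch")
    offset = 12
    for _ in range(qd):
        _, offset = decode_name(data, offset)
        offset += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, offset = decode_name(data, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((name, ttl, socket.inet_ntoa(rdata)))
    return {"id": qid, "rcode": flags & 0x0F, "truncated": bool(flags & 0x0200), "a_records": answers}


def make_sample_response(name, addr, qid=0x1234, ttl=60, rcode=0):
    """Constructed reply (QR=1, RD=1, RA=1) for offline testing; not captured from a real resolver."""
    header = struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, 0 if rcode else 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    if rcode:
        return header + question
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(addr)
    return header + question + answer


def resolve_via(resolver_ip, name, timeout=2.0, port=53):
    """Send one A query to resolver_ip and report the stage at which it failed, if it did."""
    qid = random.randrange(0, 65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name, qid), (resolver_ip, port))
            data, _ = sock.recvfrom(512)
        except OSError as exc:  # timeout or unreachable: nothing answered on UDP 53
            return {"ok": False, "stage": "transport", "resolver": resolver_ip, "error": str(exc)}
    try:
        reply = parse_response(data, expected_id=qid)
    except (ValueError, struct.error) as exc:
        return {"ok": False, "stage": "parse", "resolver": resolver_ip, "error": str(exc)}
    if reply["rcode"] != 0:
        return {"ok": False, "stage": "rcode", "resolver": resolver_ip, "rcode": reply["rcode"]}
    return {"ok": True, "stage": "answer", "resolver": resolver_ip,
            "addresses": [addr for _, _, addr in reply["a_records"]]}


if __name__ == "__main__":
    # Point this at the router IP from Basic > Network, then at the bogus routable address.
    print(resolve_via("192.168.1.1", "pool.ntp.org"))
    print(resolve_via(BOGUS_ROUTABLE_RESOLVER, "pool.ntp.org"))
```

The transaction id is generated per query and checked on the reply, so a stale or injected packet is reported as a parse failure rather than accepted. A "transport" result against the router's own address from the LAN means Dnsmasq is not listening where the clients (and the router's NTP client) expect it; a "transport" result against the bogus address with the intercept enabled means the UDP 53 redirect is not in effect for that client.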
 

Tech9

Part of the Furniture
Thank you for the additional information. I only play with consumer routers though, and even though FreshTomato is an excellent firmware alternative for supported hardware, it won't live for long on this particular Asus router. I keep a collection of Asus routers on my shelf and when I'm done playing they are returned to stock firmware. Closed-source firmware components are killing custom firmware development, unfortunately.
 
