Router IPv6 hosts entries

[dave14305]

I noticed today after enabling IPv6 and testing nextdns.io, that I was seeing AAAA requests for router.asus.com in the nextdns.io console logs. Sure enough, the hosts file has no IPv6 address for router.asus.com, so it was apparently forwarding the AAAA requests upstream with no luck.

After researching a little bit, I read this post and decided to write a script to get the address from nvram. I'm opting against the advice of @ColinTaylor (I call this spitting in the wind) and not using the link-local address, since it looks nicer in Windows nslookup.

I guess this was solved in John's fork a while back, but Merlin hasn't adopted it as best I can tell. There is code for lan_hostname but those nvram variables aren't populated in my setup. If there's a better way to do this, I'm open to ideas (e.g. dnsmasq). I just want to prevent sending router.asus.com upstream in the end.

FYI for @IsaacFL from a couple years ago.

/jffs/scripts/hosts.postconf

#!/bin/sh
CONFIG="$1"
. /usr/sbin/helper.sh

if [ "$(nvram get ipv6_service)" != "disabled" ]; then
        pc_append "$(nvram get ipv6_rtr_addr) $(nvram get local_domain)" "$CONFIG"
        pc_append "$(nvram get ipv6_rtr_addr) $(nvram get computer_name).$(nvram get lan_domain) $(nvram get computer_name)" "$CONFIG"
fi

 

[Dabombber]

I played around for quite a while with IPv6 addresses through dnsmasq before settling on using the interface-name option. It can be used as a config entry rather than trying to work out the IPv6 address in a script (it'd be nice if [::] and [fe80::] were substituted), though might not work with router.asus.com since it has a hosts entry.

--interface-name=<name>,<interface>[/4|/6]
Return DNS records associating the name with the address(es) of the given interface. This flag specifies an A or AAAA record for the given name in the same way as an /etc /hosts line, except that the address is not constant, but taken from the given interface. The interface may be followed by "/4" or "/6" to specify that only IPv4 or IPv6 addresses of the interface should be used. If the interface is down, not configured or non-existent, an empty record is returned. The matching PTR record is also created, mapping the interface address to the name. More than one name may be associated with an interface address by repeating the flag; in that case the first instance is used for the reverse address-to-name mapping. Note that a name used in --interface-name may not appear in /etc /hosts.

Even without changing the hosts entry, something like this in /jffs/configs/dnsmasq.conf.add should work (it did for me at least).

interface-name=router.asus.com,br0/6

 

[Dabombber]

In your example you're only setting the IPv4 addresses so you'll have the same problem...

address=/router.asus.com/#

Would be better since it sets both IPv4 and IPv6.

But in the end there's not much difference between resolving to your router or nowhere. The real risk is if the domain is dodgy which shouldn't be the case for asus.com.

As for using interface-name, it can use a local extension too for example

interface-name=RT-AC88U.local,br0

Which is useful since your IPv6 address might not have been set up when the /et c/hosts file is generated.

 

[dave14305]

I don't understand why you did this? but I don't think you should do it. learn more

It is done to prevent AAAA DNS requests for the router’s internal hostname from being sent outside to external (upstream) DNS servers, while still letting the router name resolve correctly internally.

 

[ColinTaylor]

I just don't understand why you should continue to use the local domain, you can use only the IP address, which is more secure.

I just don't understand why you keep going on about this. It should be apparent from the replies to your other posts on this subject that other people do not share your view. Time to leave it at that.

 

[dave14305]

I just don't understand why you should continue to use the local domain, you can use only the IP address, which is more secure.

For me it's because I use HTTPS with a certificate for the LAN name. Since I posted the original message, I've switched from using router.asus.com to router.home.lan for my https SSL certificate. I'm not sure I agree with the assertion that using the IP is more secure. Just less confusing for people who don't understand how the router handles router.asus.com.

 

[SomeWhereOverTheRainBow]

I noticed today after enabling IPv6 and testing nextdns.io, that I was seeing AAAA requests for router.asus.com in the nextdns.io console logs. Sure enough, the hosts file has no IPv6 address for router.asus.com, so it was apparently forwarding the AAAA requests upstream with no luck.

After researching a little bit, I read this post and decided to write a script to get the address from nvram. I'm opting against the advice of @ColinTaylor (I call this spitting in the wind) and not using the link-local address, since it looks nicer in Windows nslookup.

I guess this was solved in John's fork a while back, but Merlin hasn't adopted it as best I can tell. There is code for lan_hostname but those nvram variables aren't populated in my setup. If there's a better way to do this, I'm open to ideas (e.g. dnsmasq). I just want to prevent sending router.asus.com upstream in the end.

FYI for @IsaacFL from a couple years ago.

/jffs/scripts/hosts.postconf

#!/bin/sh
CONFIG="$1"
. /usr/sbin/helper.sh

if [ "$(nvram get ipv6_service)" != "disabled" ]; then
        pc_append "$(nvram get ipv6_rtr_addr) $(nvram get local_domain)" "$CONFIG"
        pc_append "$(nvram get ipv6_rtr_addr) $(nvram get computer_name).$(nvram get lan_domain) $(nvram get computer_name)" "$CONFIG"
fi

I appreciate you bringing up this topic as I am still tackling many ipv6 issues myself. I must say anything we can do to improve the conditions of which it is used under, I fully support your efforts in this regard.


nvram get computer_name needs to be modified to actually get you the name of the router. this is incompatible as it returns a null value now for most setups. I notice it works for yours tho, so carry on.

 

[SomeWhereOverTheRainBow]

my adaptation
/jffs/scripts/hosts.postconf

#!/bin/sh
CONFIG="$1"
. /usr/sbin/helper.sh

if [ "$(nvram get ipv6_service)" != "disabled" ]; then
        pc_append "$(nvram get ipv6_rtr_addr) $(nvram get lan_hostname).$(nvram get lan_domain) $(nvram get lan_hostname) $(nvram get lan_hostname).local" "$CONFIG"
        pc_append "$(nvram get ipv6_rtr_addr) $(nvram get lan_hostname).local" "$CONFIG"
        pc_append "$(nvram get ipv6_rtr_addr) router.asus.com" "$CONFIG"
        pc_append "$(nvram get ipv6_rtr_addr) www.asusnetwork.net" "$CONFIG"
        pc_append "$(nvram get ipv6_rtr_addr) www.asusrouter.com" "$CONFIG"
fi

 

[Dabombber]

nvram get computer_name needs to be modified to actually get you the name of the router. this is incompatible as it returns a null value now for most setups. I notice it works for yours tho, so carry on.

It might only be set for use in the webui, you can just use uname -n instead.

It might also be worth checking if ipv6_rtr_addr is set, since IPv6 might only be set up after dnsmasq starts.

 

[dave14305]

I appreciate you bringing up this topic as I am still tackling many ipv6 issues myself. I must say anything we can do to improve the conditions of which it is used under, I fully support your efforts in this regard.


nvram get computer_name needs to be modified to actually get you the name of the router. this is incompatible as it returns a null value now for most setups. I notice it works for yours tho, so carry on.

When I started this thread in December, I was running 384.13, which hadn’t changed over to lan_hostname yet.