RT-AC66U B1 Won't Resolve Certain Websites

[HarryMuscle]

I've got an RT-AC66U B1 router that is running Merlin 380.70. All my clients use the router as their DNS server and the router itself is configured to use OpenDNS as its DNS servers. A few days ago certain websites stopped being accessible. I tracked it down to the router telling clients that those addresses can't be resolved by the DNS server. If I configure a client to use the OpenDNS servers directly the addresses can be resolved no problem. So the issue is the router.

I'm wondering if this is a known issue? Before I go through the hassle of resetting, updating the firmware, and reconfiguring everything I'm trying to get an idea of how successful I will be. If this is a weird issue not encountered before then this might be caused by corruption in the RAM or NVRAM and I should probably just get a new router. On the other hand if this is an issue encountered before by others and just a software bug then the hardware is probably still good.

Thanks,
Harry

 

[L&LD]

The firmware you are using is ancient by any standards.

Use the RMerlin v384.15_0 (or the excellent Alpha 2) firmware for the RT-AC68U for your RT-AC66U_B1 model and perform a full M&M Config to bring it's defaults up-to-date.

Do not use a saved config file. Do not use the old settings that may have previously worked. 'M&M' stands for minimal and manual, after all.

 

[HarryMuscle]

The firmware you are using is ancient by any standards.

Use the RMerlin v384.15_0 (or the excellent Alpha 2) firmware for the RT-AC68U for your RT-AC66U_B1 model and perform a full M&M Config to bring it's defaults up-to-date.

Do not use a saved config file. Do not use the old settings that may have previously worked. 'M&M' stands for minimal and manual, after all.

I fully agree it's quite old. I'm just trying to get an idea if this might be a hardware issue cause then I won't even bother with updating and configuring this router and just get a new one.

Thanks,
Harry

 

[L&LD]

The M&M Config (and even adding the Nuclear Reset, if desired) will take all of an hour, tops, to follow. If the hardware is really gone, those steps still need to be done to 'know'.

The same steps will be needed with a new router too. If you want to give it the best chance to succeed in your network.

No way to tell if its a hardware issue otherwise.

 

[RMerlin]

This sounds more like a problem with the DNS server used by the router than a router/firmware issue.

 

[HarryMuscle]

This sounds more like a problem with the DNS server used by the router than a router/firmware issue.

That's what I thought too but if I configure the exact same DNS servers on the client everything works fine. If the client uses the router as its DNS server things stop working. Unless the DNS servers are responding differently to the router vs the client directly but I've never heard of that before.

Thanks,
Harry

 

[HarryMuscle]

This sounds more like a problem with the DNS server used by the router than a router/firmware issue.

Didn't try this until just now ... I configured the router to use the Google DNS servers and the same websites are still not resolvable so I think that rules out the DNS servers being the issue since both Google and OpenDNS return domain not found for the same websites.

Thanks,
Harry

 

[dave14305]

Is dnssec enabled on the LAN DHCP page in 380.70?

 

[appleseed]

I hope this does not sound rude but c'mon you give no additional info so it could be anything.

I mean you don't mention log file, additional scripts, any Asus/Trend software, temperature, free mem/flash, sunspots, lightning, gamma ray burst, anything... questions like this make me wonder why people don't give more info. Also, it's Monday and I am grumpy.

 

[LegitPC]

My client had a similar issue, most sites worked but DMV and a few others wouldn't load. I messed with it for a while but what ended up working was cloning the mac address of the PC connected to the router. After that everything worked. Give it a shot!

 

[RMerlin]

My client had a similar issue, most sites worked but DMV and a few others wouldn't load. I messed with it for a while but what ended up working was cloning the mac address of the PC connected to the router. After that everything worked. Give it a shot!

Failure to load != failure to resolve.

Failures to load are often caused by your ISP providing you with a blacklisted IP. Forcing an IP change through MAC cloning can often resolve it, which is probably what happened in your case.

 

[HarryMuscle]

Is dnssec enabled on the LAN DHCP page in 380.70?

Thanks for the suggestion. It was enabled. As soon as I disabled it everything started to work correctly. However, I would prefer to use DNSSec for the slight additional security it provides.

Would anyone have any ideas why DNSSec would have started to cause these issues for certain domains?

Thanks,
Harry

 

[RMerlin]

Thanks for the suggestion. It was enabled. As soon as I disabled it everything started to work correctly. However, I would prefer to use DNSSec for the slight additional security it provides.

Would anyone have any ideas why DNSSec would have started to cause these issues for certain domains?

It usually means your upstream DNS servers do not support DNSSEC.

 

[dave14305]

Thanks for the suggestion. It was enabled. As soon as I disabled it everything started to work correctly. However, I would prefer to use DNSSec for the slight additional security it provides.

Would anyone have any ideas why DNSSec would have started to cause these issues for certain domains?

Thanks,
Harry

I don't really know (or think) this would help, but assuming OpenDNS and Google DNS do support DNSSEC (OpenDNS has only very recently enabled it), you could try adding this additional trust anchor that is not present in 380.70 dnsmasq.conf. Add this line to /jffs/configs/dnsmasq.conf.add:

trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D

It's just a stab in the dark. Remove it if it doesn't help.

EDIT: if it does help, remove it and add this to /jffs/scripts/dnsmasq.postconf:

#!/bin/sh

CONFIG="$1"
. /usr/sbin/helper.sh

if [ $(nvram get dnssec_enable) == "1" ]; then
  pc_append "trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D" "$CONFIG"
fi