New Member
Posts: 33
Registered: ‎04-05-2017
Kudos: 19

Re: DNSSEC & dnsmasq with EdgeRouter 1.8.5

[ Edited ]

poisonsnak wrote:

 

The reason I put the timestamp in /config/ is it is the only folder that survives a firmware upgrade.  In my first post in this thread, when I remotely upgraded a router, if I put the timestamp in /var/run/dnsmasq/ I think I would have had the same problem.  In fact, I do not think the /var/ folder even survives a reboot.  The logs in /var/log/ are all reset on a reboot, and I created a test file in /var/run/ and it disappeared on reboot.

 

 


Yeah, /var is volatile. I may be misunderstanding how the timestamp actually functions, but at the time, the way I read it the timestamp doesn't necessarily need to be preserved between upgrades or reboots. It made sense at the time. Makes less sense now. I do recall flipping back and forth when I was deliberating it.

 

The manpage is pretty clear:

 

"The file must be stored on a persistent filesystem, so that it and its mtime are carried over system restarts."

 

So yeah, on reflection, putting it in /config and letting it persist appears to be the correct answer. Unless I can figure out why I thought otherwise...

Established Member
Posts: 911
Registered: ‎02-04-2015
Kudos: 529
Solutions: 36

Re: DNSSEC & dnsmasq with EdgeRouter 1.8.5

Well, I figured out why dnssec-timestamp does not work. It seems like dnsmasq only updates the timestamp file once, on startup. I am pretty sure the router writes the current time to flash once a day, early in the morning, since after a power loss it usually boots with the correct date but the time says 2AM or something.

 

For example, right now

 

:/config/dnsmasq$ ls -l
total 0
-rw-r--r--    1 dnsmasq  dip              0 Jun 30 22:38 dnssec-timestamp

but since today is July 12th, I would expect that if I cut power to the router it would boot up with July 12th as the date and the time early in the morning. So this check will pass, since the router's date is later than the timestamp's date. If the system time is off by even 12 hours, though, DNSSEC will not work in my experience.

 

I am not sure if this should be reported to the dnsmasq people or to Ubiquiti; it looks like we are using a custom version of dnsmasq:

 

$ cat /var/log/dnsmasq.log
Jun 30 22:38:04 dnsmasq[3289]: started, version 2.76-1-ubnt2 cachesize 2500

I'm not really sure who to ask here either; possibly @UBNT-afomins?

New Member
Posts: 33
Registered: ‎04-05-2017
Kudos: 19

Re: DNSSEC & dnsmasq with EdgeRouter 1.8.5


poisonsnak wrote:

Well I figured out why dnssec-timestamp does not work.  It seems like dnsmasq only updates the timestamp file once on startup.  I am pretty sure the router writes the current time to flash once a day, early in the morning, since after a power loss it usually boots with the correct date but the time says 2AM or something.


Seems like that might be the root cause of the problem. If the time is off, then dnsmasq is never going to work right with respect to signatures. Have you tried making sure the time is accurate and seeing if signature checking runs properly?

 

If that's the case, then I doubt the fault lies with dnsmasq or DNSSEC. You're going to have to figure out why your time is getting set wrong. Otherwise, you're going to have to use --dnssec-no-timecheck and SIGHUP dnsmasq to tell it to start checking sigs.

Established Member
Posts: 1,525
Registered: ‎05-03-2016
Kudos: 520
Solutions: 147

Re: DNSSEC & dnsmasq with EdgeRouter 1.8.5

I just set up DNSSEC in the last few days. I tried just the newest trust anchor and got a lot of failures. Adding the older one as well seemed to fix that problem.

 

I added dnssec-check-unsigned and after a few minutes dnsmasq died and I had no DNS anymore. I restarted it and it was fine for several minutes and then died again. I removed that option and it hasn't died since, after about 2 days.

 

I use Google's 8.8.8.8 and 8.8.4.4, which support DNSSEC.

 

Anyone else try dnssec-check-unsigned and have this problem? I did see the posts on the first page of this thread, but not the failure modes.
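The trust-anchor discussion above (one anchor failing, both anchors working) comes down to which root KSK DS records dnsmasq knows about. The following is an added example, not code from the thread or from Ubiquiti or the dnsmasq project: it lists the dnsmasq options such a validating forwarder needs and classifies `dig +dnssec` answers so you can confirm validation is really happening. Assumptions: the router's dnsmasq listens on 127.0.0.1, `dig` (dnsutils) is installed, and the two DS values are the published root KSK-2010 and KSK-2017 records (both were needed during the October 2017 root KSK rollover; KSK-2010 was revoked in 2019, so new deployments need only key tag 20326). The `--check` entry point and the names queried are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread, Ubiquiti or dnsmasq): dnsmasq DNSSEC
# options plus a check that answers are actually validated.
set -u

# dnsmasq options for a validating forwarder. Both root KSK DS records were
# needed during the Oct 2017 root KSK rollover; KSK-2010 (key tag 19036) was
# revoked in 2019, so only 20326 is required today. dnssec-check-unsigned makes
# dnsmasq prove a zone is unsigned instead of trusting that; one post above
# reports a crash with it on the 2.76-1-ubnt2 build, so drop it if yours misbehaves.
dnssec_options() {
  cat <<'EOF'
dnssec
dnssec-check-unsigned
trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
EOF
}

# dnssec_status < dig-output
# Classifies a `dig +dnssec` answer: "validated" when the AD flag is set,
# "bogus" when the resolver returned SERVFAIL (signatures failed), and
# "insecure" when it answered without AD (unsigned zone, or validation off).
dnssec_status() {
  awk '
    /^;; ->>HEADER<<-/ && /status: SERVFAIL/ { servfail = 1 }
    /^;; flags:/       && / ad[ ;]/          { ad = 1 }
    END {
      if (servfail)  print "bogus"
      else if (ad)   print "validated"
      else           print "insecure"
    }'
}

# Query one name through the router (assumed on 127.0.0.1) and classify it.
# +noall +comments keeps only the header and flags lines the classifier reads.
check_name() {
  dig @127.0.0.1 +dnssec +noall +comments "$1" | dnssec_status
}

# Usage: sh dnssec-check.sh --check
# example.com is a signed zone and should report "validated"; dnssec-failed.org
# is a public test zone with deliberately broken signatures and must be "bogus".
# If a signed zone comes back "insecure", dnsmasq is not validating at all.
if [ "${1-}" = "--check" ]; then
  dnssec_options
  for n in example.com dnssec-failed.org; do
    printf '%-24s %s\n' "$n" "$(check_name "$n")"
  done
fi
```

On EdgeOS these options are normally entered one per `set service dns forwarding options '...'` statement rather than edited into dnsmasq.conf directly; check that against your firmware's CLI, as the exact node is an assumption here. A "validated" answer from a signed zone together with "bogus" from dnssec-failed.org is the evidence that both validation and the trust anchors are in order; SERVFAIL on ordinary signed zones is the symptom of a missing or stale anchor.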

Established Member
Posts: 911
Registered: ‎02-04-2015
Kudos: 529
Solutions: 36

Re: DNSSEC & dnsmasq with EdgeRouter 1.8.5

[ Edited ]

@darkgrue Since the router doesn't have a battery, it has no way of keeping time when it is powered off, so when it boots up the time will always be set wrong. If you check the log on your router, you'll see the very first messages after boot and before NTP sync have the wrong time as well; then there is a sudden jump once the clock is set.

 

I think the problem here is that most routers show a fairly old date, like the firmware build date, on boot-up. Knowing this, the dnsmasq developers built this timestamp option, thinking that after a power failure the router's date will be really old and the timestamp will catch this as being the wrong time.

 

For EdgeOS, Ubiquiti decided to add a feature that makes a note of the time daily on flash. Then when the router boots it uses this time, so the time will still be wrong, but it will be within 24 hours. The problem here is that this is still wrong enough for DNSSEC to fail, but not wrong enough for the timestamp to catch it.

 

@karog I am using dnssec-check-unsigned with no issues. I'm using that along with dnssec-no-timecheck and the two trust anchors. If you check the log (/var/log/dnsmasq.log), is there anything interesting there before the crash? How many clients do you have on your network? What do you have the cache-size parameter set to? I am using 1500.

edit: The only other thing I am doing differently from you is that I am using Verisign DNS instead of Google. I don't think it should matter, but do you want to give it a try? Their servers are 64.6.64.6 / 64.6.65.6.
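The failure mode worked out across the posts above (dnsmasq's timestamp file only catches a clock that is behind the persisted mtime, while EdgeOS restores a daily-saved time that is close enough to pass that check yet hours wrong, so signature validity windows still fail) and the suggested workaround (start with --dnssec-no-timecheck and signal dnsmasq once the time is trustworthy) can be tied together in a post-NTP hook. The script below is an added example, not code from the thread, from Ubiquiti or from the dnsmasq project. It assumes dnsmasq was started with dnssec-no-timecheck and/or dnssec-timestamp pointing at a file under /config (the persistent filesystem, as noted above), that `ntpq -pn` is available (EdgeOS ships ntpd) and marks the selected peer with `*`, and that the re-enabling signal is SIGHUP on the 2.76 build discussed here, while later dnsmasq releases document SIGINT for this purpose, so TIMECHECK_SIGNAL is a setting, not a fact about your build. The clock floor value, the offset limit, the file path and the `--run` entry point are all illustrative choices.

```shell
#!/bin/sh
# Added example (not from the thread, Ubiquiti or dnsmasq): decide when the
# system clock is trustworthy enough to let dnsmasq enforce DNSSEC signature
# validity windows, then persist the time and signal dnsmasq.
set -u

TS_FILE="${TS_FILE:-/config/dnsmasq/dnssec-timestamp}"   # on persistent /config
# HUP per the 2.76 build discussed in the thread; newer dnsmasq documents INT.
TIMECHECK_SIGNAL="${TIMECHECK_SIGNAL:-HUP}"
# A clock earlier than this is certainly wrong. The firmware build date is a
# sensible floor; 2017-07-01T00:00:00Z is just the value used in this example.
CLOCK_FLOOR_EPOCH="${CLOCK_FLOOR_EPOCH:-1498867200}"
# Largest NTP offset (milliseconds) accepted before enabling checks. Signature
# validity windows are hours to days wide, so sub-second accuracy is plenty.
MAX_OFFSET_MS="${MAX_OFFSET_MS:-1000}"

# clock_plausible NOW_EPOCH TS_MTIME_EPOCH
# The same coarse test the timestamp file gives you: now must be after the
# floor and not earlier than the last persisted time. It cannot tell a clock
# that is 20 hours slow from a correct one, which is exactly the EdgeOS case,
# so it is only a guard against absurd values; ntp_synced is the real gate.
clock_plausible() {
  now=$1; ts=$2
  [ "$now" -ge "$CLOCK_FLOOR_EPOCH" ] && [ "$now" -ge "$ts" ]
}

# ntp_synced < output-of-ntpq-pn
# Succeeds only if a peer is selected ('*' in column 1) and its offset
# (9th field, milliseconds) is within MAX_OFFSET_MS.
ntp_synced() {
  awk -v max="$MAX_OFFSET_MS" '
    /^\*/ { off = $9; if (off < 0) off = -off; if (off <= max) ok = 1 }
    END   { if (ok) exit 0; exit 1 }'
}

# enable_timecheck: record the now-trusted time on persistent storage and tell
# dnsmasq to start enforcing validity windows (it also drops records it cached
# without the time check). pkill comes with procps on Debian-based EdgeOS.
enable_timecheck() {
  mkdir -p "$(dirname "$TS_FILE")"
  touch "$TS_FILE"                        # mtime := now
  pkill -"$TIMECHECK_SIGNAL" -x dnsmasq
}

main() {
  now=$(date +%s)
  if [ -e "$TS_FILE" ]; then ts=$(stat -c %Y "$TS_FILE"); else ts=0; fi
  if ! clock_plausible "$now" "$ts"; then
    echo "clock $now implausible (floor $CLOCK_FLOOR_EPOCH, saved $ts); leaving DNSSEC time checks off" >&2
    return 1
  fi
  if ! ntpq -pn 2>/dev/null | ntp_synced; then
    echo "no NTP peer selected within ${MAX_OFFSET_MS}ms yet; leaving DNSSEC time checks off" >&2
    return 1
  fi
  enable_timecheck
}

# Usage: sh dnssec-timecheck.sh --run   (from cron every few minutes, or from
# a post-NTP hook). The guard keeps the functions sourceable for testing.
if [ "${1-}" = "--run" ]; then main; fi
```

The point of the two-stage gate is that neither check alone is enough on this hardware: the timestamp comparison passes on a clock that is a day slow, and NTP cannot be trusted until the clock is at least in the right year. Run it repeatedly until it succeeds once after each boot; sending the signal to a dnsmasq that has already re-enabled checks is harmless.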

Established Member
Posts: 1,525
Registered: ‎05-03-2016
Kudos: 520
Solutions: 147

Re: DNSSEC & dnsmasq with EdgeRouter 1.8.5

@poisonsnak There was nothing in the log. I have about 20 clients. Cache is set at 300.

I may give those DNS servers a try at some point.

One other thing is that my external DNS requests go through a VPN service to reduce ISP tracking.

Thanks for your reply.
New Member
Posts: 23
Registered: ‎07-23-2016
Kudos: 1

Re: DNSSEC & dnsmasq with EdgeRouter 1.8.5

[ Edited ]

Wow, DNSSEC in dnsmasq, cool!

 

With the help of this forum, I was able to cut over to dnsmasq earlier this year, and have moved to EdgeRouter Lite v1.9.7+hotfix.4. Reading this thread, I'm happy that it appears DNSSEC may work, just in time for the new Quad9 service, which seems to be a smidgen faster than Google 8.8.8.8 DNS and offers DNSSEC! I have documented how I changed my DNS forwarding, and things are working well so far.

 

Next tests will be hard-coded IPs for NTP and configuring for DNSSEC as explained here in this thread, then monitoring carefully to see how it all goes. I'm sending my syslog output (set to information) to my new syslog server.

 

If this DNSSEC implementation works out, DNSSEC support could be quite a selling point for UBNT.

 

Now if only DNS forwarding and dnsmasq activation could all be configured with a GUI; that would surely make this a lot more appealing to the home lab enthusiast looking to step up from limited-feature-set consumer-class routers that tend to suffer from firmware upgrade neglect. For now, new users need to ssh in and learn a bit of command line, which invariably hinders adoption, but I realize GUI development takes time and effort. One can always hope.

 

PS. I've included my DNS Benchmark results; curious if folks not located in the northeastern US still find that 9.9.9.9 comes out ahead of 8.8.8.8, and whether DNSSEC would slow lookups down in any noticeable way.

[image: DNS Benchmark results, zip code 06109 on Cox Communications, 2017-11-16, TinkerTry]