@cotequeiroz
Sorry for the delayed response (life gets in the way 🙂)...

I tried the CIPHERS line you posted (DES-CBC, DES-EDE3-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC) and openssh works!

Still fails with the default CIPHERS (DES-CBC, DES-EDE3-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-128-ECB, AES-192-ECB, AES-256-ECB) - so it looks like ECB is being used by openssh and failing.

Here's the output from openssl engine you requested:

(dynamic) Dynamic engine loading support
[Failure]: DUMP_INFO
3070010748:error:260AC089:engine routines:int_ctrl_helper:invalid cmd name:crypto/engine/eng_ctrl.c:87:
3070010748:error:260AB089:engine routines:ENGINE_ctrl_cmd_string:invalid cmd name:crypto/engine/eng_ctrl.c:255:
     [ unavailable ]
(devcrypto) /dev/crypto engine
Information about ciphers supported by the /dev/crypto engine:
Cipher DES-CBC, NID=31, /dev/crypto info: id=1, driver=mv-cbc-des (hw accelerated)
Cipher DES-EDE3-CBC, NID=44, /dev/crypto info: id=2, driver=mv-cbc-des3-ede (hw accelerated)
Cipher BF-CBC, NID=91, /dev/crypto info: id=3, CIOCGSESSION (session open call) failed
Cipher CAST5-CBC, NID=108, /dev/crypto info: id=4, CIOCGSESSION (session open call) failed
Cipher AES-128-CBC, NID=419, /dev/crypto info: id=11, driver=mv-cbc-aes (hw accelerated)
Cipher AES-192-CBC, NID=423, /dev/crypto info: id=11, driver=mv-cbc-aes (hw accelerated)
Cipher AES-256-CBC, NID=427, /dev/crypto info: id=11, driver=mv-cbc-aes (hw accelerated)
Cipher RC4, NID=5, /dev/crypto info: id=12, CIOCGSESSION (session open call) failed
Cipher AES-128-CTR, NID=904, /dev/crypto info: id=21, CIOCGSESSION (session open call) failed
Cipher AES-192-CTR, NID=905, /dev/crypto info: id=21, CIOCGSESSION (session open call) failed
Cipher AES-256-CTR, NID=906, /dev/crypto info: id=21, CIOCGSESSION (session open call) failed
Cipher AES-128-ECB, NID=418, /dev/crypto info: id=23, driver=mv-ecb-aes (hw accelerated)
Cipher AES-192-ECB, NID=422, /dev/crypto info: id=23, driver=mv-ecb-aes (hw accelerated)
Cipher AES-256-ECB, NID=426, /dev/crypto info: id=23, driver=mv-ecb-aes (hw accelerated)

Information about digests supported by the /dev/crypto engine:
Digest MD5, NID=4, /dev/crypto info: id=13, driver=mv-md5 (hw accelerated), CIOCCPHASH capable
Digest SHA1, NID=64, /dev/crypto info: id=14, driver=mv-sha1 (hw accelerated), CIOCCPHASH capable
Digest RIPEMD160, NID=117, /dev/crypto info: id=102, driver=unknown. CIOCGSESSION (session open) failed
Digest SHA224, NID=675, /dev/crypto info: id=103, driver=sha224-asm (software), CIOCCPHASH capable
Digest SHA256, NID=672, /dev/crypto info: id=104, driver=mv-sha256 (hw accelerated), CIOCCPHASH capable
Digest SHA384, NID=673, /dev/crypto info: id=105, driver=sha384-arm (software), CIOCCPHASH capable
Digest SHA512, NID=674, /dev/crypto info: id=106, driver=sha512-arm (software), CIOCCPHASH capable

[Success]: DUMP_INFO
 [DES-CBC, DES-EDE3-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-128-ECB, AES-192-ECB, AES-256-ECB]
     [ available ]

Probably a different issue, but when I use scp to the server (non-root user), I get the following error (on the client side!):

Could not open /dev/crypto: Permission denied

Might be related to the split permissions on the server and /dev/crypto having root only permissions:

crw-------    1 root     root       10,  58 Jul 16 05:45 /dev/crypto

Do one more test for me, please. Try to set more lax permissions (0666) on /dev/crypto and see if the ECB problems go away. I don't necessarily see that as a security concern--you're basically giving all users access to a library. sshd is hard for me to debug: too many forks to keep up with. I'll probably change the default for CIPHERS to the ones I recommended to you.

Tried with the default CIPHERS and 0666 on /dev/crypto, and received the same "Couldn't obtain random bytes (error 0x2015019)" error on a ssh connection.

With the recommended CIPHERS and the 0666 perms, the scp permissions warning does go away though... (note: even with 0600 perms on /dev/crypto, scp would work, just gives a permissions warning)

Thanks. The permission warning also means /dev/crypto is not going to be used with that connection.

So, 2 things that could be done.

  1. Force upgrade and hope for the best. Not to do yet.
  2. sysupgrade from command line.

Do you have OpenWrt on the other partition? If so, what is installed? You can find this information in the Advanced Reboot section in LuCI.
If you don't have OpenWrt on the other partition then you will need to upgrade using the .img file.

It has been reported in the past, but I thought all those issues had been resolved. So, this issue is the first I've heard of in some time. I was able to add a line using LuCI with the build I'm on now.

Yes, both partitions are OpenWrt (both from your images)

I upgraded your builds on this router several times, this is the first time it's not working.

Go ahead and try to load the .img... Keep settings, and see if it complains.

It is fine to use the .img too. The advantage of using the .bin over .img is wear leveling over time.

same error with the openwrt-mvebu-cortexa9-linksys_wrt1200ac-squashfs-factory.img file

so next up commandline sysupgrade? any ideas why it is complaining?

The only thing I can think is because the other kernel is 4.14, but really that shouldn't hold it back.

So, at this point you can force the upgrade. If there is a problem revert back to the partition you are on now. Just keep the instructions handy to revert back if you need to.

Scroll down to power switch.
https://openwrt.org/toh/linksys/linksys_wrt1900ac#firmware_recovery

Load up PuTTY or any other SSH client

then run the following

cd /tmp
wget https://dc502wrt.org/snapshots/r10525/targets/mvebu/cortexa9/openwrt-mvebu-cortexa9-linksys_wrt1200ac-squashfs-sysupgrade.bin -O upgrade.bin
sysupgrade upgrade.bin

Hi David
Interesting... and I think my inability to manage it through LuCI is at the root of why I can't get dnscrypt 2 to work properly.
So I retested the whole thing, step by step, and at stage 8 got the successful result

root@OpenWrt:/etc/config# dnscrypt-proxy -config /etc/config/dnscrypt-proxy.toml -check
[2019-07-20 10:57:21] [NOTICE] Source [public-resolvers.md] loaded
[2019-07-20 10:57:21] [NOTICE] Configuration successfully checked

I put a line into /etc/config/network - option dns '127.0.0.1#5300'

but LuCI doesn't allow me to set forwardings to this address. In DHCP and DNS > DNS Forwarding it just won't let me do anything, nothing happens at all. And attempting to remove the checkbox in Network > WAN > Advanced > Use DNS servers advertised by peer generates what looks like a JavaScript error - see image.

All resolution is then still by my ISP's DNS...

Domain exists:  yes, 4 name servers found
Canonical name: google.com.
IP addresses:   2a00:1450:4009:809::200e, 172.217.169.78
TXT records:    docusign=05958488-4752-4ef2-95eb-aa7ba8a3bd0e docusign=1b0a6754-49b1-4db5-8540-d2c12664b289 facebook-domain-verification=22rm551cu4k0ab0bxsw536tlds4h95 v=spf1 include:_spf.google.com ~all globalsign-smime-dv=CDYX+XFHUw2wml6/Gb8+59BsH31KzUr6c1l2BPvqKX8=
Resolver IP:    90.207.224.77 (extdns0.cdns16.enbgk.isp.sky.com.)

What do you think? Which file can I change to tell the software to ignore my ISP's DNS, so bypassing what look like bugs in LuCI?

all the best as always

@waynea

I've been able to duplicate the LuCI issue you have described. The following should be the workaround.

Put the following line in the network configuration under WAN.

option peerdns '0'
option dns '127.0.0.1#5300'

@solidus1983
Unfortunately this script to downgrade samba4 in r10525 does not work on my WRT1900ACS V2. I run out of space on /overlay. I first had to make two changes to your script... First, I use #!/bin/sh and second you had a typo (an extra a) in mv /etc/samaba/smb.conf.template. I did a clean install of r10525 and then ran the script, and below is the full output. David noticed my /overlay space seemed small and we are working on that in a different thread. However, I wanted to post my findings on the samba4 downgrade here with my 1900ACS.

root@OpenWrt:/tmp# df -h
Filesystem                Size      Used Available Use% Mounted on
/dev/root                18.5M     18.5M         0 100% /rom
tmpfs                   249.5M      3.4M    246.1M   1% /tmp
/dev/ubi0_1               9.0M    188.0K      8.3M   2% /overlay
overlayfs:/overlay        9.0M    188.0K      8.3M   2% /
ubi1:syscfg              29.6M    368.0K     27.7M   1% /tmp/syscfg
tmpfs                   512.0K         0    512.0K   0% /dev
/dev/sda1                28.1G      6.7G     19.9G  25% /mnt/sda1
/dev/ubi1_0              29.6M    368.0K     27.7M   1% /mnt/ubi1_0
root@OpenWrt:/tmp# ./fixsamba4.sh
Downloading https://raw.githubusercontent.com/stangri/openwrt-repo/master/Packages.gz
Updated list of available packages in /var/opkg-lists/stangri_repo
Downloading https://raw.githubusercontent.com/stangri/openwrt-repo/master/Packages.sig
Signature check passed.
Downloading https://dc502wrt.org/snapshots/r10525/targets/mvebu/cortexa9/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_core
Downloading https://dc502wrt.org/snapshots/r10525/targets/mvebu/cortexa9/packages/Packages.sig
Signature check passed.
Downloading https://dc502wrt.org/snapshots/r10525/packages/arm_cortex-a9_vfpv3/base/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_base
Downloading https://dc502wrt.org/snapshots/r10525/packages/arm_cortex-a9_vfpv3/base/Packages.sig
Signature check passed.
Downloading https://dc502wrt.org/snapshots/r10525/packages/arm_cortex-a9_vfpv3/atmeterial/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_atmeterial
Downloading https://dc502wrt.org/snapshots/r10525/packages/arm_cortex-a9_vfpv3/atmeterial/Packages.sig
Signature check passed.
Downloading https://dc502wrt.org/snapshots/r10525/packages/arm_cortex-a9_vfpv3/darkmatter/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_darkmatter
Downloading https://dc502wrt.org/snapshots/r10525/packages/arm_cortex-a9_vfpv3/darkmatter/Packages.sig
Signature check passed.
Downloading https://dc502wrt.org/snapshots/r10525/packages/arm_cortex-a9_vfpv3/luci/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_luci
Downloading https://dc502wrt.org/snapshots/r10525/packages/arm_cortex-a9_vfpv3/luci/Packages.sig
Signature check passed.
Downloading https://dc502wrt.org/snapshots/r10525/packages/arm_cortex-a9_vfpv3/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_packages
Downloading https://dc502wrt.org/snapshots/r10525/packages/arm_cortex-a9_vfpv3/packages/Packages.sig
Signature check passed.
Downloading https://dc502wrt.org/snapshots/r10525/packages/arm_cortex-a9_vfpv3/routing/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_routing
Downloading https://dc502wrt.org/snapshots/r10525/packages/arm_cortex-a9_vfpv3/routing/Packages.sig
Signature check passed.
Downloading https://dc502wrt.org/snapshots/r10525/packages/arm_cortex-a9_vfpv3/telephony/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_telephony
Downloading https://dc502wrt.org/snapshots/r10525/packages/arm_cortex-a9_vfpv3/telephony/Packages.sig
Signature check passed.
Removing package luci-app-samba4 from root...
Removing package samba4-server from root...
Not deleting modified conffile /etc/samba/smb.conf.template.
Not deleting modified conffile /etc/config/samba4.
Removing package samba4-utils from root...
Removing package samba4-libs from root...
Collected errors:
 * opkg_remove_cmd: Package samba4-server is not installed.
 * opkg_remove_cmd: Package samba4-utils is not installed.
 * opkg_remove_cmd: Package luci-app-samba4 is not installed.
--2019-07-20 07:41:17--  https://dc502wrt.org/snapshots/r10307/packages/arm_cortex-a9_vfpv3/packages/samba4-admin_4.9.8-1_arm_cortex-a9_vfpv3.ipk
Resolving dc502wrt.org... 45.79.194.151
Connecting to dc502wrt.org|45.79.194.151|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 526156 (514K) [application/vnd.shana.informed.package]
Saving to: '/tmp/ipk/samba4-admin_4.9.8-1_arm_cortex-a9_vfpv3.ipk'

/tmp/ipk/samba4-admin_4.9.8-1 100%[================================================>] 513.82K  1.48MB/s    in 0.3s    

2019-07-20 07:41:18 (1.48 MB/s) - '/tmp/ipk/samba4-admin_4.9.8-1_arm_cortex-a9_vfpv3.ipk' saved [526156/526156]

--2019-07-20 07:41:18--  https://dc502wrt.org/snapshots/r10307/packages/arm_cortex-a9_vfpv3/packages/samba4-client_4.9.8-1_arm_cortex-a9_vfpv3.ipk
Resolving dc502wrt.org... 45.79.194.151
Connecting to dc502wrt.org|45.79.194.151|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 69765 (68K) [application/vnd.shana.informed.package]
Saving to: '/tmp/ipk/samba4-client_4.9.8-1_arm_cortex-a9_vfpv3.ipk'

/tmp/ipk/samba4-client_4.9.8- 100%[================================================>]  68.13K  --.-KB/s    in 0.1s    

2019-07-20 07:41:18 (513 KB/s) - '/tmp/ipk/samba4-client_4.9.8-1_arm_cortex-a9_vfpv3.ipk' saved [69765/69765]

--2019-07-20 07:41:18--  https://dc502wrt.org/snapshots/r10307/packages/arm_cortex-a9_vfpv3/packages/samba4-libs_4.9.8-1_arm_cortex-a9_vfpv3.ipk
Resolving dc502wrt.org... 45.79.194.151
Connecting to dc502wrt.org|45.79.194.151|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6081426 (5.8M) [application/vnd.shana.informed.package]
Saving to: '/tmp/ipk/samba4-libs_4.9.8-1_arm_cortex-a9_vfpv3.ipk'

/tmp/ipk/samba4-libs_4.9.8-1_ 100%[================================================>]   5.80M  5.58MB/s    in 1.0s    

2019-07-20 07:41:20 (5.58 MB/s) - '/tmp/ipk/samba4-libs_4.9.8-1_arm_cortex-a9_vfpv3.ipk' saved [6081426/6081426]

--2019-07-20 07:41:20--  https://dc502wrt.org/snapshots/r10307/packages/arm_cortex-a9_vfpv3/packages/samba4-server_4.9.8-1_arm_cortex-a9_vfpv3.ipk
Resolving dc502wrt.org... 45.79.194.151
Connecting to dc502wrt.org|45.79.194.151|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 150055 (147K) [application/vnd.shana.informed.package]
Saving to: '/tmp/ipk/samba4-server_4.9.8-1_arm_cortex-a9_vfpv3.ipk'

/tmp/ipk/samba4-server_4.9.8- 100%[================================================>] 146.54K   748KB/s    in 0.2s    

2019-07-20 07:41:20 (748 KB/s) - '/tmp/ipk/samba4-server_4.9.8-1_arm_cortex-a9_vfpv3.ipk' saved [150055/150055]

--2019-07-20 07:41:20--  https://dc502wrt.org/snapshots/r10307/packages/arm_cortex-a9_vfpv3/packages/samba4-utils_4.9.8-1_arm_cortex-a9_vfpv3.ipk
Resolving dc502wrt.org... 45.79.194.151
Connecting to dc502wrt.org|45.79.194.151|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 65905 (64K) [application/vnd.shana.informed.package]
Saving to: '/tmp/ipk/samba4-utils_4.9.8-1_arm_cortex-a9_vfpv3.ipk'

/tmp/ipk/samba4-utils_4.9.8-1 100%[================================================>]  64.36K  --.-KB/s    in 0.1s    

2019-07-20 07:41:21 (488 KB/s) - '/tmp/ipk/samba4-utils_4.9.8-1_arm_cortex-a9_vfpv3.ipk' saved [65905/65905]

--2019-07-20 07:41:21--  https://dc502wrt.org/snapshots/r10307/packages/arm_cortex-a9_vfpv3/luci/luci-app-samba4_git-19.170.41626-1154c41-1_all.ipk
Resolving dc502wrt.org... 45.79.194.151
Connecting to dc502wrt.org|45.79.194.151|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2472 (2.4K) [application/vnd.shana.informed.package]
Saving to: '/tmp/ipk/luci-app-samba4_git-19.170.41626-1154c41-1_all.ipk'

/tmp/ipk/luci-app-samba4_git- 100%[================================================>]   2.41K  --.-KB/s    in 0s      

2019-07-20 07:41:21 (18.2 MB/s) - '/tmp/ipk/luci-app-samba4_git-19.170.41626-1154c41-1_all.ipk' saved [2472/2472]

--2019-07-20 07:41:21--  https://dc502wrt.org/snapshots/r10307/packages/arm_cortex-a9_vfpv3/luci/luci-i18n-samba4-cs_git-19.170.41626-1154c41-1_all.ipk
Resolving dc502wrt.org... 45.79.194.151
Connecting to dc502wrt.org|45.79.194.151|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1868 (1.8K) [application/vnd.shana.informed.package]
Saving to: '/tmp/ipk/luci-i18n-samba4-cs_git-19.170.41626-1154c41-1_all.ipk'

/tmp/ipk/luci-i18n-samba4-cs_ 100%[================================================>]   1.82K  --.-KB/s    in 0s      

2019-07-20 07:41:22 (11.6 MB/s) - '/tmp/ipk/luci-i18n-samba4-cs_git-19.170.41626-1154c41-1_all.ipk' saved [1868/1868]

--2019-07-20 07:41:22--  https://dc502wrt.org/snapshots/r10307/packages/arm_cortex-a9_vfpv3/luci/luci-i18n-samba4-en_git-19.170.41626-1154c41-1_all.ipk
Resolving dc502wrt.org... 45.79.194.151
Connecting to dc502wrt.org|45.79.194.151|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1405 (1.4K) [application/vnd.shana.informed.package]
Saving to: '/tmp/ipk/luci-i18n-samba4-en_git-19.170.41626-1154c41-1_all.ipk'

/tmp/ipk/luci-i18n-samba4-en_ 100%[================================================>]   1.37K  --.-KB/s    in 0s      

2019-07-20 07:41:22 (13.6 MB/s) - '/tmp/ipk/luci-i18n-samba4-en_git-19.170.41626-1154c41-1_all.ipk' saved [1405/1405]

Installing luci-app-samba4 (git-19.170.41626-1154c41-1) to root...
Installing samba4-libs (4.9.8-1) to root...
Installing luci-i18n-samba4-cs (git-19.170.41626-1154c41-1) to root...
Installing luci-i18n-samba4-en (git-19.170.41626-1154c41-1) to root...
Installing samba4-admin (4.9.8-1) to root...
Installing samba4-client (4.9.8-1) to root...
Installing samba4-libs (4.9.8-1) to root...
Installing samba4-server (4.9.8-1) to root...
Installing samba4-utils (4.9.8-1) to root...
Collected errors:
 * pkg_write_filelist: Failed to open //usr/lib/opkg/info/samba4-libs.list: No space left on device.
 * opkg_install_pkg: Failed to extract data files for samba4-libs. Package debris may remain!
 * opkg_install_cmd: Cannot install package luci-app-samba4.
 * verify_pkg_installable: Only have 0kb available on filesystem /overlay, pkg luci-i18n-samba4-cs needs 2
 * opkg_install_cmd: Cannot install package luci-i18n-samba4-cs.
 * verify_pkg_installable: Only have 0kb available on filesystem /overlay, pkg luci-i18n-samba4-en needs 1
 * opkg_install_cmd: Cannot install package luci-i18n-samba4-en.
 * verify_pkg_installable: Only have 0kb available on filesystem /overlay, pkg samba4-admin needs 518
 * opkg_install_cmd: Cannot install package samba4-admin.
 * verify_pkg_installable: Only have 0kb available on filesystem /overlay, pkg samba4-client needs 68
 * opkg_install_cmd: Cannot install package samba4-client.
 * verify_pkg_installable: Only have 0kb available on filesystem /overlay, pkg samba4-libs needs 6020
 * opkg_install_cmd: Cannot install package samba4-libs.
 * verify_pkg_installable: Only have 0kb available on filesystem /overlay, pkg samba4-server needs 147
 * opkg_install_cmd: Cannot install package samba4-server.
 * verify_pkg_installable: Only have 0kb available on filesystem /overlay, pkg samba4-utils needs 64
 * opkg_install_cmd: Cannot install package samba4-utils.
 * opkg_conf_write_status_files: Couldn't close //usr/lib/opkg/status: No space left on device.
./fixsamba4.sh: line 15: /etc/init.d/samba4: not found
./fixsamba4.sh: line 16: /etc/init.d/samba4: not found
root@OpenWrt:/tmp# df -h
Filesystem                Size      Used Available Use% Mounted on
/dev/root                18.5M     18.5M         0 100% /rom
tmpfs                   249.5M     10.7M    238.8M   4% /tmp
/dev/ubi0_1               9.0M      8.9M         0 100% /overlay
overlayfs:/overlay        9.0M      8.9M         0 100% /
ubi1:syscfg              29.6M    368.0K     27.7M   1% /tmp/syscfg
tmpfs                   512.0K         0    512.0K   0% /dev
/dev/sda1                28.1G      6.7G     19.9G  25% /mnt/sda1
/dev/ubi1_0              29.6M    368.0K     27.7M   1% /mnt/ubi1_0
root@OpenWrt:/tmp# exit
Connection to openwrt.lan closed.

@slim0287

I'm waiting for my daughter to get back with me. I sent her off to college with my 1900acs V2. It hasn't been updated in probably 2 years :). I'm curious to see how space is allocated on it.


Still get resolution to my ISP DNS I'm afraid. Is there a value to be changed to reflect that LuCI won't let me set forwardings to 127.0.0.1#5300 in DHCP and DNS > DNS?

The following should be unchecked "Use DNS servers advertised by peer"
& Use custom DNS servers = 127.0.0.1#5300

If both of the above are in place then it won't use your ISP's DNS. The exception is if DHCP is set up to give clients your ISP's DNS IPs. Then hosts on your network will continue to use your ISP's DNS servers.

The way you can tell if it is working properly is to run the following command.
openwrt# tcpdump -nnvi eth0 dst port 53

Keep the above command running and then open another command line to your router and do a couple of nslookups. Also, do some lookups from clients on the LAN. If you see no results from the command above then DNS is working properly. If you are getting no results from the router, but you see results from your clients, then that means DHCP needs to be configured differently.
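
The check described above can be scripted. As an added example (not part of the original post), the shell functions below summarise the output of that tcpdump command per source and resolver; the sample capture and its addresses are constructed, and only IPv4 is parsed.

```shell
#!/bin/sh
# Added example, not from the thread: summarise plaintext DNS queries seen by
#   tcpdump -nnvi eth0 dst port 53
# Input: tcpdump text on stdin. Output: "<count> <source> -> <resolver>" lines.

dns_leak_summary() {
    awk '
    {
        # With -v the address pair is on a continuation line, without -v it
        # follows the timestamp, so scan every field for "src > dst:".
        for (i = 1; i + 2 <= NF; i++) {
            if ($(i + 1) != ">") continue
            src = $i
            dst = $(i + 2)
            sub(/:$/, "", dst)
            # IPv4 only: tcpdump -nn prints a.b.c.d.port
            if (dst !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.53$/) continue
            if (src !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) continue
            sub(/\.[0-9]+$/, "", src)   # drop source port
            sub(/\.53$/, "", dst)       # drop destination port
            seen[src " -> " dst]++
        }
    }
    END { for (k in seen) print seen[k], k }
    ' | sort
}

# Returns 0 when the capture holds no plaintext DNS, 1 (and the summary) otherwise.
dns_leak_check() {
    out=$(dns_leak_summary)
    if [ -z "$out" ]; then
        echo "no plaintext DNS observed"
        return 0
    fi
    echo "$out"
    return 1
}

# Constructed sample capture (documentation address ranges, not real resolvers):
# two verbose-format queries to one resolver, one short-format query to another.
sample_capture() {
    cat <<'EOF'
10:00:01.000001 IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto UDP (17), length 57)
    192.0.2.10.41234 > 198.51.100.53.53: 4660+ A? example.com. (29)
10:00:02.000001 IP (tos 0x0, ttl 64, id 2, offset 0, flags [DF], proto UDP (17), length 57)
    192.0.2.10.41235 > 198.51.100.53.53: 4661+ AAAA? example.com. (29)
10:00:03.000001 IP 192.0.2.10.50000 > 203.0.113.7.53: 4662+ A? example.org. (29)
EOF
}

sample_capture | dns_leak_check || true
```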

So both Use DNS servers advertised by peer AND the box for custom DNS servers are unchecked.
this gives

tcpdump -nnvi eth0 dst port 53
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes

while in another terminal session, all resolution ceases

Domain exists:  probably not, or blocked by the proxy
Canonical name: -
IP addresses:   -
TXT records:    -

I had to restore the domain service by peer checkbox to get connectivity back whereupon resolution naturally shows my ISP's DNS.

Is this what you would expect? PS, in LuCI Network > DHCP and DNS now says This section contains no values yet, but I can connect to the web

You said - "So both Use DNS servers advertised by peer AND the box for custom DNS servers are unchecked." No, use custom DNS servers should look like below. Is this how yours looks?

By the way... Have you used the automated script that sets all of this up for you?

Hi (again!!)
yes mine looks like that now

and I downloaded the script from your site and followed the instructions, or at least I thought I did...! The check of the .toml file still seems positive