I have lately found an interest in the world of DNS, but we haven't made it easy! Not even with dnsmasq-full.
Is there any 1:1 conversion list between the official dnsmasq settings and the OpenWrt dhcp and network settings?
Like uci set network.wan.peerdns: what is peerdns called in dnsmasq? I can't even find that in the official manual?
But it turns off the ISP DNS server connection.
And is uci add_list network.wan.dns the same as dnsmasq server=?
Why have we made a non-standard setup, and why is it spread out between the network and dhcp config files?
For the list supported by OpenWrt have a look at https://openwrt.org/docs/guide-user/base-system/dhcp
What is not in the table needs to be set as a native dnsmasq option in a config file which needs to be included...
I'm on a mobile phone so I cannot check myself, but IIRC there is already a default file included... Use ps to get the currently running dnsmasq process. That way you see where the currently used config file lives in /var.
In this file you should find a reference to the mentioned default include file. There you can put your additional options not supported by OpenWrt UCI.
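As an added example (not code from the thread or from OpenWrt), the two steps above written out: pull the -C argument out of a ps listing to find the generated config, then parse that config for the directives that pull in further files. The ps line and the config text here are constructed samples with placeholder paths; on a router you would feed in the real output of ps w and the real file.

```python
"""Added example (not from the thread or OpenWrt): locate the dnsmasq config
file the init script generated and list the extra files it includes.

The sample ps line and config text are constructed; the paths are
placeholders, not copied from any particular OpenWrt build.
"""
import re

# Constructed sample of `ps w` output on a router; only the -C path matters.
SAMPLE_PS = """\
  PID USER       VSZ STAT COMMAND
 1234 dnsmasq   1200 S    /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf.cfgEXAMPLE -k -x /var/run/dnsmasq/dnsmasq.cfgEXAMPLE.pid
"""

# Constructed sample of a generated config: the directive names are real
# dnsmasq options, the values are placeholders.
SAMPLE_CONF = """\
# auto-generated config file from /etc/config/dhcp
conf-file=/etc/dnsmasq.conf
domain-needed
localise-queries
conf-dir=/tmp/dnsmasq.d
"""

# dnsmasq directives whose value names another file or directory to read.
INCLUDE_DIRECTIVES = ("conf-file", "conf-dir", "addn-hosts",
                      "dhcp-hostsfile", "servers-file")


def config_path_from_ps(ps_output):
    """Return the -C argument of the running dnsmasq, or None if absent."""
    for line in ps_output.splitlines():
        if "dnsmasq" not in line:
            continue
        m = re.search(r"(?:^|\s)-C\s+(\S+)", line)
        if m:
            return m.group(1)
    return None


def parse_directives(conf_text):
    """Split a dnsmasq config into (key, value) pairs; bare flags get None.
    Comment and blank lines are skipped."""
    result = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        result.append((key.strip(), value.strip() if sep else None))
    return result


def includes(conf_text):
    """Return the (directive, path) pairs for files or dirs the config pulls in;
    these are the places where native dnsmasq options can be added."""
    return [(k, v) for k, v in parse_directives(conf_text) if k in INCLUDE_DIRECTIVES]


if __name__ == "__main__":
    path = config_path_from_ps(SAMPLE_PS)
    print("running config:", path)
    for directive, target in includes(SAMPLE_CONF):
        print(f"{directive} -> {target}")
```

Anything placed in the directory named by conf-dir (or in the file named by conf-file) is read by dnsmasq directly, so it is the right spot for options that the UCI dhcp table does not map; edits to the generated file under /var itself are lost on the next restart.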
I changed the headline for the thread to fit the discussion more, since I am pretty sure there are a lot of users out there as confused about DNS, dnsmasq and DHCP as me.
Another question I found when I was cleaning up.
From the beginning, when I made my static leases, LuCI put a line called dns=1 in every static lease I set up.
So I did the same in the rest of my static leases, since I thought LuCI knew what to do.
But what does that line actually do? Today, for the first time, I tried a static lease with dns as 0 and as 1, and pretty much nothing interesting happens. The IP is resolved from the host name and the internet works on the device?
That one is pretty complicated, but a little like this. It is a lot easier when using host names instead of different IPs depending on what config script setup is loaded in the router.
Will probably start with this alternative when that time comes.
--dnssec-no-timecheck
DNSSEC signatures are only valid for specified time windows, and should be rejected outside those windows. This generates an interesting chicken-and-egg problem for machines which don't have a hardware real time clock. For these machines to determine the correct time typically requires use of NTP and therefore DNS, but validating DNS requires that the correct time is already known. Setting this flag removes the time-window checks (but not other DNSSEC validation.) only until the dnsmasq process receives SIGINT. The intention is that dnsmasq should be started with this flag when the platform determines that reliable time is not currently available. As soon as reliable time is established, a SIGINT should be sent to dnsmasq, which enables time checking, and purges the cache of DNS records which have not been thoroughly checked.
Earlier versions of dnsmasq overloaded SIGHUP (which re-reads much configuration) to also enable time validation.
If dnsmasq is run in debug mode (--no-daemon flag) then SIGINT retains its usual meaning of terminating the dnsmasq process.
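The manual text above describes a switch, not an algorithm, so here is the check it is switching, as an added example that is not dnsmasq's code: an RRSIG is accepted only when inception <= now <= expiration (RFC 4035 section 5.3.1), with the three 32-bit timestamps compared by serial-number arithmetic (RFC 4034 section 3.1.5, RFC 1982) so a window that wraps past 2^32 still works. The Validator class models the --dnssec-no-timecheck lifecycle: the window check is off at start-up, and enable_timecheck() does what the manual says SIGINT does, turning the check on and purging the records that were cached without it. The sig_ok flag stands in for the cryptographic verification, which is an assumption of this example, and the signal wiring itself is left out.

```python
"""Added example (not from dnsmasq or the thread): the RRSIG validity-window
check that --dnssec-no-timecheck suspends, and the on/off lifecycle the
manual describes. Cryptographic verification is represented by a boolean
(sig_ok); this is an assumption of the example, not real DNSSEC crypto.
"""

SERIAL_BITS = 32
SERIAL_HALF = 1 << (SERIAL_BITS - 1)
SERIAL_MOD = 1 << SERIAL_BITS


def serial_lt(a, b):
    """RFC 1982 'a < b' for 32-bit serial numbers (the space wraps at 2^32,
    so 2^32-100 counts as less than 100)."""
    a %= SERIAL_MOD
    b %= SERIAL_MOD
    return (a < b and b - a < SERIAL_HALF) or (a > b and a - b > SERIAL_HALF)


def serial_le(a, b):
    return a % SERIAL_MOD == b % SERIAL_MOD or serial_lt(a, b)


def in_validity_window(inception, expiration, now):
    """RFC 4035 5.3.1: inception <= now <= expiration, compared as serials."""
    return serial_le(inception, now) and serial_le(now, expiration)


class Validator:
    """Minimal model of the dnsmasq switch: time checks start disabled when
    the process is launched with --dnssec-no-timecheck; enable_timecheck()
    plays the role of SIGINT."""

    def __init__(self, no_timecheck=False):
        self.timecheck = not no_timecheck
        self.unchecked_cache = []   # names cached without a window check

    def enable_timecheck(self):
        """Turn the window check on and purge records that skipped it;
        returns the purged names so the caller can re-query them."""
        self.timecheck = True
        purged = list(self.unchecked_cache)
        self.unchecked_cache.clear()
        return purged

    def validate(self, name, sig_ok, inception, expiration, now):
        """Return 'secure' or 'bogus'. The signature check (sig_ok) is never
        skipped; only the time window is subject to the switch."""
        if not sig_ok:
            return "bogus"
        if not self.timecheck:
            self.unchecked_cache.append(name)
            return "secure"
        if in_validity_window(inception, expiration, now):
            return "secure"
        return "bogus"


if __name__ == "__main__":
    # Constructed scenario: a router without an RTC boots with its clock at
    # the epoch, resolves its NTP server, then gets reliable time.
    v = Validator(no_timecheck=True)
    print(v.validate("ntp.example.test.", True, 1_700_000_000, 1_701_000_000, now=0))
    print("purged on SIGINT:", v.enable_timecheck())
    print(v.validate("ntp.example.test.", True, 1_700_000_000, 1_701_000_000, now=1_700_500_000))
```

The scenario in the main block is the chicken-and-egg case from the manual: with the clock at the epoch every real signature would fail the window check, so the check is suspended just long enough to reach NTP, after which the suspended records are purged and re-validated against the real time.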
ISP DNS server and DNSSEC=OFF (all red lines except: Correct signature: that is green):
Oh no! Your DNS responses are not authenticated:
DNSSEC using ECDSA P-256 (FAIL)
Correct signature: connected
Invalid signature: connected
Expired signature: connected
Missing signature: connected
DNSSEC using ECDSA P-384 (FAIL)
Correct signature: connected
Invalid signature: connected
Expired signature: connected
Missing signature: connected
DNSSEC using Ed25519 (FAIL)
Correct signature: connected
Invalid signature: connected
Expired signature: connected
Missing signature: connected
Cloudflare and Google DNS servers and DNSSEC=OFF (all lines green):
Great! Your DNS responses are authenticated:
DNSSEC using ECDSA P-256 (PASS)
Correct signature: connected
Invalid signature: not connected
Expired signature: not connected
Missing signature: not connected
DNSSEC using ECDSA P-384 (PASS)
Correct signature: connected
Invalid signature: not connected
Expired signature: not connected
Missing signature: not connected
DNSSEC using Ed25519 (PASS)
Correct signature: connected
Invalid signature: not connected
Expired signature: not connected
Missing signature: not connected
Cloudflare and Google DNS servers and DNSSEC=ON (all lines green):
Great! Your DNS responses are authenticated:
DNSSEC using ECDSA P-256 (PASS)
Correct signature: connected
Invalid signature: not connected
Expired signature: not connected
Missing signature: not connected
DNSSEC using ECDSA P-384 (PASS)
Correct signature: connected
Invalid signature: not connected
Expired signature: not connected
Missing signature: not connected
DNSSEC using Ed25519 (PASS)
Correct signature: connected
Invalid signature: not connected
Expired signature: not connected
Missing signature: not connected
So now it is actually even worse, because now we have the other question: how do we actually turn off DNSSEC, or what is the meaning of the option dnssec?!?