
Re: Temporary failure in name resolution



On Mon 05 Apr 2021 at 09:33:25 (-0400), Stefan Monnier wrote:
> >>> A notable class of exceptions is that of OpenWrt powered devices:
> >>> OpenWrt comes with dnsmasq configured out of the box, and thus provides
> >>> caching.
> >> "Back in the days" (at the beginning of OpenWRT), most home routers used
> >> `dnsmasq`, AFAIK.  So I'd expect today's devices to use `dnsmasq` or
> >> similar as well.  Why would the manufacturers bundle some broken dns
> >> proxy/server instead of `dnsmasq`?

Perhaps because they want to scrutinise all the names that you look
up. That allows them to perform "security" and "family" filtering,
in the style of 1.1.1.2 and 1.1.1.3. And when they block a site,
they can insert their own web page to suck you into somewhere in
their servers.

> > I think it's an attempt to save on system resources, and also to reduce
> > cost and firmware size.
> > You can build a device that looks shiny on the outside and put a 5-8 year old
> > SoC inside with the bare minimum EEPROM and RAM required for it to function.
> 
> The ones with `dnsmasq` back then typically had 4MB of flash and 16MB of RAM.
> 
> Are the ones with broken DNS proxy/server really coming with fewer
> resources than that?
> 
> > And besides, you can make it so there is no internal DNServer at all,
> 
> That I can believe (and isn't a bad option, IMO),
> but the discussion was about broken DNS proxies/servers.

Well, I assume that's your term for the modem/router being leased
by the OP from att, and similar. I would assume that, rather like
BT (British Telecom) and their HomeHubs for domestic customers,
they lock in the addresses of their own DNS servers for the
reasons outlined above.

But I don't recognise your statement "most home routers used `dnsmasq`",
because AIUI dnsmasq implies "It can serve the names of local machines
which are not in the global DNS" (Wikipedia), and none of my routers has
been able to do that, even when they're the very device that handed out
the name and IP address by DHCP.

> > just a simple iptables SNAT rule for port #53 hidden from end user
> > behind a checkbox on the web interface named "Enable DNS relay".
> 
> That's not even needed: just tell the DHCP clients to use the ISP's
> DNS servers.

That seems to be the general solution. But I'm not sure if that's
possible with certain devices, like "smart" TVs that can browse
the web.

Cheers,
David.
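As an added illustration of the two mechanisms discussed in this thread (dnsmasq answering for names it handed out by DHCP, and a router telling DHCP clients to use an upstream resolver directly), the following dnsmasq.conf fragment was written for this note; it is not from the thread or from any router firmware. The interface name, local domain, address range and resolver address are assumptions chosen for the example.

```conf
# Constructed example dnsmasq.conf (not from the thread).
# Interface, domain, subnet and resolver address are placeholders.

# Only answer on the LAN bridge (assumed interface name).
interface=br-lan

# Local search domain; bare hostnames become host.lan (assumed domain).
domain=lan
expand-hosts

# Never forward .lan queries to the upstream resolver.
local=/lan/

# Hand out leases in this range (assumed subnet). By default dnsmasq
# publishes each lease's hostname as an A record, which is what lets a
# name that is not in the global DNS resolve on the LAN.
dhcp-range=192.168.1.100,192.168.1.200,12h

# Alternative quoted above: point clients straight at an upstream
# resolver (placeholder address) instead of at this box. Uncomment to
# enable; clients then bypass dnsmasq entirely.
#dhcp-option=option:dns-server,203.0.113.53
```

The two settings are in tension: once `dhcp-option=option:dns-server` names something other than the router, clients stop querying dnsmasq, so local names it learned from DHCP leases no longer resolve for them and any caching dnsmasq provided is lost. That trade-off is worth checking on a router before assuming that a "DNS relay" checkbox and local-name resolution can both be had at once.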

