
Dnsmasq: Cache Optimization and Howto

Discussion in 'Tomato Firmware' started by rcordorica, Oct 7, 2007.

  1. rcordorica

    rcordorica Network Guru Member

    Tomato includes Dnsmasq, a lightweight DNS forwarder and DHCP server. By default Dnsmasq is configured to only cache 150 DNS lookups; a very small number that can easily be exceeded by a typical home network.

    I decided to share my research and write this simple howto if you want to enable and use dnsmasq within Tomato.

    1. First consider using OpenDNS as your dns provider. OpenDNS servers are faster and have a larger DNS lookup cache than your typical ISP provider DNS server. OpenDNS by default protects you from phishing sites and auto-corrects mistyped urls. If you sign up for an account at opendns.com you will also get the benefit of network shortcuts, stat gathering, and website blocking.

    But you do not need an account to use the OpenDNS servers.

    Go to:
    Basic
    ->Network

    And in the LAN section, under Static DNS, enter the OpenDNS servers IP addresses.
    • 208.67.222.222
    • 208.67.220.220
    Click Save.


    2. Now we are going to enable dnsmasq and add some options.
    Go to:
    Advanced
    ->DHCP / DNS

    Use Internal Caching DNS Forwarder: This option enables the dnsmasq DNS lookup caching.

    Use Received DNS With Static DNS: This option configures dnsmasq to use your ISP's DNS server in addition to any Static DNS entries you have specified. I turn this off since my ISP's DNS server can be slow at peak hours. Upon startup Dnsmasq sends a query to all configured DNS servers in /etc/resolv.dnsmasq. The first server to reply back becomes the primary DNS server. If the server stops responding then Dnsmasq sends out another request and reassigns the primary server.

    Intercept DNS Port (UDP 53): This option may be helpful when used with OpenDNS for parental control. When enabled, anything going out to UDP port 53 is redirected to Dnsmasq. e.g. A client on your network can still configure their own DNS server for lookups to bypass the dnsmasq server on your router. By enabling this option their DNS lookup will always get redirected if they are going over port 53.

    Dnsmasq Custom Configuration:

    The options and comments are taken directly from the Dnsmasq man page.

    Enter the following options into the text box:
    Code:
    cache-size=2048
    log-async=5
    #strict-order

    cache-size: Set the size of dnsmasq's cache. The default is 150 names. Setting the cache size to zero disables caching.

    log-async: Enable asynchronous logging and optionally set the limit on the number of lines which will be queued by dnsmasq when writing to the syslog is slow. Dnsmasq can log asynchronously: this allows it to continue functioning without being blocked by syslog, and allows syslog to use dnsmasq for DNS queries without risking deadlock. If the queue of log-lines becomes full, dnsmasq will log the overflow, and the number of messages lost. The default queue length is 5, a sane value would be 5-25, and a maximum limit of 100 is imposed.

    extra: (commented out with a #)

    strict-order: By default, dnsmasq will send queries to any of the upstream servers it knows about and sets the server that is first to respond as the primary server. Setting this flag forces dnsmasq to try each query with each server strictly in the order they appear in /etc/resolv.dnsmasq (which is the order of the Static DNS list).


    Click Save.

    Finally, check your logs to make sure your changes and options took effect:
    Code:
    Oct  7 00:27:26 tomato user.warn kernel: nvram_commit(): init
    Oct  7 00:27:27 tomato user.warn kernel: nvram_commit(): end
    Oct  7 00:27:28 tomato daemon.info dnsmasq[1124]: exiting on receipt of SIGTERM
    Oct  7 00:27:28 tomato daemon.info dnsmasq[1242]: started, version 2.40 cachesize 2048
    Oct  7 00:27:28 tomato daemon.info dnsmasq[1242]: compile time options: no-IPv6 GNU-getopt no-RTC no-ISC-leasefile no-DBus no-I18N no-TFTP
    Oct  7 00:27:28 tomato daemon.info dnsmasq[1242]: asynchronous logging enabled, queue limit is 5 messages
    Oct  7 00:27:28 tomato daemon.info dnsmasq[1242]: DHCP, IP range 192.168.1.100 -- 192.168.1.149, lease time 1d
    Oct  7 00:27:28 tomato daemon.info dnsmasq[1242]: reading /etc/resolv.dnsmasq
    Oct  7 00:27:28 tomato daemon.info dnsmasq[1242]: using nameserver 208.67.220.220#53
    Oct  7 00:27:28 tomato daemon.info dnsmasq[1242]: using nameserver 208.67.222.222#53
    Oct  7 00:27:28 tomato daemon.info dnsmasq[1242]: read /etc/hosts - 0 addresses
    Oct  7 00:27:28 tomato daemon.info dnsmasq[1242]: read /etc/hosts.dnsmasq - 1 addresses

    Impact on lookup speed and memory:
    FYI, dnsmasq uses a hash function to store and look up DNS names, which means it can find any name in its cache in constant time. The practical application is that we can set a high limit on dnsmasq cache size and it won't slow down. The hard limit is 10000 if you have enough ram to store it.

    So far I have not exhausted my free RAM on my WRT54GLv1.1, but since I just changed the dnsmasq settings I haven't had time to stress the higher limits.

    Criticism and comments are welcome. I want to improve this guide. I will finish up commenting on all the options later.

    EDIT - Update:
    I just wanted to say that I have been using 8192 as my cache-size for a long time now without any issues, I have plenty of free ram left. 10000 isn't a problem either, at least on my configuration. Just make sure that you aren't running out of ram and you should be ok.
     
  2. rcordorica

    rcordorica Network Guru Member

    Bump. Just updated this with more info and clearer language. I think I'll leave the "lease time" explanation out since it's self explanatory.

    The reduce packet size option doesn't have anything to do with Dnsmasq either.
     
  3. GeeTek

    GeeTek Guest

    Definitely FAQ material. It is good to have some of the finer details of DNS explained and to have a way to optimize it. When it comes to DNS, I always stop messing with it when my PC resolves, which is usually somewhere in the neighborhood of 4.2.2.4, but with your instructions I may fiddle around with it to see what happens ! Thanks.
     
  4. mstombs

    mstombs Network Guru Member

    Just to add my 2p

    The option

    dhcp-authoritative

    seems to be the default for Tomato - it is already added.

    busybox udhcp is used to obtain the WAN side IP address, it is called with the option "-m" to reduce packet size.
     
  5. rcordorica

    rcordorica Network Guru Member

    Indeed, dhcp-authoritative is the default option. I will remove it from the guide. Here is proof with only the cache-size and async set:

    Code:
    #cat /tmp/etc/dnsmasq.conf 
    interface=br0
    resolv-file=/etc/resolv.dnsmasq
    addn-hosts=/etc/hosts.dnsmasq
    expand-hosts
    dhcp-range=192.168.1.100,192.168.1.149,255.255.255.0,1440m
    dhcp-option=3,192.168.1.1
    dhcp-authoritative
    dhcp-host=01:02:03:04:05:06,66.75.250.222
    cache-size=2048
    log-async=5

    I haven't found the "-m" option however for udhcp in any documentation. Can you point me to it?
     
  6. Macskeeball

    Macskeeball LI Guru Member

    You don't need an account for those two things. Those come by simply using them as your DNS provider. It's the parental controls and other things where the ability to adjust settings (because they depend on the individual) is needed that you have to have an OpenDNS account for.

    In my case, OpenDNS is significantly slower than the DNS servers of my ISP (AT&T Yahoo), but my family still uses them for the LAN-wide anti-phishing and parental controls.
     
  7. rcordorica

    rcordorica Network Guru Member

    I changed the guide to better reflect what OpenDNS accounts provide. Thanks. You also have to set up Tomato's DDNS option for OpenDNS for the account settings to be effective. I'll probably add that to the guide later.

    For me opendns servers are farther away, and hence have a slightly higher ping, but they return DNS lookups much faster than my ISP (RoadRunner) which has a slow to respond DNS server during peak hours. The OpenDNS server has a distributed DNS server system that when combined offer more direct DNS hits. Most ISP's DNS servers aren't as big, and have to ask the .com root for most uncommon or new sites. Though I imagine some ISP's do it right.
     
  8. mstombs

    mstombs Network Guru Member

    Nor me, busybox udhcp seems an old mature package - but this has been added to the version in the Tomato source code, it sets a "minpkt" flag which is used in packet.c.

    Also to keep this thread authoritative:-

    dnsmasq can be used for host and/or domain ad blocking:-

    http://www.linksysinfo.org/forums/showthread.php?t=53133
    http://www.linksysinfo.org/forums/showthread.php?t=53904

    dnsmasq can be configured to hand out different gateways and dns servers based on machine MAC address

    http://www.linksysinfo.org/forums/showthread.php?t=53835
     
  9. 68jimmy

    68jimmy LI Guru Member

    I have v1.07 installed on my wrt54gv2 and I do not have the Intercept DNS Port (UDP 53) option. Is this something new in the 1.10 release?

    tx.
     
  10. jon124

    jon124 LI Guru Member

    yes it is
     
  11. Macskeeball

    Macskeeball LI Guru Member

    I think it was technically added in 1.08, but yes you need to update to get it.
     
  12. Sunspark

    Sunspark LI Guru Member

    In the static DNS server IP section, we enter them in order of our preference.. but in the tomato log, it seems to display the dns ips bottom up.. Does this mean we should be entering them as line1-server3,line2-server2,line3-server1 instead of the opposite ?

    *.222 is entered first in the example given, but in the log *.220 is displayed first.
     
  13. rcordorica

    rcordorica Network Guru Member


    maybe... in my example I do not have the "strict-order" option set, so the first server is simply the first one to respond.

    but yeah, I see your point. Try it out and let us know.
     
  14. Sunspark

    Sunspark LI Guru Member

    I did set strict-order on mine because I was doing ping time tests, and dig tests (pretty interesting actually, try man dig sometime), so I ordered them like-so.

    If I telnet into the router and do: cat /etc/resolv.conf the servers are listed in the order I entered them in, in Tomato, but as mentioned, in the syslog they appear from the bottom up.

    I guess I have to take the following on faith: "By default, dnsmasq will send queries to any of the upstream servers it knows about and tries to favour servers that are known to be up. Setting this flag forces dnsmasq to try each query with each server strictly in the order they appear in /etc/resolv.conf"
     
  15. ng12345

    ng12345 LI Guru Member

    what are the advantages/disadvantages of using dnsmasq as opposed to letting the opendns servers do everything?

    do you get faster resolution by allowing dnsmasq to cache some addresses on the router?

    also -- does it only act as a dns forwarder for those addresses that are dhcp clients? does it also do it for those with static leases?
     
  16. Macskeeball

    Macskeeball LI Guru Member

    Indeed. That's because your router is right on your LAN, while OpenDNS isn't even on your ISP's servers. Your router would respond almost immediately.
     
  17. lwf-

    lwf- Network Guru Member

    Using opendns seems to me like a bizarre workaround, get an ISP that doesn’t suck instead.
     
  18. Macskeeball

    Macskeeball LI Guru Member

    Not everyone lives in a place where there is much choice, and OpenDNS has anti-phishing and optional parental controls. That's why my family uses it even though it's slower than our ISP's DNS servers. It's nice having it centralized for the entire LAN, and it's nice having that functionality on devices that otherwise wouldn't have it (my brother's Wii). *shrug*
     
  19. RonWessels

    RonWessels Network Guru Member

    I take it your web browser is set to not cache web pages? Caching web pages on your machine seems like a bizarre workaround, get an ISP that doesn't suck instead.
     
  20. mstombs

    mstombs Network Guru Member

    Just to add something I found out recently. After having ISP DNS troubles I added the Opendns servers and ticked the box "use dynamic in addition to static DNS', but by examining the log I found only 1 dynamic dns was added. It seems Tomato only supports a total of 3 DNS servers to be defined (I'm sure dnsmasq can handle more)
     
  21. tinfoil

    tinfoil LI Guru Member

    Thank you, I was looking for something like this!
     
  22. Maggard

    Maggard LI Guru Member

    What an uninsightful comment.

    Less than half of folks in North America even have access to high speed (by local standards) service. Of those only about half have access to more than a single high speed service. So for most North Americans there isn’t a doesn’t-suck alternative (assuming the local monopoly does suck.)

    Furthermore as others have noted OpenDNS offers additional functionality. It can be set to not serve up addresses of categories of sites. It can be set to provide DNS-shortcuts. It can provide customized error pages. It offers an ad-funded alternative address lookup, which I have found useful upon occasion.

    And in my experience OpenDNS has been far more reliable, both in uptime and honoring cache expirations, than either of my two ISPs. It is also consistently faster than Comcast’s doggy DNS servers & competitive with Verizon’s residential Fios ones.

    I don’t rely on my ISPs for time services. I don’t rely on them for any email services. I don’t rely on them for Usenet access or photo sharing or whatnot. So why get all tetchy about using an alternative, arguably better, DNS service? Let the ISP get the bits to me fast & reliably; I’ll then pick the best-of-category for my other needs.
     
  23. lwf-

    lwf- Network Guru Member

    That makes absolutely no sense at all. But yes, I could browse at close to the same speed without a cache as long as the web server is responsive, it’s not like my connection is a bottleneck on the web. I do however fail to see what it has to do with DNS-servers responsiveness.

    You don’t need a fast connection to do DNS lookups, the only reason your ISP's DNS-server would be slow or even offline is that they are cheap, not necessarily the price you pay but the price they pay.

    Of course if no alternative is very good at all then I can see that OpenDNS could be an alternative but I would still argue that the ISP in question really does suck if their own DNS-server, on their own network, is slower than external ones like OpenDNS. It's just something wrong with that.
     
  24. dareino

    dareino Network Guru Member

    I follow this guide, for which I thank the OP. I have a question regarding setting up DDNS. I chose OpenDNS w/my login and password. I see a check box that says "force next update". When I choose this and save, I get an error message "invalid hostname". What does this mean? Do I need to change the hostname of my router to my pc hostname?
    Another question, since I already use opendns as my static dns in Tomato, do I even need to use the DDNS option????
    thxs

    dr
     
  25. rcordorica

    rcordorica Network Guru Member

    When I use force update it just says "Update successful." Make sure you're using OpenDNS as your DNS. Also check if you enabled the "Enable dynamic IP update" in the OpenDNS control panel. I'm not sure what could be causing this.

    No. My WRT54GL is configured to have "tomato" as its hostname. I don't think you would want two devices to have the same hostname, otherwise they will conflict upon name resolution.

    DDNS provides your IP address to OpenDNS so that OpenDNS can enable Parental Controls, Network Shortcuts, Stats, and Website Blocking based on the IP address. You don't have to configure this if you don't plan on using any of the above features.
     
  26. dareino

    dareino Network Guru Member

    great..thanks for the info!

    dr
     
  27. s0dhi

    s0dhi LI Guru Member

    Just to be clear, are you confirming that this DNS caching and the use of DNSmasq for host ad blocking can be used concurrently?

    I have both set up but I am not totally sure that they are working together.

    Thanks,
    Kev
     
  28. mstombs

    mstombs Network Guru Member

    I think they are integrated, dnsmasq can do domain blocking because it does the DNS caching and lookups on your behalf. For things in your blocklist it just never looks them up!
     
  29. s0dhi

    s0dhi LI Guru Member

    Hmmm... that part I understand. I was wondering if the ad blocking scripting will work with the DNS caching in that sites that are not blocked should still get cached by the DNSmasq, right?

    For example, will the script that caches the DNS requests so the lookup doesn't need to go further than the router still function if the hosts file is scripted for ad blocking? Can the two co-exist, or will using the ad blocking script make the DNS caching not function?

    I would have tested this myself, but I'm not sure how I can test it.

    Thanks!
     
  30. mstombs

    mstombs Network Guru Member

    Note we are not using the "hosts" file - for that you need every sub-site referenced. I'm pretty sure the dnsmasq domain blocking works by adding permanent references in the cache, so it doesn't go out to the internet to find out things it has already been told.
     
  31. BassKozz

    BassKozz Network Guru Member

    First off I want to thank the OP (rcordorica) for putting together this wonderfully informative thread...
    I am the administrator for a small business network, and we've caught our employees on MySpace and Facebook hours on end when they could be doing better things with their time. I recently upgraded to Tomato v1.11 so that I could setup OpenDNS to work with the network, and I've been keeping my eye on the STATS and it's amazing to see all the sites these employees are trying to go to that are being blocked by OpenDNS, what a great tool.

    I've printed out the whole thread and read it all the way thru...
    But I still have a few questions:
    1. Will the "Use Received DNS With Static DNS" setting force DNS lookup with OpenDNS (since it is set to my primary and secondary dns), or should this be turned off so that it won't use my ISP's DNS servers and force OpenDNS?
    2. Does the "Intercept DNS Port (UDP 53)" function FORCE OpenDNS? Meaning if an employee sets IE or FireFox to use another DNS server, it will still force OpenDNS?
    3. "Static Lease Time" ? What is it, what does it do?
    4. Should the "Reduce Packet Size" function be checked? What does it do exactly?

    Thanks again,
    -BassKozz
     
  32. PeterT

    PeterT Network Guru Member

    1. Will the "Use Received DNS With Static DNS" setting force DNS lookup with OpenDNS (since it is set to my primary and secondary dns), or should this be turned off so that it won't use my ISP's DNS servers and force OpenDNS?

      As far as I know you want this turned OFF so the only DNS servers being used are those of OpenDNS
    2. Does the "Intercept DNS Port (UDP 53)" function FORCE OpenDNS? Meaning if an employee sets IE or FireFox to use another DNS server, it will still force OpenDNS?

      Correct; if this option is NOT set then a person could override their PC's DNS settings to another (non OpenDNS) server. Enabling this option ensures that the ONLY DNS server your client PC's can use is that of the Tomato Router, and that the router in turn will use OpenDNS.
    3. "Static Lease Time" ? What is it, what does it do?

      If you have entries in the Basic/Static DHCP screen, this will ensure that the leases to the client machines will have the same Lease Time as you set in the Basic/Network Lease Time field. This has the advantage of ensuring that any settings supplied by DHCP to the clients are consistently supplied, and also that if you ever wish to change a statically assigned DHCP client to a new IP address, it will happen without the client having to reboot.
    4. Should the "Reduce Packet Size" function be checked? What does it do exactly?

      This appears to control the size of the DHCP packet that is exchanged with your ISP that obtains an IP address for your router. If everything is working without it set, don't bother changing it.
     
  33. mstombs

    mstombs Network Guru Member

    Moving this info which may get lost in the Tomato 1.17 release thread

    Tomato only supplies 3 DNS servers to dnsmasq, via resolv.dnsmasq, so if you specify 3 static dns the "use supplied dns in addition to static" has no effect.

    I get 2 dns servers via dhcp, so can only add one additional opendns server via the web gui.

    The 3 servers limit is a Tomato restriction, not dnsmasq, so a workaround is to not enter your additional (open)dns servers in the static dns fields, but to add them to the web gui "Dnsmasq Custom Configuration" with

    Code:
    server=208.67.222.222
    server=208.67.220.220
    for example, then my log reports on wan dhcp renews:-

    Code:
    Feb 28 12:23:56 wrt54gs daemon.info dnsmasq[2114]: exiting on receipt of SIGTERM
    Feb 28 12:23:57 wrt54gs daemon.info dnsmasq[2161]: started, version 2.41 cachesize 2048
    Feb 28 12:23:57 wrt54gs daemon.info dnsmasq[2161]: compile time options: no-IPv6 GNU-getopt no-RTC no-ISC-leasefile no-DBus no-I18N no-TFTP
    Feb 28 12:23:57 wrt54gs daemon.info dnsmasq[2161]: asynchronous logging enabled, queue limit is 5 messages
    Feb 28 12:23:57 wrt54gs daemon.info dnsmasq[2161]: DHCP, IP range 192.168.0.100 -- 192.168.0.149, lease time 1d
    Feb 28 12:23:57 wrt54gs daemon.info dnsmasq[2161]: using nameserver 208.67.220.220#53
    Feb 28 12:23:57 wrt54gs daemon.info dnsmasq[2161]: using nameserver 208.67.222.222#53
    Feb 28 12:23:57 wrt54gs daemon.info dnsmasq[2161]: read /etc/hosts - 0 addresses
    Feb 28 12:23:57 wrt54gs daemon.info dnsmasq[2161]: read /etc/hosts.dnsmasq - 13 addresses
    Feb 28 12:23:57 wrt54gs daemon.info dnsmasq[2161]: using nameserver 194.168.8.100#53
    Feb 28 12:23:57 wrt54gs daemon.info dnsmasq[2161]: using nameserver 194.168.4.100#53
    Feb 28 12:23:57 wrt54gs daemon.info dnsmasq[2161]: using nameserver 208.67.220.220#53
    Feb 28 12:23:57 wrt54gs daemon.info dnsmasq[2161]: using nameserver 208.67.222.222#53

    The .100 dns servers are obtained by dhcp and passed to dnsmasq via resolv.dnsmasq

    Doing it this way you can also add restrictions to what use is made of these servers; see the man page for more details:
    -S, --local, --server=[/[<domain>]/[domain/]][<ipaddr>[#<port>][@<source-ip>|<interface>[#<port>]]
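One way to automate the "check your logs" step from the first post and the renew-time log mstombs shows above, as an added example that is not code from this thread, Tomato or dnsmasq: parse the dnsmasq start-up lines, keep only the most recently started instance (dnsmasq restarts on every WAN DHCP renew), and report a cache size, logging mode or upstream set that differs from what was intended. The sample log is constructed from the lines quoted in the thread; the OpenDNS-only allowlist is an assumption about the intended policy.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample syslog excerpt, modelled on the lines quoted in this thread:
# a restart on WAN DHCP renew followed by a re-read of resolv.dnsmasq that adds
# the ISP's servers beside the OpenDNS ones.
SAMPLE_LOG = """\
Feb 28 12:23:56 wrt54gs daemon.info dnsmasq[2114]: exiting on receipt of SIGTERM
Feb 28 12:23:57 wrt54gs daemon.info dnsmasq[2161]: started, version 2.41 cachesize 2048
Feb 28 12:23:57 wrt54gs daemon.info dnsmasq[2161]: asynchronous logging enabled, queue limit is 5 messages
Feb 28 12:23:57 wrt54gs daemon.info dnsmasq[2161]: using nameserver 208.67.220.220#53
Feb 28 12:23:57 wrt54gs daemon.info dnsmasq[2161]: using nameserver 208.67.222.222#53
Feb 28 12:23:57 wrt54gs daemon.info dnsmasq[2161]: read /etc/hosts.dnsmasq - 13 addresses
Feb 28 12:23:57 wrt54gs daemon.info dnsmasq[2161]: using nameserver 194.168.8.100#53
Feb 28 12:23:57 wrt54gs daemon.info dnsmasq[2161]: using nameserver 194.168.4.100#53
Feb 28 12:23:57 wrt54gs daemon.info dnsmasq[2161]: using nameserver 208.67.220.220#53
Feb 28 12:23:57 wrt54gs daemon.info dnsmasq[2161]: using nameserver 208.67.222.222#53
"""

# Assumed policy: only the two OpenDNS resolvers from the first post are intended upstreams.
OPENDNS = {"208.67.222.222", "208.67.220.220"}

LINE_RE = re.compile(r"dnsmasq\[(?P<pid>\d+)\]: (?P<msg>.*)$")
STARTED_RE = re.compile(r"started, version (?P<ver>\S+) cachesize (?P<cache>\d+)")
ASYNC_RE = re.compile(r"asynchronous logging enabled, queue limit is (?P<q>\d+) messages")
NS_RE = re.compile(r"using nameserver (?P<ip>[0-9.]+)#(?P<port>\d+)")


@dataclass
class DnsmasqState:
    pid: int
    version: str
    cachesize: int
    async_queue: Optional[int] = None
    upstreams: List[str] = field(default_factory=list)  # order of appearance, deduplicated


def parse_dnsmasq_log(text: str) -> Optional[DnsmasqState]:
    """Return the state of the most recently started dnsmasq instance in the log.

    Every 'started' line opens a fresh instance whose in-memory cache starts empty,
    so only the last one describes the running daemon; lines from older pids are dropped.
    """
    state = None
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, msg = int(m.group("pid")), m.group("msg")
        s = STARTED_RE.match(msg)
        if s:
            state = DnsmasqState(pid, s.group("ver"), int(s.group("cache")))
            continue
        if state is None or pid != state.pid:
            continue  # message from a previous instance, or before any start line
        a = ASYNC_RE.match(msg)
        if a:
            state.async_queue = int(a.group("q"))
            continue
        n = NS_RE.match(msg)
        if n:
            upstream = f"{n.group('ip')}#{n.group('port')}"
            if upstream not in state.upstreams:  # resolv.dnsmasq re-reads repeat servers
                state.upstreams.append(upstream)
    return state


def check_state(state: Optional[DnsmasqState], expected_cachesize: int, allowed_upstreams) -> List[str]:
    """Compare the running instance against the intended custom configuration."""
    if state is None:
        return ["no dnsmasq start line found"]
    findings = []
    if state.cachesize != expected_cachesize:
        findings.append(f"cachesize is {state.cachesize}, expected {expected_cachesize}")
    if state.async_queue is None:
        findings.append("asynchronous logging not enabled")
    unexpected = [u for u in state.upstreams if u.split("#")[0] not in allowed_upstreams]
    if unexpected:
        findings.append("upstreams outside allowlist: " + ", ".join(unexpected))
    return findings


if __name__ == "__main__":
    running = parse_dnsmasq_log(SAMPLE_LOG)
    for finding in check_state(running, 2048, OPENDNS) or ["configuration as intended"]:
        print(finding)
```

Against the sample, the checker confirms cache size and async logging but flags the two 194.168.x.100 servers, which is exactly the "Use Received DNS With Static DNS" side effect discussed earlier in the thread.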
     
  34. BassKozz

    BassKozz Network Guru Member

    Peter,

    I've been using this information for a while now, but I never thanked you for it...
    So, Thank You :D
     
  35. BaphometaS

    BaphometaS Guest

    added question

    I have searched and can't seem to find info on this exact question.
    Seems like when using dnsmasq you no longer need the dnscache service
    enabled under XP. I have disabled mine and still am surfing the web super
    quick. Is there a downside to doing this, letting the router handle all DNS
    actions? I'd like to hear others' opinions / tweaks regarding this..

    thanks..
     
  36. rcordorica

    rcordorica Network Guru Member

    well that's the thing... XP has a cache, Firefox has a cache, the router has a cache, and opendns acts like a cache....

    i think you should be fine disabling xp's cache, but i don't see how leaving it on could hurt either (besides using up some ram). XP probably uses the service to cache local names, so it may affect performance there, but since it's local, it's only like 1 hop anyways.
     
  37. bigclaw

    bigclaw Network Guru Member

    That's right, between the actual website on the Internet and your browser, everybody and their cousins have a DNS cache. What you want to do is put a cache before the major bottleneck. In this case, the major bottleneck is the network beyond your router, so a DNS cache at the router makes sense. The status of any other DNS caches is probably immaterial as some are out of your control, and the rest is not a bottleneck to begin with.
     
  38. jsmiddleton4

    jsmiddleton4 Network Guru Member

    cache-size=2048
    log-async=5
    #strict-order

    ? Do we need the #strict-order ? I'm confused. The example does not show it but the text/explanation does.

    Fixed previous problem.

    What do we set DDNS to, WAN or External IP address every 10 minutes?
     
  39. PeterT

    PeterT Network Guru Member

    The hash-mark acts as a "comment" for the whole line; ie ignore the rest of the line, so
    #strict-order is the same as not even having that line in the config. file.
     
  40. rcordorica

    rcordorica Network Guru Member

    correct.

    @jsmiddleton4: the explanation IS in the original post, but i added a comment about the #
     
  41. rcordorica

    rcordorica Network Guru Member

    I was just reading the man page, and found this interesting option:

    Seems like it should help if the servers are unreliable in their response times since by default dnsmasq already chooses the fastest to respond server on startup. Although it may be considered a bad network practice...

    EDIT:
    i added it to my options, but I don't see any change in the logs:
    I wonder if tomato's version supports this option. Maybe it just works silently.
     
  42. jsmiddleton4

    jsmiddleton4 Network Guru Member

    rc...

    Thanks but I guess I didn't ask my question very well. The explanation includes the reason why we would use the strict order, it shows in the example at the beginning of the posts, yes I understand its commented out with the #. I'm not dissing the information just saying its a bit confusing. One place it looks like we could be using it, explains it, etc., but then we don't use it? Why would I want to use it, or why not?

    What does strict order do in terms of how it works so that I would want to use it?

    Also what about that setting for WAN to use?
     
  43. rcordorica

    rcordorica Network Guru Member

    I don't use it because I want the fastest server to handle my dns requests. Strict order forces dnsmasq to contact the servers in the order listed under the "Static DNS" list. Some people use it because they want to strictly define what dns servers to use, and in what order. Somebody else in this thread talked about how they pinged each server and set up the order strictly based on the pings. In theory dnsmasq already does this for you.


    Do you mean on the DDNS page for Dynamic DNS IP Address? I use the recommend default there. The WAN (Wide Area Network) IP should be the IP address that your ISP gives you assuming tomato is doing the log-in. If you have a dsl or cable modem that gets the IP address and then hands a private address to your router (i.e. 192.168.1.1) then you would need to specify to check for an External IP since the WAN will be 192.168.1.1. An external checker is like: http://whatismyip.com
     
  44. jsmiddleton4

    jsmiddleton4 Network Guru Member

    rc....

    Thanks. So given the fastest one is the one you end up using is it better to leave the setup with the default dns server numbers getting passed from the ISP and then add the OpenDNS ones into the manual setup/dnsmasq options?

    And then select the option to use both provided and static dns numbers? Or even the other way around, static in the setup, the IP's from the ISP in the dnsmasq setup?
     
  45. rcordorica

    rcordorica Network Guru Member

    Well, if your ISP is always the fastest to respond then it's unlikely that OpenDNS will be assigned as the primary server. At least that is what happens in my case. My ISP's DNS servers are closer to me, so of course the ping is better. But that doesn't mean their DNS cache is as big as OpenDNS.

    If you want to take advantage of OpenDNS' account based features then you should only use OpenDNS as your DNS servers.

    If you want the fastest possible DNS then you should probably use your ISP DNS and enter the OpenDNS IP's into the dnsmasq options, as well as any other fast DNS providers. Then you can set the "all-servers" option and request a DNS lookup to all servers simultaneously; the first to respond becomes the DNS reply.

    Right now I am using OpenDNS servers exclusively with the "all-servers" option and a cache size of 8192.

    After about a week the router caches most names and requests to OpenDNS for lookups goes way down. That is the best behavior in terms of performance, but maybe not for stat gathering since OpenDNS doesn't get queried. But right now OpenDNS has disabled their website monitoring stats, so that is kind of useless anyways (until they turn it back on).
     
  46. kzrssk

    kzrssk LI Guru Member

    Bump for good info + this should be added to the FAQ
     
  47. i1135t

    i1135t Network Guru Member

    What's the command to check the status of my nameservers when I telnet into the router? I do a "cat /etc/resolv.dnsmasq" and all I see is 127.0.0.1 which is my loopback address. Why doesn't it list my OPENDNS servers? I did a reboot and same thing.... What am I missing?
     
  48. jsmiddleton4

    jsmiddleton4 Network Guru Member

    Quick question and one of those where I think I know the answer but just want to double check.

    For setups where we are using one router to be the dhcp server, one slave wds, one pure wireless AP, only the dhcp server needs these tweaks?
     
  49. xcooling

    xcooling LI Guru Member

  50. biatche

    biatche Network Guru Member

    I have
    Code:
    cache-size=2048
    log-async=5
    address=/biatche/192.168.0.11
    
    I'm trying to set up some hostnames.. how do I do that? The above doesn't seem to work
     
  51. TexasFlood

    TexasFlood Network Guru Member

    Since the tweaks I saw above are all dnsmasq related then the answer must be yes I think.

    FYI, for what it's worth, I played around with this stuff a while back and ended up doing:

    >Set up an OpenDNS account (already had DynDNS acct) and defined my preferred filtering rules there
    >Configured OpenDNS in addition to DynDNS on Tomato basic/ddns tab, ticked "Use as DNS" for OpenDNS
    >In Tomato advanced DHCP / DNS tab under Dnsmasq Custom Configuration, set
    Code:
    strict-order
    cache-size=2048
    log-async=5
    >Ticked "Use Received DNS With Static DNS" on for some redundancy
     
  52. biatche

    biatche Network Guru Member

    uhm, was that meant for me?
     
  53. Meffy

    Meffy LI Guru Member

    I see a new option which is "Maximum Active DHCP Leases"
    Maybe you could update your post on the best values for 10000 cache size?
    Would it still choose 10000 if i set it to 11000?
     
  54. jochen

    jochen LI Guru Member

    A "DHCP lease" is a lease of a dynamically assigned IP to a client. This has nothing to do with DNS cache.
     
  55. Dashiell

    Dashiell Network Guru Member

    One question regarding dnsmasq cache on the router...

    I have mine set at a 5120 cache size. The WAN connection is a cable modem, with a 2 day DHCP lease. Naturally, when the WAN DHCP renews, dnsmasq restarts.

    What I'm trying to find out is if that dnsmasq cache is wiped out during the restart. If yes, then it's clear to say that the 5120 cache is only good for a 48hr period, clearing out and restarting anew at every WAN lease renewal.

    Can anyone clarify?

     
  56. rhester72

    rhester72 Network Guru Member

    The dnsmasq cache is in memory, so yes, it is cleared whenever dnsmasq restarts.

    Rodney
     
  57. Planiwa

    Planiwa LI Guru Member

    And a good thing that is!
    When the system runs out of memory, the first thing it does is kill dnsmasq, to free up the memory that it may be hogging.
    viz:
    Sep 23 20:27:04 ROUTER user.err kernel: Out of Memory: Killed process 13163 (dnsmasq).

    I have just read all 56 messages in this thread -- no one seems to know or care how much memory is consumed per DNS cache entry. Anyone know?

    The OP seems to place a strong emphasis on

    1. using OpenDNS
    2. a small (conventional) home network (with no P2P applications)
    3. a situation where there is no shortage of memory.

    There are also networks with heavy P2P use and constant router crashes due, ultimately, to memory allocation failures.

    Some of these P2P applications generate hundreds of (throwaway) DNS queries in a few seconds. Caching them would be worse than pointless, and would only aggravate the memory problem.

    Slowing down DNS queries, along with reducing UDP timeouts to 10s or even 5s, and, of course, limiting total connections to 2048, may be the most effective way to keep routers from crashing.

    I don't want to detour this thread, and would ask that we only focus on the memory implications of DNS options.

    When I monitor free memory, it seems to jump up and down by 500k constantly.

    When the kernel catches "Out of Memory", it does so even with a Free of .5MB and a Cache of 4.5MB.

    Have others tracked "free" memory to find out what leads to router crashes?
     
  58. mstombs

    mstombs Network Guru Member

    Yes, I have seen this on RAM-challenged ADSL routers too; there must be an issue with memory fragmentation (easy to do in the /var ram disk) and the router being unable to allocate big enough contiguous blocks. I think an issue may be that dnsmasq 'forks' creating clone child processes to deal with each connection, each getting a copy of the workspace, but monitoring memory use using "top" for example is very imprecise: the sum of all the "virtual memory" used is often greater than 100% due to double counting and the OS cleverly re-using common code space etc.
     
  59. jan.n

    jan.n Addicted to LI Member

    That just happened to me two days ago. Just 27 connections were being tracked so that wasn't the problem. I had 200-300k of free memory and had no special software running on my machines that could have filled up the router's memory.
     
  60. zbeyuz

    zbeyuz Serious Server Member

  61. Monk E. Boy

    Monk E. Boy Network Guru Member

    Holy zombie thread batman.

    I would post your question in "ALL-U-NEED Ad Blocking" since it's got far more in common with what you want to accomplish. And it's not a 3 year old thread that was pages back and almost completely unrelated to what you want. Or perhaps the "Auto DL Hosts File and Install..." thread would be closer. I dunno, either one is current and is certainly more related than this one.
     
  62. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    I'm sorry.. I am confused as to how to increase the cache size on the dnsmasq, I keep getting an error saying "Invalid length: Please reduce the length to 2048 characters or less"

    You mention a text box, you mean the dnsmasq text box?
    I tried that and still getting the msg...
    Please help, thanks.
     
  63. WaLLy3K

    WaLLy3K Serious Server Member

    Advanced > DHCP/DNS > Dnsmasq Custom Config Textbox >

    Code:
    cache-size=2048
    Then hit save.
     
  64. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    Thanks.. that's the size right now.. do I input "0" in order to be unlimited?
     
  65. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    This is what I have now, but I keep getting the error...
    dnsmasq.JPG

    but i keep getting this...
    dnsmasq2.JPG
     
  66. jerrm

    jerrm Network Guru Member

    0 will disable caching, there is no "unlimited" setting.

    Odds are pretty slim increasing it further will do any real good.

    Run "killall -s USR1 dnsmasq" from the command line and look at the logs. There will be a line similar to

    cache size 1500, 0/68793 cache insertions re-used unexpired cache entries

    If the 0/68793 value shows a small percentage of re-used entries, increasing the cache won't do any good.
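An added example, not jerrm's or Tomato's code, that turns this check into something repeatable: it parses the two counter lines dnsmasq logs after the USR1 signal (sample lines constructed here with invented numbers; the line format is the one quoted above) and reports whether the cache actually filled up.

```shell
# Constructed sample of the syslog lines dnsmasq writes after
# "killall -s USR1 dnsmasq" (line format as on this thread, numbers invented).
SAMPLE_LOG='Apr 12 10:00:01 router daemon.info dnsmasq[123]: cache size 1500, 0/68793 cache insertions re-used unexpired cache entries.
Apr 12 10:00:01 router daemon.info dnsmasq[123]: queries forwarded 70211, queries answered locally 12003'

# Same two lines from a router whose cache is too small: 9500 insertions had
# to evict an entry that had not expired yet (also constructed).
SAMPLE_LOG_FULL='Apr 13 10:00:01 router daemon.info dnsmasq[123]: cache size 150, 9500/68793 cache insertions re-used unexpired cache entries.
Apr 13 10:00:01 router daemon.info dnsmasq[123]: queries forwarded 70211, queries answered locally 12003'

# Read a log snippet on stdin and print "cache-size evicted inserted".
cache_counters() {
    sed -n 's/.*cache size \([0-9]*\), \([0-9]*\)\/\([0-9]*\) cache insertions.*/\1 \2 \3/p'
}

# Integer percentage of insertions that evicted an unexpired entry.
# 0 means the cache never filled, so a larger cache-size cannot help.
eviction_percent() {
    cache_counters | awk '{ if ($3 == 0) print 0; else print int($2 * 100 / $3) }'
}

# "increase" when more than THRESHOLD percent of insertions evicted live
# entries, "keep" otherwise. The default of 5 is an arbitrary choice.
cache_advice() {
    threshold="${1:-5}"
    pct="$(eviction_percent)"
    if [ "${pct:-0}" -gt "$threshold" ]; then echo increase; else echo keep; fi
}

# Share of queries dnsmasq answered without forwarding upstream
# (cache hits plus hosts-file answers), as an integer percentage.
local_answer_percent() {
    sed -n 's/.*queries forwarded \([0-9]*\), queries answered locally \([0-9]*\).*/\1 \2/p' |
        awk '{ t = $1 + $2; if (t == 0) print 0; else print int($2 * 100 / t) }'
}

# Stand-alone run against the samples; on the router, pipe in the dnsmasq
# lines from the syslog instead.
printf '%s\n' "$SAMPLE_LOG" | cache_advice        # keep
printf '%s\n' "$SAMPLE_LOG_FULL" | cache_advice   # increase
```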
     
  67. jerrm

    jerrm Network Guru Member

    The custom config text in the gui is limited to 2K. The error has nothing to do with cache-size. All those address entries belong in another file.
     
  68. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    in which file..
    I'm using those addresses to force SafeSearch via the router. It works, but I would have to use way fewer addresses to not get the error... I just need to increase the cache in order to add more google addresses.
     
  69. jerrm

    jerrm Network Guru Member

    You misunderstand what cache-size is for. It is totally unrelated to what you want to do.

    Look at dnsmasq's conf-file directive, use tomato's dnsmasq.custom functionality, or create a host file for the entries.
     
  70. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    ok.. but where in Tomato do I input the host file?
    Also, you mentioned that I had those addresses in the wrong place, so where do they need to go if I want to force Google SafeSearch on my network? - All I have found online is that dnsmasq is the place to input those addresses to achieve SafeSearch... please let me know, thanks.
     
  71. jerrm

    jerrm Network Guru Member

    For any recent shibby build put the hosts file in /etc/dnsmasq/hosts/ and it will be loaded automatically. Store the file on usb/jffs/cifs and copy it to the hosts folder (or link to it) during init.

    If you don't have some form of persistent storage, try creating the file with script in init:
    Code:
    # Top-level domains to append to "www.google." ("etc" is a placeholder: replace it with the rest of the list)
    tlds="com ac ad ae com.af com.ag com.ai al etc"
    # Directory dnsmasq loads hosts files from on recent shibby builds (/etc lives on the RAM disk under /tmp)
    mkdir -m 777 -p /tmp/etc/dnsmasq/hosts
    
    # Write one "IP hostname" line per TLD, all pointing at the SafeSearch address
    {
    for tld in $tlds
    do
    echo "216.239.38.120 www.google.$tld"
    done
    } > /tmp/etc/dnsmasq/hosts/safesearh.hosts
     
    Last edited: Apr 12, 2015
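An added example, not jerrm's init script and not Tomato's code, in the same shell: it builds the same kind of hosts file into any directory so it can be inspected before the init script installs it under /etc/dnsmasq/hosts/, validates each line, and shows how many bytes the same entries would need as address= lines in the 2K-limited custom config box. The output directory and the three-TLD list are constructed for the example.

```shell
# Build the hosts file. Usage: build_hosts <outfile> <ip> "<tld list>"
# Prints the number of entries written. A plain "mkdir -p" is enough here:
# dnsmasq only needs to read the file, the 777 mode is not required.
build_hosts() {
    out="$1"; ip="$2"; tlds="$3"
    mkdir -p "$(dirname "$out")"
    {
        for tld in $tlds; do
            printf '%s www.google.%s\n' "$ip" "$tld"
        done
    } > "$out"
    wc -l < "$out" | tr -d ' '
}

# Every line must be "<IPv4> <hostname>". Prints "ok", or "bad: <line>" for
# the first malformed line (dnsmasq would skip it and that domain would stay
# unredirected, which is easy to miss).
check_hosts() {
    awk '!/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ [A-Za-z0-9.-]+$/ { bad = 1; print "bad: " $0; exit }
         END { if (NR == 0) print "bad: empty file"; else if (!bad) print "ok" }' "$1"
}

# Why the init-script route: bytes the same entries would occupy as
# address=/www.google.<tld>/<ip> lines in the GUI custom config box (2048
# character limit, per jerrm) versus the bytes of the bare tld list.
config_bytes() {
    ip="$1"; tlds="$2"; inline=0
    for tld in $tlds; do
        line="address=/www.google.$tld/$ip"
        inline=$((inline + ${#line} + 1))
    done
    echo "$inline ${#tlds}"
}

# Stand-alone run with a short constructed list in a temporary directory.
dir="$(mktemp -d)"
build_hosts "$dir/safesearch.hosts" 216.239.38.120 "com co.uk ca"   # 3
check_hosts "$dir/safesearch.hosts"                                  # ok
config_bytes 216.239.38.120 "com co.uk ca"                           # 118 12
```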
  72. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    I am so confused, lol -

    "For any recent shibby build put the hosts file in /etc/dnsmasq/hosts/ and it will be loaded automatically"

    again, where do I find this "/etc/dnsmasq/hosts/"..
    do you mean in my computer?

    Also, that section where you entered that code....what section of Tomato is that?
     
  73. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    I guess since I am a beginner at all this..
    Can I ask for a step by step on how to create and add a host file to Tomato with all the Google addresses in order to force SafeSearch on my network?.. pretty please?
     
  74. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    I think I found a way, although not sure if it's correct or not... but, I was able to remove all the addresses from dnsmasq and added them to the "Access Restriction" area and it seems to be working and forcing Safe Search.. are there any CONS about doing it this way?
    access restriction.JPG
     
  75. may

    may Reformed Router Member

    NVRAM capacity ?
     
  76. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    tomato nvram.JPG
     
  77. may

    may Reformed Router Member

    That was more like an answer for your question about the cons.
    When you fill up the NVRAM, the possibility of losing your router config is really strong.
     
  78. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    so you're saying I won't be able to upload a host file to Tomato because I don't have enough memory?
     
  79. may

    may Reformed Router Member

    I'm afraid so...
     
  80. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    oh wow.. I thought the reason for the host file is to not use the router's memory. So if I want to block access to a few hundred websites, what do I need?... get a better router with more memory?.. there's got to be another option.
     
  81. may

    may Reformed Router Member

  82. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    thanks for trying.. but that's all in another language to me :(
     
  83. jerrm

    jerrm Network Guru Member

    @may is partially wrong. You have enough nvram, but the gui won't allow more than 2K in the dnsmasq custom config (as already stated). There are ways to store what you need in nvram, but would be beyond what I would attempt to walk you through.

    But, for the original query that only mentioned google domains, you have already been given an answer that won't require external storage here.

    1: Paste the code snippet from http://www.linksysinfo.org/index.php?threads/dnsmasq-cache-optimization-and-howto.23076/#post-259854 into the tomato gui under Administration->Scripts->Init.
    2: Edit the "tlds=" line to include all the domains that should be appended to "www.google."
    3: Save
    4: Reboot.

    I can't make it any simpler than that.

    Since the original post, you have apparently added other domains you want to redirect. The same basic technique could probably be used for the non-google domains you intend to block, building the list in script to avoid storing duplicated text.

    If you don't have it already, get a real OpenDNS subscription and block the search engine category, create the one entry for www.google.com and be done with it. OpenDNS can probably maintain a list of search engines better than you can.

    If the kids are young, this may help reduce accidental exposure. If they are older and determined they will find a way and it will quickly become a game of whack-a-mole.

    For older kids, disabling ssl search so you can see what they are searching for may be the better approach.
     
  84. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    Thanks Jerrm..
    Is this the way it's supposed to look?
    init.JPG
     
  85. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    I guess I am still a bit confused..
    When you say.. "For any recent shibby build put the hosts file in /etc/dnsmasq/hosts/"
    you mean that's the location at my computer?
     
  86. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    It doesn't seem to be working.. you said to just copy that code into init scripts and I did that, but that alone will do what I need? -
    I also created a folder at my computer called /tmp/etc/dnsmasq/hosts/safesearh.hosts, in this hosts file, I have included all the google addresses, but it's not working... aren't I supposed to tell the router which computer has this file?

    I know this has to be a very, very simple task to achieve...for someone that knows how to do it.. but for someone like me who's never done it, seems impossible.. and I have been at this for days now.
     
  87. jerrm

    jerrm Network Guru Member

    No. It should look like the original post, except replace "etc" with the additional top level domains you wish to enforce - "co.uk ca fr es it" etc.
     
  88. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    huh? lol
    you said.. "Edit the "tlds=" line to include all the domains that should be appended to "www.google." - so now you say to change the "etc"? - I am more confused here by the minute.. excuse my thick skull here... Im just gonna step back for some time as this is driving me crazy... This can't so complicated... like the TV Commercial says.. "there's gotta be a better way".

    Last thing Im gonna try is what Mofia suggested usging Pastebin.. I've never used it so I have to do some reasearch on what that is and how to use it.. we'll see what happens.
     
  89. jerrm

    jerrm Network Guru Member

    I'll make one last attempt and then be silent on the issue.

    I said edit the line, I did not say change "tlds."

    The "etc" was meant as a placeholder to show where to add all the domains you want to include. I thought that would be apparent, but was wrong. I am not going to key all of that for you.

    The script takes the values in the "tlds" variable, appends them to "www.google." and creates a hosts file from the data. The point is to save space by not storing all the redundant "www.google." text.

    With that background, try following the directions here again.
     
  90. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    I think I am beginning to understand what you mean...
    you mean the code needs to look like this?

    tlds=".google.com .google.ae .google.com.af .google.com.ag .google.off.ai .google.am .google.com.ar .google.as .google.at .google.com.au .google.az .google.ba .google.com.bd .google.be .google.bg .google.bi .google.com.bo .google.com.br .google.bs .google.co.bw .google.com.bz .google.ca .google.cd .google.cg .google.ch .google.ci .google.co.ck .google.cl .google.com.co .google.co.cr .google.com.cu .google.de .google.dj .google.dk .google.dm .google.com.do .google.com.ec .google.es .google.com.et .google.fi .google.com.fj .google.fm .google.fr .google.gg .google.com.gi .google.gl .google.gm .google.gr .google.com.gt .google.com.hk .google.hn .google.hr .google.co.hu .google.co.id .google.ie .google.co.il .google.co.im .google.co.in .google.is .google.it .google.co.je .google.com.jm .google.jo .google.co.jp .google.co.ke .google.kg .google.co.kr .google.kz .google.li .google.lk .google.co.ls .google.lt .google.lu .google.lv .google.com.ly .google.mn .google.ms .google.com.mt .google.mu .google.mw .google.com.mx .google.com.my .google.com.na .google.com.nf .google.com.ni .google.nl .google.no .google.com.np .google.nr .google.nu .google.co.nz .google.com.om .google.com.pa .google.com.pe .google.com.ph .google.com.pk .google.pl .google.pn .google.com.pr .google.pt .google.com.py .google.ro .google.ru .google.rw .google.com.sa .google.com.sb .google.sc .google.se .google.com.sg .google.sh .google.sk .google.sn .google.sm .google.com.sv .google.co.th .google.com.tj .google.tm .google.to .google.tp .google.com.tr .google.tt .google.com.tw .google.com.ua .google.co.ug .google.co.uk .google.com.uy .google.uz .google.com.vc .google.co.ve .google.vg .google.co.vi .google.com.vn .google.vu .google.ws .google.co.za .google.co.zm "
    mkdir -m 777 -p /tmp/etc/dnsmasq/hosts

    {
    for tld in $tlds
    do
    echo "216.239.38.120 www.google.$tld"
    done
    } > /tmp/etc/dnsmasq/hosts/safesearh.hosts

    or without the "google" part and just have the .ae .af, etc?
     
  91. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    Or would it look like this?

    tlds="com ae af ag off.ai am ar as at au az ba bd be bg bi bo br bs bw bz ca cd cg ch ci co.ck cl co co.cr cu de dj dk dm do ec es et fi fj fm fr gg gi gl gm gr gt hk hn hr co.hu co.id ie co.il co.im co.in is it co.je jm jo co.jp co.ke kg co.kr kz li lk co.ls lt lu lv ly mn ms mt mu mw mx my na nf ni nl no np nr nu co.nz om pa pe ph pk pl pn pr pt py ro ru rw sa sb sc se sg sh sk sn sm sv co.th tj tm totp tr tt tw ua co.ug co.uk uy uz vc co.ve vg co.vi vn vu ws co.za co.zm"
    mkdir -m 777 -p /tmp/etc/dnsmasq/hosts

    {
    for tld in $tlds
    do
    echo "216.239.38.120 www.google.$tld"
    done
    } > /tmp/etc/dnsmasq/hosts/safesearh.hosts
     
  92. jerrm

    jerrm Network Guru Member

    This one.
     
  93. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    @jerrm so, what that codes says is for every domain for google to be redirected to 216.239.38.120, in a nutshell?
     
  94. jerrm

    jerrm Network Guru Member

    Yes
     
  95. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    Thank you so much for your patience man. I know it must be irritating to deal with someone with no knowledge (or extremely little) whatsoever on the subject. I will try this once I get home.. hopefully this will work :)
     
  96. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    @jerrm YAHOOOOO!!!!!!
    YES MAN!!!.. THAT WORKED LIKE A CHARM!!!!
    Thank you..thank you...thank you :)
    ping.JPG
     
    Last edited: Apr 15, 2015
  97. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    Dang.. I was so excited that safesearch is working...now I realized last night that Tomato doesn't seem to block https websites :(

    I have a couple of websites listed in the Access Restriction..but if I manually type https://www."anywebsite".com, I can pull it up.

    I guess people were right about internet security.. it is a real cat-and-mouse game, lol.

    There wouldn't be a code for Tomato to be able to block both http and https, right?
     
