
Author Topic: DIR-845 DNS relay problem  (Read 8670 times)

pik256

  • Level 1 Member
  • *
  • Posts: 3
DIR-845 DNS relay problem
« on: September 24, 2014, 01:07:05 AM »

I purchased a new DIR-845 (EU) and configured it for use at home. I realised that it catches all DNS queries and returns answers from the DNS set on the Internet WAN page. It would be proper behavior on a parental-control-enabled system, but I set parental control to "None: Static IP or Obtain Automatically From ISP" and disabled DNS relay in the LAN network settings.
Sometimes I need to verify my own DNS from home. It is the primary DNS for some domains and I want to check if it is properly configured. But with the DIR-845 I cannot: I ask my DNS but always receive responses from the DNS set on the router. I cannot set my own DNS here because it is not recursive, it is only authoritative for several domains.
How can I disable this "feature"? I suspect it could be associated with the mydlink cloud, because at mydlink I can see the last connections (by name) from all LAN machines, thus the cloud software watches DNS queries from the LAN. But it is completely different behavior: to watch them or to catch them and send them to another server. I repeat: parental control and DNS relay are disabled. I set up mydlink as well and I cannot see any setting to disable it temporarily.
« Last Edit: September 24, 2014, 01:09:23 AM by pik256 »

FurryNutz

  • Poweruser
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: DIR-845 DNS relay problem
« Reply #1 on: September 24, 2014, 06:53:15 AM »

Welcome!

  • What Firmware version is currently loaded? Found on the router's web page under status.

Internet Service Provider and Modem Configurations
  • What ISP Service do you have? Cable or DSL?
  • What ISP Modem Mfr. and model # do you have?

Do you have custom DNS entered under Setup/Internet/Manual?
Please post a picture of what you're seeing:
Adding Screenshots In A Post
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

pik256

Re: DIR-845 DNS relay problem
« Reply #2 on: September 25, 2014, 01:25:00 AM »


  • What Firmware version is currently loaded?
  • What ISP Service do you have? Cable or DSL?
  • What ISP Modem Mfr. and model # do you have?

Do you have custom DNS entered under Setup/Internet/Manual?
Please post a picture of what you're seeing:

  • The Firmware version is 1.00
    I considered upgrading but this bug is not mentioned on the fix list for 1.02.
  • The ISP Service I have is a 5GHz radio line
  • AFAIK the ISP Modem Mfr. I have is MikroTik but I am not sure. They change it occasionally. This is irrelevant to the problem. The proof is below.

Yes, I have custom DNS entered. The answers from DNS depend on the settings in this field. When I enter my own DNS server here



and ask it then I receive the following response:

Code:
Header:
   ID=52001, QR=Response, Opcode=QUERY, RCODE=NO ERROR
   Authoritative Answer=Yes, Truncation=No
   Recursion Desired=No, Recursion Available=Yes
   QDCOUNT=1, ANCOUNT=1, NSCOUNT=2, ARCOUNT=1
Question:
   Name=samekonkrety.pl, QTYPE=A, QCLASS=1
Answer Section:
- Name=samekonkrety.pl
    Type=A, Class=1, TTL=15000 (4 Hours 10 Minutes), RDLENGTH=4
    IP Address=62.181.5.62
Authority Records Section:
- Name=samekonkrety.pl
    Type=NS, Class=1, TTL=15000 (4 Hours 10 Minutes), RDLENGTH=10
    Name Server=ns2.wdc.pl
- Name=samekonkrety.pl
    Type=NS, Class=1, TTL=15000 (4 Hours 10 Minutes), RDLENGTH=18
    Name Server=wdc.sponsor.com.pl
Additional Records Section:
- Name=wdc.sponsor.com.pl
    Type=A, Class=1, TTL=15000 (4 Hours 10 Minutes), RDLENGTH=4
    IP Address=62.181.5.62

This is a response partially from my DNS, because it is authoritative. Partially, because my DNS does not return the Recursion Available flag. But this flag is not used: when I ask for something my DNS is not authoritative for, then I receive:

Code:
Header:
   ID=52379, QR=Response, Opcode=QUERY, RCODE=REFUSED
   Authoritative Answer=No, Truncation=No
   Recursion Desired=Yes, Recursion Available=Yes
   QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
Question:
   Name=forums.dlink.com, QTYPE=A, QCLASS=1

When I enter another DNS, i.e. openDNS here (in fact I use them but they are manually entered, not by parental control):



and ask also MY DNS (62.181.5.62) then I receive the following response:

Code:
Header:
   ID=51058, QR=Response, Opcode=QUERY, RCODE=NO ERROR
   Authoritative Answer=No, Truncation=No
   Recursion Desired=No, Recursion Available=Yes
   QDCOUNT=1, ANCOUNT=1, NSCOUNT=0, ARCOUNT=0
Question:
   Name=samekonkrety.pl, QTYPE=A, QCLASS=1
Answer Section:
- Name=samekonkrety.pl
    Type=A, Class=1, TTL=0 (), RDLENGTH=4
    IP Address=62.181.5.62

That is not a response from my DNS. It is not authoritative. When, with this setting, I theoretically ask my DNS about a host for which my DNS should respond with RCODE=REFUSED, i.e. forums.dlink.com, I receive a proper response:

Answer Section:
    forums.dlink.com, A, 54.68.115.19

When I ask "my DNS" for something that should be blocked by the openDNS settings, then I receive an opendns response:
    ****o.com, A, 67.215.65.130
(IP Address: 67.215.65.130 Hostname: hit-adult.opendns.com)

Hence - DNS queries are always relayed to the servers entered under Setup/Internet/Manual. And even then the response is not exactly from the DNS, because the recursion available flag is set by the router.


« Last Edit: September 25, 2014, 01:41:54 AM by pik256 »

FurryNutz

Re: DIR-845 DNS relay problem
« Reply #3 on: September 25, 2014, 07:00:12 AM »

I notice that your gateway is a private gateway and not a Public IP address as recommended...
If the ISP modem has a built-in router, it's best to bridge the modem. Having 2 routers on the same line can cause connection problems: Double NAT and How NAT Works. To tell if the modem is bridged or not, look at the router's web page, Status/Device Info/Wan Section; if there is a 192.168.0.# address in the WAN IP address field, then the modem is not bridged. If the modem can't be bridged, then see if the modem has a DMZ option and input the IP address the router gets from the modem and put that into the modem's DMZ.


PacketTracer

  • Level 4 Member
  • ****
  • Posts: 441
Re: DIR-845 DNS relay problem
« Reply #4 on: September 25, 2014, 12:24:37 PM »

Hi pik256,

it looks like your DIR-845L operates as a kind of "transparent DNS proxy" (using its configured DNS servers), capturing any outgoing DNS query, even those destined for external DNS servers, and even though you explicitly switched off the DNS relay function (which, if active, should moreover only work for DNS queries sent to the LAN address of the DIR-845L).

According to the (German) manual I also cannot find any other configuration items except those you mentioned that might have an influence on DNS proxying. Hence, this behaviour seems to be either a "feature" or a bug of the firmware you use.

Maybe using 53/tcp instead of 53/udp for testing your DNS server at 62.181.5.62 might fool your DIR-845L and hence be a workaround. As I can see, your server also replies to 53/tcp (NSLOOKUP mode "vc"):

Code:
C:\>nslookup
Standardserver:  fritz.box
Address:  fd0d:cf1e:63ee:0:9ec7:a6ff:fe39:d15

> server 62.181.5.62
Standardserver:  wdc.sponsor.com.pl
Address:  62.181.5.62

> set debug
> set vc
> set srchlist=.
> set q=A
> samekonkrety.pl
Server:  wdc.sponsor.com.pl
Address:  62.181.5.62

------------
Got answer:
    HEADER:
        opcode = QUERY, id = 3, rcode = NOERROR
        header flags:  response, auth. answer, want recursion
        questions = 1,  answers = 1,  authority records = 2,  additional = 1

    QUESTIONS:
        samekonkrety.pl, type = A, class = IN
    ANSWERS:
    ->  samekonkrety.pl
        internet address = 62.181.5.62
        ttl = 15000 (4 hours 10 mins)
    AUTHORITY RECORDS:
    ->  samekonkrety.pl
        nameserver = ns2.wdc.pl
        ttl = 15000 (4 hours 10 mins)
    ->  samekonkrety.pl
        nameserver = wdc.sponsor.com.pl
        ttl = 15000 (4 hours 10 mins)
    ADDITIONAL RECORDS:
    ->  wdc.sponsor.com.pl
        internet address = 62.181.5.62
        ttl = 15000 (4 hours 10 mins)

------------
Name:    samekonkrety.pl
Address:  62.181.5.62

> forums.dlink.com
Server:  wdc.sponsor.com.pl
Address:  62.181.5.62

------------
Got answer:
    HEADER:
        opcode = QUERY, id = 4, rcode = REFUSED
        header flags:  response, want recursion
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        forums.dlink.com, type = A, class = IN

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 5, rcode = REFUSED
        header flags:  response, want recursion
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        forums.dlink.com, type = A, class = IN

------------
*** forums.dlink.com wurde von wdc.sponsor.com.pl nicht gefunden: Query refused.
>

PT
« Last Edit: September 25, 2014, 01:42:04 PM by PacketTracer »
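
The header-flag comparison used in the posts above (AA and RA bits, REFUSED for names outside the server's zones), as an added Python example that is not part of any poster's message. The function names and sample headers are constructed here; the flag values are taken from the outputs quoted in the thread, except the second OpenDNS header, which the thread does not show and is assumed.

```python
import struct
from typing import NamedTuple

REFUSED = 5  # RCODE 5 (RFC 1035)

class Header(NamedTuple):
    aa: bool      # Authoritative Answer
    ra: bool      # Recursion Available
    rcode: int
    ancount: int

def parse_header(msg: bytes) -> Header:
    """Decode the flag word and answer count of the 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    _id, flags, _qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    return Header(bool(flags & 0x0400), bool(flags & 0x0080), flags & 0x000F, an)

def interception_signs(in_zone: bytes, out_of_zone: bytes) -> list[str]:
    """Compare two replies against what an authoritative-only server sends."""
    a, b = parse_header(in_zone), parse_header(out_of_zone)
    signs = []
    if not a.aa:
        signs.append("in-zone answer lacks AA")
    if a.ra or b.ra:
        signs.append("RA set, but the server offers no recursion")
    if b.rcode != REFUSED or b.ancount:
        signs.append("out-of-zone name was answered instead of REFUSED")
    return signs

def hdr(mid, aa, rd, ra, rcode, an, ns=0, ar=0) -> bytes:
    """Build a constructed response header (QR=1, opcode QUERY, QDCOUNT=1)."""
    flags = 0x8000 | aa << 10 | rd << 8 | ra << 7 | rcode
    return struct.pack("!6H", mid, flags, 1, an, ns, ar)

# Constructed headers carrying the flag values quoted in the thread.
DIRECT_TCP = (hdr(3, 1, 1, 0, 0, 1, 2, 1), hdr(4, 0, 1, 0, REFUSED, 0))
VIA_OWN_DNS = (hdr(52001, 1, 0, 1, 0, 1, 2, 1), hdr(52379, 0, 1, 1, REFUSED, 0))
# The thread shows no header for the second reply here; its flags are assumed.
VIA_OPENDNS = (hdr(51058, 0, 0, 1, 0, 1), hdr(1, 0, 1, 1, 0, 1))

if __name__ == "__main__":
    for name, pair in [("direct tcp", DIRECT_TCP), ("router -> own DNS", VIA_OWN_DNS),
                       ("router -> OpenDNS", VIA_OPENDNS)]:
        print(name, interception_signs(*pair))
```

The check only makes sense for a server known to be authoritative-only, as the one in this thread is; a recursive resolver legitimately sets RA and answers out-of-zone names.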

pik256

Re: DIR-845 DNS relay problem
« Reply #5 on: September 26, 2014, 02:19:08 AM »

Maybe using 53/tcp instead of 53/udp for testing your DNS server at 62.181.5.62 might fool your DIR-845L and hence be a workaround. As I can see, your server also replies to 53/tcp (NSLOOKUP mode "vc"):

Unfortunately not. The router catches both 53/udp and 53/tcp queries.
The workaround I have found is to send queries via VPN connection. This is enough for me so I am not going to risk upgrading firmware.

I notice that your gateway is a private gateway and not a Public IP address as recommended...
If the ISP modem has a built in router, it's best to bridge the modem.

Yes, I know it and I have a problem with double NAT. But this is my ISP's decision and I have no control over it. I would have to pay for a public IP to get rid of double NAT, but I can stand it for the time being.
« Last Edit: September 26, 2014, 02:22:22 AM by pik256 »

FurryNutz

Re: DIR-845 DNS relay problem
« Reply #6 on: September 26, 2014, 01:14:28 PM »

Any chance you can place the 845L into the ISP modem's DMZ?  ???

mtztraktoros

  • Level 1 Member
  • *
  • Posts: 23
Re: DIR-845 DNS relay problem
« Reply #7 on: September 29, 2014, 08:48:12 AM »

yep, double NAT.
Bridge mode...?

FurryNutz

Re: DIR-845 DNS relay problem
« Reply #8 on: September 29, 2014, 09:01:13 AM »

"Yes, I know it and I have a problem with double NAT. But this is my ISP's decision and I have no control over it. I would have to pay for a public IP to get rid of double NAT, but I can stand it for the time being."

yep, double NAT.
Bridge mode...?