nslookup works fine from my computer but not on TO:
nslookup: can’t resolve ‘(null)’: Name does not resolve
nslookup: can’t resolve ‘sync.afraid.org’: Try again
I have been experimenting with different settings with dns forwarding or without forwarding, but no success.
The only was I could make this work was, when I disabled DNSSEC
Is there any other way to make this work? I wouldn’t want to disable a security feature if it is possible.
I’m unable to reproduce that with this particular domain – it appears correctly insecured below afraid.org. (I can’t look deeper soon.)
Hmmm…
I do not have have DNSSEC disabled, and it works for me:
root@router:~# nslookup sync.afraid.org nslookup: can't resolve '(null)': Name does not resolve Name: sync.afraid.org Address 1: 50.23.197.94 ns1.afraid.org root@-router:~# nslookup sync.afraid.org 8.8.8.8 Server: 8.8.8.8 Address 1: 8.8.8.8 google-public-dns-a.google.com Name: sync.afraid.org Address 1: 50.23.197.94 ns1.afraid.org
You say DDNS doesn’t work, or do you mean DNS doesn’t work?
If you mean DDNS, then you can configure an alternative DNS server to be testing for you DDNS hostname’s current IP address. The parameter is called dns_server. For example:
root@sr-router:~# uci show | grep ddns ddns.namecheap=service ddns.namecheap.enabled='1' ddns.namecheap.lookup_host='host.domain.com' ddns.namecheap.dns_server='ns1.afraid.org' ddns.namecheap.interface='wan' ddns.namecheap.ip_source='web' ddns.namecheap.ip_url='http://myip.dnsomatic.com/' ddns.namecheap.service_name='namecheap.com' ddns.namecheap.domain='domain.com' ddns.namecheap.username='@' ddns.namecheap.password='99999999999'
I think the nameserver for afraid.org is ns1.afraid.org, if so, then you could test via: nslookup sync.afraid.org ns1.afraid.org and see where that takes you.
I feel that it is better to use your DDNS providers’ nameserver because that is the nearest to the reality (assume the caches have steeled).
nslookup from busybox is broken (known for almost a decade). It doesn’t use the second parameter and always asks the default resolver (silently).
Hi,
tx for the answers. DDNS is not working in luci and when I check the logs, I can see this:
232849 : nslookup: can’t resolve ‘(null)’: Name does not resolve
So basically I see the same thing. DDNS does not work because nslookup does not work, cannot resolve the needed hostnames with DNSSEC for some reason.
I do not have this parameter in my list. Btw can you tell me how to configure an alternative DNS servers for the router? I see you are using google DNS servers, I tried to switch to it as well, editing /etc/config/network. However I have now this in my /tmp/resolv.conf.auto:
nameserver 8.8.8.8
nameserver 8.8.4.4
nameserver 213.46.246.53
nameserver 213.46.246.54
Is there anyway to config this in Luci as well? Or what is the best way to do it?
As you can see for some reason the old dns servers are still there for some reason in the last 2 lines.
The first 2 are google dns, but I still cannot resolve the sync.afraid.org.
Also can you send me your config /etc/config/network?
do you know why is there this bug for a decade? will it be fixed? or is there any special reason that it has not yet been fixed?
How can I check which dns server is really being used by nslookup?
Is there any way to disable DNSSEC only for certain selected (listed) hostnames?
trust_anchors.negative = { 'dnssec-failed.org' }
Hi,
thanks it is useful, I tried it but unfortunately it still cannot resolve it. I have added this line:
$ cat /etc/kresd/custom.conf
trust_anchors.negative = { ‘sync.afraid.org’ }
and modified kres section of /etc/config/resolver:
config resolver 'kresd’
option rundir '/tmp/kresd’
option log_stderr '0’
option log_stdout '0’
option forks '1’
option include_config ‘/etc/kresd/custom.conf’
$ nslookup sync.afraid.org
nslookup: can’t resolve ‘(null)’: Name does not resolve
nslookup: can’t resolve ‘sync.afraid.org’: Try again
What could be wrong?
This doesn’t necessarily mean there’s a problem - it could well be ‘normal’ and there is no reason why ddns wouldn’t work even with this error.
This is a problem. You could do the following & try again (you would best reboot the router after):
root@router:~# opkg update; opkg install knot-host
This allows ddns-scripts (which is a very well-maintained piece of shell script written specifically for OpenWrt & thus for TO) to use khost for name resolution. I am not sure if dig is installed by default on TO, but you can get ddns to use that as well. So try khost sync.afraid.org and dig sync.afraid.org before you go any further (AFAIK they both use an internal resolver).
I do remember setting up afraid.org was a bit difficult (I use a different domain now) - I think I had to go via dnsomatic.com in the end - have you tried that? At least it will tell you if you ddns client is working.
Before that, try this from TOs CLI (NB: namecheap is my chosen name, yours will be called something else (try uci show ddns | grep service):
root@router:~# /etc/init.d/ddns stop root@router:~# /usr/lib/ddns/dynamic_dns_updater.sh namecheap 3
and you could post the result here for us to check for you. You could even try this:
root@router:~# /usr/lib/ddns/dynamic_dns_updater.sh namecheap 3 | grep -i detected root@router:~# /etc/init.d/ddns restart
If things look good with 3 (which does everything but send an update), then try 2, which also sends an update).
Hi,
thanks for suggestions. Here are my resultls:
I have tried: “opkg update; opkg install knot-host”, but first it didn’t help.
Yes, dig is installed in my router by default. Neither dig, nor nslookup nor khost helped first:
dig sync.afraid.org
<<>> DiG 9.11.2-P1 <<>> sync.afraid.org
global options: +cmd
connection timed out; no servers could be reached
khost sync.afraid.org
WARNING: response timeout for 127.0.0.1@53(UDP)
WARNING: response timeout for 127.0.0.1@53(UDP)
WARNING: failed to query server 127.0.0.1@53(UDP)
WARNING: response timeout for 127.0.0.1@53(UDP)
uci show ddns | grep service
ddns.myddns_ipv4=service
ddns.myddns_ipv4.service_name='dyndns.org’
ddns.myddns_ipv6=service
ddns.dnet_ipv4=service
ddns.dnet_ipv4.service_name='freedns.afraid.org’
ddns.test=service/etc/init.d/ddns stop
usr/lib/ddns/dynamic_dns_updater.sh freedns 3
161313 : ************ ************** ************** **************
161313 note : PID ‘25125’ started at 2018-03-15 16:13
161313 : ddns version : 2.6.4-1
161313 : uci configuration:
ddns.dnet_ipv4=service
ddns.myddns_ipv4=service
ddns.myddns_ipv6=service
ddns.test=service
161313 WARN : Service section ‘freedns’ not defined - TERMINATE
161313 WARN : PID ‘25125’ exit WITH ERROR ‘1’ at 2018-03-15 16:13And then some MAGIC started to happen, it started to work, but I do not understand exactly why:
khost sync.afraid.org
sync.afraid.org. is an alias for freedns.afraid.org.
freedns.afraid.org. has IPv4 address 50.23.197.94dig sync.afraid.org
<<>> DiG 9.11.2-P1 <<>> sync.afraid.org
global options: +cmd
Got answer:
->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47363
flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
OPT PSEUDOSECTION:
EDNS: version: 0, flags:; udp: 4096
QUESTION SECTION:
sync.afraid.org. IN A
ANSWER SECTION:
sync.afraid.org. 300 IN CNAME freedns.afraid.org.
freedns.afraid.org. 60 IN A 50.23.197.94
Query time: 186 msec
SERVER: 127.0.0.1#53(127.0.0.1)
WHEN: Thu Mar 15 16:25:59 CET 2018
;MSG SIZE rcvd: 82
nslookup sync.afraid.org
nslookup: can’t resolve ‘(null)’: Name does not resolve
Name: sync.afraid.org
Address 1: 50.23.197.94 ns1.afraid.orgPlease note my previous post. I have DNSSEC disabled for sync.afraid.org, but this config didn’t work so far for some reason. Your tip made it work though, I don’t know why or how. All we did was actually restarting ddns service. But it should have been restarted by router restart anyway. And it is restarted every day for me. But it only started to work now. I made some more testing and it is now working as expected. If i comment out my config in /etc/kresd/custom.conf and restart kresd, nslookup/dig/khost still wont work. If i enable it (means disable DNSSEC), then it works.
After all that, I am not sure if you’ve got it working, or not. Ha!
If required, here’s a work-around: use dnsomatic.com. The TO’s DDNS client talks to dnsomatic (so your router doesn’t need to resolve sync.afraid.org) & dnsomatic’s talks to afraid.org’s name servers.
When you ran this command, it said you’ve 3 ddns services configured: myddns_ipv4, myddns_ipv6, dnet_ipv4 and test. (I note freedns is not one of these).
When you ran this command, it said “Service section ‘freedns’ not defined”, which is correct.
as mentioned it is only working with DNSSEC disabled but for security I only disabled it specifiacally for sync.afraid.org. With DNSSEC enabled, it does not work. As I remember you told in your first post, it is working for you even with DNSSEC.
Before using dnsomatic, I checked if it would work, but it would be the same issue with it:
nslookup dnsomatic.com
nslookup: can’t resolve ‘(null)’: Name does not resolve
nslookup: can’t resolve ‘dnsomatic.com’: Try again