How to Configure Local DNS Server on Omada Router

Re:How to Configure Local DNS Server on Omada Router
2025-06-24 00:56:15 - last edited 2025-06-24 00:56:57

  @ZoloNN 

ZoloNN wrote

Hi @Clive_A,

 

based on my observation:

  • in the source code of the Omada router ER605 I can find dnsmasq and unbound
  • the primary DNS server is unbound
    • the default configuration is disabled (recursive search using root hints)
    • instead it relies exclusively on forwarders defined in Internet settings - DNS servers of ISP or google, etc....
      • that means, if there is no DNS defined in Internet settings, the router will resolve nothing......
  • the dnsmasq is used only as a DHCP server with no connection to unbound

 

why is the recursive search using root hints disabled? I would very much appreciate a configuration option to not rely on forwarders, due to privacy concerns

 

(dnsmasq-unbound integration was already discussed in another thread and even though there are requests from other users (even in this thread), I don't want to re-open this topic again)

 

I know that you are an experienced network user. Yet, I am no longer interested in discussing the code-level stuff or explaining how and why from the dev's perspective, as I have been told many times by our supervisor and the NA team not to discuss any subjects or topics with any users. 

If you are interested in this matter, you can find some other community members to discuss this. You don't have to mention me for these subjects.

I will dismiss any discussions over this stuff. It's the team's decision. There is nothing I can do.

 

I no longer provide the following information or join the discussion on the subjects:

1. Firmware ETA.

2. Feature request development progress. And the design aspect discussion.

3. Code-level or device-based LINUX topics.

4. Dev or internal perspective and opinions. 

5. Sensitive product information.

 

The reason why the root is disabled: you can find existing posts regarding that. I don't have a comment on this.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced. ● I don't provide ETA for any products/features. No comment.
#34
Re:How to Configure Local DNS Server on Omada Router
2025-06-24 01:00:04

  @arrmo 

arrmo wrote

  @Clive_A Sorry, this one is still a bit open :(. A couple questions,

- the CLI does not seem to be available for the gateway / router ... or how to turn it "on" / enable it?

- from the Controller web interface, do I need to add a new LAN DNS ("profile") for every single entry? Thinking there should be multiple within a LAN DNS? Or is this a single entry?

 

Thanks!

1. Controller mode: you gotta enable SSH access before you telnet/ssh to the device. I explained it in the firmware roll-back CG.

2. Not sure what you mean. It is what the feature looks like now. 

Best Regards!
#35
Re:How to Configure Local DNS Server on Omada Router
2025-06-24 08:09:19 - last edited 2025-06-24 08:10:31

Hi @Clive_A,

 

I understand your unfortunate limitation in answering questions.

Anyway, I would like to thank you for your active participation in user talks. This isn't very common at other vendors.

 

Yes, you're right, I'm a kind of experienced user: I was an IT customer engineer, L3 Windows server admin, solution architect and nowadays I'm a freelance consultant. That's the reason behind my targeted questions and technical analysis (e.g. the LDAP communication with Active Directory).

 

With all respect, talking with other users about a problem without any ability to trace and try to fix the issues themselves - that means having no root access - and without someone competent listening on the TP-Link side (that should be you!) - it's like chatting about the weather in a senior club....

Be aware that there are a lot of users/admins out there with extensive knowledge of OpenWRT - and maybe the management may think about an option to start a special program for active experienced users to allow them root access, whose purpose should be pure technical feedback and system configuration suggestions/changes to TP-Link. Of course, after signing some long legal text including an NDA with their own blood.....

 

btw: as you mentioned root in your answer - in my post I asked about the disabled "DNS root hints" in the unbound configuration - which has nothing to do with root access to the router. See www.iana(.)org/domains/root/servers

 

question: why is iana(.)org classified as an invalid external link?

 

 

/BR ZoloNN ----------------------------------------------------------------------------------- Omada 2x ER605(UN) v2.0 + SG2008P(UN) V3.20 + SG2218 V1.20 + 2x SG2008 V4.20 + 3x EAP615-Wall(EU) V1.0
#36
Re:How to Configure Local DNS Server on Omada Router
2025-06-24 08:46:01 - last edited 2025-06-24 08:50:36

  @ZoloNN 

ZoloNN wrote


Really appreciate your understanding of my position. It is rare to have people like you who share and understand my position. I always believe in transparency for the general public and progress for the community as a whole. I also hope I can push the dev progress for many features people asked for, as I build my home network with various services. I know many are quite useful for an advanced home or SMB setup. Yet, my ability is limited, and my effort is not seen or appreciated by some community members. I have argued for transparency for the community members like you, as I know many of you are quite knowledgeable in this. Some decisions are not for me to make.

 

The community is set to accept only tp-link.com or other famous and well-known websites.

Many other websites are not allowed and are treated as external links. For the sake of safety and anti-spam on the forum, other domains are not allowed. Some are new users, and we are concerned they might be scammed if full access to other domains is allowed.

 

About the recursive DNS server, the root hints: I think that the router DNS is not yet ready for that. Maybe it is manually disabled in the system. I am not certain I follow you.

Do you have details on this part? I have recently built a recursive DNS server in my LAN. However, I am not sure which part you mean on the Omada router. 

 

Or you mean this one? Is the root server working for the Omada routers? 

https://community.tp-link.com/en/business/forum/topic/749242

Best Regards!
#37
Re:How to Configure Local DNS Server on Omada Router
2025-06-24 10:59:19

  @Clive_A Thanks! Let me dig, not finding how to enable SSH. I tried to turn on CLI, but it only says it works with my switches, not the gateway?!?!

 

And yes, on the web interface - exactly as you have below. I have to "Create a new LAN DNS" for every IP address (client) on my network?

#38
Re:How to Configure Local DNS Server on Omada Router
2025-06-24 11:23:22 - last edited 2025-06-24 13:35:52

Hi @Clive_A,

 

re understanding: for the last 20 years I have been operating inside several corporate environments and I really understand process restrictions. Please, preserve your positive attitude!

 

re root hints: yes, that's the one.

 

ER605 uses unbound as its primary DNS server subsystem.

unbound is defined by its creator as "a validating, recursive, caching DNS resolver", with the accent on recursive.

There are two options to configure a DNS server:

  • using forwarder
    • server is completely dependent on upstream DNS server <-- current configuration
  • using recursive feature <-- default behavior of unbound, which is disabled on ER605
    • recursive means that when the DNS server cannot resolve a hostname, it goes to the root DNS servers first, asking for the authoritative DNS server for the domain, and then to that one asking for the IP address

 

Usage of recursive resolver has some pros and cons:

  • pros:
    • independence from ISPs DNS (or google, etc...)
    • getting resolution from authoritative DNS servers
    • avoiding request tracking via ISP
    • overcome potential resolution blocking on ISP side
  • cons:
    • no resolve restrictions by default; there is a possibility to configure local blacklists, but managing those on a router requires quite a lot of attention and some storage space (and, of course, CPU overhead)

 

My current DNS chain in my environment is: 

Client -> AD integrated DNS -> piHole -> router -> external DNS

 

pros of this setup: all AD DNS internal hostnames for static devices and those which are able to self-register in AD are resolved. piHole blocks the ad servers and tracking sites

cons: this setup ("thanks" to the missing integration between the router's DHCP (dnsmasq) and DNS (unbound) subsystems) isn't able to resolve any device with a dynamic address on the network which is unable to self-register in AD DNS (IoT, mobile phones, guest devices, ....). As I wrote in my previous threads, OpenWRT based home routers have no problem with this, the fix is quite easy and the integration configuration is well documented on the OpenWRT pages. tl;dr: to fix this issue no software change is required, just a simple configuration change...

 

 

/BR ZoloNN
#39
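As an added illustration (not the ER605's shipped configuration, which is not available here), the two unbound modes ZoloNN contrasts, forwarder-only versus recursion from the root hints, together with an OpenWRT-style stub zone that hands LAN lease names to dnsmasq so the DHCP/DNS gap described above closes without new software. The addresses, file paths, the "lan." domain and port 53053 are assumptions.

```conf
# unbound.conf (illustrative; assumed paths, addresses and zone names)
server:
    interface: 192.168.0.1
    interface: 127.0.0.1
    access-control: 192.168.0.0/24 allow
    access-control: 127.0.0.0/8 allow
    # Recursive mode (unbound's default): iterate from the root servers.
    # root.hints is IANA's named.root file; root.key is the DNSSEC trust
    # anchor that unbound-anchor maintains. Answers are validated locally,
    # so no ISP or public forwarder sees or shapes the queries.
    root-hints: "/etc/unbound/root.hints"
    auto-trust-anchor-file: "/etc/unbound/root.key"
    harden-dnssec-stripped: yes
    harden-glue: yes
    qname-minimisation: yes          # send each server only the labels it needs
    # LAN names live in dnsmasq (DHCP leases). That zone is unsigned and the
    # server sits on localhost, which unbound refuses to query by default.
    do-not-query-localhost: no
    domain-insecure: "lan."
    domain-insecure: "0.168.192.in-addr.arpa."
    local-zone: "0.168.192.in-addr.arpa." nodefault   # stop the built-in empty RFC1918 zone
    private-domain: "lan."           # allow RFC1918 answers for local names

stub-zone:
    name: "lan."
    stub-addr: 127.0.0.1@53053
stub-zone:
    name: "0.168.192.in-addr.arpa."
    stub-addr: 127.0.0.1@53053

# Forwarder-only mode (what ZoloNN observes on the ER605): uncomment this and
# unbound never touches the roots; every query goes to the servers named under
# Internet settings, and with none configured nothing resolves at all.
#forward-zone:
#    name: "."
#    forward-addr: 8.8.8.8
#    forward-first: no

# dnsmasq.conf, DHCP plus lease names only, on an alternate port:
# port=53053
# domain=lan
# local=/lan/
# expand-hosts
# dhcp-range=192.168.0.100,192.168.0.200,12h
# dhcp-option=option:dns-server,192.168.0.1   # clients ask unbound, not dnsmasq
```

With this layout a query for a lease name goes unbound -> dnsmasq, and everything else is resolved recursively and DNSSEC-validated by unbound itself.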
Re:How to Configure Local DNS Server on Omada Router
2025-06-24 11:44:03

  @Clive_A OK, found where I missed ssh - my bad! But when I try to connect, now I get,

Unable to negotiate with 192.168.0.1 port 22: no matching host key type found. Their offer: ssh-rsa

Thoughts?

 

Thanks!

#40
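For the error arrmo quotes above, an added note and client-side setting (not from the thread): recent OpenSSH clients (8.8 and later) no longer accept "ssh-rsa" host-key signatures (RSA with SHA-1) by default, and "no matching host key type found. Their offer: ssh-rsa" means the gateway offers only that legacy algorithm. The host alias below is assumed; 192.168.0.1 and the admin user are the values from the thread.

```conf
# ~/.ssh/config, scoped to the one host that still offers only ssh-rsa,
# so the weaker SHA-1 signature is not re-enabled for every server.
Host omada-gw
    HostName 192.168.0.1
    User admin
    HostKeyAlgorithms +ssh-rsa
    # Only needed for key-based login with an RSA user key, which the
    # gateway does not use here (password login, see ZoloNN's session).
    #PubkeyAcceptedAlgorithms +ssh-rsa

# Checks, run in a shell:
#   ssh -Q HostKeyAlgorithms            # algorithms this client supports
#   ssh -G omada-gw | grep -i hostkeyalgorithms   # what it will offer this host
#   ssh omada-gw
```

The ZoloNN Debian session above succeeding with an RSA host key is consistent with an older client that still lists ssh-rsa by default.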
Re:How to Configure Local DNS Server on Omada Router
2025-06-24 13:30:32

Hi @arrmo,

 

which SSH client are you using?

 

just tried from windows using putty: no problem

from debian: 

~$ ssh 192.168.0.1 -l admin
The authenticity of host '192.168.0.1 (192.168.0.1)' can't be established.
RSA key fingerprint is SHA256:pgRG/ckfnMMlyVOhqOQxG0QCxxxxxxxxxxxxxxxxx.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.1' (RSA) to the list of known hosts.
admin@192.168.0.1's password:

Note:This gateway is being managed by Controller. Some functions of CLI Server are prohibited.

>
/BR ZoloNN
#41
Re:How to Configure Local DNS Server on Omada Router
2025-06-24 17:37:28

  @ZoloNN Very odd! I tried from Windows, or Ubuntu ... both give me the same error message. It wants a key, but none has been installed?

 

Thanks!

#42
Re:How to Configure Local DNS Server on Omada Router
2025-06-24 20:40:45

Hi  @arrmo 

 

quite strange.... Normally no keys are requested for SSH login, unless you want to log in without username/password - then the user key must be stored on the SSH server - which generally doesn't apply to router logins

 

Questions:

 * what firmware version do you have on the router?

 * do you use a controller?

 * is the SSH enabled?

 

/BR ZoloNN
#43