Closed: acejacek closed this issue 3 years ago
Since the config file still contains all of your configuration, it seems that the integration templates are missing from your router under the conditions you describe above. Also, the configure path to check is:
show service dns forwarding blacklist
Did you switch images?
I made a typo, of course I meant show service dns forwarding blacklist.
The problem is that I force the router to use a locally run name-server. Effectively, there is a short period of time between boot and when dnsmasq gets a connection to the locally run DNS proxy (it's dnscrypt-proxy). This period is long enough that other services don't have a connection to the network for a short time (the exception is ntpd, as it's pointed to an IP address and does not care whether a nameserver is present or not).
I think the easiest way to reproduce is:
delete system name-server
set interfaces ethernet eth0 dhcp-options name-server no-update
set system name-server 1.1.1.1
On the other hand, if I keep the system name-server pointed to 1.1.1.1, all works fantastically, no issue; every reboot brings the blacklist up operational.
Your use case is unusual, so I'm not sure if I can provide a solution. However, I have fixed the bug with the -safe switch. If you're using the Debian package upgrade to update edgeos-dnsmasq-blacklist, you will need to make a change to your system package repository. See the README.md.
The repository URL has changed:
configure
set system package repository blacklist components main
set system package repository blacklist description 'Britannic blacklist debian stretch repository'
set system package repository blacklist distribution stretch
set system package repository blacklist url 'https://raw.githubusercontent.com/britannic/debian-repo/master/blacklist/public/'
commit;save;exit
I rest my case. No matter what I tried, when DNS at boot time is not fully operational, the blacklist branch in show service dns forwarding becomes non-existent. When the internet connection is finally restored, running sudo /config/scripts/update-dnsmasq (with all possible switches) does not resolve the issue. Only a full sudo dpkg-reconfigure edgeos-dnsmasq-blacklist brings things back to life. Until the next reboot.
@acejacek, so the EdgeRouter boot sequence rebuilds the entire configuration tree from the config.boot file on each boot. Each layer of the config tree references a node.def file to see what its boot order is. The blacklist node is 9999 and sits at the end of the service dns forwarding node chain. If anything upstream doesn't complete, then it won't get to the blacklist node and complete building its config.
You will need to figure out what breaks upstream that prevents the blacklisting node buildout from completing. Or, you could add a script to /config/scripts/post-config.d to run update-dnsmasq -safe to ensure you have blacklisting configured after each boot for your use case.

You don't even need to use /config/config.boot; instead you can extract the blacklist stanza from it and run update-dnsmasq -f /config/user-data/<your_config.boot> from /config/scripts/post-config.d, and additionally use the task scheduler for a standalone setup.
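A post-config.d hook along the lines of the suggestion above, written here as an added example (not code from edgeos-dnsmasq-blacklist or from anyone in this thread): it polls the system resolver and only then runs update-dnsmasq -safe, so a resolver that is slow to come up at boot no longer leaves the blacklist node unbuilt. The hook file name, PROBE_HOST, the retry limits and the syslog tag are assumptions.

```shell
#!/bin/sh
# Added example, not part of edgeos-dnsmasq-blacklist: a hook for
# /config/scripts/post-config.d (file name, e.g. 99-blacklist-safe.sh, is assumed)
# that waits until the system resolver answers before running update-dnsmasq -safe,
# so a resolver that is slow to start at boot does not leave the blacklist node
# unbuilt. Must be executable; runs as root at the end of the boot sequence.

UPDATE_DNSMASQ="/config/scripts/update-dnsmasq"        # path from the thread
PROBE_HOST="${PROBE_HOST:-raw.githubusercontent.com}"  # assumption: a name the update must resolve
MAX_TRIES="${MAX_TRIES:-60}"                           # assumption: 60 tries x 5 s = 5 minutes
DELAY="${DELAY:-5}"
LOG_TAG="blacklist-boot"                               # assumption: syslog tag

# dns_ready: succeeds only when PROBE_HOST resolves via the system resolver
# (getent goes through /etc/resolv.conf, i.e. the dnsmasq -> dnscrypt-proxy path).
dns_ready() {
    getent hosts "$PROBE_HOST" >/dev/null 2>&1
}

# wait_for MAX DELAY CMD [ARGS...]: retry CMD up to MAX times, sleeping DELAY
# seconds between attempts; returns 0 as soon as CMD succeeds, 1 if it never does.
wait_for() {
    max="$1"; delay="$2"; shift 2
    tries=0
    while :; do
        if "$@"; then
            return 0
        fi
        tries=$((tries + 1))
        if [ "$tries" -ge "$max" ]; then
            return 1
        fi
        sleep "$delay"
    done
}

# run_update: rebuild the blacklist configuration once DNS works (-safe as the
# maintainer advises); logs the outcome so a failed boot is visible in syslog.
run_update() {
    if wait_for "$MAX_TRIES" "$DELAY" dns_ready; then
        logger -t "$LOG_TAG" "resolver ready, running update-dnsmasq -safe"
        "$UPDATE_DNSMASQ" -safe
    else
        logger -t "$LOG_TAG" "resolver not ready after $((MAX_TRIES * DELAY))s; blacklist NOT rebuilt"
        return 1
    fi
}

# Only act on the router (where update-dnsmasq exists); elsewhere the functions
# above can be sourced and exercised without side effects.
if [ -x "$UPDATE_DNSMASQ" ]; then
    run_update
fi
```

If the resolver never comes up within the limit the hook exits non-zero and logs it, which is the condition worth alerting on, since the router is then running without the blacklist.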
EdgeRouter ERLite-3, with EdgeOS 1.10.11
In a situation when booting the router and the internet connection is not fully ready yet (in my case caused by a not-yet-ready DNS resolver), the blacklist update fails:

This is quite normal. The problem is that the existing blacklist configuration is not saved and the router is wide open.
When running the update (or waiting for cron/task scheduler to do that):
Still, no blacklist active. Adding the -safe switch changes nothing. Manually pointing to the config file makes all the updates:

However, the configuration is not active anyway. There is no blacklist branch in show services dns resolver. The only method I found to bring back the blacklist is a full reconfiguration with sudo dpkg-reconfigure edgeos-dnsmasq-blacklist. This means all customizations and exception lists go to waste. Am I doing something wrong?