amtm - the Asuswrt-Merlin Terminal Menu

Hi all, can anyone briefly share what are or could be the pros/cons of StubbyDNS vs. DNSCrypt?

Note: I am using DNSCrypt, and I've noticed it has a fallback option which can be set (i.e. to 1.1.1.1). Is that making DNSCrypt more of a reliable script? I haven't used Stubby DNS (yet), so I cannot comment on it. I've seen Stubby was added as an option, and I am now wondering which one should I use (as obviously both cannot be used at the same time).
See: https://www.reddit.com/r/privacy/comments/89pr15/dnsoverhttps_vs_dns_overtls_vs_dnscrypt/

Short answer: Stubby = DNS over TLS (DoT). DNSCrypt is not a standard, DoT is.
 
Not expert enough to comment fully on a comparison - all I can say is that I could never get DNSCrypt to work properly [probably my shortcomings, not DNSCrypt itself] in these respects ...
  • lots of "INVALID Security" issues [with WebUI DNSSEC enabled]; and
  • never could fully pass the DNS leak Extended test here https://www.dnsleaktest.com/ [most often found my ISP's DNS sneaking in!].
With stubby installed [using its own built-in DNSSEC] - stock standard from amtm - I no longer have the invalid security issues and fully pass the DNS leak test. Feeling much more secure - and force all clients through stubby [see GitHub for script additions if needed].
Happy camper :).
F.Y.I. DNSSEC is not enabled by default with the current installs.

Sent from my SM-T380 using Tapatalk
 
Thinking out loud here - With any luck Mozilla and Cloudflare will push DoH to become more than an ugly hack and make it a competing standard for the tens of millions who can't use DoT due to telco blocking and crazy regimes. There is a place for DoT and DoH. There are many people arguing to smother DoH in its crib but I can't understand the justifications for doing so. Nightmare for network administrators? Yes, more difficult to monitor, but there's no getting rid of it and malicious actors have it already. It's available in the stable build of Firefox. Worse performance than DoT? Be lazy, let Mozilla and Cloudflare work on it. Besides, we already readily accept there is a performance trade-off with all encryption, VPNs, proxies and obfuscation. The point is that sometimes it is necessary.

The day stubby supports DoH is the day I stop using DNSCrypt.
 
Here is a nice summary of the DNS solutions available https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+-+The+Solutions

https://tenta.com/blog/post/2017/12/dns-over-tls-vs-dnscrypt
 
Awesome - thanks for adding Stubby installer ... just a minor fix to avoid confusion.
Following an install of Stubby via AMTM - the text on option 6 to open stubby from AMTM says ...

...4 . default to Cloudflare DNS 1.1.1.1. You can change to other supported DNS over TLS providers by modifying /opt/var/stubby/stubby.xml
Not there anymore ... it is now found in /opt/etc/stubby/stubby.yml [see GitHub link https://github.com/Xentrk/Stubby-Installer-Asuswrt-Merlin item 6 under "Stubby Installer ..." / Description].

Otherwise - confirm all good ... stubby installed and running without issues so far :).
That's part of Stubby, not amtm. Post the inconsistency in their thread.
 
I am new to amtm. I used it to install skynet and all seems good. I just used it to install diversion, but I want to uninstall diversion now. Is there an option to do that? I did not realize before I installed it that it requires you to use the router as its DNS server. I have some DNS servers that run on my home network so all of my clients point to them because they host some private DNS zones. So I guess diversion is not going to do anything in my config. I also noticed that diversion has a lot of stuff to it, like files/scripts/post script additions/cron jobs, etc. It's pretty complicated and has a lot of moving parts.

Anyway, I'd like to completely remove all of the diversion stuff. Can I do it with AMTM or is there another way?
 
Launch Diversion from amtm, then select d, under that menu you can uninstall.
 
I ran the uninstall but I noticed there are several leftovers. I have extra scripts and modifications to existing scripts.

In the services-stop script, is this from diversion?:

/opt/etc/init.d/rc.unslung stop

I do not know if that's for skynet or diversion.

I am trying to completely remove diversion. I have gone back and checked all the scripts in /jffs/scripts and deleted ones from diversion and removed all lines I know were from diversion. Where else should I look that diversion puts files?
 
Thanks! I did not know that the "d" option would do that.
I uninstalled Diversion immediately after I originally installed it because I didn’t understand what it was doing. I spent a lot of time reading this thread and the Pixelserv thread and now I won’t ever run my Asus-based network without them.

Keep reading and learning how they work. Then come back and ask questions. There is probably a way to make it work for your network.
 
Ok, thanks. Where else should I look to find residual stuff of diversion? I just want to make sure 100% of it is gone. Maybe I will reevaluate down the road, but for now I cannot use the router as my DNS and there are far too many pieces to diversion for me to get a good handle on it before I use it. If it were as simple as skynet, then I would consider digging deeper now, but I just can't do it now. That's why I want to make sure it's gone until I do have the time.
 
If it’s not in any jffs scripts or config files and you restart your router, it should be gone. It only changes dnsmasq behavior but has other cron jobs for convenience.
 
When you installed Diversion it also installed Entware. When you then uninstalled Diversion, it gave you two options:
- Only remove Diversion and leave Entware installed
- Completely remove both
You selected the first option. Be assured that Diversion completely removes itself without a trace when uninstalling.
You are now left with Entware and the necessary start and stop scripts there for it to work.

To completely remove Entware, do this:
- Delete line ". /jffs/scripts/post-mount.div # Added by Diversion" in /jffs/scripts/post-mount
- Delete file /jffs/scripts/post-mount.div
- Delete line "/opt/etc/init.d/rc.unslung stop # Added by Diversion" in /jffs/scripts/services-stop
- Reboot router
- Delete folder "entware" on your attached USB device
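
The manual checks listed in the post above, as an added example that is not part of the original thread: a read-only shell function that reports lines still tagged "# Added by Diversion", a remaining post-mount.div, and a remaining entware folder. The marker text and file names come from the post; the function name `diversion_leftovers` and its optional USB mount-point argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Read-only: it reports, it deletes nothing.
# Assumption: installer-added lines carry the marker quoted in the post.
MARKER='# Added by Diversion'

# usage: diversion_leftovers [scripts_dir] [usb_mount_point]
# Prints one finding per line; returns 0 if clean, 1 if leftovers, 2 on error.
diversion_leftovers() {
    dir="${1:-/jffs/scripts}"
    usb="${2:-}"
    found=0

    if [ ! -d "$dir" ]; then
        echo "error: $dir is not a directory" >&2
        return 2
    fi

    # 1. Tagged lines in any script (post-mount, services-stop, ...).
    #    /dev/null as a second file forces "file:line:text" output.
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if grep -n -F -- "$MARKER" "$f" /dev/null; then
            found=1
        fi
    done

    # 2. The helper file that post-mount sources.
    if [ -e "$dir/post-mount.div" ]; then
        echo "$dir/post-mount.div: file still present"
        found=1
    fi

    # 3. The entware folder on the USB device (only if a mount point is given).
    if [ -n "$usb" ] && [ -d "$usb/entware" ]; then
        echo "$usb/entware: folder still present"
        found=1
    fi

    return $found
}
```

On the router this would be called as `diversion_leftovers /jffs/scripts <usb mount point>`; an empty result with exit status 0 means none of the items from the list above remain.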
 
