ASUSWRT-Merlin and NextDNS issue

@Martineau
I've tried logging into it with WinSCP and after logging in it keeps bitching for the password. Which one?! Using router login password does nothing.

And even if I upload the script with WinSCP I still need to use SSH to set it as executable or whatever and god this is all so stupidly overcomplicated for what should essentially be a simple task...
 
Just for punishment, who is using my ID, I put to block web services. lol ;)

Was that your config cut/shown on NextDNS sample page on routers? I thought it looked rather long and detailed. I copied it but did edit to use "myid".xxxx. I also did not enable it for fear of breaking my DNS-over-TLS to Quad9, which has been working perfectly for months. I wanted to do more research and reading here. If I break the setups, all h*@(@* breaks loose! :)

Being we are running amtm/diversion/skynet, is this overkill or just another layer to keep the *@@ at bay?
 
Was that your config cut/shown on NextDNS sample page on routers? I thought it looked rather long and detailed. I copied it but did edit to use "myid".xxxx. I also did not enable it for fear of breaking my perfectly working DNS-over-TLS to Quad9.

Being we are running amtm/diversion/skynet, is this overkill or just another layer to keep the *@@ at bay?
No, I think his screenshot in post 31 originally included his endpoint name, but has now been redacted.
 
@Martineau
I've tried logging into it with WinSCP and after logging in it keeps bitching for the password.

Which one?! Using router login password does nothing.
The router's login credentials that you set! :rolleyes:
And even if I upload the script with WinSCP I still need to use SSH to set it as executable or whatever
No, not necessarily so, i.e. if you follow my WinSCP tutorial, you can do 99% of everything script related using WinSCP.

The only thing you can't do is run a script (such as amtm etc.) in WinSCP's terminal window that is interactive that will require you to enter replies to prompts, so then you will need to login with a fullscreen interactive SSH client.
and god this is all so stupidly overcomplicated for what should essentially be a simple task...
Perhaps you can find a passing 10-year old to assist? :p
 
@Martineau
It didn't work because some other tutorial said you need to use "root" as username even if you changed it to something else. Sigh...

I've uploaded the script to the jffs/scripts folder, how can I set things to it via WinSCP? The "set as executable" and "restart stubby" command?
 
@Martineau
It didn't work because some other tutorial said you need to use "root" as username even if you changed it to something else. Sigh...

I've uploaded the script to the jffs/scripts folder, how can I set things to it via WinSCP?

The "set as executable"

Right-click the script

Click Properties, (or press F9) and click the 'x' boxes marked

"restart stubby" command?
To execute a script or router command, open the 'command terminal' (see post #46)

 
So, after setting this script thing, I can add all the NextDNS servers I want and it won't crap out randomly during use? Or do I need to use only one so it doesn't do that? I'd like to add both IPv4 and IPv6 for maximum redundancy.
 
If anyone still complains that the Merlin forum doesn't help, have holy patience.
 
Could JFFS management be done via the ASUSWRT-Merlin GUI itself? It would be hugely useful if you could easily manage scripts and set them as executable without having to use SSH, WinSCP, Terminal or whatever. Seems incredibly fiddly to use all this stuff instead of just doing it via its GUI. Unless that requires so much work and space on routers it can't be done.
 
Seems incredibly fiddly to use all this stuff instead of just doing it via its GUI.
Almost 100% of FW functions are done in the GUI. There is no way to add all users' wishes to a firmware. Great work. It turns out that FW is developed by ASUS. FW Merlin organizes customization and enhancements. For reasons of codes, legislation and copyright, not many modifications are possible.
 
A compatibility switch for NextDNS would help. The sort of switch that would drop the script there, make it executable and restart Stubby. Or that it sorts this out somehow, whatever way it can be done easier "natively". Surely that can be coded into FW. Coz what we had to do here manually is just WAY too fiddly. And NextDNS is a very nice service and if you use it, you want to use it on router level for maximum effect.
 
Working from home now.

Here is my WAN Settings page:

My /jffs/scripts/stubby.postconf:

Code:
#!/bin/sh
# stubby.postconf: Merlin calls this with the path of the generated stubby.yml as $1
CONFIG="$1"
# helper.sh provides pc_replace and the other pc_* editing helpers
. /usr/sbin/helper.sh
# Disable round-robin so Stubby sticks to the first upstream and only fails over when it breaks
pc_replace "round_robin_upstreams: 1" "round_robin_upstreams: 0" "$CONFIG"


I have given execution permission to stubby.postconf and restarted stubby and router.
 
Working from home now.

Here is my WAN Settings page:

My /jffs/scripts/stubby.postconf:

Code:
#!/bin/sh
# stubby.postconf: Merlin calls this with the path of the generated stubby.yml as $1
CONFIG="$1"
# helper.sh provides pc_replace and the other pc_* editing helpers
. /usr/sbin/helper.sh
# Disable round-robin so Stubby sticks to the first upstream and only fails over when it breaks
pc_replace "round_robin_upstreams: 1" "round_robin_upstreams: 0" "$CONFIG"


I have given execution permission to stubby.postconf and restarted stubby and router.
Maybe consider disabling DNS Rebind protection if you’re using a blocking list. I saw some rebind log messages for blocked domains answering with 0.0.0.0.
 
Maybe consider disabling DNS Rebind protection if you’re using a blocking list. I saw some rebind log messages for blocked domains answering with 0.0.0.0.

I have disabled DNS rebinding in both the router control panel and the NextDNS control panel. Still doesn't work.
 
I have disabled DNS rebinding in both the router control panel and the NextDNS control panel. Still doesn't work.
I’ve configured mine just now and the only difference I notice between your setup and mine is the order of the resolvers in the DoT list.

If you run this command, compare my config to yours:
Code:
cat /etc/stubby/stubby.yml

resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
appdata_dir: "/var/lib/misc"
resolvconf: "/tmp/resolv.conf"
edns_client_subnet_private: 1
round_robin_upstreams: 0
idle_timeout: 9000
tls_connection_retries: 2
tls_backoff_time: 900
timeout: 3000
listen_addresses:
  - 127.0.1.1@53
upstream_recursive_servers:
  - address_data: 45.90.28.0
    tls_auth_name: "PREFIX.dns1.nextdns.io"
  - address_data: 2a07:a8c0::0
    tls_auth_name: "PREFIX.dns1.nextdns.io"
  - address_data: 45.90.30.0
    tls_auth_name: "PREFIX.dns2.nextdns.io"
  - address_data: 2a07:a8c1::0
    tls_auth_name: "PREFIX.dns2.nextdns.io"

Edit: I had an extra postconf modification to reduce idle timeout to 2000 when I was using Quad9. Removed it now. Will keep an eye out for any conn shuts...
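Since the thread's advice boils down to "compare your generated stubby.yml with a known-good one", here is a small checker that does that comparison mechanically. It is an added example, not code from the thread or from the Asuswrt-Merlin project: a POSIX/busybox sh script that checks the generated /etc/stubby/stubby.yml for the properties that actually matter for DNS-over-TLS (authentication required, no plaintext transport listed, a tls_auth_name for every upstream) and reports the round_robin_upstreams setting the postconf above changes. Both YAML samples are constructed from the config posted above; PREFIX stands in for the NextDNS profile id.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a Stubby config file.
# Targets busybox/POSIX sh as found on Asuswrt-Merlin; the YAML samples below
# are constructed and PREFIX is a placeholder for the NextDNS profile id.

# Constructed sample modelled on the working config posted in the thread.
SAMPLE_GOOD='resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
round_robin_upstreams: 0
listen_addresses:
  - 127.0.1.1@53
upstream_recursive_servers:
  - address_data: 45.90.28.0
    tls_auth_name: "PREFIX.dns1.nextdns.io"
  - address_data: 2a07:a8c0::0
    tls_auth_name: "PREFIX.dns1.nextdns.io"
'

# Constructed broken sample: authentication downgraded, a plaintext transport
# added, and the first upstream has no tls_auth_name to validate its cert against.
SAMPLE_BAD='resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
  - GETDNS_TRANSPORT_UDP
tls_authentication: GETDNS_AUTHENTICATION_NONE
round_robin_upstreams: 1
upstream_recursive_servers:
  - address_data: 45.90.28.0
  - address_data: 45.90.30.0
    tls_auth_name: "PREFIX.dns2.nextdns.io"
'

# count_upstreams FILE: number of upstream_recursive_servers entries
count_upstreams() {
    grep -c 'address_data:' "$1" || true
}

# every_upstream_authenticated FILE: exit 0 if each address_data line is directly
# followed by a tls_auth_name line, 1 otherwise. This is awk, not a YAML parser,
# so it relies on the two-line layout Merlin's generator writes.
every_upstream_authenticated() {
    awk '
        pending && !/tls_auth_name:/ { bad++; pending = 0 }
        /address_data:/              { pending = 1; next }
        /tls_auth_name:/             { pending = 0 }
        END { if (pending) bad++; exit (bad > 0) }
    ' "$1"
}

# check_stubby_yml FILE: print one line per finding; return 0 only when the
# config enforces authenticated DNS-over-TLS for every upstream
check_stubby_yml() {
    f=$1
    rc=0
    # Without REQUIRED authentication an on-path resolver could present any cert
    grep -q '^tls_authentication: GETDNS_AUTHENTICATION_REQUIRED' "$f" \
        || { echo "FAIL: tls_authentication is not GETDNS_AUTHENTICATION_REQUIRED"; rc=1; }
    # A plaintext transport in the list means queries may fall back to it
    grep -Eq 'GETDNS_TRANSPORT_(UDP|TCP)' "$f" \
        && { echo "FAIL: plaintext transport listed in dns_transport_list"; rc=1; }
    every_upstream_authenticated "$f" \
        || { echo "FAIL: an upstream has no tls_auth_name"; rc=1; }
    [ "$(count_upstreams "$f")" -gt 0 ] \
        || { echo "FAIL: no upstream_recursive_servers"; rc=1; }
    # Informational: the thread's fix for drop-outs was round_robin_upstreams: 0
    grep -q '^round_robin_upstreams: 0' "$f" \
        || echo "NOTE: round_robin_upstreams is not 0 (the stubby.postconf above sets it)"
    # Informational: an unreplaced placeholder means no NextDNS profile id was filled in
    grep -q 'PREFIX\.' "$f" \
        && echo "NOTE: PREFIX placeholder still present in tls_auth_name"
    return $rc
}

# Stand-alone run over both constructed samples; on the router you would pass
# /etc/stubby/stubby.yml to check_stubby_yml instead.
run_demo() {
    tmp=$(mktemp)
    printf '%s' "$SAMPLE_GOOD" > "$tmp"
    echo "== good sample =="; check_stubby_yml "$tmp" && echo "OK"
    printf '%s' "$SAMPLE_BAD" > "$tmp"
    echo "== bad sample ==";  check_stubby_yml "$tmp" || echo "config rejected"
    rm -f "$tmp"
}
run_demo
```

Run it after `service restart_stubby` to confirm the postconf produced what you expect; the checks are deliberately line-based so they work with the busybox grep and awk on the router rather than needing a YAML library.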
 
FYI...

For convenience, i.e. you wish to test/switch between different servers, for those of you that can login to your router (without blaming others for PEBKAC) and use an editor to modify scripts/text files on the router you can update the 'Preset servers' drop-down

e.g. Mount '/jffs/configs/dot-servers.dat' ==> '/rom/dot-servers.dat'


although if you already have a 'Unique prefix' you would obviously hard-code it by overwriting the '?????', but I'm not sure if this mod would make it formally into the firmware?

P.S. I did also add the NextDNS IPv6 servers to the menu.
 