[Beta] Asuswrt-Merlin 384.11 Beta is now available


So I need to install stubby? I thought stubby was going away now that its functionality is built into 384.11.
No, stubby is built into the firmware; that is why the script is going away. Merlin made it possible for you to create postconf scripts for it and .add scripts for it, for you to add your own modifications.
 

Thank you @Swistheater for being patient with my questions.. this is all new to me.
 
Alternatively, you could turn off DNSSEC on the router and make two scripts using SSH and PuTTY:
Code:
cat << 'EOF' > /jffs/configs/dnsmasq.conf.add
# pass the DNSSEC status from the upstream validator (stubby) through to clients
proxy-dnssec
EOF

and

Code:
cat << 'EOF' > /jffs/scripts/stubby.postconf
#!/bin/sh
# the quoted 'EOF' above keeps $1 and $CONFIG literal while this file is written;
# $1 is the path of the generated stubby.yml that the firmware passes in at run time
CONFIG=$1
source /usr/sbin/helper.sh
# insert the DNSSEC extension right after the TLS transport entry
pc_insert "  - GETDNS_TRANSPORT_TLS" "dnssec_return_status: GETDNS_EXTENSION_TRUE" $CONFIG
EOF

and type service restart_stubby
into the PuTTY terminal,
then run your DNSSEC test; this should provide enough DNSSEC.
*Note: it will still show you failing the Cloudflare test page because of their lack of DNSSEC support.

Any pointers for what to call the scripts? I am assuming they would go into /jffs/scripts/
 
If you copy and paste them exactly as they are, they will get named as the name listed next to the cat command. The cat command makes them right after you press Enter after copying and pasting it into PuTTY. It makes the file and places it where it needs to go.
 

Is this second one right? In the file it has
#!/bin/sh
CONFIG=
source /usr/sbin/helper.sh
pc_insert " - GETDNS_TRANSPORT_TLS" "dnssec_return_status: GETDNS_EXTENSION_TRUE"

The $1 and $CONFIG get evaluated immediately to nothing
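The behaviour described in the question above (the shell emptying $1 and $CONFIG while the heredoc is being written) and the intended effect of the postconf on stubby.yml, as an added example that is not part of the thread or of the Asuswrt-Merlin project. It assumes a scratch directory $WORK instead of the router paths, and insert_after is a stand-in for helper.sh's pc_insert; the stubby.yml fragment is constructed.

```shell
#!/bin/sh
# Added example, not from the thread or the Asuswrt-Merlin project. It shows why
# an unquoted heredoc delimiter empties $1/$CONFIG while the postconf is being
# written, what the quoted form keeps, and what the insert does to a constructed
# stubby.yml fragment. $WORK and insert_after are assumptions for offline use;
# on the router the files are /jffs/scripts/stubby.postconf and the stubby.yml
# path the firmware passes as $1, and helper.sh provides pc_insert.
WORK="${WORK:-$(mktemp -d)}"

# Unquoted EOF, as in the first post: the shell expands $1 and $CONFIG while it
# reads the heredoc, so the file ends up with "CONFIG=" and no "$CONFIG".
# Returns the CONFIG= line that actually lands in the file.
write_unquoted() {
    cat << EOF > "$WORK/unquoted.postconf"
#!/bin/sh
CONFIG=$1
. /usr/sbin/helper.sh
pc_insert "  - GETDNS_TRANSPORT_TLS" "dnssec_return_status: GETDNS_EXTENSION_TRUE" $CONFIG
EOF
    grep '^CONFIG=' "$WORK/unquoted.postconf"
}

# Quoted delimiter: everything between the markers is copied literally, so $1
# is still there to be filled in when the router runs the script with the path.
write_quoted() {
    cat << 'EOF' > "$WORK/quoted.postconf"
#!/bin/sh
CONFIG=$1
. /usr/sbin/helper.sh
pc_insert "  - GETDNS_TRANSPORT_TLS" "dnssec_return_status: GETDNS_EXTENSION_TRUE" $CONFIG
EOF
    grep '^CONFIG=' "$WORK/quoted.postconf"
}

# Stand-in for helper.sh's pc_insert (assumed behaviour: append CONTENT after
# each line containing PATTERN). awk rather than sed -i so it runs on GNU and
# BSD userlands alike.
insert_after() {
    awk -v pat="$1" -v add="$2" \
        '{ print } index($0, pat) { print add }' "$3" > "$3.tmp" && mv "$3.tmp" "$3"
}

# Constructed stubby.yml fragment (not the router's real file).
make_sample_yml() {
    cat << 'EOF' > "$WORK/stubby.yml"
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
EOF
}

# Applies the postconf's insert to the sample and returns the line that now
# follows the TLS transport entry.
apply_postconf() {
    make_sample_yml
    insert_after "  - GETDNS_TRANSPORT_TLS" "dnssec_return_status: GETDNS_EXTENSION_TRUE" "$WORK/stubby.yml"
    awk 'hit { print; exit } /GETDNS_TRANSPORT_TLS/ { hit = 1 }' "$WORK/stubby.yml"
}

echo "unquoted delimiter -> $(write_unquoted)"
echo "quoted delimiter   -> $(write_quoted)"
echo "after insert       -> $(apply_postconf)"
```

Run it with sh; the first line prints a bare CONFIG=, the second keeps CONFIG=$1, and the third shows the dnssec_return_status line sitting directly under the TLS transport entry, which is the file layout the later posts in the thread expect.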
 
Yes
 
It gets evaluated to the associated service file's location, i.e. /etc/stubby/stubby.yml, once the router invokes the argument via the helper script.
 
so the file should be..

----cut----
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
pc_insert " - GETDNS_TRANSPORT_TLS" "dnssec_return_status: GETDNS_EXTENSION_TRUE" $CONFIG
----end cut----
 

This works even when I turn back on "Enable DNSSEC support" and "Validate unsigned DNSSEC replies" in the gui.
 
You won't need the firmware validation any more, because the built-in stubby will do the validation; you won't have to have the GUI DNSSEC option enabled. I wouldn't mix the two.
 
Code:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
pc_insert "  - GETDNS_TRANSPORT_TLS" "dnssec_return_status: GETDNS_EXTENSION_TRUE" $CONFIG

Note: the $CONFIG should be at the end of the pc_insert line.
You can also make this using the command nano /jffs/scripts/stubby.postconf,
copy and paste the script, and Ctrl-X, Y, Enter to save the file,
if you don't like the cat command style.
 
Had an issue tonight where my network wouldn't resolve www.youtube.com. RT-AC86U running 384.11 Beta2. I had DoT on with the two Cloudflare servers (1.1.1.1 and 1.0.0.1), with DNSSEC set to yes and "Validate unsigned DNSSEC replies" set to yes. This setup worked fine for about 4 hours. Then I tried to get to YouTube and found it wouldn't resolve. When I set "Validate unsigned DNSSEC replies" to no it worked again. I can get it to fail again by just setting "Validate unsigned DNSSEC replies" back to yes.

thoughts?

Okay... there's something odd about this. I have DoT enabled with the Cloudflare servers and DNSSEC enabled, as well as "Validate unsigned DNSSEC replies" checked. Youtube.com doesn't even have a DNSSEC signature to validate. You can check it here: https://dnssec-debugger.verisignlabs.com/youtube.com

Anyway, I've never had any issues with Youtube since enabling all this.
Code:
>dig youtube.com +dnssec +multi

; <<>> DiG 9.14.0 <<>> youtube.com +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52699
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1452
;; QUESTION SECTION:
;youtube.com.           IN A

;; ANSWER SECTION:
youtube.com.            175 IN A 172.217.4.78

;; Query time: 187 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Wed May 08 22:25:51 Central Daylight Time 2019
;; MSG SIZE  rcvd: 67
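The dig output above is what an unsigned name looks like through a validating resolver: the client set the EDNS "do" bit, but the reply carries no "ad" flag and no RRSIG records. The following added example (mine, not from the post) reads dig output of that shape and summarises those three indicators. Both input samples are constructed; the second one imitates a signed name (example.com, placeholder signature) so the two outcomes can be compared.

```shell
#!/bin/sh
# Added example, not from the thread: reads dig output shaped like the post
# above and summarises the three things a DNSSEC check cares about: whether the
# client asked for DNSSEC records (EDNS "do" bit), whether the resolver asserted
# validation (the "ad" header flag), and how many RRSIG records came back.
# Both samples below are constructed; the second imitates a signed zone with a
# placeholder signature.

# Reads dig text on stdin, prints "do=<0|1> ad=<0|1> rrsig=<n>".
dnssec_summary() {
    awk '
        /^; EDNS:/ && /flags:.* do/ { do_bit = 1 }
        /^;; flags:/ {
            line = $0
            sub(/^;; flags: */, "", line)
            sub(/;.*/, "", line)
            n = split(line, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1
        }
        / IN RRSIG / { rrsig++ }
        END { printf "do=%d ad=%d rrsig=%d\n", do_bit + 0, ad + 0, rrsig + 0 }
    '
}

# Turns the summary into a one-line verdict; reads dig text on stdin.
verdict() {
    s="$(dnssec_summary)"
    case "$s" in
        *"ad=1"*)   echo "validated by the resolver ($s)" ;;
        *"rrsig=0") echo "no signatures returned: unsigned zone, or the resolver did not validate ($s)" ;;
        *)          echo "signatures present but no ad flag: not validated by this resolver ($s)" ;;
    esac
}

# Constructed: the shape of the youtube.com reply in the post (no ad, no RRSIG).
SAMPLE_UNSIGNED='; <<>> DiG 9.14.0 <<>> youtube.com +dnssec +multi
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 1452
;; ANSWER SECTION:
youtube.com.            175 IN A 172.217.4.78'

# Constructed: what a validated answer for a signed name looks like
# (ad flag set, RRSIG next to the A record; the signature is a placeholder).
SAMPLE_SIGNED='; <<>> DiG 9.14.0 <<>> example.com +dnssec +multi
;; flags: qr rd ra ad; QUERY: 2, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 1452
;; ANSWER SECTION:
example.com.            3600 IN A 192.0.2.1
example.com.            3600 IN RRSIG A 13 2 3600 (
                                20190601000000 20190501000000 12345 example.com.
                                PLACEHOLDERSIGNATUREbase64== )'

printf '%s\n' "$SAMPLE_UNSIGNED" | verdict
printf '%s\n' "$SAMPLE_SIGNED"   | verdict
```

Pipe real output into it with `dig <name> +dnssec +multi | sh -c '. ./check.sh; verdict'` (file name assumed). For the post's own youtube.com output the summary is do=1 ad=0 rrsig=0: the resolver was asked for DNSSEC data and had none to return, which is exactly the "nothing to fail" situation the poster describes, so a failure on such a name points at the resolver's handling of unsigned replies rather than at a bad signature.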
 
So you can type in the address for YouTube in your browser and have no issues loading the page?
 

No problem, it loads right up in both Firefox and Chrome. Since youtube.com doesn't have a DNSSEC record to begin with, there's nothing to fail so that's why all this seems weird to me.
 
Yeah, I was having issues with Cloudflare and the built-in DNSSEC like this as well: false errors in the syslog and not loading pages that do not have DNSSEC records, like you said. I switched and tested Quad9 and Google and the issues went away.
 

I didn't think google supported DNSSEC
 
Sorry @RMerlin,
now with the 384.11 final release (AC86U), udpxy is starting at boot time but the specified multicast interface is wrong. I don't know if it's closed source or not.

In the IPTV Movistar profile, the correct video VLAN interface must be vlan2 instead of vlan6 (the data interface).

Thanks a lot.

Wait for Asus to fix it then. I have no way of testing it, and I don't know the technical details of its implementation either.
 
