What's new

[Beta] Asuswrt-Merlin 384.11 Beta is now available

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

So I need to install stubby? I thought stubby was going away now that it's functionality is built into 384.11
no stubby is built into the firmware that is why the script is going away. merlin made it possible for you to create postconf scripts for it and .add scripts for it for you to add your own modifications.
 
no stubby is built into the firmware that is why the script is going away. merlin made it possible for you to create postconf scripts for it and .add scripts for it for you to add your own modifications.

Thank you @Swistheater for being patient with my questions.. this is all new to me.
 
Alternatively you could turn off dnssec on the router and make two scripts using ssh and putty
Code:
cat << EOF > /jffs/configs/dnsmasq.conf.add
#
proxy-dnssec
EOF

and

Code:
cat << EOF > /jffs/scripts/stubby.postconf
#
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
pc_insert "  - GETDNS_TRANSPORT_TLS" "dnssec_return_status: GETDNS_EXTENSION_TRUE" $CONFIG
EOF

and type service restart_stubby
into putty terminal
then run your dnssec test - this should provide enough dnssec.
*note it will still show you fail the cloudflare test page because of their lack of dnssec support.

Any pointers for what to call the scripts? I am assuming they would go into /jffs/scripts/
 
If you copy and paste them exactly as they are they will get named as the name listed next to the cat command. The cat command makes them right after you press enter after copying and pasting it into putty. It makes the file and places it where it needs to go
 
If you copy and paste them exactly as they are they will get named as the name listed next to the cat command. The cat command makes them right after your press enter after copying and pasting it into putty.

Code:
cat << EOF > /jffs/scripts/stubby.postconf
#
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
pc_insert "  - GETDNS_TRANSPORT_TLS" "dnssec_return_status: GETDNS_EXTENSION_TRUE" $CONFIG
EOF

and type service restart_stubby
into putty terminal
then run your dnssec test - this should provide enough dnssec.
*note it will still show you fail the cloudflare test page because of their lack of dnssec support.[/QUOTE]

Is this second one right.. in the file it has
#!/bin/sh
CONFIG=
source /usr/sbin/helper.sh
pc_insert " - GETDNS_TRANSPORT_TLS" "dnssec_return_status: GETDNS_EXTENSION_TRUE"

The $1 and $CONFIG get evaluated immediately to nothing
 
Code:
cat << EOF > /jffs/scripts/stubby.postconf
#
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
pc_insert "  - GETDNS_TRANSPORT_TLS" "dnssec_return_status: GETDNS_EXTENSION_TRUE" $CONFIG
EOF

and type service restart_stubby
into putty terminal
then run your dnssec test - this should provide enough dnssec.
*note it will still show you fail the cloudflare test page because of their lack of dnssec support.

Is this second one right.. in the file it has
#!/bin/sh
CONFIG=
source /usr/sbin/helper.sh
pc_insert " - GETDNS_TRANSPORT_TLS" "dnssec_return_status: GETDNS_EXTENSION_TRUE"

The $1 and $CONFIG get evaluated immediately to nothing[/QUOTE]
Yes
 
It gets evaluated to the associated service files location I.e. /etc/stubby/stubby.yml once the router invokes the arguement via the helper script
 
It gets evaluated to the associated service files location I.e. /etc/stubby/stubby.yml once the router invokes the arguement via the helper script
so the file should be..

----cut----
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
pc_insert " - GETDNS_TRANSPORT_TLS" "dnssec_return_status: GETDNS_EXTENSION_TRUE" $CONFIG
----end cut----
 
so the file should be..

----cut----
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
pc_insert " - GETDNS_TRANSPORT_TLS" "dnssec_return_status: GETDNS_EXTENSION_TRUE" $CONFIG
----end cut----

This works even when I turn back on "Enable DNSSEC support" and "Validate unsigned DNSSEC replies" in the gui.
 
This works even when I turn back on "Enable DNSSEC support" and "Validate unsigned DNSSEC replies" in the gui.
you won't need the firmware validation any more, because the built in stubby will do the validation- you wont have to have the gui dnssec option enabled. i wouldn't mix the two.
 
Code:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
pc_insert "  - GETDNS_TRANSPORT_TLS" "dnssec_return_status: GETDNS_EXTENSION_TRUE" $CONFIG

note the $CONFIG should be at the end of the pc_insert line
you can also make this using the command nano /jffs/scripts/stubby.postconf

copy and paste the script - and ctrl-x and y enter to save the file
if you don't like the cat command style
 
Had an issue tonight where my network wouldn't resolve www.youtube.com . RT-AC86U running 384.11 Beta2. I had DoT on with the two cloudfare servers (1.1.1.1 and 1.0.0.1).. with DNSSEC to yes and "Validate unsigned DNSSEC replies" to yes. This setup worked fine for about 4 hours. Then I tried to get to youtube and found it wouldn't resolve. When I set "Validate unsigned DNSSEC replies" to no it worked again. I can get it to fail again by just setting "Validate unsigned DNSSEC replies" back to yes.

thoughts?

Okay... there's something odd about this. I have DoT enabled with the Cloudflare servers and DNSSEC enabled, as well as "Validate unsigned DNSSEC replies" checked. Youtube.com doesn't even have a DNSSEC signature to validate. You can check it here: https://dnssec-debugger.verisignlabs.com/youtube.com

Anyway, I've never had any issues with Youtube since enabling all this.
Code:
>dig youtube.com +dnssec +multi

; <<>> DiG 9.14.0 <<>> youtube.com +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52699
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1452
;; QUESTION SECTION:
;youtube.com.           IN A

;; ANSWER SECTION:
youtube.com.            175 IN A 172.217.4.78

;; Query time: 187 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Wed May 08 22:25:51 Central Daylight Time 2019
;; MSG SIZE  rcvd: 67
 
Okay... there's something odd about this. I have DoT enabled with the Cloudflare servers and DNSSEC enabled, as well as "Validate unsigned DNSSEC replies" checked. Youtube.com doesn't even have a DNSSEC signature to validate. You can check it here: https://dnssec-debugger.verisignlabs.com/youtube.com

Anyway, I've never had any issues with Youtube since enabling all this.
Code:
>dig youtube.com +dnssec +multi

; <<>> DiG 9.14.0 <<>> youtube.com +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52699
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1452
;; QUESTION SECTION:
;youtube.com.           IN A

;; ANSWER SECTION:
youtube.com.            175 IN A 172.217.4.78

;; Query time: 187 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Wed May 08 22:25:51 Central Daylight Time 2019
;; MSG SIZE  rcvd: 67
so you can type in the address for youtube in your browser and no issues loading this page?
 
Last edited:
so you can type in the address for youtube in your browser and no issues loading this page?

No problem, it loads right up in both Firefox and Chrome. Since youtube.com doesn't have a DNSSEC record to begin with, there's nothing to fail so that's why all this seems weird to me.
 
No problem, it loads right up in both Firefox and Chrome. Since youtube.com doesn't have a DNSSEC record to begin with, there's nothing to fail so that's why all this seems weird to me.
yea i was having issues with cloudflare and the dnssec built in like this as well-- false errors inside the syslog and not loading pages that do not have dnssec records like you said- i switch and tested quad 9 and google and the issues went away.
 
yea i was having issues with cloudflare and the dnssec built in like this as well-- false errors inside the syslog and not loading pages that do not have dnssec records like you said- i switch and tested quad 9 and google and the issues went away.

I didn't think google supported DNSSEC
 
Sorry @RMerlin ,
now with 384.11 final release (AC86u), udpxy is starting at boot time but the spicified multicast interface is wrong. I don't know if it's closed source or not.

in iptv movistar profile, the correct video vlan interface must be vlan2 instead vlan6 (data interface)

thanks a lot

Wait for Asus to fix it then. I have no way of testing it, and I don't know the technical details of its implementation either.
 

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top