DoT on 86u


maxsteel

Regular Contributor
Hello,

Is it possible to set up Cloudflare as DNS over TLS on an 86u router with Merlin firmware? If so, how?

Thanks,
 
Check/search for Unbound; maybe that can work. Don't think the Stubby installer works with the 86u yet.
 

I proposed how I'd like to see it with DNSFilter to force Cloudflare DoH and/or DoT on local clients here

https://www.snbforums.com/threads/question-about-dns-filtering.47739/#post-446236

and more clear starting here:
https://www.snbforums.com/threads/question-about-dns-filtering.47739/#post-446245

I envision having the Global Filter Mode option Cloudflare HTTPS (or 1.1.1.1 HTTPS) listed/available with those other 5 options currently there. The router code handles HTTPS required with Cloudflare's servers. Maybe TLS option as well but probably only need one.

So, the local network clients wouldn't change anything; the router admin would simply select Cloudflare HTTPS under DNSFilter Global Filter Mode. Cloudflare's servers are public and free, so there's no need for an account and DNSOMatic as with OpenDNS.

I'd be fine with a Cloudflare TLS | Cloudflare DoT option instead of a HTTPS / DoH option. Firefox only supports HTTPS but I didn't even realize the 1.1.1.1 android app supports both.

I'll read up on why DoT may be better and switch accordingly.

Regardless, the router would handle this. The local clients would be configured as they are now, with the router intercepting the requests (except the phones/tablets running the 1.1.1.1 app).


 
Code:
opkg remove stubby --autoremove
opkg install /path/getdns_1.5.0-tls1.3_aarch64-3.10.ipk
opkg install /path/stubby_0.2.4-tls1.3_aarch64-3.10.ipk
opkg install fake-hwclock haveged
nano /opt/etc/init.d/S61stubby
Code:
#!/bin/sh

ENABLED=yes
PROCS=stubby
ARGS="-C /opt/etc/stubby/stubby.yml"
PREARGS="nohup"
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/etc/init.d/rc.func

chmod 755 /opt/etc/init.d/S61stubby

nano /opt/etc/stubby/stubby.yml
Code:
#NOTE: See '/etc/stubby/stubby.yml.default' for original config file and descriptions

resolution_type: GETDNS_RESOLUTION_STUB

dns_transport_list:
  - GETDNS_TRANSPORT_TLS

tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_min_version: GETDNS_TLS1_3
tls_ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
tls_query_padding_blocksize: 128
edns_client_subnet_private: 1
round_robin_upstreams: 1
idle_timeout: 10000

listen_addresses:
  - 127.0.0.1@5453
#  -  0::1@5453

upstream_recursive_servers:
# IPv6 addresses
# # Cloudflare IPv6
#  - address_data: 2606:4700:4700::1111
#    tls_auth_name: "cloudflare-dns.com"

# # Quad 9 IPv6
#  - address_data: 2620:fe::10
#    tls_auth_name: "dns.quad9.net"

# IPv4 addresses
# # Cloudflare servers
# no trailing comma after the address: getdns expects a bare IP here
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"

# Quad 9 service
#  - address_data: 9.9.9.10
#    tls_auth_name: "dns.quad9.net"

nano /jffs/configs/dnsmasq.conf.add
Code:
no-resolv
server=127.0.0.1#5453
chmod +x /jffs/configs/dnsmasq.conf.add

Code:
echo "cru a SaveSystemTime \"0 * * * * /opt/bin/fake-hwclock\"" >> /jffs/scripts/services-start
cru a SaveSystemTime "0 * * * * /opt/bin/fake-hwclock"
/opt/etc/init.d/S01fake-hwclock stop
/opt/etc/init.d/S02haveged start
/opt/etc/init.d/S61stubby start
service restart_dnsmasq

WAN -> Internet Connection -> WAN DNS Setting
Connect to DNS Server automatically -> No
DNS Server1 -> blank
DNS Server2 -> blank
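As an added example, not from the original post and not code from the Stubby/getdns project, here is a minimal Python DNS-over-TLS client that does by hand what the upstream_recursive_servers entries in the stubby.yml above configure: open a TLS connection to 1.1.1.1 on port 853, authenticate the server certificate against the name cloudflare-dns.com (the tls_auth_name), and exchange one length-prefixed DNS message as RFC 7858 requires. The wire-format builder and parser are exercised against a response constructed inline (not captured from a real server); the live query in main needs network access and a correct system clock, because with authentication required a wrong clock makes certificate validation fail instead of silently downgrading.

```python
import secrets
import socket
import ssl
import struct

DOT_PORT = 853              # DNS-over-TLS port (RFC 7858)
TYPE_A, TYPE_AAAA = 1, 28


def build_query(qname, qtype=TYPE_A, txid=None):
    """DNS wire-format query: 12-byte header with RD=1 plus one question."""
    txid = secrets.randbelow(0x10000) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def _read_name(msg, offset):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:           # compression pointer (RFC 1035 4.1.4)
            hops += 1
            if hops > 16:                   # refuse pointer loops in hostile input
                raise ValueError("compression pointer loop")
            end = offset + 2 if end is None else end
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_response(msg, expected_txid):
    """Return (rcode, [(name, type, ttl, value), ...]) for a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    offset = 12
    for _ in range(qd):                     # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = _read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        rdata, offset = msg[offset + 10:offset + 10 + rdlen], offset + 10 + rdlen
        if rtype == TYPE_A and rdlen == 4:
            value = socket.inet_ntoa(rdata)
        elif rtype == TYPE_AAAA and rdlen == 16:
            value = socket.inet_ntop(socket.AF_INET6, rdata)
        else:
            value = rdata.hex()
        answers.append((name, rtype, ttl, value))
    return flags & 0xF, answers


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("upstream closed the TLS stream")
        buf += chunk
    return buf


def dot_query(qname, server_ip="1.1.1.1", auth_name="cloudflare-dns.com",
              qtype=TYPE_A, timeout=5.0):
    """One query over TLS. create_default_context() verifies the chain against the
    system CA store and the cert name against auth_name: the equivalent of
    tls_authentication REQUIRED plus tls_auth_name in stubby.yml."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    query = build_query(qname, qtype)
    txid = struct.unpack("!H", query[:2])[0]
    with socket.create_connection((server_ip, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)   # 2-byte length prefix
            length = struct.unpack("!H", _recv_exact(tls, 2))[0]
            return parse_response(_recv_exact(tls, length), txid)


# Constructed sample (not captured from a real server): response to txid 0x1234 for
# example.com/A with one answer whose name is a compression pointer (0xC00C).
SAMPLE_QUERY = build_query("example.com", TYPE_A, txid=0x1234)
SAMPLE_RESPONSE = (bytes.fromhex("1234 8180 0001 0001 0000 0000") + SAMPLE_QUERY[12:]
                   + bytes.fromhex("c00c 0001 0001 00000e10 0004 5db8d822"))

if __name__ == "__main__":
    print("offline parse:", parse_response(SAMPLE_RESPONSE, 0x1234))
    try:
        print("live DoT:", dot_query("example.com"))
    except ssl.SSLCertVerificationError as e:
        # Wrong auth_name, an interception box, or a badly wrong clock (cert
        # "not yet valid"/expired) all fail here instead of downgrading silently.
        print("TLS authentication failed; check tls_auth_name and the clock:", e)
    except OSError as e:
        print("no network or port 853 blocked:", e)
```

The point of `server_hostname=auth_name` with the default context is the same as `GETDNS_AUTHENTICATION_REQUIRED`: the IP in `address_data` only says where to connect, and the name in `tls_auth_name` is what the certificate is checked against. Leaving either check out would let anything answering on 853 impersonate the resolver.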
 
Code:
opkg install stubby fake-hwclock
opkg install /path/getdns_1.4.2-1a_aarch64-3.10.ipk

So I tried above and I get this:

Code:
@RT-AC86U-99A8:/tmp/home/root# opkg install /path/getdns_1.4.2-1a_aarch64-3.10.ipk
Collected errors:
 * wfopen: /path/getdns_1.4.2-1a_aarch64-3.10.ipk: No such file or directory.
 * pkg_init_from_file: Failed to extract control file from /path/getdns_1.4.2-1a_aarch64-3.10.ipk.

Any idea what I am doing wrong? Again, I installed Stubby first and now I am following these steps to apply the patch. Was able to do all the other steps with no issues.

Thank you
 
Keep in mind that the resolver test for DNSSEC only tests that the resolver you use is able to do DNSSEC. Cloudflare has a test for DoT and DoH but as soon as you add DNSSEC the test fails.
The Stubby add on with Merlin DNSSEC is working well for me with Cloudflare. Cleanbrowsing resolvers also seem to work well. Mixed results with others.

 
Tried to install it for the second time on my AC86U and it still failed. Used the original instructions and the patch ones but still not able to start Stubby. The internet stops and on the WAN tab the router IP is inserted under DNS 1. I understand that Stubby is doing this somehow.

Also, downloading the getdns package does not work from above command. I am thinking that is why my install is not going as expected.

Steps I followed:

1. Installed Stubby by using the original curl per @Xentrk. This stops my internet completely and the Network Map shows my internet status as Disconnected.

2. I completely uninstalled/wiped out my VPN profiles thinking that this was the culprit but didn’t help out at all.

3. Then tried to install the patch for Stubby using @Odkrys instructions but then I realized that I had to have an internet connection in order to download Stubby packages.

4. This forced me to wipe out my router's IP from the WAN tab and include Cloudflare's DNS servers there instead.

5. Now I have internet connection established I was able to install fake-hwclock as described via above command but not the getdns one. See my previous post on the error that I get when I try to install that.

6. Was able to follow the other steps in the patch installation but when attempting to see if Stubby is working by using the “check” command I get the: Stubby........dead.

7. Uninstalled Stubby using the initial curl and reinstalled it again but no success. Going back to DNSCrypt and installed my VPN client config. Everything is working just fine now.


Unless someone is willing to re-write the entire installation guide, combining the original instructions and those from the patch into very clear, thorough, step-by-step instructions, I guess I will have to wait until there is a more complete script to install Stubby on the AC86U in the future.




 
path means the location of the ipk file lol.

e.g.) opkg install /opt/getdns_1.4.2-1a_aarch64-3.10.ipk
opkg install /mnt/sda1/~~~~/getdns_1.4.2-1a_aarch64-3.10.ipk
 
Got ya! Thank you!


 

To clarify....after a successful installation of Stubby, do the DNS settings stay as:

DNS 1 = router’s IP

DNS = null ?





 
And does such a WAN DNS setup cause any interference with Diversion (more specifically pixelserv), since the latter uses xxx.xxx.xx.2 as an IP?
 
Do you mean the DNS settings in the LAN tab?
LAN DNS pushes a specific DNS server to clients if you set it. Normally it doesn't need to change.
WAN DNS should be null.
No idea about Diversion; maybe it will not interfere with it.
 
No, the DNS settings under the WAN tab (Automatically connect to the DNS servers Yes or No).



 
When I install Stubby using the original curl, it automatically places my router’s IP on one of the DNS IP spaces under the WAN tab and my internet stops completely. Whereas the second space is null.


 
But then do I leave this “Automatically connect to DNS” setting as Yes or No?


 
Check the time on your router. Stubby will not allow the time to sync on router start. Fix this by using a time server IP address in lieu of a URL or the fix Skeal came up with.

 