[Fork] Asuswrt-Merlin 374.43 LTS - DNS over TLS Beta - CLOSED

[jrmwvu04]

I upgraded to the B6 from the B5 without doing a factory reset and now my wireless clients don't show in the network map, but they do show in the log and they are connected.

I don't mind, but I thought people will like to know.

No problems here on B6. I never loaded B5 though, if that could make any difference. Straight from B1, haven't factory reset in quite a while now.

 

[joe a]

No problems here on B6. I never loaded B5 though, if that could make any difference. Straight from B1, haven't factory reset in quite a while now.

Should there be a Stubby log file? I don't see that either. I don't mean to be difficult.

The "/tmp/var/tmp/stubby" folder is empty.

 

[joe a]

No problems here on B6. I never loaded B5 though, if that could make any difference. Straight from B1, haven't factory reset in quite a while now.

Mea culpa. I re-applied the update, and everything seems ok, again.

 

[john9527]

Should I have done a factory reset?

No, no factory reset should be needed.

The only other thing that I've seen cause networkmap not to populate is that a client gets 'stuck' in an arpstorm (I have a HDHomerun Prime that does this about once every 6 months....Apple TV can sometimes also get stuck like that). If it happens again there is some debug code that can be turned on to isolate the device.

See your post that reloading cleared it....router gremlins at work....

 

[JWoo]

Stubby folder is empty for me too. Very progressive to introduce DNS encryption for us! Below are my settings

Lots of log file activity... Does this look normal (for example "syslog: password for 'admin' changed" and "WAN_Connection: ISP's DHCP did not function properly.") .... Let me know if this looks correct..

 

[john9527]

Should there be a Stubby log file? I don't see that either. I don't mean to be difficult.

The "/tmp/var/tmp/stubby" folder is empty.

The logging in stubby is VERY minimal.....errors only....no file...no errors....
In fact, all of the syslog entries are ones that I generate otherwise it would be dead quiet.

The development team has hinted that they intend some improvements here.

 

[blueshark]

I can't install on my router and I am on last stock version

 

[john9527]

Stubby folder is empty for me too. Very progressive to introduce DNS encryption for us! Below are my settings

View attachment 14009

Lots of log file activity... Does this look normal (for example "syslog: password for 'admin' changed" and "WAN_Connection: ISP's DHCP did not function properly.") .... Let me know if this looks correct..

Regarding your config.....it's fine. Just be aware that the google servers won't be used at all with DoT active.

On the logs.....
I have never seen the 'password changed' message myself, although I've seen it in some logs. What router do you have?

The 'DHCP did not function properly' will generally show up once on every boot (it's a timing artifact where the first time it tries to connect all the services may not be up yet). Only worry if it shows up after boot completes.

 

[JWoo]

I can't install on my router and I am on last stock version

Probably the firmware checking introduced by Asus. You could put the TRX file on a USB drive and do as follows

cd tmp/mnt
ls

/tmp/mnt/*/

Regarding your config.....it's fine. Just be aware that the google servers won't be used at all with DoT active.

On the logs.....
I have never seen the 'password changed' message myself, although I've seen it in some logs. What router do you have?

The 'DHCP did not function properly' will generally show up once on every boot (it's a timing artifact where the first time it tries to connect all the services may not be up yet). Only worry if it shows up after boot completes.

You rock! I have the RT-AC68U

 

[john9527]

I can't install on my router and I am on last stock version

To move from stock/Merlin to this fork you need to use the Firmware Recovery Tool or CFE mini-server. There are instructions in my main LTS fork thread (sticky near the top of the page).

 

[john9527]

On the logs.....
I have never seen the 'password changed' message myself, although I've seen it in some logs.

@JWoo
Do you have the FTP server or any AICloud functions active?

 

[jeff288]

Aug 11 17:43:45 (none) daemon.info dnsmasq[703]: using nameserver 127.0.0.1#5453

B6 on N66U with DoTLS, working well. Good work, John. You saved many people on having to buy new routers when these older models work well for the majority of us using "high speed broadband", well, by American standards. 10mb ftw!

 

[ColinTaylor]

The logging in stubby is VERY minimal.....errors only....no file...no errors....
In fact, all of the syslog entries are ones that I generate otherwise it would be dead quiet.

The development team has hinted that they intend some improvements here.

With the log level set to 7 the output goes to stdout so there's nothing in this file. Is it worth also redirecting stdout or do you want just errors in this file?

I see that there are now some extra messages on startup that have strange characters .

dict_get_names: append ØR dns_transport_list
dict_get_names: append ØR edns_client_subnet_private
dict_get_names: append ØR idle_timeout
dict_get_names: append ØR resolution_type
dict_get_names: append ØR round_robin_upstreams
dict_get_names: append ØR tls_query_padding_blocksize
dict_get_names: append x appdata_dir
dict_get_names: append x dns_transport_list
dict_get_names: append x edns_client_subnet_private
dict_get_names: append x idle_timeout
dict_get_names: append x resolution_type
dict_get_names: append x round_robin_upstreams
dict_get_names: append x tls_authentication
dict_get_names: append x tls_backoff_time
dict_get_names: append x tls_ca_file
dict_get_names: append x tls_query_padding_blocksize
dict_get_names: append x upstream_recursive_servers
[23:11:43.748904] STUBBY: Read config from file /etc/stubby.yml
dict_get_names: append È all_context
dict_get_names: append È api_version_number
dict_get_names: append È api_version_string
dict_get_names: append È compilation_comment
dict_get_names: append È default_hosts_location
dict_get_names: append È default_resolvconf_location
dict_get_names: append È default_trust_anchor_location
dict_get_names: append È implementation_string
dict_get_names: append È openssl_build_version_number
dict_get_names: append È resolution_type
dict_get_names: append È version_number
dict_get_names: append È version_string
dict_get_names: append È add_warning_for_bad_dns
dict_get_names: append È appdata_dir
dict_get_names: append È append_name
dict_get_names: append È dns_transport_list
dict_get_names: append È dnssec_allowed_skew
dict_get_names: append È dnssec_return_all_statuses
dict_get_names: append È dnssec_return_full_validation_chain
dict_get_names: append È dnssec_return_only_secure
dict_get_names: append È dnssec_return_status
dict_get_names: append È dnssec_return_validation_chain
dict_get_names: append È edns_client_subnet_private
dict_get_names: append È edns_cookies
dict_get_names: append È edns_do_bit
dict_get_names: append È edns_extended_rcode
dict_get_names: append È edns_version
dict_get_names: append È follow_redirects
dict_get_names: append È hosts
dict_get_names: append È idle_timeout
dict_get_names: append È limit_outstanding_queries
dict_get_names: append È max_backoff_value
dict_get_names: append È namespaces
dict_get_names: append È resolution_type
dict_get_names: append È resolvconf
dict_get_names: append È return_both_v4_and_v6
dict_get_names: append È return_call_reporting
dict_get_names: append È round_robin_upstreams
dict_get_names: append È specify_class
dict_get_names: append È suffix
dict_get_names: append È timeout
dict_get_names: append È tls_authentication
dict_get_names: append È tls_backoff_time
dict_get_names: append È tls_ca_file
dict_get_names: append È tls_cipher_list
dict_get_names: append È tls_connection_retries
dict_get_names: append È tls_query_padding_blocksize
dict_get_names: append È trust_anchors_url
dict_get_names: append È trust_anchors_verify_CA
dict_get_names: append È trust_anchors_verify_email
dict_get_names: append È upstream_recursive_servers
[23:11:44.749594] STUBBY: 9.9.9.9                                  : Conn opened: TLS - Strict Profile
[23:11:44.820149] STUBBY: 9.9.9.9                                  : Verify passed : TLS
[23:11:54.876757] STUBBY: 9.9.9.9                                  : Conn closed: TLS - Resps=     2, Timeouts  =     0, Curr_auth =Success, Keepalive(ms)= 10000
[23:11:54.877000] STUBBY: 9.9.9.9                                  : Upstream   : TLS - Resps=     2, Timeouts  =     0, Best_auth =Success
[23:11:54.877128] STUBBY: 9.9.9.9                                  : Upstream   : TLS - Conns=     1, Conn_fails=     0, Conn_shuts=      0, Backoffs     =     0
[23:12:15.075370] STUBBY: 9.9.9.9                                  : Conn opened: TLS - Strict Profile
[23:12:26.496726] STUBBY: 9.9.9.9                                  : Conn closed: TLS - Resps=     2, Timeouts  =     0, Curr_auth =Success, Keepalive(ms)= 10000
[23:12:26.496930] STUBBY: 9.9.9.9                                  : Upstream   : TLS - Resps=     4, Timeouts  =     0, Best_auth =Success
[23:12:26.497059] STUBBY: 9.9.9.9                                  : Upstream   : TLS - Conns=     2, Conn_fails=     0, Conn_shuts=      0, Backoffs     =     0
[23:12:45.302743] STUBBY: 9.9.9.9                                  : Conn opened: TLS - Strict Profile
[23:12:45.371450] STUBBY: 9.9.9.9                                  : Verify passed : TLS
[23:13:06.256753] STUBBY: 9.9.9.9                                  : Conn closed: TLS - Resps=     4, Timeouts  =     0, Curr_auth =Success, Keepalive(ms)= 10000
[23:13:06.256945] STUBBY: 9.9.9.9                                  : Upstream   : TLS - Resps=     8, Timeouts  =     0, Best_auth =Success
[23:13:06.257072] STUBBY: 9.9.9.9                                  : Upstream   : TLS - Conns=     3, Conn_fails=     0, Conn_shuts=      0, Backoffs     =     0
[23:13:45.915406] STUBBY: 9.9.9.9                                  : Conn opened: TLS - Strict Profile
[23:14:03.756920] STUBBY: 9.9.9.9                                  : Conn closed: TLS - Resps=     3, Timeouts  =     0, Curr_auth =Success, Keepalive(ms)= 10000
[23:14:03.757110] STUBBY: 9.9.9.9                                  : Upstream   : TLS - Resps=    11, Timeouts  =     0, Best_auth =Success

 

[john9527]

With the log level set to 7 the output goes to stdout so there's nothing in this file. Is it worth also redirecting stdout or do you want just errors in this file?

I'm looking at that now....was thinking about no log data at all in the log file. Turns out I needed to educate myself. You can't redirect output from a daemon....you need to run some special calls to set up the file and make the switch. (And I need to add a new option to stubby to support it).
One thing I'm afraid of with doing everything, is that it will be easy to overrun the log with the all the TLS negotiation info (and fill up /tmp).

I see that there are now some extra messages on startup that have strange characters .

Some of my debug code....they should really be long ints, but I never bothered to update it. I'm going to pull out all my debug stuff for the final release.

 

[john9527]

Aug 11 17:43:45 (none) daemon.info dnsmasq[703]: using nameserver 127.0.0.1#5453

B6 on N66U with DoTLS, working well. Good work, John. You saved many people on having to buy new routers when these older models work well for the majority of us using "high speed broadband", well, by American standards. 10mb ftw!

Thanks for the confirmation on the N66!

 

[ColinTaylor]

One thing I'm afraid of with doing everything, is that it will be easy to overrun the log with the all the TLS negotiation info (and fill up /tmp).

Yes I was concerned about that as well. Over a 24 hour period my log file had 8625 lines and was 1,200,571 bytes in size. At that rate all my free RAM would be consumed in about 109 days.

EDIT: That's with just one upstream server being used. I'd guess that if you were using say 4 in round robin it would fill up much faster.

 

[JWoo]

Here is my sequence before and after the "password for admin changed" message. I do not have FTP active or AI Cloud.

Dec 31 18:00:30 stop_nat_rules: apply the redirect_rules!
Dec 31 18:00:30 stop_nat_rules: (/tmp/redirect_rules) success!
Dec 31 18:00:30 WAN_Connection: ISP's DHCP did not function properly.
Dec 31 18:00:30 haveged: haveged starting up
Dec 31 18:00:30 syslog: password for 'admin' changed
Dec 31 18:00:30 stubby-proxy: configured no-TLS mode
Dec 31 18:00:30 stubby-proxy: configured server 'Cloudflare' at address 1.1.1.1:853
Dec 31 18:00:30 stubby-proxy: configured server 'Cloudflare_alt' at address 1.0.0.1:853
Dec 31 18:00:30 stubby-proxy: configured server 'Quad 9' at address 9.9.9.9:853
Dec 31 18:00:31 stubby-proxy: start stubby (0)

 

[dcguru]

Aug 11 17:43:45 (none) daemon.info dnsmasq[703]: using nameserver 127.0.0.1#5453

B6 on N66U with DoTLS, working well. Good work, John. You saved many people on having to buy new routers when these older models work well for the majority of us using "high speed broadband", well, by American standards. 10mb ftw!

Totally agree, as someone who was trying (and failing) to get dnscryptproxy setup on the N66U because the packages wouldn't run on MIPS this is big news. Will be finding some time to flash this very shortly!

Thank you John

 

[bbunge]

Before I try it, is SMB2 included in this version?

Sent from my P01M using Tapatalk

 

[john9527]

Before I try it, is SMB2 included in this version?

Sent from my P01M using Tapatalk

Yes sir....the default is SMB1+SMB2 support for backwards compatibility. Can be changed to just SMB2.