D
Deleted member 27741
Guest
I have noticed my dns getting a bit buggy and would like to update stubby. Is there a reasonably simple way to do this?
I have noticed my dns getting a bit buggy and would like to update stubby. Is there a reasonably simple way to do this?
John’s dev build 40E9 contains newer Stubby/GetDNS code, but it’s broken on MIPS routers.Thanks, rmerlin. In that case I will look into my stubby settings and see if I can find something that works reliably for me.
Thanks, rmerlin. In that case I will look into my stubby settings and see if I can find something that works reliably for me.
Cloudflare by any chance? I can’t say whether it is cloudflare, 40E9, some combination of both, or none of the above, but I started having a lot of lookup problems with it a few weeks ago. After some troubleshooting, switching off DoT and using typical dns fixed it.John’s dev build 40E9 contains newer Stubby/GetDNS code, but it’s broken on MIPS routers.
Yup, I had this problem since long ago, because the router seems to need DNS resolving before it is able to properly start Entware and DoT. I solved it this way: flashed OpenWRT to an old RT-N16, which has become my DNS server (running stubby). Both my routers are behind the modem/router from my internet provider.Cloudflare by any chance? I can’t say whether it is cloudflare, 40E9, some combination of both, or none of the above, but I started having a lot of lookup problems with it a few weeks ago. After some troubleshooting, switching off DoT and using typical dns fixed it.
I created a stubby.postconf for the fork that ensures Stubby can resolve hostnames apart from dnsmasq during startup. Stole the idea from Merlin’s implementation.Yup, I had this problem since long ago, because the router seems to need DNS resolving before it is able to properly start Entware and DoT. I solved it this way: flashed OpenWRT to an old RT-N16, which has become my DNS server (running stubby). Both my routers are behind the modem/router from my internet provider.
#!/bin/sh
. /usr/sbin/helper.sh
CONFIG="$1"
[ $(uname -o) = "ASUSWRT-Merlin-LTS" ] && pc_append 'resolvconf: "/tmp/resolv.conf"' "$CONFIG"
Same here .. cloudflare issues started a few weeks ago.Cloudflare by any chance? I can’t say whether it is cloudflare, 40E9, some combination of both, or none of the above, but I started having a lot of lookup problems with it a few weeks ago. After some troubleshooting, switching off DoT and using typical dns fixed it.
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
pc_replace "tls_min_version: GETDNS_TLS1_3" "tls_min_version: GETDNS_TLS1_2" $CONFIG
chmod 777 /jffs/scripts/stubby.postconf
Like mentioned above .. have a try to add "tmp/resolv.conf".This fixed the Cloudflare DoT issue for me:
Save this file as /jffs/scripts/stubby.postconf
Run this command to make the file executable:Code:#!/bin/sh CONFIG=$1 source /usr/sbin/helper.sh pc_replace "tls_min_version: GETDNS_TLS1_3" "tls_min_version: GETDNS_TLS1_2" $CONFIG
Then reboot the routerCode:chmod 777 /jffs/scripts/stubby.postconf
I created a stubby.postconf for the fork that ensures Stubby can resolve hostnames apart from dnsmasq during startup. Stole the idea from Merlin’s implementation.
Code:#!/bin/sh . /usr/sbin/helper.sh CONFIG="$1" [ $(uname -o) = "ASUSWRT-Merlin-LTS" ] && pc_append 'resolvconf: "/tmp/resolv.conf"' "$CONFIG"
I created a stubby.postconf for the fork that ensures Stubby can resolve hostnames apart from dnsmasq during startup. Stole the idea from Merlin’s implementation.
Code:#!/bin/sh . /usr/sbin/helper.sh CONFIG="$1" [ $(uname -o) = "ASUSWRT-Merlin-LTS" ] && pc_append 'resolvconf: "/tmp/resolv.conf"' "$CONFIG"
resolvconf: "/tmp/resolv.conf"
tail -f /var/tmp/stubby/stubby.log
[10:14:21.487405] STUBBY: *FAILURE* no valid transports or upstreams available!
[10:14:21.531755] STUBBY: *FAILURE* no valid transports or upstreams available!
[10:14:38.400879] STUBBY: *FAILURE* no valid transports or upstreams available!
[10:14:48.018173] STUBBY: *FAILURE* no valid transports or upstreams available!
[10:14:53.828763] STUBBY: *FAILURE* no valid transports or upstreams available!
[10:14:56.820409] STUBBY: *FAILURE* no valid transports or upstreams available!
[10:14:56.820724] STUBBY: *FAILURE* no valid transports or upstreams available!
[10:14:56.820957] STUBBY: *FAILURE* no valid transports or upstreams available!
[10:14:56.821249] STUBBY: *FAILURE* no valid transports or upstreams available!
stubby -C /etc/stubby.yml -l
[10:45:26.260719] STUBBY: Read config from file /etc/stubby.yml
[10:45:26.261528] STUBBY: DNSSEC Validation is OFF
[10:45:26.261614] STUBBY: Transport list is:
[10:45:26.261663] STUBBY: - TLS
[10:45:26.261719] STUBBY: Privacy Usage Profile is Strict (Authentication required)
[10:45:26.261773] STUBBY: (NOTE a Strict Profile only applies when TLS is the ONLY transport!!)
[10:45:26.261820] STUBBY: Starting DAEMON....
[10:45:28.540867] STUBBY: --- SETUP(TLS): : Verify locations loaded
[10:45:28.541406] STUBBY: 1.1.1.1 : Conn opened: TLS - Strict Profile
[10:45:28.576086] STUBBY: 1.1.1.1 : Conn closed: TLS - *Failure*
[10:45:28.576563] STUBBY: 1.0.0.1 : Conn opened: TLS - Strict Profile
[10:45:28.576785] STUBBY: 1.1.1.1 : Conn closed: TLS - Resps= 0, Timeouts = 0, Curr_auth = None, Keepalive(ms)= 0
[10:45:28.577055] STUBBY: 1.1.1.1 : Upstream : TLS - Resps= 0, Timeouts = 0, Best_auth = None
[10:45:28.577292] STUBBY: 1.1.1.1 : Upstream : TLS - Conns= 0, Conn_fails= 1, Conn_shuts= 0, Backoffs = 0
[10:45:28.611253] STUBBY: 1.0.0.1 : Conn closed: TLS - *Failure*
[10:45:28.611842] STUBBY: 1.1.1.1 : Conn opened: TLS - Strict Profile
[10:45:28.612057] STUBBY: *FAILURE* no valid transports or upstreams available!
[10:45:28.613141] STUBBY: 1.0.0.1 : Conn closed: TLS - Resps= 0, Timeouts = 0, Curr_auth = None, Keepalive(ms)= 0
[10:45:28.613462] STUBBY: 1.0.0.1 : Upstream : TLS - Resps= 0, Timeouts = 0, Best_auth = None
[10:45:28.613701] STUBBY: 1.0.0.1 : Upstream : TLS - Conns= 0, Conn_fails= 1, Conn_shuts= 0, Backoffs = 0
[10:45:28.653157] STUBBY: 1.1.1.1 : Conn closed: TLS - *Failure*
[10:45:28.653755] STUBBY: 1.0.0.1 : Conn opened: TLS - Strict Profile
[10:45:28.653980] STUBBY: 1.1.1.1 : Conn closed: TLS - Resps= 0, Timeouts = 0, Curr_auth = None, Keepalive(ms)= 0
[10:45:28.654248] STUBBY: 1.1.1.1 : Upstream : TLS - Resps= 0, Timeouts = 0, Best_auth = None
[10:45:28.654485] STUBBY: 1.1.1.1 : Upstream : TLS - Conns= 0, Conn_fails= 2, Conn_shuts= 0, Backoffs = 0
[10:45:28.688670] STUBBY: 1.0.0.1 : Conn closed: TLS - *Failure*
[10:45:28.689263] STUBBY: 1.1.1.1 : Conn opened: TLS - Strict Profile
[10:45:28.689472] STUBBY: *FAILURE* no valid transports or upstreams available!
[10:45:28.689922] STUBBY: 1.0.0.1 : Conn closed: TLS - Resps= 0, Timeouts = 0, Curr_auth = None, Keepalive(ms)= 0
[10:45:28.690224] STUBBY: 1.0.0.1 : Upstream : TLS - Resps= 0, Timeouts = 0, Best_auth = None
[10:45:28.690465] STUBBY: 1.0.0.1 : Upstream : TLS - Conns= 0, Conn_fails= 2, Conn_shuts= 0, Backoffs = 0
[10:45:28.715978] STUBBY: 1.1.1.1 : Conn closed: TLS - *Failure*
[10:45:28.716557] STUBBY: 1.0.0.1 : Conn opened: TLS - Strict Profile
[10:45:28.716776] STUBBY: 1.1.1.1 : Conn closed: TLS - Resps= 0, Timeouts = 0, Curr_auth = None, Keepalive(ms)= 0
[10:45:28.717043] STUBBY: 1.1.1.1 : Upstream : TLS - Resps= 0, Timeouts = 0, Best_auth = None
[10:45:28.717283] STUBBY: 1.1.1.1 : Upstream : TLS - Conns= 0, Conn_fails= 3, Conn_shuts= 0, Backoffs = 0
[10:45:28.756008] STUBBY: 1.0.0.1 : Conn closed: TLS - *Failure*
[10:45:28.756582] STUBBY: 1.1.1.1 : Conn opened: TLS - Strict Profile
[10:45:28.756794] STUBBY: *FAILURE* no valid transports or upstreams available!
tls_min_version: GETDNS_TLS1_2
idle_timeout: 10000
timeout: 3000
resolvconf: "/tmp/resolv.conf"
There is nothing bad about guest network (only a second beacon is sent out using about 1% airtime, not worth to mention), you could even hide it.So I can avoid having a guest network spinned up just for this reason?
Here AC56U with 40E9, using stubby with Cleanbrowsing. I don't have this problem. Too lazy to try Quad1.Qickly tested this stuff ..
The stubby.postconf script is adding ..in to stubby.yml .. same if you add the line to stubby.yml.add .. 2 ways to reach the same result.Code:resolvconf: "/tmp/resolv.conf"
Nevertheless it's not working .. still get tons of timeouts ..
I have RT-AC68U device running on 40E9 now .. same problem with 39E3.
How to get (back) stable TLS_V13 connection with cloudflare (1.1.1.1) ?
Can you runQickly tested this stuff ..
The stubby.postconf script is adding ..in to stubby.yml .. same if you add the line to stubby.yml.add .. 2 ways to reach the same result.Code:resolvconf: "/tmp/resolv.conf"
Nevertheless it's not working .. still get tons of timeouts ..
Code:tail -f /var/tmp/stubby/stubby.log [10:14:21.487405] STUBBY: *FAILURE* no valid transports or upstreams available! [10:14:21.531755] STUBBY: *FAILURE* no valid transports or upstreams available! [10:14:38.400879] STUBBY: *FAILURE* no valid transports or upstreams available! [10:14:48.018173] STUBBY: *FAILURE* no valid transports or upstreams available! [10:14:53.828763] STUBBY: *FAILURE* no valid transports or upstreams available! [10:14:56.820409] STUBBY: *FAILURE* no valid transports or upstreams available! [10:14:56.820724] STUBBY: *FAILURE* no valid transports or upstreams available! [10:14:56.820957] STUBBY: *FAILURE* no valid transports or upstreams available! [10:14:56.821249] STUBBY: *FAILURE* no valid transports or upstreams available! stubby -C /etc/stubby.yml -l [10:45:26.260719] STUBBY: Read config from file /etc/stubby.yml [10:45:26.261528] STUBBY: DNSSEC Validation is OFF [10:45:26.261614] STUBBY: Transport list is: [10:45:26.261663] STUBBY: - TLS [10:45:26.261719] STUBBY: Privacy Usage Profile is Strict (Authentication required) [10:45:26.261773] STUBBY: (NOTE a Strict Profile only applies when TLS is the ONLY transport!!) [10:45:26.261820] STUBBY: Starting DAEMON.... [10:45:28.540867] STUBBY: --- SETUP(TLS): : Verify locations loaded [10:45:28.541406] STUBBY: 1.1.1.1 : Conn opened: TLS - Strict Profile [10:45:28.576086] STUBBY: 1.1.1.1 : Conn closed: TLS - *Failure* [10:45:28.576563] STUBBY: 1.0.0.1 : Conn opened: TLS - Strict Profile [10:45:28.576785] STUBBY: 1.1.1.1 : Conn closed: TLS - Resps= 0, Timeouts = 0, Curr_auth = None, Keepalive(ms)= 0 [10:45:28.577055] STUBBY: 1.1.1.1 : Upstream : TLS - Resps= 0, Timeouts = 0, Best_auth = None [10:45:28.577292] STUBBY: 1.1.1.1 : Upstream : TLS - Conns= 0, Conn_fails= 1, Conn_shuts= 0, Backoffs = 0 [10:45:28.611253] STUBBY: 1.0.0.1 : Conn closed: TLS - *Failure* [10:45:28.611842] STUBBY: 1.1.1.1 : Conn opened: TLS - Strict Profile [10:45:28.612057] STUBBY: *FAILURE* no valid transports or upstreams available! [10:45:28.613141] STUBBY: 1.0.0.1 : Conn closed: TLS - Resps= 0, Timeouts = 0, Curr_auth = None, Keepalive(ms)= 0 [10:45:28.613462] STUBBY: 1.0.0.1 : Upstream : TLS - Resps= 0, Timeouts = 0, Best_auth = None [10:45:28.613701] STUBBY: 1.0.0.1 : Upstream : TLS - Conns= 0, Conn_fails= 1, Conn_shuts= 0, Backoffs = 0 [10:45:28.653157] STUBBY: 1.1.1.1 : Conn closed: TLS - *Failure* [10:45:28.653755] STUBBY: 1.0.0.1 : Conn opened: TLS - Strict Profile [10:45:28.653980] STUBBY: 1.1.1.1 : Conn closed: TLS - Resps= 0, Timeouts = 0, Curr_auth = None, Keepalive(ms)= 0 [10:45:28.654248] STUBBY: 1.1.1.1 : Upstream : TLS - Resps= 0, Timeouts = 0, Best_auth = None [10:45:28.654485] STUBBY: 1.1.1.1 : Upstream : TLS - Conns= 0, Conn_fails= 2, Conn_shuts= 0, Backoffs = 0 [10:45:28.688670] STUBBY: 1.0.0.1 : Conn closed: TLS - *Failure* [10:45:28.689263] STUBBY: 1.1.1.1 : Conn opened: TLS - Strict Profile [10:45:28.689472] STUBBY: *FAILURE* no valid transports or upstreams available! [10:45:28.689922] STUBBY: 1.0.0.1 : Conn closed: TLS - Resps= 0, Timeouts = 0, Curr_auth = None, Keepalive(ms)= 0 [10:45:28.690224] STUBBY: 1.0.0.1 : Upstream : TLS - Resps= 0, Timeouts = 0, Best_auth = None [10:45:28.690465] STUBBY: 1.0.0.1 : Upstream : TLS - Conns= 0, Conn_fails= 2, Conn_shuts= 0, Backoffs = 0 [10:45:28.715978] STUBBY: 1.1.1.1 : Conn closed: TLS - *Failure* [10:45:28.716557] STUBBY: 1.0.0.1 : Conn opened: TLS - Strict Profile [10:45:28.716776] STUBBY: 1.1.1.1 : Conn closed: TLS - Resps= 0, Timeouts = 0, Curr_auth = None, Keepalive(ms)= 0 [10:45:28.717043] STUBBY: 1.1.1.1 : Upstream : TLS - Resps= 0, Timeouts = 0, Best_auth = None [10:45:28.717283] STUBBY: 1.1.1.1 : Upstream : TLS - Conns= 0, Conn_fails= 3, Conn_shuts= 0, Backoffs = 0 [10:45:28.756008] STUBBY: 1.0.0.1 : Conn closed: TLS - *Failure* [10:45:28.756582] STUBBY: 1.1.1.1 : Conn opened: TLS - Strict Profile [10:45:28.756794] STUBBY: *FAILURE* no valid transports or upstreams available!
My stubby.yml.add ..
Code:tls_min_version: GETDNS_TLS1_2 idle_timeout: 10000 timeout: 3000 resolvconf: "/tmp/resolv.conf"
I have RT-AC68U device running on 40E9 now .. same problem with 39E3.
How to get (back) stable TLS_V13 connection with cloudflare (1.1.1.1) ?
stubby -C /etc/stubby.yml -i
On 39E3 it should. On 40E9 Stubby won’t start on MIPS at all.Should this work on MIPS?
Can you run
and post the config results?Code:stubby -C /etc/stubby.yml -i
"openssl_version_string": <bindata of "OpenSSL 1.1.1b 26 Feb 2019">,
For stubby John has built and linked openssl 1.1 static lib.What version of OpenSSL does Stubby use in 39E? According to https://github.com/getdnsapi/stubby/issues/130#issuecomment-421774281 Stubby should use the system's version of OpenSSL, which in 39E is OpenSSL 1.0.2r . But stubby -C /etc/stubby.yml -i has this line:
OpenSSL 1.0.2r doesn't seem to support TLS 1.3. When I run echo | openssl s_client -tls1_3 -connect 1.1.1.1:853 I get the error unknown option -tls1_3
Welcome To SNBForums
SNBForums is a community for anyone who wants to learn about or discuss the latest in wireless routers, network storage and the ins and outs of building and maintaining a small network.
If you'd like to post a question, simply register and have at it!
While you're at it, please check out SmallNetBuilder for product reviews and our famous Router Charts, Ranker and plenty more!