Info: Stubby 0.2.3 (latest) is on entware.

[ColinTaylor]

dnsmasq will listen for dns requests on 127.0.0.1 port 53 by default so those IP tables are still good for that.
dnsmasq will then forward the requests to stubby at 127.0.0.1 on what ever port you have selected for it. Stubby will then do its encryption magic and forward the request to the upstream dns on port 853

Just to be pedantic, the LAN client's requests will be coming in on interface br0 (i.e. 192.168.1.1) not 127.0.0.1. But the iptables rules will still work because dnsmasq also listens on that. And to be doubly pedantic, the stubby port number is 5453 according to post #67.

 

[john9527]

the stubby port number is 5453

That's the stubby 'listening' port.....dnsmasq is sending the port 53 request to 5453 as dnsmasq's upstream server. Then stubby sends out on port 853 after encrypting it.

 

[ColinTaylor]

That's the stubby 'listening' port.....dnsmasq is sending the port 53 request to 5453 as dnsmasq's upstream server. Then stubby sends out on port 853 after encrypting it.

Indeed. I thought it was a typo because it was in response to DonnyJohnny's question "does the dns queries goes thru 53 then reroute to 127.0.0.1#8453". But reading it again I realise that tomsk's answer was referring to the upstream server port. That part of the reply should have been directed to DonnyJohnny.

 

[tomsk]

Indeed. I thought it was a typo because it was in response to DonnyJohnny's question "does the dns queries goes thru 53 then reroute to 127.0.0.1#8453". But reading it again I realise that tomsk's answer was referring to the upstream server port. That part of the reply should have been directed to DonnyJohnny.

Well i'm still more wrong than right... haha...i was under the false impression that dnsmasq was listening on the loopback address.... that you for correcting me sir.. the dead giveaway was the
$(nvram get lan_ipaddr) in the iptables rule... as i said..."clever like that"

 

[ColinTaylor]

i was under the false impression that dnsmasq was listening on the loopback address....

No you are correct, it is. It listens on br0 as well. So if you're logged into the router and did a lookup it would indeed go to 127.0.0.1 because that's what's in resolv.conf.

# cat /etc/resolv.conf
nameserver 127.0.0.1
nameserver ::1
# nslookup bbc.co.uk
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      bbc.co.uk
Address 1: 2a04:4e42:600::81
Address 2: 151.101.128.81
Address 3: 151.101.192.81
Address 4: 151.101.0.81
Address 5: 151.101.64.81

Compare that to the resolv.conf file of a Linux client on the LAN:

# cat /etc/resolv.conf
# Generated by NetworkManager
search home.lan
nameserver 192.168.1.1

 

[tomsk]

No you are correct, it is. It listens on br0 as well. So if you're logged into the router and did a lookup it would indeed go to 127.0.0.1 because that's what's in resolv.conf.

# cat /etc/resolv.conf
nameserver 127.0.0.1
nameserver ::1
# nslookup bbc.co.uk
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      bbc.co.uk
Address 1: 2a04:4e42:600::81
Address 2: 151.101.128.81
Address 3: 151.101.192.81
Address 4: 151.101.0.81
Address 5: 151.101.64.81

Ok got it... thanks for the enlightenment......now.... if only i could retain all this information at the same time.....

 

[DonnyJohnny]

Thx all. @john9527 @tomsk @ColinTaylor
The iptables I mentioned on my post works.
Tested by changing my wifi dns server to Google dns. Did a dnsleak test and the dns is still as per stubby defined dns.

I don’t use QOS so I am fine.

 

[bbunge]

Any recommendation for best install steps on Asus?

Sent from my P01M using Tapatalk

 

[Xentrk]

Any recommendation for best install steps on Asus?

Sent from my P01M using Tapatalk

You need to have entware installed. I am writing an install script and estimate to have it ready by the weekend. If you want to install now, see post #10 for the steps.

 

[DonnyJohnny]

Ok this is my steps.
First you need to have entware do the command below.

opkg update
opkg install stubby
opkg install ca-certificates

Create a file S61stubby in /opt/etc/init.d/

nano /opt/etc/init.d/S61stubby

Copy the following inside and save

#!/bin/sh

ENABLED=yes
PROCS=stubby
ARGS="-g -v 5 -C /opt/etc/stubby/stubby.yml 2>/opt/var/log/stubby.log"
PREARGS="nohup"
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/etc/init.d/rc.func

After you save the above file. You need to make it executable.

chmod 755 /opt/etc/init.d/S61stubby

You probably already have ca-certificates installed. Look in /opt/etc/ssl

nano /opt/etc/stubby/stubby.yml

Copy this inside.

#NOTE: See '/etc/stubby/stubby.yml.default' for original config file and descriptions
resolution_type: GETDNS_RESOLUTION_STUB
dnssec_return_status: GETDNS_EXTENSION_TRUE
appdata_dir: "/opt/var/cache/stubby"
tls_ca_file: "/opt/etc/ssl/certs/ca-certificates.crt"
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 256
edns_client_subnet_private : 1
round_robin_upstreams: 1
idle_timeout: 10000
tls_backoff_time: 900
listen_addresses:
  - 127.0.0.1@5453
upstream_recursive_servers:
# IPv4 addresses
# # Cloudflare servers
  - address_data: 1.1.1.1
    tls_port: 853
    tls_auth_name: "cloudflare-dns.com"
              
# # Cloudflare servers
  - address_data: 1.0.0.1 
    tls_port: 853         
    tls_auth_name: "cloudflare-dns.com"

nano /jffs/configs/dnsmasq.conf.add (also, disable DNSSEC in webgui)

no-resolv
server=127.0.0.1#5453

Lastly, go to web GUI, under WAN, Internet Connection, WAN DNS Setting
Set DNS to Manual.
Dns#1 : your router ip eg. 192.168.1.1
Dns#2 : leave blank

Now final step. You can immediately start stubby to see if working by using the following command

/opt/etc/init.d/S61stubby start

If you want restart
/opt/etc/init.d/S61stubby restart

Or stop
/opt/etc/init.d/S61stubby stop

Next try save net and go https://1.1.1.1/help to see if tls working.

Last final test, restart router to see if everything goes well.

These are not my steps. I am just summarising what @Xentrk did over the past weeks. For those who are impatient to try it out.

 

[bbunge]

With "dnssec_return_status: GETDNS_EXTENSION_TRUE" in stubby.yml, Enable DNSSEC support (Merlin 384.7_B2, LAN, DHCP Server) should be set to "No"?
What about "Enable DNS Rebind protection" in Merlin?

 

[DonnyJohnny]

With "dnssec_return_status: GETDNS_EXTENSION_TRUE" in stubby.yml, Enable DNSSEC support (Merlin 384.7_B2, LAN, DHCP Server) should be set to "No"?
What about "Enable DNS Rebind protection" in Merlin?

That dnssec_return_status is same stuff as in Merlin LAN dnssec setting. Do not enable for quad9 or cloudflare. Also don’t use the stubby dnssec setting as stubby have problem with generating logs. So you would know what is going on. If really need to do dnssec verification, then activate via Merlin webgui.

Enable dns rebind protection got nothing to do with dnssec. It is to prevent dns rebinding Attack by filtering Private IP addresses out of DNS responses. See here

 

[owine]

Ok this is my steps.
First you need to have entware do the command below.

opkg update
opkg install stubby
opkg install ca-certificates

Create a file S61stubby in /opt/etc/init.d/

nano /opt/etc/init.d/S61stubby

Copy the following inside and save

#!/bin/sh

ENABLED=yes
PROCS=stubby
ARGS="-g -v 5 -C /opt/etc/stubby/stubby.yml 2>/opt/var/log/stubby.log"
PREARGS="nohup"
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/etc/init.d/rc.func

After you save the above file. You need to make it executable.

chmod +755 /opt/etc/init.d/S61stubby

You probably already have ca-certificates installed. Look in /opt/etc/ssl

nano /opt/etc/stubby/stubby.yml

Copy this inside.

#NOTE: See '/etc/stubby/stubby.yml.default' for original config file and descriptions
resolution_type: GETDNS_RESOLUTION_STUB
dnssec_return_status: GETDNS_EXTENSION_TRUE
appdata_dir: "/opt/var/cache/stubby"
tls_ca_file: "/opt/etc/ssl/certs/ca-certificates.crt"
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 256
edns_client_subnet_private : 1
round_robin_upstreams: 1
idle_timeout: 10000
tls_backoff_time: 900
listen_addresses:
  - 127.0.0.1@5453
upstream_recursive_servers:
# IPv4 addresses
# # Cloudflare servers
  - address_data: 1.1.1.1
    tls_port: 853
    tls_auth_name: "cloudflare-dns.com"
             
# # Cloudflare servers
  - address_data: 1.0.0.1
    tls_port: 853        
    tls_auth_name: "cloudflare-dns.com"

nano /jffs/configs/dnsmasq.conf.add (also, disable DNSSEC in webgui)

no-resolv
server=127.0.0.1#5453

Lastly, go to web GUI, under WAN, Internet Connection, WAN DNS Setting
Set DNS to Manual.
Dns#1 : your router ip eg. 192.168.1.1
Dns#2 : leave blank

Now final step. You can immediately start stubby to see if working by using the following command

/opt/etc/init.d/S61stubby start

If you want restart
/opt/etc/init.d/S61stubby restart

Or stop
/opt/etc/init.d/S61stubby stop

Next try save net and go https://1.1.1.1/help to see if tls working.

Last final test, restart router to see if everything goes well.

These are not my steps. I am just summarising what @Xentrk did over the past weeks. For those who are impatient to try it out.

Great summary. One minor thing, no + needed in your chmod command.

Anyone experimented with putting stubby in jffs so as to not rely on Entware/external drive mounting?

How does stubby handle a fresh boot with no time set, does it need a successful NTP sync?

 

[blueshark]

for some strange reason i never get it to work, i reinstall last merlin (beta) and full reset i don’t restore backup, very clean!

i have iptv configured probably the problem! i dont know..

edit: obviously i install entware in a new usb drive ext2

 

[skeal]

Ok this is my steps.
First you need to have entware do the command below.

opkg update
opkg install stubby
opkg install ca-certificates

Create a file S61stubby in /opt/etc/init.d/

nano /opt/etc/init.d/S61stubby

Copy the following inside and save

#!/bin/sh

ENABLED=yes
PROCS=stubby
ARGS="-g -v 5 -C /opt/etc/stubby/stubby.yml 2>/opt/var/log/stubby.log"
PREARGS="nohup"
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/etc/init.d/rc.func

After you save the above file. You need to make it executable.

chmod 755 /opt/etc/init.d/S61stubby

You probably already have ca-certificates installed. Look in /opt/etc/ssl

nano /opt/etc/stubby/stubby.yml

Copy this inside.

#NOTE: See '/etc/stubby/stubby.yml.default' for original config file and descriptions
resolution_type: GETDNS_RESOLUTION_STUB
dnssec_return_status: GETDNS_EXTENSION_TRUE
appdata_dir: "/opt/var/cache/stubby"
tls_ca_file: "/opt/etc/ssl/certs/ca-certificates.crt"
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 256
edns_client_subnet_private : 1
round_robin_upstreams: 1
idle_timeout: 10000
tls_backoff_time: 900
listen_addresses:
  - 127.0.0.1@5453
upstream_recursive_servers:
# IPv4 addresses
# # Cloudflare servers
  - address_data: 1.1.1.1
    tls_port: 853
    tls_auth_name: "cloudflare-dns.com"
             
# # Cloudflare servers
  - address_data: 1.0.0.1
    tls_port: 853        
    tls_auth_name: "cloudflare-dns.com"

nano /jffs/configs/dnsmasq.conf.add (also, disable DNSSEC in webgui)

no-resolv
server=127.0.0.1#5453

Lastly, go to web GUI, under WAN, Internet Connection, WAN DNS Setting
Set DNS to Manual.
Dns#1 : your router ip eg. 192.168.1.1
Dns#2 : leave blank

Now final step. You can immediately start stubby to see if working by using the following command

/opt/etc/init.d/S61stubby start

If you want restart
/opt/etc/init.d/S61stubby restart

Or stop
/opt/etc/init.d/S61stubby stop

Next try save net and go https://1.1.1.1/help to see if tls working.

Last final test, restart router to see if everything goes well.

These are not my steps. I am just summarising what @Xentrk did over the past weeks. For those who are impatient to try it out.

I tried these steps but I get this for a test:

Connection Information
Please include this URL when you create a post in the community forum.

https://1.1.1.1/help#eyJpc0NmIjoiTm8iLCJpc0RvdCI6Ik5vIiwiaXNEb2giOiJObyIsInJlc29sdmVySXAtMS4xLjEuMSI6IlllcyIsInJlc29sdmVySXAtMS4wLjAuMSI6IlllcyIsInJlc29sdmVySXAtMjYwNjo0NzAwOjQ3MDA6OjExMTEiOiJObyIsInJlc29sdmVySXAtMjYwNjo0NzAwOjQ3MDA6OjEwMDEiOiJObyIsImRhdGFjZW50ZXJMb2NhdGlvbiI6IllWUiIsImlzcE5hbWUiOiJDbG91ZGZsYXJlIiwiaXNwQXNuIjoiMTMzMzUifQ==
Click to copy
Debug Information
Connected to 1.1.1.1    No
Using DNS over HTTPS (DoH)    No
Using DNS over TLS (DoT)    No
AS Name    Cloudflare
AS Number    13335
Cloudflare Data Center    YVR
Connectivity to Resolver IP Addresses
1.1.1.1    Yes
1.0.0.1    Yes
2606:4700:4700::1111    No
2606:4700:4700::1001    No

 

[DonnyJohnny]

I tried these steps but I get this for a test:

Connection Information
Please include this URL when you create a post in the community forum.

https://1.1.1.1/help#eyJpc0NmIjoiTm8iLCJpc0RvdCI6Ik5vIiwiaXNEb2giOiJObyIsInJlc29sdmVySXAtMS4xLjEuMSI6IlllcyIsInJlc29sdmVySXAtMS4wLjAuMSI6IlllcyIsInJlc29sdmVySXAtMjYwNjo0NzAwOjQ3MDA6OjExMTEiOiJObyIsInJlc29sdmVySXAtMjYwNjo0NzAwOjQ3MDA6OjEwMDEiOiJObyIsImRhdGFjZW50ZXJMb2NhdGlvbiI6IllWUiIsImlzcE5hbWUiOiJDbG91ZGZsYXJlIiwiaXNwQXNuIjoiMTMzMzUifQ==
Click to copy
Debug Information
Connected to 1.1.1.1    No
Using DNS over HTTPS (DoH)    No
Using DNS over TLS (DoT)    No
AS Name    Cloudflare
AS Number    13335
Cloudflare Data Center    YVR
Connectivity to Resolver IP Addresses
1.1.1.1    Yes
1.0.0.1    Yes
2606:4700:4700::1111    No
2606:4700:4700::1001    No

Ensure you disable dnssec verification in webgui under LAN, DHCP server.

Assuming your webgui WAN dns is already set to router ip. It mean stubby proxy is working just that dnssec verification is enable causing it unable to function properly.

Testing: Try stop stubby to see if you can surf net. If you can’t surf, mean everything is good.

 

[skeal]

It would seem DoT is not working.

Ensure you disable dnssec verification in webgui under LAN, DHCP server.

View attachment 14563

Assuming your webgui WAN dns is already set to router ip. It mean stubby proxy is working just that dnssec verification is enable causing it unable to function properly.

Testing: Try stop stubby to see if you can surf net. If you can’t surf, mean everything is good.

Do we overwrite what is in stubby.yml or append to what's there?

 

[skeal]

Ensure you disable dnssec verification in webgui under LAN, DHCP server.

View attachment 14563

Assuming your webgui WAN dns is already set to router ip. It mean stubby proxy is working just that dnssec verification is enable causing it unable to function properly.

Testing: Try stop stubby to see if you can surf net. If you can’t surf, mean everything is good.

How do you reinstall stubby?

 

[blueshark]

how to check if entware is we’ll installed thats probably my problem

 

[skeal]

Anybody....do we append the .yml or replace the text in it?