What's new

Stubby-Installer-Asuswrt-Merlin

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

So after installing Stubby on my AC86U and the patch by @Odkrys, I decided to try the commands from https://github.com/Xentrk/Stubby-Installer-Asuswrt-Merlin to see if my install went ok. I have a feeling that a certificate info is missing from this configuration. Two commands that I tried that I am not getting same results are shown below:

Code:
@RT-AC86U-99A8:/tmp/home/root# echo | openssl s_client -verify on -CApath /rom/etc/ssl/certs
 -connect 1.1.1.1:853
verify depth is 0
CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
verify error:num=20:unable to get local issuer certificate
4146480336:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:s3_clnt.c:126
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 2074 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: CF552B1FB807282FACB210771979BB6C270C86E6D445E4499FBB044DA881FB3D
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1544965779
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

and the other one:

Code:
@RT-AC86U-99A8:/tmp/home/root# getdns_query -s @127.0.0.1 github.com
Killed

Then when I access Cloudflare's Help Page, I get the info below. The interesting part is that at one point, I had connection to 1.1.1.1 as YES, DOT = N0 and DOH (Yes??).

I am also using a VPN and adjusted the Accept DNS Config to Disabled per Stubby install recommendations on the site.

Obviously, something is missing from my configuration or I am not doing something right? Any ideas?
 

Attachments

  • Screen Shot 2018-12-16 at 7.19.48 AM.png
    Screen Shot 2018-12-16 at 7.19.48 AM.png
    71.8 KB · Views: 317
Including all the validation commands from Github:

Code:
@RT-AC86U-99A8:/tmp/home/root# ps | grep stubby | grep -v grep
 9326 xxxx  5536 S    stubby -C /opt/etc/stubby/stubby.yml

Code:
@RT-AC86U-99A8:/tmp/home/root# /opt/etc/init.d/S61stubby check
 Checking stubby...              alive.

Code:
@RT-AC86U-99A8:/tmp/home/root# netstat -lnptu | grep stubby
tcp        0      0 127.0.0.1:5453          0.0.0.0:*               LISTEN      9326/stubby
udp        0      0 127.0.0.1:5453          0.0.0.0:*                           9326/stubby

Code:
@RT-AC86U-99A8:/tmp/home/root# netstat -lnpt | grep -P '^Active|^Proto|/stubby'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   
tcp        0      0 127.0.0.1:5453          0.0.0.0:*               LISTEN      9326/stubby

Code:
@RT-AC86U-99A8:/tmp/home/root# nslookup github.com
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      github.com
Address 1: 192.30.253.112 lb-192-30-253-112-iad.github.com
Address 2: 192.30.253.113 lb-192-30-253-113-iad.github.com

Code:
@RT-AC86U-99A8:/tmp/home/root# getdns_query -s @127.0.0.1 github.com
Killed

Code:
@RT-AC86U-99A8:/tmp/home/root# stubby -l
[13:40:31.326581] STUBBY: Read config from file /opt/etc/stubby/stubby.yml
[13:40:31.327548] STUBBY: DNSSEC Validation is OFF
[13:40:31.327684] STUBBY: Transport list is:
[13:40:31.327800] STUBBY:   - TLS
[13:40:31.327916] STUBBY: Privacy Usage Profile is Strict (Authentication required)
[13:40:31.328039] STUBBY: (NOTE a Strict Profile only applies when TLS is the ONLY transport!!)
[13:40:31.328118] STUBBY: Starting DAEMON....

Code:
@RT-AC86U-99A8:/tmp/home/root# echo | openssl s_client -verify on -CApath /rom/etc/ssl/certs
 -connect 1.1.1.1:853
verify depth is 0
CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
verify error:num=20:unable to get local issuer certificate
4151383248:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:s3_clnt.c:126
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 2074 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 4E23B1390BBDEC8E66FF413892BA811B177D0C158588FD4EF4F201D5A137F304
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1544967704
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

and it does not look like Quad 9 it is blocking this one:

Code:
@RT-AC86U-99A8:/tmp/home/root# nslookup isitblocked.org
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      isitblocked.org
Address 1: 74.208.236.124 74-208-236-124.elastic-ssl.ui-r.com
Address 2: 2607:f1c0:100f:f000::2d1 2607-f1c0-100f-f000-0000-0000-0000-02d1.elastic-ssl.ui-r.com
 
I don’t think you really are running the patched version since you’re still getting the Killed error.
 
I don’t think you really are running the patched version since you’re still getting the Killed error.

That is what I am thinking....The only step from that patch that I am still having hard time is:

Code:
opkg install /path/getdns_1.4.2-1a_aarch64-3.10.ipk

Isn't this installed from Stubby's original script?

If not where can I download this from so I can specify the path?
 
That is what I am thinking....The only step from that patch that I am still having hard time is:

Code:
opkg install /path/getdns_1.4.2-1a_aarch64-3.10.ipk

Isn't this installed from Stubby's original script?

If not where can I download this from so I can specify the path?
Try
Code:
/usr/sbin/curl -L -s --retry 3 "https://github.com/jackyaz/Stubby-Installer-Asuswrt-Merlin/raw/master/getdns_1.4.2-1a_aarch64-3.10.ipk" -o /var/tmp/patchedgetdns.ipk
opkg install /var/tmp/patchedgetdns.ipk && printf "getdns successfully patched\n" || printf "An error occurred patching getdns\n" || exit 1
rm /var/tmp/patchedgetdns.ipk
 
I think this did it @Jack Yaz! I will try the other steps from @Odkrys patch and see how is goes. If you have any other commands from your patch that you can share, that would be appreciated!! Thank you!!

Code:
@RT-AC86U-99A8:/tmp/home/root# /usr/sbin/curl -L -s --retry 3 "https://github.com/jackyaz/St
ubby-Installer-Asuswrt-Merlin/raw/master/getdns_1.4.2-1a_aarch64-3.10.ipk" -o /var/tmp/patchedgetdns.ipk
xxxxxx@RT-AC86U-99A8:/tmp/home/root#             opkg install /var/tmp/patchedgetdns.ipk && printf
 "getdns successfully patched\n" || printf "An error occurred patching getdns\n" || exit 1
Upgrading getdns on root from 1.4.2-1 to 1.4.2-1a...
Configuring getdns.
getdns successfully patched
xxxxxx@RT-AC86U-99A8:/tmp/home/root#             rm /var/tmp/patchedgetdns.ipk
 
@Jack Yaz, @Odkrys (and others) can you please clarify the following below from: https://www.snbforums.com/threads/dot-on-86u.50122/#post-449794?

When I use:
nano /opt/etc/init.d/S61stubby

Do I wipe out everything that initially comes up on the text editor screen (from the original script) and use the info below?

Code:
#!/bin/sh

ENABLED=yes
PROCS=stubby
ARGS="-C /opt/etc/stubby/stubby.yml"
PREARGS="nohup"
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/etc/init.d/rc.func

and after I use:

nano /opt/etc/stubby/stubby.yml

I wipe out everything from there and literally paste in the following:

Code:
#NOTE: See '/etc/stubby/stubby.yml.default' for original config file and descriptions

resolution_type: GETDNS_RESOLUTION_STUB

dns_transport_list:
  - GETDNS_TRANSPORT_TLS

tls_authentication: GETDNS_AUTHENTICATION_REQUIRED

tls_query_padding_blocksize: 128

edns_client_subnet_private : 0

round_robin_upstreams: 1

idle_timeout: 10000

listen_addresses:
  - 127.0.0.1@5453
#  -  0::1@5453

upstream_recursive_servers:
# IPv6 addresses
# # Cloudflare IPv6
#  - address_data: 2606:4700:4700::1111
#    tls_auth_name: "cloudflare-dns.com"

# # Quad 9 IPv6
#  - address_data: 2620:fe::10
#    tls_auth_name: "dns.quad9.net"

# IPv4 addresses
# # Cloudflare servers
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"

# Quad 9 service
#  - address_data: 9.9.9.10
#    tls_auth_name: "dns.quad9.net"

And finally on the Stubby's info on Github (https://github.com/Xentrk/Stubby-Installer-Asuswrt-Merlin), it says this installation will, among others,:
  • Set WAN DNS1 to the Router's IP Address and set the WAN DNS2 entry to null.
I did notice this, however, I am also told to leave WAN DNS settings blank. What is the verdict with this piece?

Thank you all!
 
And finally on the Stubby's info on Github (https://github.com/Xentrk/Stubby-Installer-Asuswrt-Merlin), it says this installation will, among others,:
  • Set WAN DNS1 to the Router's IP Address and set the WAN DNS2 entry to null.
I did notice this, however, I am also told to leave WAN DNS settings blank. What is the verdict with this piece?

Thank you all!
Yes, this is the desired outcome. You want the WAN DNS server 1 to be your router's IP. DNS server 2 should remain blank.
 
So I was able to install Stubby in my AC86U using the original @Xentrk script, patches from @Odkrys and @Jack Yaz (thank you guys!). From Cloudflare's Help Page I see that I have a DOT connection, however, the ESNI Checker website shows that I am not using any TLS certificate and SNI is not encrypted. Am I missing something here? It has been quite the challenge to keep my internet from crashing upon installation of the original script (which causes my DNS 1 to be my router's IP).
 

Attachments

  • Screen Shot 2018-12-17 at 8.38.00 PM.png
    Screen Shot 2018-12-17 at 8.38.00 PM.png
    63.3 KB · Views: 355
  • Screen Shot 2018-12-17 at 8.30.15 PM.png
    Screen Shot 2018-12-17 at 8.30.15 PM.png
    71.1 KB · Views: 383
But then I look at this and I think the culprit is here:

Code:
@RT-AC86U-99A8:/tmp/home/root# echo | openssl s_client -verify on -CApath /rom/etc/ssl/certs -connect 1.1.1.1:853
verify depth is 0
CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
verify error:num=20:unable to get local issuer certificate
4147033296:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:s3_clnt.c:1269:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 2074 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 6FBA9F3D5C208BA9DBC7E6A3BB9BA883CC5D8FC0AF8B2BE7BBBE2EEF7858BE41
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1545101249
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

How do I install the TLS certificate?
 
But then I look at this and I think the culprit is here:

Code:
@RT-AC86U-99A8:/tmp/home/root# echo | openssl s_client -verify on -CApath /rom/etc/ssl/certs -connect 1.1.1.1:853
verify depth is 0
CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
verify error:num=20:unable to get local issuer certificate
4147033296:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:s3_clnt.c:1269:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 2074 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 6FBA9F3D5C208BA9DBC7E6A3BB9BA883CC5D8FC0AF8B2BE7BBBE2EEF7858BE41
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1545101249
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

How do I install the TLS certificate?
Did you enable DNSSEC in Stubby? If so try the DNSSEC in Merlin.

Sent from my SM-T380 using Tapatalk
 
Yes it is enabled in Stubby and this automatically turns off DNSSEC in firmware.
 

Attachments

  • Screen Shot 2018-12-17 at 8.58.23 PM.png
    Screen Shot 2018-12-17 at 8.58.23 PM.png
    197.6 KB · Views: 276
  • Screen Shot 2018-12-17 at 8.58.38 PM.png
    Screen Shot 2018-12-17 at 8.58.38 PM.png
    280.4 KB · Views: 351
Did you enable DNSSEC in Stubby? If so try the DNSSEC in Merlin.

Sent from my SM-T380 using Tapatalk

You are saying to try turn it on in Merlin's instead?
 
...if I turn on DNSSEC in Merlin then I get this....:(
 

Attachments

  • Screen Shot 2018-12-17 at 9.03.04 PM.png
    Screen Shot 2018-12-17 at 9.03.04 PM.png
    70 KB · Views: 310
So I was able to install Stubby in my AC86U using the original @Xentrk script, patches from @Odkrys and @Jack Yaz (thank you guys!). From Cloudflare's Help Page I see that I have a DOT connection, however, the ESNI Checker website shows that I am not using any TLS certificate and SNI is not encrypted. Am I missing something here? It has been quite the challenge to keep my internet from crashing upon installation of the original script (which causes my DNS 1 to be my router's IP).
The TLS 1.3 and SNI settings are made in the browser. I set this up myself on the Firefox nightly edition two months ago. I believe it has since rolled out to the production Firefox. A google search will give you the most recent information.
 
...if I turn on DNSSEC in Merlin then I get this....:(
If you read thru the thread you can see a lot of discussion on DNSSEC with Stubby. Myself and the test team spent many hours experimenting with it. I don't want to spend anymore time on it until the next version of Stubby comes out. The OpenWRT forums also have discussion on the topic as well as the Stubby GitHub site. I'm sure we can get the DNSSEC issues resolved once Stubby matures. One of the issues is the Cloudflare test page does not work when DNSSEC is enabled. I wanted people to have confirmation that DNS over TLS was working using the CF test page. For now, I recommend saving yourself some grief and using the configuration of the Stubby installer.

During the development of the Stubby installer, I installed a DNSSEC detection plug-in on Firefox. I recommend installing it. I was surprised to find out that many of the sites I reference are not configured to use DNSSEC.
 
The TLS 1.3 and SNI settings are made in the browser. I set this up myself on the Firefox nightly edition two months ago. I believe it has since rolled out to the production Firefox. A google search will give you the most recent information.
Thank you @Xentrk! Was able to set up TLS 1.3 in Chrome and Safari but have yet to figure out a way to encrypt SNI. I use both Chrome and Safari.
 

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top