skeal
Part of the Furniture
Outstanding my friend!!I've forked and PR'd a fix using @Odkrys patched version of getdns: https://github.com/jackyaz/Stubby-Installer-Asuswrt-Merlin
Outstanding my friend!!I've forked and PR'd a fix using @Odkrys patched version of getdns: https://github.com/jackyaz/Stubby-Installer-Asuswrt-Merlin
https://github.com/getdnsapi/getdns/releases/tag/v1.5.0-rc1I've forked and PR'd a fix using @Odkrys patched version of getdns: https://github.com/jackyaz/Stubby-Installer-Asuswrt-Merlin
@RT-AC86U-99A8:/tmp/home/root# echo | openssl s_client -verify on -CApath /rom/etc/ssl/certs
-connect 1.1.1.1:853
verify depth is 0
CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
verify error:num=20:unable to get local issuer certificate
4146480336:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:s3_clnt.c:126
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 2074 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID: CF552B1FB807282FACB210771979BB6C270C86E6D445E4499FBB044DA881FB3D
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1544965779
Timeout : 300 (sec)
Verify return code: 0 (ok)
@RT-AC86U-99A8:/tmp/home/root# getdns_query -s @127.0.0.1 github.com
Killed
@RT-AC86U-99A8:/tmp/home/root# ps | grep stubby | grep -v grep
9326 xxxx 5536 S stubby -C /opt/etc/stubby/stubby.yml
@RT-AC86U-99A8:/tmp/home/root# /opt/etc/init.d/S61stubby check
Checking stubby... alive.
@RT-AC86U-99A8:/tmp/home/root# netstat -lnptu | grep stubby
tcp 0 0 127.0.0.1:5453 0.0.0.0:* LISTEN 9326/stubby
udp 0 0 127.0.0.1:5453 0.0.0.0:* 9326/stubby
@RT-AC86U-99A8:/tmp/home/root# netstat -lnpt | grep -P '^Active|^Proto|/stubby'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:5453 0.0.0.0:* LISTEN 9326/stubby
@RT-AC86U-99A8:/tmp/home/root# nslookup github.com
Server: 127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain
Name: github.com
Address 1: 192.30.253.112 lb-192-30-253-112-iad.github.com
Address 2: 192.30.253.113 lb-192-30-253-113-iad.github.com
@RT-AC86U-99A8:/tmp/home/root# getdns_query -s @127.0.0.1 github.com
Killed
@RT-AC86U-99A8:/tmp/home/root# stubby -l
[13:40:31.326581] STUBBY: Read config from file /opt/etc/stubby/stubby.yml
[13:40:31.327548] STUBBY: DNSSEC Validation is OFF
[13:40:31.327684] STUBBY: Transport list is:
[13:40:31.327800] STUBBY: - TLS
[13:40:31.327916] STUBBY: Privacy Usage Profile is Strict (Authentication required)
[13:40:31.328039] STUBBY: (NOTE a Strict Profile only applies when TLS is the ONLY transport!!)
[13:40:31.328118] STUBBY: Starting DAEMON....
@RT-AC86U-99A8:/tmp/home/root# echo | openssl s_client -verify on -CApath /rom/etc/ssl/certs
-connect 1.1.1.1:853
verify depth is 0
CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
verify error:num=20:unable to get local issuer certificate
4151383248:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:s3_clnt.c:126
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 2074 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID: 4E23B1390BBDEC8E66FF413892BA811B177D0C158588FD4EF4F201D5A137F304
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1544967704
Timeout : 300 (sec)
Verify return code: 0 (ok)
@RT-AC86U-99A8:/tmp/home/root# nslookup isitblocked.org
Server: 127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain
Name: isitblocked.org
Address 1: 74.208.236.124 74-208-236-124.elastic-ssl.ui-r.com
Address 2: 2607:f1c0:100f:f000::2d1 2607-f1c0-100f-f000-0000-0000-0000-02d1.elastic-ssl.ui-r.com
I don’t think you really are running the patched version since you’re still getting the Killed error.
opkg install /path/getdns_1.4.2-1a_aarch64-3.10.ipk
TryThat is what I am thinking....The only step from that patch that I am still having hard time is:
Code:opkg install /path/getdns_1.4.2-1a_aarch64-3.10.ipk
Isn't this installed from Stubby's original script?
If not where can I download this from so I can specify the path?
/usr/sbin/curl -L -s --retry 3 "https://github.com/jackyaz/Stubby-Installer-Asuswrt-Merlin/raw/master/getdns_1.4.2-1a_aarch64-3.10.ipk" -o /var/tmp/patchedgetdns.ipk
opkg install /var/tmp/patchedgetdns.ipk && printf "getdns successfully patched\n" || printf "An error occurred patching getdns\n" || exit 1
rm /var/tmp/patchedgetdns.ipk
@RT-AC86U-99A8:/tmp/home/root# /usr/sbin/curl -L -s --retry 3 "https://github.com/jackyaz/St
ubby-Installer-Asuswrt-Merlin/raw/master/getdns_1.4.2-1a_aarch64-3.10.ipk" -o /var/tmp/patchedgetdns.ipk
xxxxxx@RT-AC86U-99A8:/tmp/home/root# opkg install /var/tmp/patchedgetdns.ipk && printf
"getdns successfully patched\n" || printf "An error occurred patching getdns\n" || exit 1
Upgrading getdns on root from 1.4.2-1 to 1.4.2-1a...
Configuring getdns.
getdns successfully patched
xxxxxx@RT-AC86U-99A8:/tmp/home/root# rm /var/tmp/patchedgetdns.ipk
#!/bin/sh
ENABLED=yes
PROCS=stubby
ARGS="-C /opt/etc/stubby/stubby.yml"
PREARGS="nohup"
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
. /opt/etc/init.d/rc.func
#NOTE: See '/etc/stubby/stubby.yml.default' for original config file and descriptions
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
- GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private : 0
round_robin_upstreams: 1
idle_timeout: 10000
listen_addresses:
- 127.0.0.1@5453
# - 0::1@5453
upstream_recursive_servers:
# IPv6 addresses
# # Cloudflare IPv6
# - address_data: 2606:4700:4700::1111
# tls_auth_name: "cloudflare-dns.com"
# # Quad 9 IPv6
# - address_data: 2620:fe::10
# tls_auth_name: "dns.quad9.net"
# IPv4 addresses
# # Cloudflare servers
- address_data: 1.1.1.1
tls_auth_name: "cloudflare-dns.com"
- address_data: 1.0.0.1
tls_auth_name: "cloudflare-dns.com"
# Quad 9 service
# - address_data: 9.9.9.10
# tls_auth_name: "dns.quad9.net"
Yes, this is the desired outcome. You want the WAN DNS server 1 to be your router's IP. DNS server 2 should remain blank.And finally on the Stubby's info on Github (https://github.com/Xentrk/Stubby-Installer-Asuswrt-Merlin), it says this installation will, among others,:
I did notice this, however, I am also told to leave WAN DNS settings blank. What is the verdict with this piece?
- Set WAN DNS1 to the Router's IP Address and set the WAN DNS2 entry to null.
Thank you all!
Excellent, many thanks!I've forked and PR'd a fix using @Odkrys patched version of getdns: https://github.com/jackyaz/Stubby-Installer-Asuswrt-Merlin
@RT-AC86U-99A8:/tmp/home/root# echo | openssl s_client -verify on -CApath /rom/etc/ssl/certs -connect 1.1.1.1:853
verify depth is 0
CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
verify error:num=20:unable to get local issuer certificate
4147033296:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:s3_clnt.c:1269:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 2074 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID: 6FBA9F3D5C208BA9DBC7E6A3BB9BA883CC5D8FC0AF8B2BE7BBBE2EEF7858BE41
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1545101249
Timeout : 300 (sec)
Verify return code: 0 (ok)
Did you enable DNSSEC in Stubby? If so try the DNSSEC in Merlin.But then I look at this and I think the culprit is here:
Code:@RT-AC86U-99A8:/tmp/home/root# echo | openssl s_client -verify on -CApath /rom/etc/ssl/certs -connect 1.1.1.1:853 verify depth is 0 CONNECTED(00000003) depth=1 C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA verify error:num=20:unable to get local issuer certificate 4147033296:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:s3_clnt.c:1269: --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 2074 bytes and written 7 bytes --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : 0000 Session-ID: 6FBA9F3D5C208BA9DBC7E6A3BB9BA883CC5D8FC0AF8B2BE7BBBE2EEF7858BE41 Session-ID-ctx: Master-Key: Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1545101249 Timeout : 300 (sec) Verify return code: 0 (ok)
How do I install the TLS certificate?
Did you enable DNSSEC in Stubby? If so try the DNSSEC in Merlin.
Sent from my SM-T380 using Tapatalk
The TLS 1.3 and SNI settings are made in the browser. I set this up myself on the Firefox nightly edition two months ago. I believe it has since rolled out to the production Firefox. A google search will give you the most recent information.So I was able to install Stubby in my AC86U using the original @Xentrk script, patches from @Odkrys and @Jack Yaz (thank you guys!). From Cloudflare's Help Page I see that I have a DOT connection, however, the ESNI Checker website shows that I am not using any TLS certificate and SNI is not encrypted. Am I missing something here? It has been quite the challenge to keep my internet from crashing upon installation of the original script (which causes my DNS 1 to be my router's IP).
If you read thru the thread you can see a lot of discussion on DNSSEC with Stubby. Myself and the test team spent many hours experimenting with it. I don't want to spend anymore time on it until the next version of Stubby comes out. The OpenWRT forums also have discussion on the topic as well as the Stubby GitHub site. I'm sure we can get the DNSSEC issues resolved once Stubby matures. One of the issues is the Cloudflare test page does not work when DNSSEC is enabled. I wanted people to have confirmation that DNS over TLS was working using the CF test page. For now, I recommend saving yourself some grief and using the configuration of the Stubby installer....if I turn on DNSSEC in Merlin then I get this....
Thank you @Xentrk! Was able to set up TLS 1.3 in Chrome and Safari but have yet to figure out a way to encrypt SNI. I use both Chrome and Safari.The TLS 1.3 and SNI settings are made in the browser. I set this up myself on the Firefox nightly edition two months ago. I believe it has since rolled out to the production Firefox. A google search will give you the most recent information.
Welcome To SNBForums
SNBForums is a community for anyone who wants to learn about or discuss the latest in wireless routers, network storage and the ins and outs of building and maintaining a small network.
If you'd like to post a question, simply register and have at it!
While you're at it, please check out SmallNetBuilder for product reviews and our famous Router Charts, Ranker and plenty more!