
Stubby-Installer-Asuswrt-Merlin


By using Firefox TRR, you are NOT USING Stubby to resolve your DNS queries. Everything is passed through DoH via Firefox's built-in resolver. That means Diversion WILL NOT be working for you, as they are intercepted by Firefox. (That makes Stubby and Diversion redundant.)



Yes, Stubby seems to be working with DoT, but because you have Firefox's built-in DoH, that's why you see DoH and DoT as YES.

Yes I am noticing that Diversion is not working when DOH is taking over. Thank you for pointing this!
 
Enabling DNSSEC will break the Cloudflare tests. We've been through this for some time so it is nothing new. Supposedly the only way to test if DNSSEC is working is to use dig and look for an "ad" flag (hope I have this right this time!).
To enable DNSSEC in Stubby add this line to stubby.yml:
Code:
dnssec_return_status: GETDNS_EXTENSION_TRUE

You should also add this to dnsmasq.conf.add
Code:
proxy-dnssec
server=/pool.ntp.org/1.1.1.1

As I said you can use DNSSEC in either Merlin settings or Stubby. Both work but you should have the proxy-dnssec added to dnsmasq.conf.add
 
Enabling DNSSEC will break the Cloudflare tests. We've been through this for some time so it is nothing new. Supposedly the only way to test if DNSSEC is working is to use dig and look for an "ad" flag (hope I have this right this time!).
To enable DNSSEC in Stubby add this line to stubby.yml:
Code:
dnssec_return_status: GETDNS_EXTENSION_TRUE

You should also add this to dnsmasq.conf.add
Code:
proxy-dnssec
server=/pool.ntp.org/1.1.1.1

As I said you can use DNSSEC in either Merlin settings or Stubby. Both work but you should have the proxy-dnssec added to dnsmasq.conf.add

Ah, there it is!
 
i really wish you guys would post critical fixes without
assuming the reader knows what you are talking about o_O

/opt/ent/stubby/stubby.yml

/jffs/configs/dnsmasq.conf.add
 
i really wish you guys would post critical fixes without
assuming the reader knows what you are talking about o_O

/opt/ent/stubby/stubby.yml

/jffs/configs/dnsmasq.conf.add
If you do not understand something as said, then please ask a question and wait for a follow-up. Also, you may want to be a little less condescending in your tone. :rolleyes:
 
dnssec_return_status: GETDNS_EXTENSION_TRUE

adding this statement to: /opt/ent/stubby/stubby.yml
leaves the cloudflare test results "may not be" inconclusive
for secure dns, while dnssec feedback remains the same.




could you explain more clearly why i would want this?
from my novice vantage point, your statement seems to
break something that may be working, while having no
actual effect on what it may have intended to improve,
or is the cloudflare test just giving us inaccurate results?
 
When using dnssec with stubby the tests become unreliable. You can test the situation with an Ubuntu live install using kdig. Run this command if you have that option:
Code:
$ kdig -d @1.1.1.1 +dnssec +tls-ca +tls-host=cloudflare-dns.com  example.com
If not then there is no real easy method to test this. The help site on Cloudflare test doesn't support dnssec.
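
Added example, not part of any post in this thread: a shell helper that reads dig or kdig output (the two tools mentioned above) and reports whether the reply header carries the "ad" (Authenticated Data) flag. The function name dnssec_verdict is hypothetical and the sample headers are constructed, not captured from a router.

```shell
#!/bin/sh
# Added example: classify a dig/kdig reply by header status and the AD flag.
# Input: the tool's text output on stdin. Output: one word on stdout.
dnssec_verdict() {
    awk '
        /->>HEADER<<-/ && match($0, /status: [A-Z]+/) {
            status = substr($0, RSTART + 8, RLENGTH - 8)
        }
        /^;; [Ff]lags:/ {            # dig prints "flags:", kdig prints "Flags:"
            flags = $0
            sub(/^;; [Ff]lags:/, "", flags)
            sub(/;.*/, "", flags)    # keep only the flag words before the first ";"
            n = split(flags, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1
            seen = 1
        }
        END {
            if (!seen)                     print "no-header"
            else if (status == "SERVFAIL") print "servfail"     # validation failure or upstream error
            else if (ad)                   print "validated"    # resolver set AD on the answer
            else                           print "unvalidated"  # answer returned, AD not set
        }'
}

# Constructed sample headers (not captured from a real router).
SAMPLE_AD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_NO_AD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_KDIG=';; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 4244
;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1'
SAMPLE_FAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4245
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

for s in "$SAMPLE_AD" "$SAMPLE_NO_AD" "$SAMPLE_KDIG" "$SAMPLE_FAIL"; do
    printf '%s\n' "$s" | dnssec_verdict
done
# Live use (assumes dig is installed and dnsmasq listens on 127.0.0.1):
#   dig +dnssec example.com @127.0.0.1 | dnssec_verdict
```

When the query goes through dnsmasq, the client only sees the upstream AD bit if proxy-dnssec is set, which is why an "unvalidated" result at the client does not by itself mean Stubby is not validating.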
 
adding this statement to: /opt/ent/stubby/stubby.yml
leaves the cloudflare test results "may not be" inconclusive
for secure dns, while dnssec feedback remains the same.




could you explain more clearly why i would want this?
from my novice vantage point, your statement seems to
break something that may be working, while having no
actual effect on what it may have intended to improve,
or is the cloudflare test just giving us inaccurate results?
That is the $64,000 question best answered by this:
https://blog.apnic.net/2018/08/17/sunrise-dns-over-tls-sunset-dnssec/

 
i really wish you guys would post critical fixes without
assuming the reader knows what you are talking about o_O

/opt/ent/stubby/stubby.yml

/jffs/configs/dnsmasq.conf.add
I will review and update the Repo README.md to clarify the location of key files.
 
Merry Christmas everyone. Here is the link containing the details on the Christmas release of 1.5.0 getdns and 0.2.4 stubby.

https://getdnsapi.net/releases/getdns-1-5-0/

I have no idea when entware will be updated with the new version though. Will need to do some testing, especially with DNSSEC changes, once entware has been updated.
 
Merry Christmas everyone. Here is the link containing the details on the Christmas release of 1.5.0 getdns and 0.2.4 stubby.

https://getdnsapi.net/releases/getdns-1-5-0/

I have no idea when entware will be updated with the new version though. Will need to do some testing, especially with DNSSEC changes, once entware has been updated.
Are these new packages dependent on OpenSSL 1.1.1 or did I misread that? Might be a while from entware, unfortunately.

Regardless, looking forward to getting stubby a bit more idiot proof on the ac86 and even getting it on AMTM.
 
Merry Christmas everyone. Here is the link containing the details on the Christmas release of 1.5.0 getdns and 0.2.4 stubby.

https://getdnsapi.net/releases/getdns-1-5-0/

I have no idea when entware will be updated with the new version though. Will need to do some testing, especially with DNSSEC changes, once entware has been updated.
I think entware recently picked up getdns 1.4.2 so ac86u may now work ootb with your script
 
I think entware recently picked up getdns 1.4.2 so ac86u may now work ootb with your script
Code:
# opkg list | grep getdns
getdns - 1.4.2-2 - This package contains the getdns library (libgetdns). This package also contains the "getdns_query" command line wrapper for getdns exposing the features of this implementation (both in the official API and the additional API functions).
stubby - 0.2.3-3 - This package contains the Stubby daemon (which utilizes the getdns library).  See https://github.com/openwrt/packages/blob/master/net/stubby/files/README.md for more details.
#
 
Are these new packages dependent on OpenSSL 1.1.1 or did I misread that? Might be a while from entware, unfortunately.

Regardless, looking forward to getting stubby a bit more idiot proof on the ac86 and even getting it on AMTM.
I would think it would "just" require being statically linked against OpenSSL 1.1.1 a la pixelserv-tls. TLS 1.3 requires OpenSSL 1.1.1.
 
Just upgraded Entware via amtm:

Code:
 Continue? [1=Yes e=Exit] 1

Downloading http://bin.entware.net/aarch64-k3.10/Packages.gz
Updated list of available packages in /opt/var/opkg-lists/entware
Upgrading wget on root from 1.19.5-2 to 1.20-1a...
Downloading http://bin.entware.net/aarch64-k3.10/wget_1.20-1a_aarch64-3.10.ipk
Installing libpcre2 (10.32-1) to root...
Downloading http://bin.entware.net/aarch64-k3.10/libpcre2_10.32-1_aarch64-3.10.ipk
Upgrading zoneinfo-europe on root from 2018e-1 to 2018g-1...
Downloading http://bin.entware.net/aarch64-k3.10/zoneinfo-europe_2018g-1_aarch64-3.10.ipk
Upgrading jq on root from 1.5-2b to 1.6-1...
Downloading http://bin.entware.net/aarch64-k3.10/jq_1.6-1_aarch64-3.10.ipk
Upgrading getdns on root from 1.4.2-1a to 1.4.2-2...
Downloading http://bin.entware.net/aarch64-k3.10/getdns_1.4.2-2_aarch64-3.10.ipk
Upgrading pixelserv-tls on root from 2.1.2-1 to 2.2.0-1...
Downloading http://bin.entware.net/aarch64-k3.10/pixelserv-tls_2.2.0-1_aarch64-3.10.ipk
Upgrading zoneinfo-asia on root from 2018e-1 to 2018g-1...
Downloading http://bin.entware.net/aarch64-k3.10/zoneinfo-asia_2018g-1_aarch64-3.10.ipk
Upgrading oniguruma on root from 6.8.2-1 to 6.9.1-1...
Downloading http://bin.entware.net/aarch64-k3.10/oniguruma_6.9.1-1_aarch64-3.10.ipk
Upgrading sqlite3-cli on root from 3230100-1 to 3250300-1...
Downloading http://bin.entware.net/aarch64-k3.10/sqlite3-cli_3250300-1_aarch64-3.10.ipk
Upgrading libpng on root from 1.6.34-1 to 1.6.35-1...
Downloading http://bin.entware.net/aarch64-k3.10/libpng_1.6.35-1_aarch64-3.10.ipk
Removing obsolete file /opt/lib/libpng16.so.16.34.0.
Upgrading stubby on root from 0.2.3-1 to 0.2.3-3...
Downloading http://bin.entware.net/aarch64-k3.10/stubby_0.2.3-3_aarch64-3.10.ipk
Upgrading libsqlite3 on root from 3230100-1 to 3250300-1...
Downloading http://bin.entware.net/aarch64-k3.10/libsqlite3_3250300-1_aarch64-3.10.ipk
Upgrading libopenssl on root from 1.0.2p-1 to 1.0.2p-1a...
 amtm 1.5                by thelonelycoder
 The SNBForum Asuswrt-Merlin Terminal Menu
 
then when I try to see if Stubby is working well I get:

Code:
@RT-AC86U-99A8:/tmp/home/root# getdns_query -s @127.0.0.1 github.com
Killed

then:

Code:
@RT-AC86U-99A8:/tmp/home/root# stubby -l
[02:31:57.015200] STUBBY: Read config from file /opt/etc/stubby/stubby.yml
[02:31:57.016103] STUBBY: DNSSEC Validation is OFF
[02:31:57.016234] STUBBY: Transport list is:
[02:31:57.016349] STUBBY:   - TLS
[02:31:57.016465] STUBBY: Privacy Usage Profile is Strict (Authentication required)
[02:31:57.016584] STUBBY: (NOTE a Strict Profile only applies when TLS is the ONLY t
[02:31:57.016675] STUBBY: Starting DAEMON....
[02:32:00.015595] STUBBY: 1.1.1.1                                  : Conn opened: TL
[02:32:00.108157] STUBBY: 1.1.1.1                                  : Verify passed :
Killed

Anything that I need to modify as a result of this upgrade?
 
Of note, I did not reboot the router after upgrading Entware...I wonder if I should do this and rerun these commands again.
 
