Stubby-Installer-Asuswrt-Merlin

[Jack Yaz]

Jack, this is to patch the AC86 Stubby install, right.

Will updating entware on say an AC68U still break stubby?

Sent from my SM-T380 using Tapatalk

Not as far as I know - the patch needed is specific to the 86U (and AX88U too most likely, I suspect it affects the HND platform)

 

[bbunge]

I had reinstalled Stubby a week ago. My installed Stubby version is 0.2.3-1 and getdns is 1.4.2-1
opkg list-upgradeable shows stubby can be ugraded to 0.2.3-3 and getdns to 1.4.2-2

As it is late and I do not want to chance messing up the router tonight I will wait for morning to push the upgrade.

Edit: this on my RT-AC66U_B1 with Merlin 384.8_2 RT-AC68U firmware.

 

[bmn1]

This is so cool.
I didn't know about Stubby yet, I was looking for a DNSSec sollution for Merlin.

Awesome, thank you!

Edit:
Reading a bit into the topic.
I'm not sure, but, will the DNSCrypt for Merlin cause issues with Stubby?
Or do I just have to set it up correctly or in a specific order?

 

[skeal]

This is so cool.
I didn't know about Stubby yet, I was looking for a DNSSec sollution for Merlin.

Awesome, thank you!

Stubby has support for DNSSEC with getdns so yes it is awesome. Stubby, DNSSEC, and Rebind protection. A great trio!

 

[bmn1]

Stubby has support for DNSSEC with getdns so yes it is awesome. Stubby, DNSSEC, and Rebind protection. A great trio!

I was just reading a bit into the topic.
I have installed DNSCrypt for Merlin. But it seems some people have issue's with combining the two?

 

[skeal]

I was just reading a bit into the topic.
I have installed DNSCrypt for Merlin. But it seems some people have issue's with combining the two?

The only thing it causes is the test site https://1.1.1.1/help won't report properly. There are in my opinion better ways to test its full function. I would use an Ubuntu live or Ubuntu desktop and use the included terminal to run a kdig command. Something like this:

kdig -d @1.1.1.1 +dnssec +tls-ca +tls-host=cloudflare-dns.com  example.com

 

[Marin]

Yes I can confirm that after applying @Jack Yaz's instructions and reinstall commands, Stubby is breathing again.

Thanks again @Jack Yaz!

 

[bmn1]

The only thing it causes is the test site https://1.1.1.1/help won't report properly. There are in my opinion better ways to test its full function. I would use an Ubuntu live or Ubuntu desktop and use the included terminal to run a kdig command. Something like this:

kdig -d @1.1.1.1 +dnssec +tls-ca +tls-host=cloudflare-dns.com  example.com

On my Debian OS it resulted in this:
https://i.imgur.com/1GJ3n4g.png

https://ipleak.net/ shows two IP's, even when using a VPN, it shows my ISP's IP.
So it seems to be leaking here still. (Edit: now even three)

I am using a RT-AC5300 on Merlin's Firmware Version: 384.8_2, if that helps.

Devision, Skynet and DNSCrypt are also installed.

 

[amplatfus]

I developed the Stubby installer on an AC88U and did not experience a similar issue until recently. I was out of town for several days a few weeks ago. When I returned home and turned on the router, I had the no WAN access issue. I uninstalled Stubby and everything worked again. After finishing some work on it, I reinstalled Stubby with no issues. After a reboot though, no WAN access. I applied the NTP fix and it worked good after testing on two reboots.

Right before I left on my next trip, I did another reboot. I had the no WAN access issue again. I was surprised to have this issue after applying the NTP fix. I did not have time to analyze the issue any further. I have to check the DNS probe setting myself. I have to look into more after I return home the second week of January. Hoping the new version of Stubby will be rolled into entware by that time.

Thank you and all for replies. Seems that I managed to make dnscrypt-proxy work. Possible in Stubby to work too.
In my case it was not working because I had a custom NTP. So I put my NTP to 1.1.1.1 and it work. I did not tried with Stubby yet, but is a good idea I think to check if you have a custom NTP.

server=/pool.ntp.org/1.1.1.1 to /jffs/configs/dnsmasq.conf.add
server=/ntp.alsysdata.net/1.1.1.1 to /jffs/configs/dnsmasq.conf.add

I updated my initial post and dnscrypt-proxy post with this.
Thank you again!
Great community!

 

[bbunge]

Please do not install dnscrypt and stubby on the same router! You will have problems.

Sent from my SM-T380 using Tapatalk

 

[Xentrk]

Since the DNSCrypt topic has come up in this thread and others, I wanted to share this article

https://tenta.com/blog/post/2017/12/dns-over-tls-vs-dnscrypt

One issue with DNSCrypt is that it never was approved as a standard. But it had been the only go to option for securing DNS until recently.

dnsprivacy.org also does a brief overview of the options available for securing DNS
https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+-+The+Solutions

 

[amplatfus]

Yes. I tried them separately. I tried DoH, then restored all settings from a backup done before DoH (nvram-save) and entware restored too. Then installed DoT.
Always separately 100%.
Thank you so much!

Sent from my ONE A2003 using Tapatalk

 

[bbunge]

Just ran the Entware upgrade

opkg update
opkg upgrade

Got a Collected errors warning about a confile being placed in /opt/etc/syubby/stubby.yml-opkg. The file has this notice which seems to apply to OpenWRT

# Note: by default on OpenWRT stubby configuration is handled via
# the UCI system and the file /etc/config/stubby. If you want to
# use this file to configure stubby, then set "option manual '1'"
# in /etc/config/stubby.

Rebooted the router with no changes to the existing stubby.yml and all is working as before.
For the folks with the newer routers, AC86U AX88U, do not do the upgrade without reapplying the Jack Yaz fix.

 

[bmn1]

Thanks for confirming DNSCrypt could cause issues with Stubby/DNSSec, @Xentrk.

Would it be enough to just uninstall DNSCrypt, and try some DNSLeak tests again?
Or should I be more careful, uninstalling things in a certain order? (Because of dependencies maybe)

Are there even any benefits of having DNSCrypt running in addition to DNSSec/Stubby?

@amplatfus, have you tried running DNSLeak tests, as you seem to be running DNSCrypt along with Stubby/DNSSec?

 

[amplatfus]

Dear @bmn1

I am on DoH because I use to spin down my HDD when not using it, and dnscrypt is installed on jffs so my HDD could spin down when not using.
When on Stubyy I was not trying a lot of tests because internet was not running after restart because of NTP. The same was with dnscrypt until I entered this:

server=/pool.ntp.org/1.1.1.1 to /jffs/configs/dnsmasq.conf.add
server=/ntp.alsysdata.net/1.1.1.1 to /jffs/configs/dnsmasq.conf.add

Now, using DoH (dnscrypt) DNSLeak tests from https://www.dnsleaktest.com looks OK:

Test complete

Query round Progress... Servers found
1..............1
2..............1
3..............1
4..............1
5..............1
6..............1
IP Hostname ISP Country
172.68.225.83 none Cloudflare Hungary

Also https_://1.1.1.1/help results here)
Hope this helps. If I can help with other info please let me know.

All the best!

 

[bmn1]

Thanks @amplatfus
I'm not sure what your situation is regarding having a HDD hooked up for storage/swap etc, I'm just using a USB stick.

I'd prefer to have Stubby or DNSCrypt on all the time.
If you have the time, could you try http://dnsleak.com/?
https://www.dnsleaktest.com is kinda odd to me.

In the end I'd just like to know what the best option is, to have a more private DNS setup, and prevent DNS Leaking. Be it with just Stubby or a combination, which seems to cause issues.

DNSCrypt alone is not enough for true privacy from what I've read.

 

[amplatfus]

Happy to help. I already did and post the results here #375 for https://www.dnsleaktest.com
On the other hand http://dnsleak.com show me a red warning:

Looks like your DNS might be leaking...

• Your IP: 86.xxx.xxx.xxx
• DNS IP: 172.68.225.71
• Hostname: 172.68.225.71
• Country: Hungary (I am from Romania)
  
• City: Budapest

Good luck!

 

[bmn1]

So far for me, I tested some more, and had these results:

https://www.cloudflare.com/ssl/encrypted-sni/
"(X) Encrypted SNI"

https://1.1.1.1/help
"Using DNS over HTTPS (DoH) Yes"
"Using DNS over TLS (DoT) No"

The DoT error is because of having DNSCrypt set up, right?
Encrypted SNI is a client side (read browser) issue, correct? Or can this be achieved by say Stubby?

I'll try turning off DNSCrypt now, hope it doesn't break anything.

Edit:
Uninstalling DNSCrypt resulted in this:

https://1.1.1.1/help
"Using DNS over HTTPS (DoH) No"
"Using DNS over TLS (DoT) Yes"

So, is DNSCrypt actually causing a conflict/issue or is the test just not returning the correct results?

 

[amplatfus]

With DNSCrypt clean install I have Encrypted SNI failed.
PS:
For backup/ restore you could use:
NVRAM/factory default reset info: https://www.snbforums.com/threads/faq-nvram-and-factory-default-reset.22822/
and
Backuping Entware on a regular basis https://www.snbforums.com/threads/backuping-entware-on-a-regular-basis.37834/

All the best!

 

[DonnyJohnny]

So far for me, I tested some more, and had these results:

https://www.cloudflare.com/ssl/encrypted-sni/
"(X) Encrypted SNI"

https://1.1.1.1/help
"Using DNS over HTTPS (DoH) Yes"
"Using DNS over TLS (DoT) No"

The DoT error is because of having DNSCrypt set up, right?
Encrypted SNI is a client side (read browser) issue, correct? Or can this be achieved by say Stubby?

I'll try turning off DNSCrypt now, hope it doesn't break anything.

Edit:
Uninstalling DNSCrypt resulted in this:

https://1.1.1.1/help
"Using DNS over HTTPS (DoH) No"
"Using DNS over TLS (DoT) Yes"

So, is DNSCrypt actually causing a conflict/issue or is the test just not returning the correct results?

With DNSCrypt clean install I have Encrypted SNI failed.
PS:
For backup/ restore you could use:
NVRAM/factory default reset info: https://www.snbforums.com/threads/faq-nvram-and-factory-default-reset.22822/
and
Backuping Entware on a regular basis https://www.snbforums.com/threads/backuping-entware-on-a-regular-basis.37834/

All the best!

Esni only works with using the built in doh of Firefox. If the rest of the test is good like dnssec/doh/dot then it is good when using the cloudflare test page.