Menu
What's new
By:
Filters Better Search

Stubby-Installer-Asuswrt-Merlin

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

bbunge said:
Jack, this is to patch the AC86 Stubby install, right.

Will updating entware on say an AC68U still break stubby?

Sent from my SM-T380 using Tapatalk
Click to expand...
Not as far as I know - the patch needed is specific to the 86U (and AX88U too most likely, I suspect it affects the HND platform)
 
I had reinstalled Stubby a week ago. My installed Stubby version is 0.2.3-1 and getdns is 1.4.2-1
opkg list-upgradeable shows stubby can be ugraded to 0.2.3-3 and getdns to 1.4.2-2

As it is late and I do not want to chance messing up the router tonight I will wait for morning to push the upgrade.

Edit: this on my RT-AC66U_B1 with Merlin 384.8_2 RT-AC68U firmware.
 
Last edited:
This is so cool.
I didn't know about Stubby yet, I was looking for a DNSSec sollution for Merlin.

Awesome, thank you!

Edit:
Reading a bit into the topic.
I'm not sure, but, will the DNSCrypt for Merlin cause issues with Stubby?
Or do I just have to set it up correctly or in a specific order?
 
bmn1 said:
This is so cool.
I didn't know about Stubby yet, I was looking for a DNSSec sollution for Merlin.

Awesome, thank you!
Click to expand...
Stubby has support for DNSSEC with getdns so yes it is awesome. Stubby, DNSSEC, and Rebind protection. A great trio!
 
skeal said:
Stubby has support for DNSSEC with getdns so yes it is awesome. Stubby, DNSSEC, and Rebind protection. A great trio!
Click to expand...
I was just reading a bit into the topic.
I have installed DNSCrypt for Merlin. But it seems some people have issue's with combining the two?
 
bmn1 said:
I was just reading a bit into the topic.
I have installed DNSCrypt for Merlin. But it seems some people have issue's with combining the two?
Click to expand...
The only thing it causes is the test site https://1.1.1.1/help won't report properly. There are in my opinion better ways to test its full function. I would use an Ubuntu live or Ubuntu desktop and use the included terminal to run a kdig command. Something like this:
Code: 
kdig -d @1.1.1.1 +dnssec +tls-ca +tls-host=cloudflare-dns.com  example.com
 
skeal said:
The only thing it causes is the test site https://1.1.1.1/help won't report properly. There are in my opinion better ways to test its full function. I would use an Ubuntu live or Ubuntu desktop and use the included terminal to run a kdig command. Something like this:
Code: 
kdig -d @1.1.1.1 +dnssec +tls-ca +tls-host=cloudflare-dns.com  example.com
Click to expand...

On my Debian OS it resulted in this:
https://i.imgur.com/1GJ3n4g.png

https://ipleak.net/ shows two IP's, even when using a VPN, it shows my ISP's IP.
So it seems to be leaking here still. (Edit: now even three)

I am using a RT-AC5300 on Merlin's Firmware Version: 384.8_2, if that helps.

Devision, Skynet and DNSCrypt are also installed.
 
Xentrk said:
I developed the Stubby installer on an AC88U and did not experience a similar issue until recently. I was out of town for several days a few weeks ago. When I returned home and turned on the router, I had the no WAN access issue. I uninstalled Stubby and everything worked again. After finishing some work on it, I reinstalled Stubby with no issues. After a reboot though, no WAN access. I applied the NTP fix and it worked good after testing on two reboots.

Right before I left on my next trip, I did another reboot. I had the no WAN access issue again. I was surprised to have this issue after applying the NTP fix. I did not have time to analyze the issue any further. I have to check the DNS probe setting myself. I have to look into more after I return home the second week of January. Hoping the new version of Stubby will be rolled into entware by that time.
Click to expand...
Thank you and all for replies. Seems that I managed to make dnscrypt-proxy work. Possible in Stubby to work too.
In my case it was not working because I had a custom NTP. So I put my NTP to 1.1.1.1 and it work. I did not tried with Stubby yet, but is a good idea I think to check if you have a custom NTP.
Code: 
server=/pool.ntp.org/1.1.1.1 to /jffs/configs/dnsmasq.conf.add
server=/ntp.alsysdata.net/1.1.1.1 to /jffs/configs/dnsmasq.conf.add
I updated my initial post and dnscrypt-proxy post with this.
Thank you again!
Great community!
 
Yes. I tried them separately. I tried DoH, then restored all settings from a backup done before DoH (nvram-save) and entware restored too. Then installed DoT.
Always separately 100%.
Thank you so much!

Sent from my ONE A2003 using Tapatalk
 
Just ran the Entware upgrade
Code: 
opkg update
opkg upgrade
Got a Collected errors warning about a confile being placed in /opt/etc/syubby/stubby.yml-opkg. The file has this notice which seems to apply to OpenWRT
Code: 
# Note: by default on OpenWRT stubby configuration is handled via
# the UCI system and the file /etc/config/stubby. If you want to
# use this file to configure stubby, then set "option manual '1'"
# in /etc/config/stubby.
Rebooted the router with no changes to the existing stubby.yml and all is working as before.
For the folks with the newer routers, AC86U AX88U, do not do the upgrade without reapplying the Jack Yaz fix.
 
Thanks for confirming DNSCrypt could cause issues with Stubby/DNSSec, @Xentrk.

Would it be enough to just uninstall DNSCrypt, and try some DNSLeak tests again?
Or should I be more careful, uninstalling things in a certain order? (Because of dependencies maybe)

Are there even any benefits of having DNSCrypt running in addition to DNSSec/Stubby?

@amplatfus, have you tried running DNSLeak tests, as you seem to be running DNSCrypt along with Stubby/DNSSec?
 
Last edited:
Dear @bmn1

I am on DoH because I use to spin down my HDD when not using it, and dnscrypt is installed on jffs so my HDD could spin down when not using.
When on Stubyy I was not trying a lot of tests because internet was not running after restart because of NTP. The same was with dnscrypt until I entered this:
Code: 
server=/pool.ntp.org/1.1.1.1 to /jffs/configs/dnsmasq.conf.add
server=/ntp.alsysdata.net/1.1.1.1 to /jffs/configs/dnsmasq.conf.add
Now, using DoH (dnscrypt) DNSLeak tests from https://www.dnsleaktest.com looks OK:

Test complete

Query round Progress... Servers found
1..............1
2..............1
3..............1
4..............1
5..............1
6..............1
IP Hostname ISP Country
172.68.225.83 none Cloudflare Hungary
hu.png


Also https_://1.1.1.1/help results here)
Hope this helps. If I can help with other info please let me know.

All the best!
 
Thanks @amplatfus
I'm not sure what your situation is regarding having a HDD hooked up for storage/swap etc, I'm just using a USB stick. :oops:

I'd prefer to have Stubby or DNSCrypt on all the time.
If you have the time, could you try http://dnsleak.com/?
https://www.dnsleaktest.com is kinda odd to me.

In the end I'd just like to know what the best option is, to have a more private DNS setup, and prevent DNS Leaking. Be it with just Stubby or a combination, which seems to cause issues.

DNSCrypt alone is not enough for true privacy from what I've read.
 
Happy to help. I already did and post the results here #375 for https://www.dnsleaktest.com
On the other hand http://dnsleak.com show me a red warning:

Looks like your DNS might be leaking...
  • Your IP: 86.xxx.xxx.xxx
  • DNS IP: 172.68.225.71
  • Hostname: 172.68.225.71
  • Country: Hungary (I am from Romania)
  • City: Budapest
Good luck!
 
So far for me, I tested some more, and had these results:

https://www.cloudflare.com/ssl/encrypted-sni/
"(X) Encrypted SNI"

https://1.1.1.1/help
"Using DNS over HTTPS (DoH) Yes"
"Using DNS over TLS (DoT) No"

The DoT error is because of having DNSCrypt set up, right?
Encrypted SNI is a client side (read browser) issue, correct? Or can this be achieved by say Stubby?

I'll try turning off DNSCrypt now, hope it doesn't break anything.

Edit:
Uninstalling DNSCrypt resulted in this:

https://1.1.1.1/help
"Using DNS over HTTPS (DoH) No"
"Using DNS over TLS (DoT) Yes"

So, is DNSCrypt actually causing a conflict/issue or is the test just not returning the correct results?
 
bmn1 said:
So far for me, I tested some more, and had these results:

https://www.cloudflare.com/ssl/encrypted-sni/
"(X) Encrypted SNI"

https://1.1.1.1/help
"Using DNS over HTTPS (DoH) Yes"
"Using DNS over TLS (DoT) No"

The DoT error is because of having DNSCrypt set up, right?
Encrypted SNI is a client side (read browser) issue, correct? Or can this be achieved by say Stubby?

I'll try turning off DNSCrypt now, hope it doesn't break anything.

Edit:
Uninstalling DNSCrypt resulted in this:

https://1.1.1.1/help
"Using DNS over HTTPS (DoH) No"
"Using DNS over TLS (DoT) Yes"

So, is DNSCrypt actually causing a conflict/issue or is the test just not returning the correct results?
Click to expand...
amplatfus said:
With DNSCrypt clean install I have Encrypted SNI failed.
PS:
For backup/ restore you could use:
NVRAM/factory default reset info: https://www.snbforums.com/threads/faq-nvram-and-factory-default-reset.22822/
and
Backuping Entware on a regular basis https://www.snbforums.com/threads/backuping-entware-on-a-regular-basis.37834/

All the best!
Click to expand...
Esni only works with using the built in doh of Firefox. If the rest of the test is good like dnssec/doh/dot then it is good when using the cloudflare test page.
 
You must log in or register to reply here.

Similar threads

RMerlin
Release Asuswrt-Merlin 3006.102.1 is now available for Wifi 7 devices
4 5 6
Replies
106
Views
17K
jksmurf
J
RMerlin
ANNOUNCEMENT: Asuswrt-Merlin support underway for 3 Wifi 7 routers
5 6 7
Replies
130
Views
27K
scasapending
S
DMcD-EMS-USMC
  • Locked
3006.102 alpha 2 Build(s) Now Available
Replies
2
Views
1K
octopus
octopus
RMerlin
Release Asuswrt-Merlin 3006.102.2 is now available for Wifi 7 devices
2 3 4
Replies
62
Views
7K
RMerlin
RMerlin
octopus
  • Locked
[ 3006.102 alpha Build(s) ] Testing available build(s)
2 3
Replies
59
Views
11K
octopus
octopus
Similar threads
Thread starter Title Forum Replies Date
RMerlin Release Asuswrt-Merlin 3004.388.8_4 is now available Asuswrt-Merlin 72
RMerlin Release Asuswrt-Merlin 3006.102.2 is now available for Wifi 7 devices Asuswrt-Merlin 62
B Unable to establish VPN connection to my PiVPN (ovpn) from my Asus RT-AC86U running Asuswrt-Merlin 386.14 Asuswrt-Merlin 1
F Several Questions Re:Asuswrt-Merlin Feature Implementation Asuswrt-Merlin 2
Yota How to enable port randomization in Asuswrt-Merlin? Asuswrt-Merlin 4
RMerlin Beta Asuswrt-Merlin 3006.102.2 Beta is now available for Wifi 7 devices Asuswrt-Merlin 70
J Does Asuswrt-Merlin support AiMesh over Wifi? Asuswrt-Merlin 4
Siff Printing from Guest Network (ASUSWRT-Merlin 3004.388.8_2) Asuswrt-Merlin 5
Siff Setting dnsmasq on Asuswrt-Merlin Asuswrt-Merlin 8
Rob Bowlby fwupdate.asuswrt-merlin.net - diversion.ch Down? Asuswrt-Merlin 7

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 732 (members: 24, guests: 708)
Top