Stubby-Installer-Asuswrt-Merlin

[JemTheWire]

You may want to add:

proxy-dnssec

to the dnsmasq.conf.add file if you plan to use dnssec.

Edit: I decided to add to this post instead of creating another...

Several folks have had the same "issue" with Stubby install recently. Everything one needs is in the Github post

https://github.com/Xentrk/Stubby-Installer-Asuswrt-Merlin

One should not attempt to install Stubby without reading the instructions first.
If you do not understand a procedure, ask first.
For Windows users I recommend you get and install on your PC WinSCP and Putty. WInSCP is a great tool for browsing and editing files on a remote device such as an Asus router. Putty is needed to issue commands and check if processes work.

Some other things you need to know:
The Stubby Installer disables DNSSEC in Merlin. There is some debate if you really need DNSSEC if you have encrypted DNS provided by Stubby. So, it is you choice to turn DNSSEC back on or not.
Enabling DNSSEC will break the Cloudflare help test.
Most DNSSEC tests on the web only check if the remote resolver is capable of DNSSEC not that your DNSSEC is working. Using Dig is about the only way to test your connection. Yes, there are iOS and Android apps for this.
DNSSEC can be enabled in Stubby or Merlin (dnsmasq). Either work and neither is preferred. At this time I'm using Clean Browsing Security DNS with DNSSEC enabled in Merlin.
As a temporary fix for the time server issue you can use an IP address of a time server in NTP Server setting. Although the fix to /jffs/configs/dnsmasq.conf.add is preferred.

Thank you for this. My bad. I have now bookmarked the GitHub page for future reference.

 

[DAVID LONG]

It was suggested to me to use ...

opkg install stubby fake-hwclock

and it seems to be working on my AC86U.

Is this not a good option?

 

[skeal]

It was suggested to me to use ...

opkg install stubby fake-hwclock

and it seems to be working on my AC86U.

Is this not a good option?

For some people adding fake-hwclock does nothing as in my case. For me I used server=/pool.ntp.org/1.1.1.1

 

[bbunge]

It was suggested to me to use ...

opkg install stubby fake-hwclock

and it seems to be working on my AC86U.

Is this not a good option?

We tested the fake-hwclock with stubby before the public release. It seemed to work for reboot but we were concerned that it would not work for a prolonged power off/shutdown.
What does work in a pinch is to use an IP address in Administration/System/NTP server. The default of pool.ntp.org is an anycast URL so doing a ping on a regional time server gets you an IP address (for me us.pool.ntp.org gives me IP 192.73.244.251). The recommended way is to use server=/pool.ntp.org/1.1.1.1 in /jffs/configs/dnsmasq.conf.add

 

[DAVID LONG]

I have an IP address in there as well.. 128.138.140.44

Not sure which fix is working, that or fake-hwclock

Is this line (server=/pool.ntp.org/1.1.1.1) added to /jffs/configs/dnsmasq.conf.add, or does it replace whats in there now, in my case...

proxy-dnssec
server=127.0.0.1#5453
server=0::1#5453

 

[bbunge]

I have an IP address in there as well.. 128.138.140.44

Not sure which fix is working, that or fake-hwclock

Is this line (server=/pool.ntp.org/1.1.1.1) added to /jffs/configs/dnsmasq.conf.add, or does it replace whats in there now, in my case...

proxy-dnssec
server=127.0.0.1#5453
server=0::1#5453

Added

 

[DAVID LONG]

OK, Thanks.

 

[Xentrk]

administrator0f5kc6a@RT-AX88U-8C80:/tmp/home/root# getdns_query -s @127.0.0.1 gi
thub.com
Killed

Looks like an incompatibility with the processor in the AC88X. Probably will need to create an issue with the Stubby team on their GitHub repo and make mods to the source code, similar what @Jack Yaz did to get it to work on the AC86U. I wait for @Jack Yaz to chime in on the issue first.

 

[Jack Yaz]

Looks like an incompatibility with the processor in the AC88X. Probably will need to create an issue with the Stubby team on their GitHub repo and make mods to the source code, similar what @Jack Yaz did to get it to work on the AC86U. I wait for @Jack Yaz to chime in on the issue first.

FWIW @Odkrys did the patching, I just uploaded a copy of the binary

It may work with the AX88U - I don't know the specifics sadly. Worth a try using the commands I posted previously.

 

[XIII]

Out of curiosity: what do you guys get on http://1.1.1.1/help with stubby?

Cloudflare does not seem to detect 1.1.1.1 nor DoT on my router, so my unbound configuration might be less good than I thought...

 

[bbunge]

Out of curiosity: what do you guys get on http://1.1.1.1/help with stubby?

Cloudflare does not seem to detect 1.1.1.1 nor DoT on my router, so my unbound configuration might be less good than I thought...

With resolvers set to Cloudflare and dnssec off the help site shows DoT yes.

Sent from my SM-T380 using Tapatalk

 

[JemTheWire]

With resolvers set to Cloudflare and dnssec off the help site shows DoT yes.

Sent from my SM-T380 using Tapatalk

Same here.

 

[XIII]

Oh, wait, you guys mean DNSSEC off in LAN - DHCP Server settings in the router GUI?

If I do that the Cloudflare test page indeed reports 1.1.1.1 and DoT for my unbound setup!

I was trying to disable DNSSEC in unbound itself...

If it's indeed the setting in the router GUI I'm confused now: do you guys keep this setting enabled or disabled?

 

[JemTheWire]

IIRC. The Stubby installer disabled this automagically.

 

[skeal]

Oh, wait, you guys mean DNSSEC off in LAN - DHCP Server settings in the router GUI?

If I do that the Cloudflare test page indeed reports 1.1.1.1 and DoT for my unbound setup!

I was trying to disable DNSSEC in unbound itself...

If it's indeed the setting in the router GUI I'm confused now: do you guys keep this setting enabled or disabled?

This installer was never made to work with unbound. Yet.

 

[Martin_D]

FWIW @Odkrys did the patching, I just uploaded a copy of the binary

It may work with the AX88U - I don't know the specifics sadly. Worth a try using the commands I posted previously.

Just tried this sadly not working on the AX88U

 

[bbunge]

Oh, wait, you guys mean DNSSEC off in LAN - DHCP Server settings in the router GUI?

If I do that the Cloudflare test page indeed reports 1.1.1.1 and DoT for my unbound setup!

I was trying to disable DNSSEC in unbound itself...

If it's indeed the setting in the router GUI I'm confused now: do you guys keep this setting enabled or disabled?

Should not matter where you run dnssec. Just run it from one place.
Along that line running dnssec on cleanbrowsing messed up tonight. Back to Cloudflare DNS and dnssec in Stubby.

Sent from my SM-T380 using Tapatalk

 

[Odkrys]

Just tried this sadly not working on the AX88U

It should work on ax88u too.

opkg list_installed | grep getdns

 

[Odkrys]

FWIW @Odkrys did the patching, I just uploaded a copy of the binary

It may work with the AX88U - I don't know the specifics sadly. Worth a try using the commands I posted previously.

opkg install /var/tmp/patchedgetdns.ipk && printf "getdns successfully patched\n" || printf "An error occurred patching getdns\n" || exit 1

stubby successfully installed
Not downgrading package getdns on root from 1.4.2-2 to 1.4.2-1a.
getdns successfully patched

Your script need a fix.
opkg install /var/tmp/patchedgetdns.ipk --force-downgrade

Entware version has newer release number 1.4.2-2 on the other hand patched version is 1.4.2-1a.

 

[Jack Yaz]

opkg install /var/tmp/patchedgetdns.ipk && printf "getdns successfully patched\n" || printf "An error occurred patching getdns\n" || exit 1

stubby successfully installed
Not downgrading package getdns on root from 1.4.2-2 to 1.4.2-1a.
getdns successfully patched

Your script need a fix.
opkg install /var/tmp/patchedgetdns.ipk --force-downgrade

Entware version has newer release number 1.4.2-2 on the other hand patched version is 1.4.2-1a.

I'll update the fork, thanks. Typically entware would update shortly after I wrote the script!