XIII
Very Senior Member
I'm not using the installer, I was hoping to learn from the people using it.
Stubby-Installer-Asuswrt-Merlin
- Thread starter Xentrk
- Start date
It seems when I use 192.168.1.1, thus Stubby, as my DNS resolver. It seems that sometimes a page can't be found/domain name not found, then if I refresh the page a couple of times... it suddenly can find it again.
This doesn't happen when I set the WAN DNS to 1.1.1.1 directly, so it's not Cloudflare.
Anyone experiencing the same thing?
This doesn't happen when I set the WAN DNS to 1.1.1.1 directly, so it's not Cloudflare.
Anyone experiencing the same thing?
bbunge
Part of the Furniture
Yes. But not when using Cloudflare. With DNSSEC enabled and resolvers set to Quad9 or Cleanbrowsing Secure after a day or so of successful operation I suddenly can't resolve addresses. Yesterday I was using DNSSEC in dnsmasq and logged an error "Insecure DS reply recieved...."
Sent from my SM-T380 using Tapatalk
Martin_D
Regular Contributor
Working Now. If i have missed anything or it looks wrong just let me know thank you all for the help
Looks like this was the problem
Code:
administrator0f5kc6a@RT-AX88U-8C80:/tmp/home/root# opkg list_installed | grep ge
tdns
getdns - 1.4.2-1a
administrator0f5kc6a@RT-AX88U-8C80:/tmp/home/root# getdns_query -s @127.0.0.1 gi
thub.com
{
"answer_type": GETDNS_NAMETYPE_DNS,
"canonical_name": <bindata for github.com.>,
"replies_full":
[
<bindata of 0x18288180000100080000000106676974...>
],
"replies_tree":
[
{
"additional":
[
{
"do": 0,
"extended_rcode": 0,
"rdata":
{
"rdata_raw": <bindata of 0x>
},
"type": GETDNS_RRTYPE_OPT,
"udp_payload_size": 1452,
"version": 0,
"z": 0
}
],
"answer":
[
{
"class": GETDNS_RRCLASS_IN,
"name": <bindata for github.com.>,
"rdata":
{
"nsdname": <bindata for ns2.p16.dynect.net.>,
"rdata_raw": <bindata for ns2.p16.dynect.net.>
},
"ttl": 900,
"type": GETDNS_RRTYPE_NS
},
{
"class": GETDNS_RRCLASS_IN,
"name": <bindata for github.com.>,
"rdata":
{
"nsdname": <bindata for ns3.p16.dynect.net.>,
"rdata_raw": <bindata for ns3.p16.dynect.net.>
},
"ttl": 900,
"type": GETDNS_RRTYPE_NS
},
{
"class": GETDNS_RRCLASS_IN,
"name": <bindata for github.com.>,
"rdata":
{
"nsdname": <bindata for ns4.p16.dynect.net.>,
"rdata_raw": <bindata for ns4.p16.dynect.net.>
},
"ttl": 900,
"type": GETDNS_RRTYPE_NS
},
{
"class": GETDNS_RRCLASS_IN,
"name": <bindata for github.com.>,
"rdata":
{
"nsdname": <bindata for ns-421.awsdns-52.com.>,
"rdata_raw": <bindata for ns-421.awsdns-52.com.>
},
"ttl": 900,
"type": GETDNS_RRTYPE_NS
},
{
"class": GETDNS_RRCLASS_IN,
"name": <bindata for github.com.>,
"rdata":
{
"nsdname": <bindata for ns-520.awsdns-01.net.>,
"rdata_raw": <bindata for ns-520.awsdns-01.net.>
},
"ttl": 900,
"type": GETDNS_RRTYPE_NS
},
{
"class": GETDNS_RRCLASS_IN,
"name": <bindata for github.com.>,
"rdata":
{
"nsdname": <bindata for ns-1283.awsdns-32.org.>,
"rdata_raw": <bindata for ns-1283.awsdns-32.org.>
},
"ttl": 900,
"type": GETDNS_RRTYPE_NS
},
{
"class": GETDNS_RRCLASS_IN,
"name": <bindata for github.com.>,
"rdata":
{
"nsdname": <bindata for ns-1707.awsdns-21.co.uk.>,
"rdata_raw": <bindata for ns-1707.awsdns-21.co.uk.>
},
"ttl": 900,
"type": GETDNS_RRTYPE_NS
},
{
"class": GETDNS_RRCLASS_IN,
"name": <bindata for github.com.>,
"rdata":
{
"nsdname": <bindata for ns1.p16.dynect.net.>,
"rdata_raw": <bindata for ns1.p16.dynect.net.>
},
"ttl": 900,
"type": GETDNS_RRTYPE_NS
}
],
"answer_type": GETDNS_NAMETYPE_DNS,
"authority": [],
"canonical_name": <bindata for github.com.>,
"header":
{
"aa": 0,
"ad": 0,
"ancount": 8,
"arcount": 1,
"cd": 0,
"id": 6184,
"nscount": 0,
"opcode": GETDNS_OPCODE_QUERY,
"qdcount": 1,
"qr": 1,
"ra": 1,
"rcode": GETDNS_RCODE_NOERROR,
"rd": 1,
"tc": 0,
"z": 0
},
"question":
{
"qclass": GETDNS_RRCLASS_IN,
"qname": <bindata for github.com.>,
"qtype": GETDNS_RRTYPE_NS
}
}
],
"status": GETDNS_RESPSTATUS_GOOD
}
Code:
Debug Information
Connected to 1.1.1.1 Yes
Using DNS over HTTPS (DoH) No
Using DNS over TLS (DoT) Yes
AS Name Cloudflare
AS Number 13335
Cloudflare Data Center BUD
Code:
dministrator0f5kc6a@RT-AX88U-8C80:/tmp/home/root# stubby -l
[16:41:02.123357] STUBBY: Read config from file /opt/etc/stubby/stubby.yml
[16:41:02.123929] STUBBY: DNSSEC Validation is OFF
[16:41:02.123959] STUBBY: Transport list is:
[16:41:02.123973] STUBBY: - TLS
[16:41:02.123989] STUBBY: Privacy Usage Profile is Strict (Authentication requir ed)
[16:41:02.124004] STUBBY: (NOTE a Strict Profile only applies when TLS is the ON LY transport!!)
[16:41:02.124018] STUBBY: Starting DAEMON....
[16:41:20.710298] STUBBY: 1.1.1.1 : Conn opened: TLS - Strict Profile
[16:41:20.775141] STUBBY: 1.1.1.1 : Verify passed : TLS
[16:41:20.799516] STUBBY: 1.0.0.1 : Conn opened: TLS - Strict Profile
[16:41:20.869289] STUBBY: 1.0.0.1 : Verify passed : TLS
[16:41:36.183899] STUBBY: 1.0.0.1 : Conn closed: TLS - Resps= 6, Timeouts = 0, Curr_auth =Success, Keepalive(ms)= 10000
[16:41:36.183956] STUBBY: 1.0.0.1 : Upstream : TLS - Resps= 6, Timeouts = 0, Best_auth =Success
[16:41:36.183965] STUBBY: 1.0.0.1 : Upstream : TLS - Conns= 1, Conn_fails= 0, Conn_shuts= 1, Backoffs = 0
[16:41:39.498309] STUBBY: 1.1.1.1 : Conn closed: TLS - Resps= 7, Timeouts = 0, Curr_auth =Success, Keepalive(ms)= 10000
[16:41:39.498364] STUBBY: 1.1.1.1 : Upstream : TLS - Resps= 7, Timeouts = 0, Best_auth =Success
[16:41:39.498373] STUBBY: 1.1.1.1 : Upstream : TLS - Conns= 1, Conn_fails= 0, Conn_shuts= 1, Backoffs = 0
[16:41:40.638299] STUBBY: 1.0.0.1 : Conn opened: TLS - Strict Profile
[16:41:50.751349] STUBBY: 1.0.0.1 : Conn closed: TLS - Resps= 1, Timeouts = 0, Curr_auth =Success, Keepalive(ms)= 10000
[16:41:50.751406] STUBBY: 1.0.0.1 : Upstream : TLS - Resps= 7, Timeouts = 0, Best_auth =Success
[16:41:50.751415] STUBBY: 1.0.0.1 : Upstream : TLS - Conns= 2, Conn_fails= 0, Conn_shuts= 2, Backoffs = 0
[16:42:00.870654] STUBBY: 1.1.1.1 : Conn opened: TLS - Strict Profile
[16:42:00.901129] STUBBY: 1.0.0.1 : Conn opened: TLS - Strict Profile
Jack Yaz
Part of the Furniture
Fork has been updated
For HND routers (RT-AC86U, GT-AC5300, RT-AX88U)
I have built stubby 0.2.4 and getdns 1.5.0 with openssl 1.1.1a statically.
stubby_0.2.4-tls1.3
https://drive.google.com/file/d/1kZu3y5HeoMw6YfLxt6aQCEedHvhewwtU/view
getdns_1.5.0-tls1.3
https://drive.google.com/file/d/1DEwc0uJ3plYC6AS2reFK1wczVmnsL79B/view
I have built stubby 0.2.4 and getdns 1.5.0 with openssl 1.1.1a statically.
stubby_0.2.4-tls1.3
https://drive.google.com/file/d/1kZu3y5HeoMw6YfLxt6aQCEedHvhewwtU/view
getdns_1.5.0-tls1.3
https://drive.google.com/file/d/1DEwc0uJ3plYC6AS2reFK1wczVmnsL79B/view
Jack Yaz
Part of the Furniture
Am i OK to put these on github for use with the fork?
sure.
XIII
Very Senior Member
Cool!
I would like to do something similar for unbound (with openssl 1.1.1a statically), for AC86U and AC68U.
Where can I find how to do this? Do you have any pointers?
https://github.com/Entware/Entware/wiki/Compile-packages-from-sources
https://github.com/cotequeiroz/openwrt-1/tree/openssl-1.1_devcrypto/package/libs/openssl
I added this in getdns Makefile.
Code:
CONFIGURE_VARS += \
LIBS="-Wl,-Bstatic -lssl -lcrypto -Wl,-Bdynamic -lpthread -lc -lgcc_eh"
joegreat
Very Senior Member
Same here: I have for Quad9 and Cloudfare setup the Primary/Secondary servers - totally 4 - in round robin mode - normally it works fine, but I also experienced the not found problem (with reload it works).
My interpretation was the heavy load on my router with Deluge (Torrent-Client) - but it could be a different issue...
Update: While checking the setup via Cloudflare "Browsing Experience Security Check" I saw mixed results for the Secure DNS status. Removing Quad9 from the configuration showed good results - even when refreshing the test multiple times - so Quad9 seems to be the culprit of my issue...
Code:
chief@RT-AC87U:/tmp/home/root# stubby -l
[17:33:31.047284] STUBBY: Read config from file /opt/etc/stubby/stubby.yml
[17:33:31.067819] STUBBY: DNSSEC Validation is OFF
[17:33:31.067905] STUBBY: Transport list is:
[17:33:31.067924] STUBBY: - TLS
[17:33:31.067945] STUBBY: Privacy Usage Profile is Strict (Authentication required)
[17:33:31.067959] STUBBY: (NOTE a Strict Profile only applies when TLS is the ONLY transport!!)
[17:33:31.067972] STUBBY: Starting DAEMON....
[17:33:32.111851] STUBBY: 9.9.9.9 : Conn opened: TLS - Strict Profile
[17:33:32.184572] STUBBY: 9.9.9.9 : Verify passed : TLS
[17:33:34.198286] STUBBY: 9.9.9.9 : Conn closed: TLS - Resps= 1, Timeouts = 0, Curr_auth =Success, Keepalive(ms)= 2000
[17:33:34.198353] STUBBY: 9.9.9.9 : Upstream : TLS - Resps= 1, Timeouts = 0, Best_auth =Success
[17:33:34.198372] STUBBY: 9.9.9.9 : Upstream : TLS - Conns= 1, Conn_fails= 0, Conn_shuts= 0, Backoffs = 0
[17:33:42.251488] STUBBY: 149.112.112.112 : Conn opened: TLS - Strict Profile
[17:33:42.322313] STUBBY: 149.112.112.112 : Verify passed : TLS
[17:33:44.338481] STUBBY: 149.112.112.112 : Conn closed: TLS - Resps= 1, Timeouts = 0, Curr_auth =Success, Keepalive(ms)= 2000
[17:33:44.338654] STUBBY: 149.112.112.112 : Upstream : TLS - Resps= 1, Timeouts = 0, Best_auth =Success
[17:33:44.338672] STUBBY: 149.112.112.112 : Upstream : TLS - Conns= 1, Conn_fails= 0, Conn_shuts= 0, Backoffs = 0
[17:33:52.452192] STUBBY: 1.1.1.1 : Conn opened: TLS - Strict Profile
[17:33:52.644908] STUBBY: 1.1.1.1 : Verify passed : TLS
[17:33:54.657114] STUBBY: 1.1.1.1 : Conn closed: TLS - Resps= 1, Timeouts = 0, Curr_auth =Success, Keepalive(ms)= 2000
[17:33:54.657169] STUBBY: 1.1.1.1 : Upstream : TLS - Resps= 1, Timeouts = 0, Best_auth =Success
[17:33:54.657187] STUBBY: 1.1.1.1 : Upstream : TLS - Conns= 1, Conn_fails= 0, Conn_shuts= 0, Backoffs = 0
[17:33:56.969193] STUBBY: 1.0.0.1 : Conn opened: TLS - Strict Profile
Last edited:
There are new options available in stubby 0.2.4.
Code:
tls_ciphersuites (for TLS >= 1.3)
tls_cipher_list (for TLS < 1.3)
tls_min_version
tls_max_version
Code:
tls_min_version: GETDNS_TLS1_3
tls_ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"Default cipher suites priority is
Code:
TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256I think this is not a big factor, anyway it gives me better feeling
HuskyHerder
Senior Member
You can add the RT-AC5300 to your list, I am passing all the tests for "validating-that-stubby-is-working" on the project page.
I am still reading over some of the topic, so I’ll hold a few questions that I have for a bit longer.
Jack Yaz
Part of the Furniture
Fork updated
cmkelley
Very Senior Member
Err, no. That's what the likes of Diversion and Skynet are for. Stubby only changes the transport method in which queries are made to DNS servers.
preacher65
Regular Contributor
Thanks Jack. I was just re-installing and noticed the install command on github points to https://raw.githubusercontent.com/Xentrk, I think it's probably always been like that, as I seem to remember manually changing it to https://raw.githubusercontent.com/jackyaz previously, or maybe it was correct before but changed back at some point. There's probably a post here in the thread with the correct command, but I had your github page bookmarked and copied & pasted the command line without noticing or remembering it needed changing. And then of course it installed the normal getdns and I had no internet until I reset my WAN DNS and started again.Fork updated
Thought I'd mention it in case it's easy to change and you have time. Big thanks to @Odkrys for the patched versions and yourself for the forked installer.
Edit: While I'm asking
Code:
echo | openssl s_client -verify on -CApath /rom/etc/ssl/certs -connect 1.1.1.1:853
Code:
echo | openssl s_client -verify on -CAfile /rom/etc/ssl/certs/ca-certificates.crt -connect 1.1.1.1:853
Last edited:
Jack Yaz
Part of the Furniture
Ah, that's an oversight on my part. I'll get that fixed
HuskyHerder
Senior Member
Well, we had a huge power blip/surge, the worst one in the 20 years I have been in this house.
Luckily my 5300 seems to have survived, however I was unable to get back online. This necessitated a complete reset, it was quicker and easier than troubleshooting with a wife and kids breathing down my neck. All kinds of issues, no problem with the selective restore. I had great backup's of my prized static IP address list
I did try a few steps like adding the command for the ntp to dnsmasq...add fearing it was that issue. However, that did not yield any successful results. So here goes round 2 from scratch.
Luckily my 5300 seems to have survived, however I was unable to get back online. This necessitated a complete reset, it was quicker and easier than troubleshooting with a wife and kids breathing down my neck. All kinds of issues, no problem with the selective restore. I had great backup's of my prized static IP address list
I did try a few steps like adding the command for the ntp to dnsmasq...add fearing it was that issue. However, that did not yield any successful results. So here goes round 2
from scratch.Similar threads
Similar threads
Similar threads
-
-
Release Asuswrt-Merlin 3006.102.2 is now available for Wifi 7 devices
- Started by RMerlin
- Replies: 62
-
Unable to establish VPN connection to my PiVPN (ovpn) from my Asus RT-AC86U running Asuswrt-Merlin 386.14
- Started by B0GDAN
- Replies: 1
-
Several Questions Re:Asuswrt-Merlin Feature Implementation
- Started by fenixreign
- Replies: 2
-
-
Beta Asuswrt-Merlin 3006.102.2 Beta is now available for Wifi 7 devices
- Started by RMerlin
- Replies: 70
-
-
-
-
Latest threads
-
Ubuntu Linux impacted by decade-old 'needrestart' flaw that gives root- Started by PR3MIUM
- Replies: 0
-
-
-
-
Upgrading from wifi 5 to wifi 6 and looking for suggestions
- Started by Listedguru2
- Replies: 6
Support SNBForums w/ Amazon
If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!
Sign Up For SNBForums Daily Digest
Get an update of what's new every day delivered to your mailbox. Sign up here!