What's new

Stubby-Installer-Asuswrt-Merlin

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

It seems when I use 192.168.1.1, thus Stubby, as my DNS resolver. It seems that sometimes a page can't be found/domain name not found, then if I refresh the page a couple of times... it suddenly can find it again.


This doesn't happen when I set the WAN DNS to 1.1.1.1 directly, so it's not Cloudflare.

Anyone experiencing the same thing?
 
It seems when I use 192.168.1.1, thus Stubby, as my DNS resolver. It seems that sometimes a page can't be found/domain name not found, then if I refresh the page a couple of times... it suddenly can find it again.


This doesn't happen when I set the WAN DNS to 1.1.1.1 directly, so it's not Cloudflare.

Anyone experiencing the same thing?
Yes. But not when using Cloudflare. With DNSSEC enabled and resolvers set to Quad9 or Cleanbrowsing Secure after a day or so of successful operation I suddenly can't resolve addresses. Yesterday I was using DNSSEC in dnsmasq and logged an error "Insecure DS reply recieved...."

Sent from my SM-T380 using Tapatalk
 
It should work on ax88u too.
Code:
opkg list_installed | grep getdns

Working Now. If i have missed anything or it looks wrong just let me know thank you all for the help

Looks like this was the problem

I'll update the fork, thanks. Typically entware would update shortly after I wrote the script!

Code:
administrator0f5kc6a@RT-AX88U-8C80:/tmp/home/root# opkg list_installed | grep ge
tdns
getdns - 1.4.2-1a
administrator0f5kc6a@RT-AX88U-8C80:/tmp/home/root# getdns_query -s @127.0.0.1 gi
thub.com
{
  "answer_type": GETDNS_NAMETYPE_DNS,
  "canonical_name": <bindata for github.com.>,
  "replies_full":
  [
     <bindata of 0x18288180000100080000000106676974...>
  ],
  "replies_tree":
  [
    {
      "additional":
      [
        {
          "do": 0,
          "extended_rcode": 0,
          "rdata":
          {
            "rdata_raw": <bindata of 0x>
          },
          "type": GETDNS_RRTYPE_OPT,
          "udp_payload_size": 1452,
          "version": 0,
          "z": 0
        }
      ],
      "answer":
      [
        {
          "class": GETDNS_RRCLASS_IN,
          "name": <bindata for github.com.>,
          "rdata":
          {
            "nsdname": <bindata for ns2.p16.dynect.net.>,
            "rdata_raw": <bindata for ns2.p16.dynect.net.>
          },
          "ttl": 900,
          "type": GETDNS_RRTYPE_NS
        },
        {
          "class": GETDNS_RRCLASS_IN,
          "name": <bindata for github.com.>,
          "rdata":
          {
            "nsdname": <bindata for ns3.p16.dynect.net.>,
            "rdata_raw": <bindata for ns3.p16.dynect.net.>
          },
          "ttl": 900,
          "type": GETDNS_RRTYPE_NS
        },
        {
          "class": GETDNS_RRCLASS_IN,
          "name": <bindata for github.com.>,
          "rdata":
          {
            "nsdname": <bindata for ns4.p16.dynect.net.>,
            "rdata_raw": <bindata for ns4.p16.dynect.net.>
          },
          "ttl": 900,
          "type": GETDNS_RRTYPE_NS
        },
        {
          "class": GETDNS_RRCLASS_IN,
          "name": <bindata for github.com.>,
          "rdata":
          {
            "nsdname": <bindata for ns-421.awsdns-52.com.>,
            "rdata_raw": <bindata for ns-421.awsdns-52.com.>
          },
          "ttl": 900,
          "type": GETDNS_RRTYPE_NS
        },
        {
          "class": GETDNS_RRCLASS_IN,
          "name": <bindata for github.com.>,
          "rdata":
          {
            "nsdname": <bindata for ns-520.awsdns-01.net.>,
            "rdata_raw": <bindata for ns-520.awsdns-01.net.>
          },
          "ttl": 900,
          "type": GETDNS_RRTYPE_NS
        },
        {
          "class": GETDNS_RRCLASS_IN,
          "name": <bindata for github.com.>,
          "rdata":
          {
            "nsdname": <bindata for ns-1283.awsdns-32.org.>,
            "rdata_raw": <bindata for ns-1283.awsdns-32.org.>
          },
          "ttl": 900,
          "type": GETDNS_RRTYPE_NS
        },
        {
          "class": GETDNS_RRCLASS_IN,
          "name": <bindata for github.com.>,
          "rdata":
          {
            "nsdname": <bindata for ns-1707.awsdns-21.co.uk.>,
            "rdata_raw": <bindata for ns-1707.awsdns-21.co.uk.>
          },
          "ttl": 900,
          "type": GETDNS_RRTYPE_NS
        },
        {
          "class": GETDNS_RRCLASS_IN,
          "name": <bindata for github.com.>,
          "rdata":
          {
            "nsdname": <bindata for ns1.p16.dynect.net.>,
            "rdata_raw": <bindata for ns1.p16.dynect.net.>
          },
          "ttl": 900,
          "type": GETDNS_RRTYPE_NS
        }
      ],
      "answer_type": GETDNS_NAMETYPE_DNS,
      "authority": [],
      "canonical_name": <bindata for github.com.>,
      "header":
      {
        "aa": 0,
        "ad": 0,
        "ancount": 8,
        "arcount": 1,
        "cd": 0,
        "id": 6184,
        "nscount": 0,
        "opcode": GETDNS_OPCODE_QUERY,
        "qdcount": 1,
        "qr": 1,
        "ra": 1,
        "rcode": GETDNS_RCODE_NOERROR,
        "rd": 1,
        "tc": 0,
        "z": 0
      },
      "question":
      {
        "qclass": GETDNS_RRCLASS_IN,
        "qname": <bindata for github.com.>,
        "qtype": GETDNS_RRTYPE_NS
      }
    }
  ],
  "status": GETDNS_RESPSTATUS_GOOD
}

Code:
Debug Information
Connected to 1.1.1.1    Yes
Using DNS over HTTPS (DoH)    No
Using DNS over TLS (DoT)    Yes
AS Name    Cloudflare
AS Number    13335
Cloudflare Data Center    BUD

Code:
dministrator0f5kc6a@RT-AX88U-8C80:/tmp/home/root# stubby -l
[16:41:02.123357] STUBBY: Read config from file /opt/etc/stubby/stubby.yml
[16:41:02.123929] STUBBY: DNSSEC Validation is OFF
[16:41:02.123959] STUBBY: Transport list is:
[16:41:02.123973] STUBBY:   - TLS
[16:41:02.123989] STUBBY: Privacy Usage Profile is Strict (Authentication requir                                                                             ed)
[16:41:02.124004] STUBBY: (NOTE a Strict Profile only applies when TLS is the ON                                                                             LY transport!!)
[16:41:02.124018] STUBBY: Starting DAEMON....
[16:41:20.710298] STUBBY: 1.1.1.1                                  : Conn opened: TLS - Strict Profile
[16:41:20.775141] STUBBY: 1.1.1.1                                  : Verify passed : TLS
[16:41:20.799516] STUBBY: 1.0.0.1                                  : Conn opened: TLS - Strict Profile
[16:41:20.869289] STUBBY: 1.0.0.1                                  : Verify passed : TLS
[16:41:36.183899] STUBBY: 1.0.0.1                                  : Conn closed: TLS - Resps=     6, Timeouts  =     0, Curr_auth =Success, Keepalive(ms)= 10000
[16:41:36.183956] STUBBY: 1.0.0.1                                  : Upstream   : TLS - Resps=     6, Timeouts  =     0, Best_auth =Success
[16:41:36.183965] STUBBY: 1.0.0.1                                  : Upstream   : TLS - Conns=     1, Conn_fails=     0, Conn_shuts=      1, Backoffs     =     0
[16:41:39.498309] STUBBY: 1.1.1.1                                  : Conn closed: TLS - Resps=     7, Timeouts  =     0, Curr_auth =Success, Keepalive(ms)= 10000
[16:41:39.498364] STUBBY: 1.1.1.1                                  : Upstream   : TLS - Resps=     7, Timeouts  =     0, Best_auth =Success
[16:41:39.498373] STUBBY: 1.1.1.1                                  : Upstream   : TLS - Conns=     1, Conn_fails=     0, Conn_shuts=      1, Backoffs     =     0
[16:41:40.638299] STUBBY: 1.0.0.1                                  : Conn opened: TLS - Strict Profile
[16:41:50.751349] STUBBY: 1.0.0.1                                  : Conn closed: TLS - Resps=     1, Timeouts  =     0, Curr_auth =Success, Keepalive(ms)= 10000
[16:41:50.751406] STUBBY: 1.0.0.1                                  : Upstream   : TLS - Resps=     7, Timeouts  =     0, Best_auth =Success
[16:41:50.751415] STUBBY: 1.0.0.1                                  : Upstream   : TLS - Conns=     2, Conn_fails=     0, Conn_shuts=      2, Backoffs     =     0
[16:42:00.870654] STUBBY: 1.1.1.1                                  : Conn opened: TLS - Strict Profile
[16:42:00.901129] STUBBY: 1.0.0.1                                  : Conn opened: TLS - Strict Profile
 
Code:
opkg install /var/tmp/patchedgetdns.ipk && printf "getdns successfully patched\n" || printf "An error occurred patching getdns\n" || exit 1
Code:
stubby successfully installed
Not downgrading package getdns on root from 1.4.2-2 to 1.4.2-1a.
getdns successfully patched

Your script need a fix.
opkg install /var/tmp/patchedgetdns.ipk --force-downgrade

Entware version has newer release number 1.4.2-2 on the other hand patched version is 1.4.2-1a.
Fork has been updated
 
I have built stubby 0.2.4 and getdns 1.5.0 with openssl 1.1.1a statically
Cool!

I would like to do something similar for unbound (with openssl 1.1.1a statically), for AC86U and AC68U.

Where can I find how to do this? Do you have any pointers?
 
It seems when I use 192.168.1.1, thus Stubby, as my DNS resolver. It seems that sometimes a page can't be found/domain name not found, then if I refresh the page a couple of times... it suddenly can find it again.

This doesn't happen when I set the WAN DNS to 1.1.1.1 directly, so it's not Cloudflare.
Yes. But not when using Cloudflare. With DNSSEC enabled and resolvers set to Quad9 or Cleanbrowsing Secure after a day or so of successful operation I suddenly can't resolve addresses. Yesterday I was using DNSSEC in dnsmasq and logged an error "Insecure DS reply recieved...."
Same here: I have for Quad9 and Cloudfare setup the Primary/Secondary servers - totally 4 - in round robin mode - normally it works fine, but I also experienced the not found problem (with reload it works).

My interpretation was the heavy load on my router with Deluge (Torrent-Client) - but it could be a different issue... :rolleyes:

Update: While checking the setup via Cloudflare "Browsing Experience Security Check" I saw mixed results for the Secure DNS status. Removing Quad9 from the configuration showed good results - even when refreshing the test multiple times - so Quad9 seems to be the culprit of my issue...

Code:
chief@RT-AC87U:/tmp/home/root# stubby -l
[17:33:31.047284] STUBBY: Read config from file /opt/etc/stubby/stubby.yml
[17:33:31.067819] STUBBY: DNSSEC Validation is OFF
[17:33:31.067905] STUBBY: Transport list is:
[17:33:31.067924] STUBBY:   - TLS
[17:33:31.067945] STUBBY: Privacy Usage Profile is Strict (Authentication required)
[17:33:31.067959] STUBBY: (NOTE a Strict Profile only applies when TLS is the ONLY transport!!)
[17:33:31.067972] STUBBY: Starting DAEMON....
[17:33:32.111851] STUBBY: 9.9.9.9                                  : Conn opened: TLS - Strict Profile
[17:33:32.184572] STUBBY: 9.9.9.9                                  : Verify passed : TLS
[17:33:34.198286] STUBBY: 9.9.9.9                                  : Conn closed: TLS - Resps=     1, Timeouts  =     0, Curr_auth =Success, Keepalive(ms)=  2000
[17:33:34.198353] STUBBY: 9.9.9.9                                  : Upstream   : TLS - Resps=     1, Timeouts  =     0, Best_auth =Success
[17:33:34.198372] STUBBY: 9.9.9.9                                  : Upstream   : TLS - Conns=     1, Conn_fails=     0, Conn_shuts=      0, Backoffs     =     0
[17:33:42.251488] STUBBY: 149.112.112.112                          : Conn opened: TLS - Strict Profile
[17:33:42.322313] STUBBY: 149.112.112.112                          : Verify passed : TLS
[17:33:44.338481] STUBBY: 149.112.112.112                          : Conn closed: TLS - Resps=     1, Timeouts  =     0, Curr_auth =Success, Keepalive(ms)=  2000
[17:33:44.338654] STUBBY: 149.112.112.112                          : Upstream   : TLS - Resps=     1, Timeouts  =     0, Best_auth =Success
[17:33:44.338672] STUBBY: 149.112.112.112                          : Upstream   : TLS - Conns=     1, Conn_fails=     0, Conn_shuts=      0, Backoffs     =     0
[17:33:52.452192] STUBBY: 1.1.1.1                                  : Conn opened: TLS - Strict Profile
[17:33:52.644908] STUBBY: 1.1.1.1                                  : Verify passed : TLS
[17:33:54.657114] STUBBY: 1.1.1.1                                  : Conn closed: TLS - Resps=     1, Timeouts  =     0, Curr_auth =Success, Keepalive(ms)=  2000
[17:33:54.657169] STUBBY: 1.1.1.1                                  : Upstream   : TLS - Resps=     1, Timeouts  =     0, Best_auth =Success
[17:33:54.657187] STUBBY: 1.1.1.1                                  : Upstream   : TLS - Conns=     1, Conn_fails=     0, Conn_shuts=      0, Backoffs     =     0
[17:33:56.969193] STUBBY: 1.0.0.1                                  : Conn opened: TLS - Strict Profile
 
Last edited:
Am i OK to put these on github for use with the fork?
There are new options available in stubby 0.2.4.
Code:
tls_ciphersuites (for TLS >= 1.3)
tls_cipher_list (for TLS < 1.3)
tls_min_version
tls_max_version
I personally added two options in stubby.yml.
Code:
tls_min_version: GETDNS_TLS1_3
tls_ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"

Default cipher suites priority is
Code:
TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
HND routers can accelerate SHA1 SHA256 but not SHA384.
I think this is not a big factor, anyway it gives me better feeling :D
 
All Asus models supported by Asuswrt-Merlin, with the exception of the AC86U, should be supported by this script. To date, I have received confirmation that it works on the following models:
  • RT-AC66U_B1
  • RT-AC68U
  • RT-AC87U
  • RT-AC88U
  • RT-AC3100
  • RT-AC3200
You can add the RT-AC5300 to your list, I am passing all the tests for "validating-that-stubby-is-working" on the project page.

I am still reading over some of the topic, so I’ll hold a few questions that I have for a bit longer.
 
Hi,

Please, one question I have: is possible to block adds using Stubby?

Thanks!
 
Hi,

Please, one question I have: is possible to block adds using Stubby?

Thanks!
Err, no. That's what the likes of Diversion and Skynet are for. Stubby only changes the transport method in which queries are made to DNS servers.
 
I've installed this months ago as instructed in OP.
I have been reading in this thread about updates and other forks, will the OP get updated to show how to update to latest version?
Thanks for info.
 
Fork updated :)
Thanks Jack. I was just re-installing and noticed the install command on github points to https://raw.githubusercontent.com/Xentrk, I think it's probably always been like that, as I seem to remember manually changing it to https://raw.githubusercontent.com/jackyaz previously, or maybe it was correct before but changed back at some point. There's probably a post here in the thread with the correct command, but I had your github page bookmarked and copied & pasted the command line without noticing or remembering it needed changing. And then of course it installed the normal getdns and I had no internet until I reset my WAN DNS and started again.

Thought I'd mention it in case it's easy to change and you have time. Big thanks to @Odkrys for the patched versions and yourself for the forked installer.

Edit: While I'm asking :)
Code:
echo | openssl s_client -verify on -CApath /rom/etc/ssl/certs -connect 1.1.1.1:853
seems to need changing to
Code:
echo | openssl s_client -verify on -CAfile /rom/etc/ssl/certs/ca-certificates.crt -connect 1.1.1.1:853
as well.
 
Last edited:
Thanks Jack. I was just re-installing and noticed the install command on github points to https://raw.githubusercontent.com/Xentrk, I think it's probably always been like that, as I seem to remember manually changing it to https://raw.githubusercontent.com/jackyaz previously, or maybe it was correct before but changed back at some point. There's probably a post here in the thread with the correct command, but I had your github page bookmarked and copied & pasted the command line without noticing or remembering it needed changing. And then of course it installed the normal getdns and I had no internet until I reset my WAN DNS.

Thought I'd mention it in case it's easy to change. Big thanks to @Odkrys for the patched versions and yourself for the forked installer.
Ah, that's an oversight on my part. I'll get that fixed
 
Well, we had a huge power blip/surge, the worst one in the 20 years I have been in this house.

Luckily my 5300 seems to have survived, however I was unable to get back online. This necessitated a complete reset, it was quicker and easier than troubleshooting with a wife and kids breathing down my neck. All kinds of issues, no problem with the selective restore. I had great backup's of my prized static IP address list :p

I did try a few steps like adding the command for the ntp to dnsmasq...add fearing it was that issue. However, that did not yield any successful results. So here goes round 2 :) from scratch.
 

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Staff online

Top