XIII
Very Senior Member
I'm not using the installer, I was hoping to learn from the people using it.
This installer was never made to work with unbound. Yet.
Yes. But not when using Cloudflare. With DNSSEC enabled and resolvers set to Quad9 or Cleanbrowsing Secure after a day or so of successful operation I suddenly can't resolve addresses. Yesterday I was using DNSSEC in dnsmasq and logged an error "Insecure DS reply received...."
It seems when I use 192.168.1.1, thus Stubby, as my DNS resolver. It seems that sometimes a page can't be found/domain name not found, then if I refresh the page a couple of times... it suddenly can find it again.
This doesn't happen when I set the WAN DNS to 1.1.1.1 directly, so it's not Cloudflare.
Anyone experiencing the same thing?
It should work on ax88u too.
Code:
opkg list_installed | grep getdns
I'll update the fork, thanks. Typically entware would update shortly after I wrote the script!
administrator0f5kc6a@RT-AX88U-8C80:/tmp/home/root# opkg list_installed | grep getdns
getdns - 1.4.2-1a
administrator0f5kc6a@RT-AX88U-8C80:/tmp/home/root# getdns_query -s @127.0.0.1 github.com
{
"answer_type": GETDNS_NAMETYPE_DNS,
"canonical_name": <bindata for github.com.>,
"replies_full":
[
<bindata of 0x18288180000100080000000106676974...>
],
"replies_tree":
[
{
"additional":
[
{
"do": 0,
"extended_rcode": 0,
"rdata":
{
"rdata_raw": <bindata of 0x>
},
"type": GETDNS_RRTYPE_OPT,
"udp_payload_size": 1452,
"version": 0,
"z": 0
}
],
"answer":
[
{
"class": GETDNS_RRCLASS_IN,
"name": <bindata for github.com.>,
"rdata":
{
"nsdname": <bindata for ns2.p16.dynect.net.>,
"rdata_raw": <bindata for ns2.p16.dynect.net.>
},
"ttl": 900,
"type": GETDNS_RRTYPE_NS
},
{
"class": GETDNS_RRCLASS_IN,
"name": <bindata for github.com.>,
"rdata":
{
"nsdname": <bindata for ns3.p16.dynect.net.>,
"rdata_raw": <bindata for ns3.p16.dynect.net.>
},
"ttl": 900,
"type": GETDNS_RRTYPE_NS
},
{
"class": GETDNS_RRCLASS_IN,
"name": <bindata for github.com.>,
"rdata":
{
"nsdname": <bindata for ns4.p16.dynect.net.>,
"rdata_raw": <bindata for ns4.p16.dynect.net.>
},
"ttl": 900,
"type": GETDNS_RRTYPE_NS
},
{
"class": GETDNS_RRCLASS_IN,
"name": <bindata for github.com.>,
"rdata":
{
"nsdname": <bindata for ns-421.awsdns-52.com.>,
"rdata_raw": <bindata for ns-421.awsdns-52.com.>
},
"ttl": 900,
"type": GETDNS_RRTYPE_NS
},
{
"class": GETDNS_RRCLASS_IN,
"name": <bindata for github.com.>,
"rdata":
{
"nsdname": <bindata for ns-520.awsdns-01.net.>,
"rdata_raw": <bindata for ns-520.awsdns-01.net.>
},
"ttl": 900,
"type": GETDNS_RRTYPE_NS
},
{
"class": GETDNS_RRCLASS_IN,
"name": <bindata for github.com.>,
"rdata":
{
"nsdname": <bindata for ns-1283.awsdns-32.org.>,
"rdata_raw": <bindata for ns-1283.awsdns-32.org.>
},
"ttl": 900,
"type": GETDNS_RRTYPE_NS
},
{
"class": GETDNS_RRCLASS_IN,
"name": <bindata for github.com.>,
"rdata":
{
"nsdname": <bindata for ns-1707.awsdns-21.co.uk.>,
"rdata_raw": <bindata for ns-1707.awsdns-21.co.uk.>
},
"ttl": 900,
"type": GETDNS_RRTYPE_NS
},
{
"class": GETDNS_RRCLASS_IN,
"name": <bindata for github.com.>,
"rdata":
{
"nsdname": <bindata for ns1.p16.dynect.net.>,
"rdata_raw": <bindata for ns1.p16.dynect.net.>
},
"ttl": 900,
"type": GETDNS_RRTYPE_NS
}
],
"answer_type": GETDNS_NAMETYPE_DNS,
"authority": [],
"canonical_name": <bindata for github.com.>,
"header":
{
"aa": 0,
"ad": 0,
"ancount": 8,
"arcount": 1,
"cd": 0,
"id": 6184,
"nscount": 0,
"opcode": GETDNS_OPCODE_QUERY,
"qdcount": 1,
"qr": 1,
"ra": 1,
"rcode": GETDNS_RCODE_NOERROR,
"rd": 1,
"tc": 0,
"z": 0
},
"question":
{
"qclass": GETDNS_RRCLASS_IN,
"qname": <bindata for github.com.>,
"qtype": GETDNS_RRTYPE_NS
}
}
],
"status": GETDNS_RESPSTATUS_GOOD
}
Debug Information
Connected to 1.1.1.1 Yes
Using DNS over HTTPS (DoH) No
Using DNS over TLS (DoT) Yes
AS Name Cloudflare
AS Number 13335
Cloudflare Data Center BUD
administrator0f5kc6a@RT-AX88U-8C80:/tmp/home/root# stubby -l
[16:41:02.123357] STUBBY: Read config from file /opt/etc/stubby/stubby.yml
[16:41:02.123929] STUBBY: DNSSEC Validation is OFF
[16:41:02.123959] STUBBY: Transport list is:
[16:41:02.123973] STUBBY: - TLS
[16:41:02.123989] STUBBY: Privacy Usage Profile is Strict (Authentication required)
[16:41:02.124004] STUBBY: (NOTE a Strict Profile only applies when TLS is the ONLY transport!!)
[16:41:02.124018] STUBBY: Starting DAEMON....
[16:41:20.710298] STUBBY: 1.1.1.1 : Conn opened: TLS - Strict Profile
[16:41:20.775141] STUBBY: 1.1.1.1 : Verify passed : TLS
[16:41:20.799516] STUBBY: 1.0.0.1 : Conn opened: TLS - Strict Profile
[16:41:20.869289] STUBBY: 1.0.0.1 : Verify passed : TLS
[16:41:36.183899] STUBBY: 1.0.0.1 : Conn closed: TLS - Resps= 6, Timeouts = 0, Curr_auth =Success, Keepalive(ms)= 10000
[16:41:36.183956] STUBBY: 1.0.0.1 : Upstream : TLS - Resps= 6, Timeouts = 0, Best_auth =Success
[16:41:36.183965] STUBBY: 1.0.0.1 : Upstream : TLS - Conns= 1, Conn_fails= 0, Conn_shuts= 1, Backoffs = 0
[16:41:39.498309] STUBBY: 1.1.1.1 : Conn closed: TLS - Resps= 7, Timeouts = 0, Curr_auth =Success, Keepalive(ms)= 10000
[16:41:39.498364] STUBBY: 1.1.1.1 : Upstream : TLS - Resps= 7, Timeouts = 0, Best_auth =Success
[16:41:39.498373] STUBBY: 1.1.1.1 : Upstream : TLS - Conns= 1, Conn_fails= 0, Conn_shuts= 1, Backoffs = 0
[16:41:40.638299] STUBBY: 1.0.0.1 : Conn opened: TLS - Strict Profile
[16:41:50.751349] STUBBY: 1.0.0.1 : Conn closed: TLS - Resps= 1, Timeouts = 0, Curr_auth =Success, Keepalive(ms)= 10000
[16:41:50.751406] STUBBY: 1.0.0.1 : Upstream : TLS - Resps= 7, Timeouts = 0, Best_auth =Success
[16:41:50.751415] STUBBY: 1.0.0.1 : Upstream : TLS - Conns= 2, Conn_fails= 0, Conn_shuts= 2, Backoffs = 0
[16:42:00.870654] STUBBY: 1.1.1.1 : Conn opened: TLS - Strict Profile
[16:42:00.901129] STUBBY: 1.0.0.1 : Conn opened: TLS - Strict Profile
Fork has been updated
Code:
opkg install /var/tmp/patchedgetdns.ipk && printf "getdns successfully patched\n" || printf "An error occurred patching getdns\n" || exit 1
Code:
stubby successfully installed
Not downgrading package getdns on root from 1.4.2-2 to 1.4.2-1a.
getdns successfully patched
Your script needs a fix.
opkg install /var/tmp/patchedgetdns.ipk --force-downgrade
The Entware version has a newer release number (1.4.2-2); on the other hand, the patched version is 1.4.2-1a.
Am I OK to put these on github for use with the fork?
For HND routers (RT-AC86U, GT-AC5300, RT-AX88U)
I have built stubby 0.2.4 and getdns 1.5.0 with openssl 1.1.1a statically.
stubby_0.2.4-tls1.3
https://drive.google.com/file/d/1kZu3y5HeoMw6YfLxt6aQCEedHvhewwtU/view
getdns_1.5.0-tls1.3
https://drive.google.com/file/d/1DEwc0uJ3plYC6AS2reFK1wczVmnsL79B/view
sure.
Am I OK to put these on github for use with the fork?
I have built stubby 0.2.4 and getdns 1.5.0 with openssl 1.1.1a statically
Cool!
I would like to do something similar for unbound (with openssl 1.1.1a statically), for AC86U and AC68U.
Where can I find how to do this? Do you have any pointers?
CONFIGURE_VARS += \
LIBS="-Wl,-Bstatic -lssl -lcrypto -Wl,-Bdynamic -lpthread -lc -lgcc_eh"
It seems when I use 192.168.1.1, thus Stubby, as my DNS resolver. It seems that sometimes a page can't be found/domain name not found, then if I refresh the page a couple of times... it suddenly can find it again.
This doesn't happen when I set the WAN DNS to 1.1.1.1 directly, so it's not Cloudflare.
Same here: I have for Quad9 and Cloudflare setup the Primary/Secondary servers - totally 4 - in round robin mode - normally it works fine, but I also experienced the not found problem (with reload it works).
Yes. But not when using Cloudflare. With DNSSEC enabled and resolvers set to Quad9 or Cleanbrowsing Secure after a day or so of successful operation I suddenly can't resolve addresses. Yesterday I was using DNSSEC in dnsmasq and logged an error "Insecure DS reply received...."
chief@RT-AC87U:/tmp/home/root# stubby -l
[17:33:31.047284] STUBBY: Read config from file /opt/etc/stubby/stubby.yml
[17:33:31.067819] STUBBY: DNSSEC Validation is OFF
[17:33:31.067905] STUBBY: Transport list is:
[17:33:31.067924] STUBBY: - TLS
[17:33:31.067945] STUBBY: Privacy Usage Profile is Strict (Authentication required)
[17:33:31.067959] STUBBY: (NOTE a Strict Profile only applies when TLS is the ONLY transport!!)
[17:33:31.067972] STUBBY: Starting DAEMON....
[17:33:32.111851] STUBBY: 9.9.9.9 : Conn opened: TLS - Strict Profile
[17:33:32.184572] STUBBY: 9.9.9.9 : Verify passed : TLS
[17:33:34.198286] STUBBY: 9.9.9.9 : Conn closed: TLS - Resps= 1, Timeouts = 0, Curr_auth =Success, Keepalive(ms)= 2000
[17:33:34.198353] STUBBY: 9.9.9.9 : Upstream : TLS - Resps= 1, Timeouts = 0, Best_auth =Success
[17:33:34.198372] STUBBY: 9.9.9.9 : Upstream : TLS - Conns= 1, Conn_fails= 0, Conn_shuts= 0, Backoffs = 0
[17:33:42.251488] STUBBY: 149.112.112.112 : Conn opened: TLS - Strict Profile
[17:33:42.322313] STUBBY: 149.112.112.112 : Verify passed : TLS
[17:33:44.338481] STUBBY: 149.112.112.112 : Conn closed: TLS - Resps= 1, Timeouts = 0, Curr_auth =Success, Keepalive(ms)= 2000
[17:33:44.338654] STUBBY: 149.112.112.112 : Upstream : TLS - Resps= 1, Timeouts = 0, Best_auth =Success
[17:33:44.338672] STUBBY: 149.112.112.112 : Upstream : TLS - Conns= 1, Conn_fails= 0, Conn_shuts= 0, Backoffs = 0
[17:33:52.452192] STUBBY: 1.1.1.1 : Conn opened: TLS - Strict Profile
[17:33:52.644908] STUBBY: 1.1.1.1 : Verify passed : TLS
[17:33:54.657114] STUBBY: 1.1.1.1 : Conn closed: TLS - Resps= 1, Timeouts = 0, Curr_auth =Success, Keepalive(ms)= 2000
[17:33:54.657169] STUBBY: 1.1.1.1 : Upstream : TLS - Resps= 1, Timeouts = 0, Best_auth =Success
[17:33:54.657187] STUBBY: 1.1.1.1 : Upstream : TLS - Conns= 1, Conn_fails= 0, Conn_shuts= 0, Backoffs = 0
[17:33:56.969193] STUBBY: 1.0.0.1 : Conn opened: TLS - Strict Profile
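As an added diagnostic (not from this thread or the stubby/getdns projects): a small POSIX sh/awk function that condenses `stubby -l` output like the logs above into one status line per upstream, so the intermittent "domain not found" reports can be checked against connection failures, backoffs and the upstream's authentication state. The log sample is constructed in the format shown above; the function name and the `Best_auth =None` value are assumptions.

```shell
#!/bin/sh
# Added example: summarise `stubby -l` output per upstream so that flaky
# upstreams show up as numbers rather than as a wall of log lines.
# Constructed sample in the format seen in this thread (not a real capture).
STUBBY_LOG='[17:33:32.111851] STUBBY: 9.9.9.9 : Conn opened: TLS - Strict Profile
[17:33:32.184572] STUBBY: 9.9.9.9 : Verify passed : TLS
[17:33:34.198353] STUBBY: 9.9.9.9 : Upstream : TLS - Resps= 1, Timeouts = 0, Best_auth =Success
[17:33:34.198372] STUBBY: 9.9.9.9 : Upstream : TLS - Conns= 1, Conn_fails= 0, Conn_shuts= 0, Backoffs = 0
[17:33:42.251488] STUBBY: 149.112.112.112 : Conn opened: TLS - Strict Profile
[17:33:44.338654] STUBBY: 149.112.112.112 : Upstream : TLS - Resps= 0, Timeouts = 2, Best_auth =None
[17:33:44.338672] STUBBY: 149.112.112.112 : Upstream : TLS - Conns= 3, Conn_fails= 2, Conn_shuts= 0, Backoffs = 1'

# Reads stubby log lines on stdin and prints one line per upstream. An upstream
# is DEGRADED if it never passed TLS verification, has connection failures or
# backoffs, or its Best_auth is not Success (the Strict profile refuses it then).
stubby_health() {
    awk '
    /STUBBY: [^ ]+ : Verify passed/ { verified[$3]++ }
    /STUBBY: [^ ]+ : Upstream : TLS - / {
        ip = $3; line = $0
        gsub(/ *= */, "=", line)          # "Conns= 1" / "Backoffs = 0" -> key=value
        n = split(line, parts, /[ ,]+/)
        for (i = 1; i <= n; i++)
            if (split(parts[i], kv, "=") == 2) stats[ip, kv[1]] = kv[2]
        seen[ip] = 1
    }
    END {
        for (ip in seen) {
            fails = stats[ip, "Conn_fails"] + 0
            backoffs = stats[ip, "Backoffs"] + 0
            auth = stats[ip, "Best_auth"]; if (auth == "") auth = "unknown"
            ok = (fails == 0 && backoffs == 0 && auth == "Success" && verified[ip] + 0 > 0)
            printf "%s conns=%d fails=%d backoffs=%d verified=%d best_auth=%s %s\n",
                ip, stats[ip, "Conns"] + 0, fails, backoffs, verified[ip] + 0, auth,
                (ok ? "OK" : "DEGRADED")
        }
    }' | LC_ALL=C sort
}

# On the router: run `stubby -l 2>&1 | stubby_health`, stop stubby with Ctrl-C
# after a while, and the summary prints. Here the constructed sample is used.
printf '%s\n' "$STUBBY_LOG" | stubby_health
```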
There are new options available in stubby 0.2.4.
Am I OK to put these on github for use with the fork?
tls_ciphersuites (for TLS >= 1.3)
tls_cipher_list (for TLS < 1.3)
tls_min_version
tls_max_version
tls_min_version: GETDNS_TLS1_3
tls_ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
You can add the RT-AC5300 to your list, I am passing all the tests for "validating-that-stubby-is-working" on the project page.
All Asus models supported by Asuswrt-Merlin, with the exception of the AC86U, should be supported by this script. To date, I have received confirmation that it works on the following models:
- RT-AC66U_B1
- RT-AC68U
- RT-AC87U
- RT-AC88U
- RT-AC3100
- RT-AC3200
Fork updated
sure.
Err, no. That's what the likes of Diversion and Skynet are for. Stubby only changes the transport method in which queries are made to DNS servers.
Hi,
Please, one question I have: is it possible to block ads using Stubby?
Thanks!
Thanks Jack. I was just re-installing and noticed the install command on github points to https://raw.githubusercontent.com/Xentrk, I think it's probably always been like that, as I seem to remember manually changing it to https://raw.githubusercontent.com/jackyaz previously, or maybe it was correct before but changed back at some point. There's probably a post here in the thread with the correct command, but I had your github page bookmarked and copied & pasted the command line without noticing or remembering it needed changing. And then of course it installed the normal getdns and I had no internet until I reset my WAN DNS and started again.
Fork updated
echo | openssl s_client -verify on -CApath /rom/etc/ssl/certs -connect 1.1.1.1:853
echo | openssl s_client -verify on -CAfile /rom/etc/ssl/certs/ca-certificates.crt -connect 1.1.1.1:853
Ah, that's an oversight on my part. I'll get that fixed.
Thanks Jack. I was just re-installing and noticed the install command on github points to https://raw.githubusercontent.com/Xentrk, I think it's probably always been like that, as I seem to remember manually changing it to https://raw.githubusercontent.com/jackyaz previously, or maybe it was correct before but changed back at some point. There's probably a post here in the thread with the correct command, but I had your github page bookmarked and copied & pasted the command line without noticing or remembering it needed changing. And then of course it installed the normal getdns and I had no internet until I reset my WAN DNS.
Thought I'd mention it in case it's easy to change. Big thanks to @Odkrys for the patched versions and yourself for the forked installer.