Stubby-Installer-Asuswrt-Merlin

[Marin]

I can confirm as well that Stubby installation on a brand new Sandisk usb thumb drive and my AC86U went through without a hitch. Didn’t have to make any tweaks to it to get it to work.

@thelonelycoder: Would you consider adding Stubby to AMTM at some point? [emoji120]Thank you!!


Sent from my iPhone using Tapatalk

 

[dmillerzx]

Also having issues with this starting up reliably at boot at least according to https://1.1.1.1/help, interestingly with DNSSEC disabled in the GUI and a cmd line commit to vram I'm still passing https://dnssec.vs.uni-due.de/... weird, I've seen DoT continue working after one reboot, but right now I can't seem to get it going again unless I rerun the installer. Maybe there is a race condition during boot preventing it from coming online.

RT-AC68U user. (merlin 384.8_2)

 

[dave14305]

Troubleshooting steps I would follow after a reboot:

1. Is stubby actually running? ps w | grep stubby
2. Is stubby's configuration valid? stubby -C /opt/etc/stubby/stubby.yml -i
3. Run stubby debugging: stubby -C /opt/etc/stubby/stubby.yml -l
4. Is DNSmasq pointing to stubby? cat /etc/dnsmasq.conf
5. Are the resolv files pointing to anything other than your router LAN IP? cat /tmp/resolv.*
6. Does resolution on the router work? nslookup www.snbforums.com
7. Ensure no LAN DHCP DNS or DNSFilter settings (except for Router mode) are active.
8. Are stubby and dnsmasq listening on the expected ports? netstat -anltup | grep -E "dnsmasq|stubby"

 

[joegreat]

...weird, I've seen DoT continue working after one reboot, but right now I can't seem to get it going again unless I rerun the installer. Maybe there is a race condition during boot preventing it from coming online.

Same issue on my AC87U: In my case it's a timing problem during startup!

Entware is started too early (before "WAN_Connection: WAN was restored." is completed) and therefore the time is not set yet.
Delaying the Entware startup by 20 seconds with a simple "sleep 20" solves the problem and stubby is started successfully after(!) the router time is set (see log file excerpt below).

May 5 07:05:07 WAN_Connection: ISP's DHCP did not function properly.
May 5 07:05:20 wan: [wan0_hwaddr] == [14D:A9:xx:xx:xx]
May 5 07:05:28 wan: finish adding multi routes
May 5 07:05:30 wan: finish adding multi routes
May 5 07:05:33 WAN_Connection: WAN was restored.
May 5 07:05:46 ntp: start NTP update
May 5 07:05:46 kernel: br0: received packet on vlan1 with own address as source address
May 5 07:05:46 qtn: bootcfg.tgz exists
Jan 13 09:18:32 rc_service: ntp 1078:notify_rc restart_diskmon
Jan 13 09:18:32 disk_monitor: Finish
Jan 13 09:18:32 disk_monitor: be idle
Jan 13 09:18:36 haveged: haveged starting up
Jan 13 09:18:36 admin: Started haveged from .
Jan 13 09:18:36 S61stubby: Starting Stubby DNS over TLS /opt/etc/init.d/S61stubby
Jan 13 09:18:36 admin: Started stubby from .
Jan 13 09:18:36 Timemachine: daemon is stopped
Jan 13 09:18:36 kernel: gro enabled with interval 2
Jan 13 09:18:37 haveged: haveged: ver: 1.9.4; arch: generic; vend: ; build: (gcc 7.3.0 CV); collect: 128K
Jan 13 09:18:37 haveged: haveged: cpu: (); data: 32K (P); inst: 32K (P); idx: 18/40; sz: 31104/71972
Jan 13 09:18:37 haveged: haveged: fills: 0, generated: 0
Jan 13 09:18:38 rc_service: service 1326:notify_rc restart_ntp
Jan 13 09:18:38 admin: Started ntpd from .
Jan 13 09:18:38 ntpd[1333]: ntpd 4.2.8p9-win@1.3728 Sat Mar 18 09:20:25 UTC 2017 (2): Starting
Jan 13 09:18:38 ntpd[1333]: Command line: ntpd -c /jffs/etc/ntp.conf
Jan 13 09:18:38 ntpd[1345]: proto: precision = 1.371 usec (-19)
Jan 13 09:18:38 ntpd[1345]: Listen normally on 0 lo 127.0.0.1:123
Jan 13 09:18:38 ntpd[1345]: Listen normally on 1 br0 192.168.0.1:123
Jan 13 09:18:38 ntpd[1345]: Listening on routing socket on fd #18 for interface updates
Jan 13 09:18:48 kernel: tun: Universal TUN/TAP device driver, 1.6
Jan 13 09:18:48 kernel: tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
Jan 13 09:18:49 ovpn-client1[1565]: OpenVPN 2.4.6 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Oct 21 2018
Jan 13 09:18:49 ovpn-client1[1565]: library versions: OpenSSL 1.0.2p 14 Aug 2018, LZO 2.08
Jan 13 09:18:49 ovpn-client1[1566]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Jan 13 09:18:49 ovpn-client1[1566]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan 13 09:18:49 ovpn-client1[1566]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 13 09:18:49 ovpn-client1[1566]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 13 09:18:49 ovpn-client1[1566]: TCP/UDP: Preserving recently used remote address: [AF_INET]213.152.161.148:443
Jan 13 09:18:49 ovpn-client1[1566]: Socket Buffers: R=[122880->122880] S=[122880->122880]
Jan 13 09:18:49 ovpn-client1[1566]: UDP link local: (not bound)
Jan 13 09:18:49 ovpn-client1[1566]: UDP link remote: [AF_INET]213.152.161.148:443

 

[cmkelley]

7. Ensure no LAN DHCP DNS or DNSFilter settings (except for Router mode) are active.

Okay, can't reboot now due to SUI (Spouse Using Internet), but that one peaked my interest:

I think the first needs to be "YES" otherwise how will the DHCP clients know to go to the router for DNS, but I wonder if "Enable DNS Rebind protection" should be No for Stubby?

DNS-based Filtering is Off.

 

[faria]

Okay, can't reboot now due to SUI (Spouse Using Internet), but that one peaked my interest:
View attachment 15864

I think the first needs to be "YES" otherwise how will the DHCP clients know to go to the router for DNS, but I wonder if "Enable DNS Rebind protection" should be No for Stubby?

DNS-based Filtering is Off.

I have the first option set to "YES" enabled here, And same issue as you.
DNS Rebind protection is set to yes.

 

[dmillerzx]

Same issue on my AC87U: In my case it's a timing problem during startup!

Entware is started too early (before "WAN_Connection: WAN was restored." is completed) and therefore the time is not set yet.
Delaying the Entware startup by 20 seconds with a simple "sleep 20" solves the problem and stubby is started successfully after(!) the router time is set (see log file excerpt below).

Thank you I've added the delay to S61stubby, and will see if that does the trix.

 

[dave14305]

but I wonder if "Enable DNS Rebind protection" should be No for Stubby?

It's safe. I had Rebind protection on when I was testing Stubby on John's fork.

 

[dave14305]

What do you guys have set on Tools -> Other Settings for "Wan: Use DNS probes to determine if WAN is up (default: Yes)"? Just thinking out loud if there's a potential chicken and egg issue with DNS probes and time setting and all that? If you are set to Yes, try No.

 

[dave14305]

Or any useful messages in /opt/var/log/stubby.log

 

[cmkelley]

What do you guys have set on Tools -> Other Settings for "Wan: Use DNS probes to determine if WAN is up (default: Yes)"? Just thinking out loud if there's a potential chicken and egg issue with DNS probes and time setting and all that? If you are set to Yes, try No.

On the 86U that's in Adminstration -> System, and I've tried both DNS Query and Ping (set to 1.1.1.1 so it doesn't go through DNS), to no avail. I only have Ping on now. Next time I can reboot the router I'll turn off Ping as well.

 

[faria]

I took Joegreat advice and added a delay to entware , now everything is working as it should after 2 reboots.
This reminds me of dnscrypt timing issues in certain router models , Dnscrypt was starting before wan was up , in turn ntp could not synchronize with a time server and so on.

edit:
@dave14305 mine is set to no.

 

[cmkelley]

Or any useful messages in /opt/var/log/stubby.log

Hrmmm. I have no stubby log anywhere on the filesystem.

However htop confirms it is being executed with "-g -v 5 -C /opt/etc/stubby/stubby.yml 2>/opt/var/log/stubby.log" per the S61stubby file.

 

[thelonelycoder]

@thelonelycoder: Would you consider adding Stubby to AMTM at some point?

Thank you!!

That's planned and been asked for a felt 100 times.
I'm waiting for @Xentrk to give the go ahead. Then I need some time to code the amtm side.

 

[dmillerzx]

Troubleshooting steps I would follow after a reboot:

1. Is stubby actually running? ps w | grep stubby
2. Is stubby's configuration valid? stubby -C /opt/etc/stubby/stubby.yml -i
3. Run stubby debugging: stubby -C /opt/etc/stubby/stubby.yml -l
4. Is DNSmasq pointing to stubby? cat /etc/dnsmasq.conf
5. Are the resolv files pointing to anything other than your router LAN IP? cat /tmp/resolv.*
6. Does resolution on the router work? nslookup www.snbforums.com
7. Ensure no LAN DHCP DNS or DNSFilter settings (except for Router mode) are active.
8. Are stubby and dnsmasq listening on the expected ports? netstat -anltup | grep -E "dnsmasq|stubby"

Question regarding #5 for resolv. files, my router's IP address are here but so are the IPV6 address for Cloudflare. Could that be part of the problem?

 

[dave14305]

Hrmmm. I have no stubby log anywhere on the filesystem.

However htop confirms it is being executed with "-g -v 5 -C /opt/etc/stubby/stubby.yml 2>/opt/var/log/stubby.log" per the S61stubby file.

That’s ok. Stubby logging sucks at the moment.

 

[skeal]

Question regarding #5 for resolv. files, my router's IP address are here but so are the IPV6 address for Cloudflare. Could that be part of the problem?

Yes, you only want to see your routers ip here.

 

[dave14305]

Question regarding #5 for resolv. files, my router's IP address are here but so are the IPV6 address for Cloudflare. Could that be part of the problem?

Could be. The installer script overwrites the files with the router IP, but relies on the wan dns nvram settings to recreate them at boot. Probably doesn’t take into account IPv6 setups.

 

[shark]

I took Joegreat advice and added a delay to entware , now everything is working as it should after 2 reboots.
This reminds me of dnscrypt timing issues in certain router models , Dnscrypt was starting before wan was up , in turn ntp could not synchronize with a time server and so on.

edit:
@dave14305 mine is set to no.

where did you add the delay exactly?

 

[cmkelley]

Yes, you only want to see your routers ip here.

So, on the IPv6 page, the address shown in "LAN IPv6 Address" should be copied down into "IPv6 DNS Server 1" and the other two left blank?

EDIT: and "Connect to DNS Server automatically" is set to Disable.