Stubby-Installer-Asuswrt-Merlin

[skeal]

I'm only using unbound...

I thought unbound and stubby were (kind of) alternatives for each other. What does using them both add to the mix?

I am pretty sure unbound is a replacement for dnsmasq.

 

[muffintastic]

I've noticed this doesn't "stick" when the router is rebooted.. I've ran it on my AC3200 without issue but the only way to get my WAN IP is by removing Stubby then re-installing it. Is it just me or am I missing a script to keep it alive during a reboot?

 

[cmkelley]

I've noticed this doesn't "stick" when the router is rebooted.. I've ran it on my AC3200 without issue but the only way to get my WAN IP is by removing Stubby then re-installing it. Is it just me or am I missing a script to keep it alive during a reboot?

Have you read at least the past 5 or 6 pages of comments? There are generally 2 possibilities:
1) The router clock not getting set before Stubby runs, the very latest on Github has been patched to fix.
2) You have a DNS entry on your IPv6 page. Delete any IPv6 DNS entries and copy the local IPv6 address of your router into the 1st slot.

 

[XIII]

I am pretty sure unbound is a replacement for dnsmasq.

Oh, I thought both unbound and stubby were resolvers (that support DNS over TLS).

What does stubby actually do then?

 

[muffintastic]

Have you read at least the past 5 or 6 pages of comments? There are generally 2 possibilities:
1) The router clock not getting set before Stubby runs, the very latest on Github has been patched to fix.
2) You have a DNS entry on your IPv6 page. Delete any IPv6 DNS entries and copy the local IPv6 address of your router into the 1st slot.

I've gone by the instructions off Github, added that script so stubby always starts first, made my IPV6 dns local IPV6, installed the latest IPKs. Not at home to test a reboot.

 

[faria]

Good news , i just installed the latest commit and i'm happy to report that all is working now as it should.
no more entware "custom"startup delay needed .
thanks guys.

 

[bluzfanmr1]

New commit working for me as well.

 

[Xentrk]

I'm only using unbound...

I thought unbound and stubby were (kind of) alternatives for each other. What does using them both add to the mix?

Unbound provides a local cache and Stubby manages the upstream TLS connections (since Unbound cannot yet authentication upstreams, or re-use TCP/TLS connections).

See https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Clients for a guide.

I'd like to experiment with the combination in the near future.

For an additional reference you can see the guide on OpenWRT forum. Be aware there are differences in the firmware that you have to consider.

 

[Xentrk]

When I run the install function it always overwrites my stubby.yml file. This has happened multiple times. I have an RT-AC66U_B1 running 384.8_2. To run the update I use sh install_stubby.sh from /jffs/scripts. Am I doing something wrong?

The script does make a back-up of the existing stubby.yml file by appending the timestamp to it if an existing stubby.yml file exists. You can then copy the contents to the stubby.yml file or delete the recently downloaded stubby.yml file and renaming stubby.yml.timestamp to stubby.yml.

 

[Xentrk]

I think now is a good time to discuss DNSSEC and Stubby.

The installer script disables DNSSEC in the firmware. This is because the Cloudflare test site does not support DNSSEC. As a result, if one uses the site to validate that DoT is working, the site will report that DoT is not working. That is the primary reason why I chose to disable DNSSEC on the firmware. My thinking was that people would have no confidence that Stubby DoT was working and this thread would be filled with posts thinking that Stubby was broken.

I used several resources to determine how to configure Stubby on Asuswrt-Merlin. The DNS-over-TLS with dnsmasq and stubby on the OpenWRT forum was a primary resource. There is discussion on the thread about DNSSEC and others also reported issues with the Cloudflare test page when using DNSSEC.

One option they recommend is to use the proxy-dnssec option inside of dnsmasq.

--proxy-dnssec Copy the DNSSEC Authenticated Data bit from upstream servers to downstream clients and cache it. This is an alternative to having dnsmasq validate DNSSEC, but it depends on the security of the network between dnsmasq and the upstream servers, and the trustworthiness of the upstream servers.

I did not experiment with the option during the testing of the installer script though in order to focus on other issues. The original test team has done some testing with it recently. @bbunge has performed extensive testing with both Cloudflare and Quad9 using the proxy-dnssec. His conclusion is

Conclusion: Not all resolvers play well with DNSSEC. Cloudflare does. Quad9 doesn't.

I had some time to test this morning and have concluded that @bbunge testing results are the same as mine (test results in Spoiler below). When using Quad9, some pages don't resolve and I get a server not found. Sometimes it takes one or several refreshes for the page to finally load. No issues with Cloudflare. One good thing is the Cloudflare test page works with the proxy-dnssec configuration.

To satisfy the requests for the feature, I think we can add the option to include proxy-dnssec to the installer. @Adamm has volunteered to help out (please send the man a donation). Which is really nice as I have another obligation for another day or two and am still recovering from a bad cold.

Thinking out loud on how best to implement:

1. Include the option automatically. Display a message at the end of the installation about the caveat or issue with proxy-dnssec when using Quad9.
   
2. We can give the person a choice to install it and explain that it may not play nice with Quad9
   
3. Include an option to remove the line from /jffs/configs/dnsmasq.conf.add if they have issues with proxy-dnssec

If you want to test the setting, edit /jffs/configs/dnsmasq.conf.add and add proxy-dnssec to the file. After saving, bounce dnsmasq using the command service restart_dnsmasq.

Spoiler: proxy-dnssec test results

proxy-dnssec line to dnsmasq.conf.add test results using Cloudflare 1.1.1.1

Note: Cloudflare test page passes the DoT test using proxy-dnssec!

1. https://rootcanary.org/test.html
DNSSEC validation succeeded for more DS Algorithms than Quad9
2. http://dnssec.vs.uni-due.de/
DNSSEC Resolver Test Passes.
3. http://en.conn.internet.nl/connection/
Passes. Domain signatures validated (DNSSEC)
4. https://www.grc.com/dns/dns.htm
No issues
5. https://www.dns-oarc.net/oarc/services/dnsentropy
Site not reachable at first few attempts. Clicking on the "Test my DNS" button opens up a new page with the "Server Not Found".
The results did display after refreshing the page two times.
6. https://www.dnsleaktest.com/
Passes
7. https://ipleak.net/
Passes
8. https://www.perfect-privacy.com/dns-leaktest/
Passes
9. https://browserleaks.com/webrtc
Passes
10.https://ip8.com/webrtc-test
Passes
11.https://ipx.ac/run
Site not reachable at first attempt. A refresh required.
Passes
12.https://www.perfect-privacy.com/check-ip/
Passes
13.https://www.doileak.com/
Passes
14.https://www.whatismypublicip.com/
Passes


proxy-dnssec line to dnsmasq.conf.add test results using Quad9

1. https://rootcanary.org/test.html
DNSSEC validation succeeded for GOST RSA-MD5, RSA-SHA512, ED25519
2. http://dnssec.vs.uni-due.de/
DNSSEC Resolver Test Passes. Site not reachableon first attempt.
3. http://en.conn.internet.nl/connection/
Domain signatures validated (DNSSEC)
4. https://www.grc.com/dns/dns.htm
No issues
5. https://www.dns-oarc.net/oarc/services/dnsentropy
Site not reachable at first few attempts. Clicking on the "Test my DNS" button opens up a new page with the "Server Not Found"
6. https://www.dnsleaktest.com/
Passes
7. https://ipleak.net/
Passes
8. https://www.perfect-privacy.com/dns-leaktest/
Site not reachable at first attempt. A refresh required.
Passes
9. https://browserleaks.com/webrtc
Passes
10.https://ip8.com/webrtc-test
Passes
11.https://ipx.ac/run
Site not reachable at first attempt. A refresh required.
Passes
12.https://www.perfect-privacy.com/check-ip/
Passes
13.https://www.doileak.com/
Passes
14.https://www.whatismypublicip.com/
Took three refreshes for the page to load

Please provide your feedback. Would also be nice if you have time to test the setting with Cloudflare and Quad9 to validate my test results.

 

[cmkelley]

I'm not smart enough to offer you a git push or whatever (yet! Git is next on my list to learn!), but I think for people who use IPv6, what you need to add to the stubby install script is something like the below in the appropriate places in "update_wan_and_resolv_settings" function:

RTR_IP="$(nvram get ipv6_rtr_addr)"

echo "server=$RTR_IP" > /tmp/resolv.dnsmasq  

nvram set ipv6_dns1=$RTR_IP
nvram set ipv6_dns2=""
nvram set ipv6_dns3=""

and in the "remove_existing_installation" function:

IPV6_DNS1="2606:4700:4700::1111"
nvram set ipv6_dns1="$IPV6_DNS1"

But, I'm hardly an expert.

 

[dave14305]

Thinking out loud on how best to implement:

If @Adamm is willing to get fancy on this, I would suggest to base this off the value of nvram dnssec_enable. If user has dnssec enabled in the GUI, replace the normal dnssec parameter with proxy-dnssec. This would mean reconfiguring dnsmasq.conf via the postconf script instead of the .add file, but you would be able to have the user control the feature from the GUI.

 

[cmkelley]

If @Adamm is willing to get fancy on this, I would suggest to base this off the value of nvram dnssec_enable. If user has dnssec enabled in the GUI, replace the normal dnssec parameter with proxy-dnssec. This would mean reconfiguring dnsmasq.conf via the postconf script instead of the .add file, but you would be able to have the user control the feature from the GUI.

So if I'm using proxy-dnssec I should have 'Enable DNSSEC Support' set to ON in the GUI?

 

[dave14305]

So if I'm using proxy-dnssec I should have 'Enable DNSSEC Support' set to ON in the GUI?

Not now. But maybe later if my idea gets support.

 

[XIII]

Unbound provides a local cache and Stubby manages the upstream TLS connections (since Unbound cannot yet authentication upstreams, or re-use TCP/TLS connections).

This was exactly why I wanted to build a version with OpenSSL 1.1.1 statically included:

The 1.7.1 release of Unbound supports authentication of upstream recursive resolvers using an authentication domain name (i.e. PKIX authentication) if a certificate bundle is configured

 

[preacher65]

Please provide your feedback. Would also be nice if you have time to test the setting with Cloudflare and Quad9 to validate my test results.

I've been trying proxy-dnssec in dnsmasq.conf.add since @bbunge mentioned it a short while ago, with no issues using Cloudflare. I haven't testing with Quad9 but will try to find time to do so later.
I just quickly ran the tests you listed and can't get https://www.dns-oarc.net/oarc/services/dnsentropy to load at all, but every other test looks fine. I'm off to work but will try to do more tests later, just wanted to provide some initial feedback.
(I do have an issue where I sometimes have to restart httpd to connect to the router's webui via https, but at the moment I have no reason to suspect it's related to Stubby.)

 

[Xentrk]

So if I'm using proxy-dnssec I should have 'Enable DNSSEC Support' set to ON in the GUI?

Enabling DNSSEC on the Web GUI creates an issue. The Cloudflare test site 1.1.1.1/help will report that DoT is not working. I can't recall now if the other sites have issues as it was a few months ago. There was also a DNSSEC setting in stubby that created issues on test sites as well. I spent a lot of time testing it in the past. Based on the effort and results, I decided to put it in the parking lot and test again when the new version of Stubby is released.

 

[Xentrk]

I'm not smart enough to offer you a git push or whatever (yet! Git is next on my list to learn!), but I think for people who use IPv6, what you need to add to the stubby install script is something like the below in the appropriate places in "update_wan_and_resolv_settings" function:

RTR_IP="$(nvram get ipv6_rtr_addr)"

echo "server=$RTR_IP" > /tmp/resolv.dnsmasq 

nvram set ipv6_dns1=$RTR_IP
nvram set ipv6_dns2=""
nvram set ipv6_dns3=""

and in the "remove_existing_installation" function:

IPV6_DNS1="2606:4700:4700::1111"
nvram set ipv6_dns1="$IPV6_DNS1"

But, I'm hardly an expert.

Noted for future enhancement. Thanks for doing the preliminary analysis. Also, you just signed up to be the tester for ipv6!

 

[Xentrk]

If @Adamm is willing to get fancy on this, I would suggest to base this off the value of nvram dnssec_enable. If user has dnssec enabled in the GUI, replace the normal dnssec parameter with proxy-dnssec. This would mean reconfiguring dnsmasq.conf via the postconf script instead of the .add file, but you would be able to have the user control the feature from the GUI.

Good idea.

 

[Xentrk]

Another thing on DNSSEC, I am surprised how many sites DO NOT support DNSSEC. I added the DNSSEC add on on Firefox. It will detect if a site supports DNSSEC. Kewl little add-on.

On Merlin's site, note the green DNS indicator in the URL bar:

On snbforums.com, note the red DNS indicator in the URL bar:

I need to enable DNSSEC on my blog site.