Stubby-Installer-Asuswrt-Merlin


When using Quad9, some pages don't resolve and I get a server not found. Sometimes it takes one or several refreshes for the page to finally load. No issues with Cloudflare.
Until recently Quad9 worked fine for me with unbound and DNSSEC enabled, but recently they had a change in their configuration which resulted in the behaviour you describe here.

No issues with Cloudflare so far.
 
I didn't make time to read the blow by blow of discussion here, but did see that stubby updated the install routine, so I reran it, rebooted router, and am happy to report that green checkmark secure DNS shows on all browsers I run the Cloudflare test page. I don't know if it's real or placebo, but it used to show the amber warning mark, so something seems to have changed - hopefully for the better, thanks guys :cool:
 
The script does make a back-up of the existing stubby.yml file by appending the timestamp to it if an existing stubby.yml file exists. You can then copy the contents to the stubby.yml file or delete the recently downloaded stubby.yml file and rename stubby.yml.timestamp to stubby.yml.

My bad, I see it now, thanks.
 
I had some time to test this morning and have concluded that @bbunge testing results are the same as mine (test results in Spoiler below). When using Quad9, some pages don't resolve and I get a server not found. Sometimes it takes one or several refreshes for the page to finally load. No issues with Cloudflare. One good thing is the Cloudflare test page works with the proxy-dnssec configuration.

Please provide your feedback. Would also be nice if you have time to test the setting with Cloudflare and Quad9 to validate my test results.

I installed stubby a couple of weeks ago and have been using Quad9 (it's notably faster in my location) with the proxy-dnssec option. It has worked most of the time but I too have had some issues where I get server not found pages. It had me stumped but I'll bet it is related to what you shared above. It usually takes a few refreshes, or restarting dnsmasq to get it to work again. I've also had a couple of times where all resolving on the router stopped and I had to restart stubby and/or dnsmasq for things to work again. I think I'll switch to Cloudflare to see if that works better.
 
Cloudflare has worked awesome for me. Hope it works for you!
 
I've pushed an update.

Code:
Allow user to toggle proxy-dnssec
Add /opt/bin symlink
Tidy up repetitive code
Reword menu options if Stubby previously installed

Users will need to first update installer. Then run the new "Update Stubby Configuration" option.

(and before someone asks, no you do not need to uninstall first, the script will do the heavy lifting for you)
 
I've pushed an update.

Code:
Allow user to toggle proxy-dnssec
Add /opt/bin symlink
Tidy up repetitive code

Users will need to first update installer. Then re-run the install function to apply the new changes.
Nice one works like you said!!:):) Thanks @Adamm !!
 
Quick question... I don't have IPv6 enabled on my router, yet the stubby installer enables the Cloudflare primary IPv6 DNS server by default in the stubby.yml file. Is there any reason to keep this enabled?
 
Noted for future enhancement. Thanks for doing the preliminary analysis. Also, you just signed up to be the tester for ipv6! ;)
Works for me. And re-reading, I think the implied tone of my post was not what I intended. I honestly did mean it as a suggestion for supporting IPv6, not "you need to do this" which I think is how it came across.

But yes, I'm up for testing IPv6 stuff. :)
 
I volunteer on IPv6 as well.
 
I held off on the IPv6 fix for now until I can get some confirmation from multiple sources there are no adverse effects. Without IPv6 support from my ISP I thought it's best not to make blind changes (even if they seem completely fine).
 
Latest change to the installer script caused failure on router reboot. I have just gone back to Merlin from testing John's fork. Yes I did a factory reset initialize, formatted the USB thumb drive to EXT3 and configured the router manually (it works very well until I loaded stubby/getdns)
Maybe it is best to have an install script for older routers and another for the x64 based processors?
Looking for the original install script to get back working again!!!
 
I have an AC3100 and I have not had the same experience as you, sorry. :( Everything works after reboot here!
 
I also just ran it on a remote session over OVPN to my parent's house. Installed fine and rebooted fine. It's an AC68U.
 
Latest change to the installer script caused failure on router reboot. I have just gone back to Merlin from testing John's fork. Yes I did a factory reset initialize, formatted the USB thumb drive to EXT3 and configured the router manually (it works very well until I loaded stubby/getdns)
Maybe it is best to have an install script for older routers and another for the x64 based processors?
Looking for the original install script to get back working again!!!

Is there anything unique about your setup? Stubby functionality wise the only thing that changed was adding proxy-dnssec to the config file. (It goes without saying I can't reproduce this)
 
Nope, pretty basic install. No ad blocker or other stuff. I did not understand the wording about caching DNSSEC so omitted it. proxy-dnssec does not cache data but lets it go through. Yes, enabling DNSSEC stores certs but that is hardly caching. As I said in a message to the testers I feel it best to not enable DNSSEC. Adding proxy-dnssec to dnsmasq.conf.add should be automatic and hurts nothing if it is not used (something like John's Server only DNSSEC option).

Just reinstalled stubby and it looks like I did not get an older script from GitHub. Not too happy as I feel there has been stuff added that is not needed. Am about to dump this Asus router and go to Linksys/OpenWRT!!!
 
2nd failure on reboot. May be other than stubby installer as USB drives did not mount on startup.
Stay tuned may have to refresh Merlin...
 
I did not understand the wording about caching DNSSEC so omitted it.

Then literally nothing would have changed on your setup when running the update function. I am quite confident your issue lies elsewhere.

Code:
--proxy-dnssec
Copy the DNSSEC Authenticated Data bit from upstream servers to downstream clients and cache it. This is an alternative to having dnsmasq validate DNSSEC, but it depends on the security of the network between dnsmasq and the upstream servers, and the trustworthiness of the upstream servers.
 
Should the following: dnssec_return_status: GETDNS_EXTENSION_TRUE

be added to the /opt/etc/stubby/stubby.yml by the installer if you select yes to proxy-dnssec during the stubby install/update?

https://dnsprivacy.org/wiki/display/DP/Configuring+Stubby#ConfiguringStubby-DNSSEC

Maybe just make "#dnssec_return_status: GETDNS_EXTENSION_TRUE" part of our standard stubby.yml and have the installer comment it in or out based off the DNSSEC response.
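
The suggestion in the post above (ship the `dnssec_return_status` line in stubby.yml and have the installer comment it in or out to match the proxy-dnssec answer), written out as an added example that is not the installer's own code. The function names `set_dnssec`, `dnssec_state` and `demo` are hypothetical, and the sample stubby.yml in `demo` is constructed.

```shell
#!/bin/sh
# Added example, not the installer's code. Both file paths are arguments,
# so this can be tried on copies before touching the router's real files.
# set_dnssec <stubby.yml> <dnsmasq.conf.add> <yes|no>
set_dnssec() {
    yml=$1; dnsmasq_add=$2; choice=$3
    opt='dnssec_return_status'
    case $choice in
        yes|no) ;;
        *) echo "choice must be yes or no" >&2; return 2 ;;
    esac
    [ -f "$yml" ] || { echo "missing $yml" >&2; return 1; }
    # Timestamped backup; never overwrite one taken in the same second.
    bak="$yml.$(date +%Y%m%d%H%M%S)"
    [ -e "$bak" ] || cp -p "$yml" "$bak" || return 1
    tmp="$yml.tmp.$$"
    if [ "$choice" = yes ]; then
        # Uncomment the option, keeping its indentation; append it if the
        # file has no such line at all.
        sed "s/^\([[:space:]]*\)#[[:space:]]*\($opt:\)/\1\2/" "$yml" > "$tmp"
        grep -q "^[[:space:]]*$opt:" "$tmp" ||
            echo "$opt: GETDNS_EXTENSION_TRUE" >> "$tmp"
    else
        # Comment the option out only where it is currently active.
        sed "s/^\([[:space:]]*\)\($opt:\)/\1#\2/" "$yml" > "$tmp"
    fi
    cat "$tmp" > "$yml"    # overwrite in place to keep owner and mode
    # dnsmasq side: exactly one proxy-dnssec line for yes, none for no.
    [ -f "$dnsmasq_add" ] || : > "$dnsmasq_add"
    sed '/^proxy-dnssec$/d' "$dnsmasq_add" > "$tmp"
    [ "$choice" = no ] || echo 'proxy-dnssec' >> "$tmp"
    cat "$tmp" > "$dnsmasq_add"
    rm -f "$tmp"
}

# dnssec_state <stubby.yml> <dnsmasq.conf.add> -> prints on, off or mismatch
dnssec_state() {
    s=off; d=off
    grep -q '^[[:space:]]*dnssec_return_status:' "$1" && s=on
    grep -qx 'proxy-dnssec' "$2" && d=on
    if [ "$s" = "$d" ]; then echo "$s"; else echo mismatch; fi
}

# demo: run on constructed sample files in a scratch directory.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'resolution_type: GETDNS_RESOLUTION_STUB' \
        '#dnssec_return_status: GETDNS_EXTENSION_TRUE' > "$dir/stubby.yml"
    set_dnssec "$dir/stubby.yml" "$dir/dnsmasq.conf.add" yes
    dnssec_state "$dir/stubby.yml" "$dir/dnsmasq.conf.add"
    rm -rf "$dir"
}
```

`dnssec_state` reports `mismatch` when only one of the two files carries its setting, which is the state a manual edit of stubby.yml or dnsmasq.conf.add can leave behind.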
 
I held off on the IPv6 fix for now until I can get some confirmation from multiple sources there are no adverse effects. Without IPv6 support from my ISP I thought it's best not to make blind changes (even if they seem completely fine).
I agree with this cautious approach. :)
 
