skeal
Part of the Furniture
If you include that line with the present script it will work like having the webui feature enabled. It will break the Cloudflare test site.
Stubby-Installer-Asuswrt-Merlin
- Thread starter Xentrk
- Start date
I agree with this cautious approach.
So DNSSEC is working without that line?
With only proxy-dnssec in dnsmasq.conf and no dnssec directives in stubby.yml, you are essentially trusting that Cloudflare (or whichever resolver you use) is sending you a validated response without your router (i.e. stubby or dnsmasq) validating the signature. Probably less secure, but with the encrypted DoT in place, it might be acceptable risk.
skeal
Part of the Furniture
Couldn't have answered it any better than this.
Everything I need to know about Stubby, I learned from @john9527 and his fork.
https://www.snbforums.com/threads/f...lts-releases-v37ea.18914/page-432#post-446390
owine
Regular Contributor
FWIW, my nvram entries for the IPv6-related DNS server entries are blank and the router on its own pushes its own IPv6 address to clients for DNS resolution. I do not use the installer script, but have stubby configured by hand in a very similar manner.
I also have the DNS entries on the DHCP server page blanked out and the router pushes its IP as the DNS server. Screenshots of my configuration on those items are below.
bbunge
Part of the Furniture
Operator error. There was an asuswrt file left on my 1 TB drive that likely messed up entware. Back up and running DoT to CF. Installed with today's script.
Sent from my SM-T380 using Tapatalk
skeal
Part of the Furniture
Welcome back brother!
Xentrk
Part of the Furniture
No problem. I did not take it that way. I would just need someone who has the ipv6 requirement to test the change since I don’t use it.Works for me. And re-reading, I think the implied tone of my post was not what I intended. I honestly did mean it as a suggestion for supporting IPv6, not "you need to do this" which I think is how it came across.
But yes, I'm up for testing IPv6 stuff.
Similar to @Adamm and @Jack Yaz helping on the HND router updates. I don’t have one to test on but they do.
It’s all good brother.
bbunge
Part of the Furniture
IPV6 Test
RT-AC66U_B1 running Merlin 384.8_2 with Stubby installed and DoT working OK. Added IPV6 using 6RD as this is what my ISP offers at this time.
Did not add IPV6 DNS servers.
Stubby.yml was set to use CleanBrowsing IPV4 resolvers. Tested IPV6 with: https://test-ipv6.com/ Test results were 9/10 as CleanBrowsing IPV4 DNS servers do not resolve IPV6 addresses. Added CleanBrowsing IPV6 resolvers to stubby.yml, reran IPVt test and scored 10/10.
Switched to Cloudflare resolvers IPV4 and IPV6. Restarted stubby. Tested 10/10 and Cloudflare/Help tested connected to IPV4 and IPV6 with DoT=yes.
Switched to Quad9 IPV4 and IPV6 resolvers and tested successfully.
Reset the router to factory, manually reconfigured with IPV6 via 6RD, added freshly formated EXT3 thumb drive. Installed Entware then Stubby/GetDNS with proxy-dnssec option and reran all the tests cited above successfully.
Did not have DNSSEC enabled for any of the tests. I would expect Cloudflare to work reliably with DNSSEC. Have had issues using DNSSEC on Quad9, CleanBrowsing and other resolvers.
Should add that while I was doing the first set of tests I was downloading a large .iso file on one PC and had another PC running several torrent downloads. Switching the resolvers in the stubby.yml and restarting stubby after the changes did not cause any dropped connections.
Edit: for all the changed stubby.yml I had roundrobbin set to 1.
RT-AC66U_B1 running Merlin 384.8_2 with Stubby installed and DoT working OK. Added IPV6 using 6RD as this is what my ISP offers at this time.
Did not add IPV6 DNS servers.
Stubby.yml was set to use CleanBrowsing IPV4 resolvers. Tested IPV6 with: https://test-ipv6.com/ Test results were 9/10 as CleanBrowsing IPV4 DNS servers do not resolve IPV6 addresses. Added CleanBrowsing IPV6 resolvers to stubby.yml, reran IPVt test and scored 10/10.
Switched to Cloudflare resolvers IPV4 and IPV6. Restarted stubby. Tested 10/10 and Cloudflare/Help tested connected to IPV4 and IPV6 with DoT=yes.
Switched to Quad9 IPV4 and IPV6 resolvers and tested successfully.
Reset the router to factory, manually reconfigured with IPV6 via 6RD, added freshly formated EXT3 thumb drive. Installed Entware then Stubby/GetDNS with proxy-dnssec option and reran all the tests cited above successfully.
Did not have DNSSEC enabled for any of the tests. I would expect Cloudflare to work reliably with DNSSEC. Have had issues using DNSSEC on Quad9, CleanBrowsing and other resolvers.
Should add that while I was doing the first set of tests I was downloading a large .iso file on one PC and had another PC running several torrent downloads. Switching the resolvers in the stubby.yml and restarting stubby after the changes did not cause any dropped connections.
Edit: for all the changed stubby.yml I had roundrobbin set to 1.
Last edited:
IPV6 Test
My results, RTAC86U- 384.8_2. Latest Stubby/GetDNS with proxy-dnssec option and working DoT TLS 1.3. Using Cloudflare IPv4 1.1.1.1/1.0.0.1 Passed all test. Did not add "dnssec_return_status: GETDNS_EXTENSION_TRUE" to the stubby.yml so dnssec is permissive and not strictly validated by my router. Also have "round_robin_upstreams: 1" instead of the default 0
Under the router IPv6 settings page. Enabled IPv6 with a Native connection through Spectrum. Set "Connect to DNS Server automatically" to Disable then added the router LAN IPv6 Address to the "IPv6 DNS Server 1" line. Added Cloudflare IPv6 primary, but not secondary. Will test will secondary only and both later.
Tested IPV6 with:
1. https://test-ipv6.com/ - passed 10/10
2. http://en.conn.internet.nl/connection/ passed IPv6 100% with Domain signatures validated (DNSSEC)
DNSSEC:
1. http://dnssec.vs.uni-due.de/ - Yes, your DNS resolver validates DNSSEC signatures.
2. http://en.conn.internet.nl/connection/ passed IPv6 100% with Domain signatures validated (DNSSEC)
3. https://rootcanary.org/test.html Similar pass/fail with or without IPv6 enabled
My results, RTAC86U- 384.8_2. Latest Stubby/GetDNS with proxy-dnssec option and working DoT TLS 1.3. Using Cloudflare IPv4 1.1.1.1/1.0.0.1 Passed all test. Did not add "dnssec_return_status: GETDNS_EXTENSION_TRUE" to the stubby.yml so dnssec is permissive and not strictly validated by my router. Also have "round_robin_upstreams: 1" instead of the default 0
Under the router IPv6 settings page. Enabled IPv6 with a Native connection through Spectrum. Set "Connect to DNS Server automatically" to Disable then added the router LAN IPv6 Address to the "IPv6 DNS Server 1" line. Added Cloudflare IPv6 primary, but not secondary. Will test will secondary only and both later.
Tested IPV6 with:
1. https://test-ipv6.com/ - passed 10/10
2. http://en.conn.internet.nl/connection/ passed IPv6 100% with Domain signatures validated (DNSSEC)
DNSSEC:
1. http://dnssec.vs.uni-due.de/ - Yes, your DNS resolver validates DNSSEC signatures.
2. http://en.conn.internet.nl/connection/ passed IPv6 100% with Domain signatures validated (DNSSEC)
3. https://rootcanary.org/test.html Similar pass/fail with or without IPv6 enabled
bbunge
Part of the Furniture
Did not, at work now though.
eclp
Senior Member
skeal
Part of the Furniture
Nice one, any dnssec doubters out there should run this test.
eclp
Senior Member
I would love to try stubby again, but the last time I tried it my whole internet was dead. Besides, I couldn't even get to the router GUI anymore, only SSH, after uninstalling, my internet connection was working again.
Maybe someone of the initiates would be kind enough to collect all the things you need to know. A little guide would be nice ...
Maybe someone of the initiates would be kind enough to collect all the things you need to know. A little guide would be nice ...
skeal
Part of the Furniture
Right here bud!https://github.com/Xentrk/Stubby-Installer-Asuswrt-MerlinI would love to try stubby again, but the last time I tried it my whole internet was dead. Besides, I couldn't even get to the router GUI anymore, only SSH, after uninstalling, my internet connection was working again.
Maybe someone of the initiates would be kind enough to collect all the things you need to know. A little guide would be nice ...
bbunge
Part of the Furniture
Interesting...
With resolvers in stubby set to Quad 9, NSEC3 zone tests, 3b and 5, failed.
Switched to Cloudflare resolvers and all tests passed. Test completed quicker than Quad9
Turned on DNSSEC with Cloudflare and all tests passed again although test 1 and 6 were slow to finish.
Seems to prove my lack of success with Quad9 with DNSSEC enabled...
Once again, this does not prove the DNSSEC is working in the router but that the resolvers, DNS servers, you have configured can do DNSSEC.
Which asus router did you install on?I would love to try stubby again, but the last time I tried it my whole internet was dead. Besides, I couldn't even get to the router GUI anymore, only SSH, after uninstalling, my internet connection was working again.
Maybe someone of the initiates would be kind enough to collect all the things you need to know. A little guide would be nice ...
Similar threads
Similar threads
Similar threads
-
-
Release Asuswrt-Merlin 3006.102.2 is now available for Wifi 7 devices
- Started by RMerlin
- Replies: 62
-
Unable to establish VPN connection to my PiVPN (ovpn) from my Asus RT-AC86U running Asuswrt-Merlin 386.14
- Started by B0GDAN
- Replies: 1
-
Several Questions Re:Asuswrt-Merlin Feature Implementation
- Started by fenixreign
- Replies: 2
-
-
Beta Asuswrt-Merlin 3006.102.2 Beta is now available for Wifi 7 devices
- Started by RMerlin
- Replies: 70
-
-
-
-
