What's new

Stubby-Installer-Asuswrt-Merlin

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Should the following: dnssec_return_status: GETDNS_EXTENSION_TRUE

be added to the /opt/etc/stubby/stubby.yml by the installer if you select yes to proxy-dnssec during the stubby install/update?

https://dnsprivacy.org/wiki/display/DP/Configuring+Stubby#ConfiguringStubby-DNSSEC

Maybe just make "#dnssec_return_status: GETDNS_EXTENSION_TRUE" part of our standard stubby.yml and have the installer comment it in or out based off the DNSSEC response.
If you include that line with the present script it will work like having the webui feature enabled. It will break the Cloudflare test site.
 
With only proxy-dnssec in dnsmasq.conf and no dnssec directives in stubby.yml, you are essentially trusting that Cloudflare (or whichever resolver you use) is sending you a validated response without your router (i.e. stubby or dnsmasq) validating the signature. Probably less secure, but with the encrypted DoT in place, it might be acceptable risk.
 
With only proxy-dnssec in dnsmasq.conf and no dnssec directives in stubby.yml, you are essentially trusting that Cloudflare (or whichever resolver you use) is sending you a validated response without your router (i.e. stubby or dnsmasq) validating the signature. Probably less secure, but with the encrypted DoT in place, it might be acceptable risk.
Couldn't have answered it any better than this.
 
I held off on the IPv6 fix for now until I can get some conformation from multiple sources there are no adverse effects. Without IPv6 support from my ISP I thought its best not to make blind changes (even if they seem completely fine).
FWIW, my nvram entries for the IPv6-related DNS server entries are blank and the router on its own pushes its own IPv6 address to clients for DNS resolution. I do not use the installer script, but have stubby configured by hand in a very similar manner.

I also have the DNS entries on the DHCP server page blanked out and the router pushes its IP as the DNS server. Screenshots of my configuration on those items are below.

Screen Shot 2019-01-15 at 2.32.43 PM.png
Screen Shot 2019-01-15 at 2.32.51 PM.png
 
2nd failure on reboot. May be other than stubby installer as USB drives did not mount on startup.
Stay tuned may have to refresh Merlin...

Sent from my SM-T380 using Tapatalk
Operator error. There was an asuswrt file left on my 1 TB drive that likely messed up entware. Back up and running DoT to CF. Installed with today's script.

Sent from my SM-T380 using Tapatalk
 
Operator error. There was an asuswrt file left on my 1 TB drive that likely messed up entware. Back up and running DoT to CF. Installed with today's script.

Sent from my SM-T380 using Tapatalk
Welcome back brother!:D
 
Works for me. And re-reading, I think the implied tone of my post was not what I intended. I honestly did mean it as a suggestion for supporting IPv6, not "you need to do this" which I think is how it came across.

But yes, I'm up for testing IPv6 stuff. :)
No problem. I did not take it that way. I would just need someone who has the ipv6 requirement to test the change since I don’t use it.

Similar to @Adamm and @Jack Yaz helping on the HND router updates. I don’t have one to test on but they do.

It’s all good brother.
 
IPV6 Test
RT-AC66U_B1 running Merlin 384.8_2 with Stubby installed and DoT working OK. Added IPV6 using 6RD as this is what my ISP offers at this time.
Did not add IPV6 DNS servers.
Stubby.yml was set to use CleanBrowsing IPV4 resolvers. Tested IPV6 with: https://test-ipv6.com/ Test results were 9/10 as CleanBrowsing IPV4 DNS servers do not resolve IPV6 addresses. Added CleanBrowsing IPV6 resolvers to stubby.yml, reran IPVt test and scored 10/10.
Switched to Cloudflare resolvers IPV4 and IPV6. Restarted stubby. Tested 10/10 and Cloudflare/Help tested connected to IPV4 and IPV6 with DoT=yes.
Switched to Quad9 IPV4 and IPV6 resolvers and tested successfully.

Reset the router to factory, manually reconfigured with IPV6 via 6RD, added freshly formated EXT3 thumb drive. Installed Entware then Stubby/GetDNS with proxy-dnssec option and reran all the tests cited above successfully.

Did not have DNSSEC enabled for any of the tests. I would expect Cloudflare to work reliably with DNSSEC. Have had issues using DNSSEC on Quad9, CleanBrowsing and other resolvers.

Should add that while I was doing the first set of tests I was downloading a large .iso file on one PC and had another PC running several torrent downloads. Switching the resolvers in the stubby.yml and restarting stubby after the changes did not cause any dropped connections.

Edit: for all the changed stubby.yml I had roundrobbin set to 1.
 
Last edited:
IPV6 Test

My results, RTAC86U- 384.8_2. Latest Stubby/GetDNS with proxy-dnssec option and working DoT TLS 1.3. Using Cloudflare IPv4 1.1.1.1/1.0.0.1 Passed all test. Did not add "dnssec_return_status: GETDNS_EXTENSION_TRUE" to the stubby.yml so dnssec is permissive and not strictly validated by my router. Also have "round_robin_upstreams: 1" instead of the default 0

Under the router IPv6 settings page. Enabled IPv6 with a Native connection through Spectrum. Set "Connect to DNS Server automatically" to Disable then added the router LAN IPv6 Address to the "IPv6 DNS Server 1" line. Added Cloudflare IPv6 primary, but not secondary. Will test will secondary only and both later.

Tested IPV6 with:
1. https://test-ipv6.com/ - passed 10/10
2. http://en.conn.internet.nl/connection/ passed IPv6 100% with Domain signatures validated (DNSSEC)

DNSSEC:
1. http://dnssec.vs.uni-due.de/ - Yes, your DNS resolver validates DNSSEC signatures.
2. http://en.conn.internet.nl/connection/ passed IPv6 100% with Domain signatures validated (DNSSEC)
3. https://rootcanary.org/test.html Similar pass/fail with or without IPv6 enabled
 
IPV6 Test

My results, RTAC86U- 384.8_2. Latest Stubby/GetDNS with proxy-dnssec option and working DoT TLS 1.3. Using Cloudflare IPv4 1.1.1.1/1.0.0.1 Passed all test. Did not add "dnssec_return_status: GETDNS_EXTENSION_TRUE" to the stubby.yml so dnssec is permissive and not strictly validated by my router. Also have "round_robin_upstreams: 1" instead of the default 0

Under the router IPv6 settings page. Enabled IPv6 with a Native connection through Spectrum. Set "Connect to DNS Server automatically" to Disable then added the router LAN IPv6 Address to the "IPv6 DNS Server 1" line. Added Cloudflare IPv6 primary, but not secondary. Will test will secondary only and both later.

Tested IPV6 with:
1. https://test-ipv6.com/ - passed 10/10
2. http://en.conn.internet.nl/connection/ passed IPv6 100% with Domain signatures validated (DNSSEC)

DNSSEC:
1. http://dnssec.vs.uni-due.de/ - Yes, your DNS resolver validates DNSSEC signatures.
2. http://en.conn.internet.nl/connection/ passed IPv6 100% with Domain signatures validated (DNSSEC)
3. https://rootcanary.org/test.html Similar pass/fail with or without IPv6 enabled
Did you try with the IPV6 DNS blank?

Sent from my SM-T380 using Tapatalk
 
I would love to try stubby again, but the last time I tried it my whole internet was dead. Besides, I couldn't even get to the router GUI anymore, only SSH, after uninstalling, my internet connection was working again.
Maybe someone of the initiates would be kind enough to collect all the things you need to know. A little guide would be nice ...

:)
 
I would love to try stubby again, but the last time I tried it my whole internet was dead. Besides, I couldn't even get to the router GUI anymore, only SSH, after uninstalling, my internet connection was working again.
Maybe someone of the initiates would be kind enough to collect all the things you need to know. A little guide would be nice ...

:)
Right here bud!https://github.com/Xentrk/Stubby-Installer-Asuswrt-Merlin
 
Another perhaps helpful DNSSEC test: http://0skar.cz/dns/en/

:)
Interesting...
With resolvers in stubby set to Quad 9, NSEC3 zone tests, 3b and 5, failed.
Switched to Cloudflare resolvers and all tests passed. Test completed quicker than Quad9
Turned on DNSSEC with Cloudflare and all tests passed again although test 1 and 6 were slow to finish.
Seems to prove my lack of success with Quad9 with DNSSEC enabled...

Once again, this does not prove the DNSSEC is working in the router but that the resolvers, DNS servers, you have configured can do DNSSEC.
 
I would love to try stubby again, but the last time I tried it my whole internet was dead. Besides, I couldn't even get to the router GUI anymore, only SSH, after uninstalling, my internet connection was working again.
Maybe someone of the initiates would be kind enough to collect all the things you need to know. A little guide would be nice ...

:)
Which asus router did you install on?
 

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top