Stubby-Installer-Asuswrt-Merlin

[skeal]

Should the following: dnssec_return_status: GETDNS_EXTENSION_TRUE

be added to the /opt/etc/stubby/stubby.yml by the installer if you select yes to proxy-dnssec during the stubby install/update?

https://dnsprivacy.org/wiki/display/DP/Configuring+Stubby#ConfiguringStubby-DNSSEC

Maybe just make "#dnssec_return_status: GETDNS_EXTENSION_TRUE" part of our standard stubby.yml and have the installer comment it in or out based off the DNSSEC response.

If you include that line with the present script it will work like having the webui feature enabled. It will break the Cloudflare test site.

 

[vesalius]

I agree with this cautious approach.

If you include that line with the present script it will work like having the webui feature enabled. It will break the Cloudflare test site.

So DNSSEC is working without that line?

 

[dave14305]

With only proxy-dnssec in dnsmasq.conf and no dnssec directives in stubby.yml, you are essentially trusting that Cloudflare (or whichever resolver you use) is sending you a validated response without your router (i.e. stubby or dnsmasq) validating the signature. Probably less secure, but with the encrypted DoT in place, it might be acceptable risk.

 

[skeal]

With only proxy-dnssec in dnsmasq.conf and no dnssec directives in stubby.yml, you are essentially trusting that Cloudflare (or whichever resolver you use) is sending you a validated response without your router (i.e. stubby or dnsmasq) validating the signature. Probably less secure, but with the encrypted DoT in place, it might be acceptable risk.

Couldn't have answered it any better than this.

 

[dave14305]

Couldn't have answered it any better than this.

Everything I need to know about Stubby, I learned from @john9527 and his fork.
https://www.snbforums.com/threads/f...lts-releases-v37ea.18914/page-432#post-446390

 

[owine]

I held off on the IPv6 fix for now until I can get some conformation from multiple sources there are no adverse effects. Without IPv6 support from my ISP I thought its best not to make blind changes (even if they seem completely fine).

FWIW, my nvram entries for the IPv6-related DNS server entries are blank and the router on its own pushes its own IPv6 address to clients for DNS resolution. I do not use the installer script, but have stubby configured by hand in a very similar manner.

I also have the DNS entries on the DHCP server page blanked out and the router pushes its IP as the DNS server. Screenshots of my configuration on those items are below.

 

[bbunge]

2nd failure on reboot. May be other than stubby installer as USB drives did not mount on startup.
Stay tuned may have to refresh Merlin...

Sent from my SM-T380 using Tapatalk

Operator error. There was an asuswrt file left on my 1 TB drive that likely messed up entware. Back up and running DoT to CF. Installed with today's script.

Sent from my SM-T380 using Tapatalk

 

[skeal]

Operator error. There was an asuswrt file left on my 1 TB drive that likely messed up entware. Back up and running DoT to CF. Installed with today's script.

Sent from my SM-T380 using Tapatalk

Welcome back brother!

 

[Xentrk]

Works for me. And re-reading, I think the implied tone of my post was not what I intended. I honestly did mean it as a suggestion for supporting IPv6, not "you need to do this" which I think is how it came across.

But yes, I'm up for testing IPv6 stuff.

No problem. I did not take it that way. I would just need someone who has the ipv6 requirement to test the change since I don’t use it.

Similar to @Adamm and @Jack Yaz helping on the HND router updates. I don’t have one to test on but they do.

It’s all good brother.

 

[bbunge]

IPV6 Test
RT-AC66U_B1 running Merlin 384.8_2 with Stubby installed and DoT working OK. Added IPV6 using 6RD as this is what my ISP offers at this time.
Did not add IPV6 DNS servers.
Stubby.yml was set to use CleanBrowsing IPV4 resolvers. Tested IPV6 with: https://test-ipv6.com/ Test results were 9/10 as CleanBrowsing IPV4 DNS servers do not resolve IPV6 addresses. Added CleanBrowsing IPV6 resolvers to stubby.yml, reran IPVt test and scored 10/10.
Switched to Cloudflare resolvers IPV4 and IPV6. Restarted stubby. Tested 10/10 and Cloudflare/Help tested connected to IPV4 and IPV6 with DoT=yes.
Switched to Quad9 IPV4 and IPV6 resolvers and tested successfully.

Reset the router to factory, manually reconfigured with IPV6 via 6RD, added freshly formated EXT3 thumb drive. Installed Entware then Stubby/GetDNS with proxy-dnssec option and reran all the tests cited above successfully.

Did not have DNSSEC enabled for any of the tests. I would expect Cloudflare to work reliably with DNSSEC. Have had issues using DNSSEC on Quad9, CleanBrowsing and other resolvers.

Should add that while I was doing the first set of tests I was downloading a large .iso file on one PC and had another PC running several torrent downloads. Switching the resolvers in the stubby.yml and restarting stubby after the changes did not cause any dropped connections.

Edit: for all the changed stubby.yml I had roundrobbin set to 1.

 

[vesalius]

IPV6 Test

My results, RTAC86U- 384.8_2. Latest Stubby/GetDNS with proxy-dnssec option and working DoT TLS 1.3. Using Cloudflare IPv4 1.1.1.1/1.0.0.1 Passed all test. Did not add "dnssec_return_status: GETDNS_EXTENSION_TRUE" to the stubby.yml so dnssec is permissive and not strictly validated by my router. Also have "round_robin_upstreams: 1" instead of the default 0

Under the router IPv6 settings page. Enabled IPv6 with a Native connection through Spectrum. Set "Connect to DNS Server automatically" to Disable then added the router LAN IPv6 Address to the "IPv6 DNS Server 1" line. Added Cloudflare IPv6 primary, but not secondary. Will test will secondary only and both later.

Tested IPV6 with:
1. https://test-ipv6.com/ - passed 10/10
2. http://en.conn.internet.nl/connection/ passed IPv6 100% with Domain signatures validated (DNSSEC)

DNSSEC:
1. http://dnssec.vs.uni-due.de/ - Yes, your DNS resolver validates DNSSEC signatures.
2. http://en.conn.internet.nl/connection/ passed IPv6 100% with Domain signatures validated (DNSSEC)
3. https://rootcanary.org/test.html Similar pass/fail with or without IPv6 enabled

 

[bbunge]

IPV6 Test

My results, RTAC86U- 384.8_2. Latest Stubby/GetDNS with proxy-dnssec option and working DoT TLS 1.3. Using Cloudflare IPv4 1.1.1.1/1.0.0.1 Passed all test. Did not add "dnssec_return_status: GETDNS_EXTENSION_TRUE" to the stubby.yml so dnssec is permissive and not strictly validated by my router. Also have "round_robin_upstreams: 1" instead of the default 0

Under the router IPv6 settings page. Enabled IPv6 with a Native connection through Spectrum. Set "Connect to DNS Server automatically" to Disable then added the router LAN IPv6 Address to the "IPv6 DNS Server 1" line. Added Cloudflare IPv6 primary, but not secondary. Will test will secondary only and both later.

Tested IPV6 with:
1. https://test-ipv6.com/ - passed 10/10
2. http://en.conn.internet.nl/connection/ passed IPv6 100% with Domain signatures validated (DNSSEC)

DNSSEC:
1. http://dnssec.vs.uni-due.de/ - Yes, your DNS resolver validates DNSSEC signatures.
2. http://en.conn.internet.nl/connection/ passed IPv6 100% with Domain signatures validated (DNSSEC)
3. https://rootcanary.org/test.html Similar pass/fail with or without IPv6 enabled

Did you try with the IPV6 DNS blank?

Sent from my SM-T380 using Tapatalk

 

[vesalius]

Did you try with the IPV6 DNS blank?

Sent from my SM-T380 using Tapatalk

Did not, at work now though.

 

[eclp]

Another perhaps helpful DNSSEC test: http://0skar.cz/dns/en/

 

[skeal]

Another perhaps helpful DNSSEC test: http://0skar.cz/dns/en/

Nice one, any dnssec doubters out there should run this test.

 

[eclp]

I would love to try stubby again, but the last time I tried it my whole internet was dead. Besides, I couldn't even get to the router GUI anymore, only SSH, after uninstalling, my internet connection was working again.
Maybe someone of the initiates would be kind enough to collect all the things you need to know. A little guide would be nice ...

 

[skeal]

I would love to try stubby again, but the last time I tried it my whole internet was dead. Besides, I couldn't even get to the router GUI anymore, only SSH, after uninstalling, my internet connection was working again.
Maybe someone of the initiates would be kind enough to collect all the things you need to know. A little guide would be nice ...

Right here bud!https://github.com/Xentrk/Stubby-Installer-Asuswrt-Merlin

 

[bbunge]

Another perhaps helpful DNSSEC test: http://0skar.cz/dns/en/

Interesting...
With resolvers in stubby set to Quad 9, NSEC3 zone tests, 3b and 5, failed.
Switched to Cloudflare resolvers and all tests passed. Test completed quicker than Quad9
Turned on DNSSEC with Cloudflare and all tests passed again although test 1 and 6 were slow to finish.
Seems to prove my lack of success with Quad9 with DNSSEC enabled...

Once again, this does not prove the DNSSEC is working in the router but that the resolvers, DNS servers, you have configured can do DNSSEC.

 

[vesalius]

I would love to try stubby again, but the last time I tried it my whole internet was dead. Besides, I couldn't even get to the router GUI anymore, only SSH, after uninstalling, my internet connection was working again.
Maybe someone of the initiates would be kind enough to collect all the things you need to know. A little guide would be nice ...

Which asus router did you install on?

 

[eclp]

@vesalius … RT-AX88U