Stubby-Installer-Asuswrt-Merlin

[preacher65]

I am using iOS and android Dig apps. When I enabled proxy-dnssec I was able to get the AD flag on the apps.

Do you mind me asking which apps? I can't get the AD flag on my Android device but can on iOS, but would appreciate a recommendation for both.

 

[bbunge]

Do you mind me asking which apps? I can't get the AD flag on my Android device but can on iOS, but would appreciate a recommendation for both.

iOS - ISC Dig
Android - DNSDig

 

[ajp2k14]

From the man page of Dnsmasq:
--proxy-dnssec
Copy the DNSSEC Authenticated Data bit from upstream servers to downstream clients and cache it. This is an alternative to having dnsmasq validate DNSSEC, but it depends on the security of the network between dnsmasq and the upstream servers, and the trustworthiness of the upstream servers.

 

[preacher65]

iOS - ISC Dig
Android - DNSDig

Thanks - that's what I'm using as well. I'd hoped it might be a problem with the Android app I was using but that was wishful thinking. I can't get the AD flag to show on Android, will do some more testing.

 

[dave14305]

Thanks - that's what I'm using as well. I'd hoped it might be a problem with the Android app I was using but that was wishful thinking. I can't get the AD flag to show on Android, will do some more testing.

Are you using Android 9 with built-in DNS privacy, bypassing your router?

 

[DonnyJohnny]

So in fact they compliment each other?

Think bbunge’s give the answer. Assuming we trust those big players like cloudflare, Google etc, having both dot and dnssec will be pretty safe from dns hijacking. Unless your clients (pc, web browser, router) is compromised, then that’s different story.

QUOTE="bbunge, post: 460367, member: 30783"]I am using iOS and android Dig apps. When I enabled proxy-dnssec I was able to get the AD flag on the apps. Yes, there are a lot of opinions on DoT/DoH and DNSSEC. There is a link in a prior post that has a good article on the topic

Edit link https://blog.apnic.net/2018/08/17/sunrise-dns-over-tls-sunset-dnssec/

Sent from my SM-T380 using Tapatalk[/QUOTE]

 

[preacher65]

Are you using Android 9 with built-in DNS privacy, bypassing your router?

Thanks - I am using Android 9, and hadn't checked (doh!) but no, DNS privacy is not enabled. Checking 1.1.1.1/help on the phone says I'm connecting to CF using DOT. Moreover following the Diversion log shows queries triggered by the phone, including the A record I'm querying to test DNSSEC. So it would appear to be using dnsmasq on the router to resolve DNS queries and Stubby would appear to be working, it's just not returning the AD flag when I use the DNSdig app, setting the router's IP as the resolver.

Using either Powershell "resolve-dnsname -dnssecok" or Bind Tools for Windows, or the ICS Dig app on iOS, seem to indicate those clients are receiving the AD flag. Just not Android (or at least not the DNSdig app).

I'm currently charging up a different Android device to see if it's something to do with Pie. However I've always been suspicious that Android does something a bit funky with DNS, I know my DNS can leak to my mobile carrier over IPv6 with some VPN client configs I've tried.

Update: Nope, same on Oreo. Also tried 2 other Android apps. I can live without it but it's an annoyance to not know why it's not working.

 

[preacher65]

Update: Nope, same on Oreo. Also tried 2 other Android apps. I can live without it but it's an annoyance to not know why it's not working.

Sorry for replying to my own post, but... installed Termux on my phone and installed the dnsutils package, then tried dig from a terminal window and got the AD flag. Not quite sure what's going on with those DNS apps, there doesn't seem to be any way in the gui for the equivalent of dig's "+dnssec" parameter, but perhaps I'm just using them incorrectly. DNSdig shows a greyed out AD flag so I assumed it would check dnssec automatically. (On iOS the app is from ISC so I guess it's to be expected it checks dnssec by default.)

This is why we should only ever trust the command line.

 

[Adamm]

I've pushed an update for IPv6 users. This update implements the suggestions by @cmkelley in this post.

Note; These changes I am unable to personally test due to IPv6 being unsupported by my ISP, so feedback is appreciated!

 

[cmkelley]

I've pushed an update for IPv6 users. This update implements the suggestions by @cmkelley in this post.

Note; These changes I am unable to personally test due to IPv6 being unsupported by my ISP, so feedback is appreciated!

Thanks for this. I didn't realize there was a flag for ipv6_service. Makes sense to only put the IPv6 stuff in if that's enabled.

Also, is there a way to have it re-run the install script after it updates the install script?

 

[Adamm]

Also, is there a way to have it re-run the install script after it updates the install script?

Its on the todo list, best to make sure everything works manually before automating it. Things have been progressing rapidly so this will happen sooner then later.

 

[cmkelley]

I've pushed an update for IPv6 users. This update implements the suggestions by @cmkelley in this post.

Note; These changes I am unable to personally test due to IPv6 being unsupported by my ISP, so feedback is appreciated!

Eeeep. I'm dangerous .... In the update_wan_and_resolv_settings section, once you've tested for ipv6 being enabled, looks like you should add:

nvram set ipv6_dnsenable="0"
nvram set ipv61_dnsenable="0"

I wasn't thinking about the case where people had enabled connect to (ipv6) server automatically. Ooopsie.

 

[Adamm]

Eeeep. I'm dangerous .... In the update_wan_and_resolv_settings section, once you've tested for ipv6 being enabled, looks like you should add:

nvram set ipv6_dnsenable="0"
nvram set ipv61_dnsenable="0"

I wasn't thinking about the case where people had enabled connect to (ipv6) server automatically. Ooopsie.

Someone else taking the blame, lucky me

I've committed the missing values (that I totally didn't overlook myself )

 

[visortgw]

Someone else taking the blame, lucky me

I've committed the missing values (that I totally didn't overlook myself )

I just updated the installer, and it hangs when I attempt to Update Stubby Configuration (option 1).

 

[cmkelley]

Does it get through any of it? What's the last message? (it works for me)

 

[Adamm]

I just updated the installer, and it hangs when I attempt to Update Stubby Configuration (option 1).

Works on my end;

skynet@RT-AX88U-DC28:/tmp/home/root# install_stubby

_______________________________________________________________________
|                                                                     |
|  Welcome to the Stubby-Installer-Asuswrt-Merlin installation script |
|  Version 1.0.1 by Xentrk                                            |
|         ____        _         _                                     |
|        |__  |      | |       | |                                    |
|  __  __  _| |_ _ _ | |_  ___ | | __    ____ ____  _ _ _             |
|  \ \/ / |_  | ` ` \  __|/ _ \| |/ /   /  _//    \| ` ` \            |
|   /  /  __| | | | |  |_ | __/|   <   (  (_ | [] || | | |            |
|  /_/\_\|___ |_|_|_|\___|\___||_|\_\[] \___\\____/|_|_|_|            |
|_____________________________________________________________________|
|                                                                     |
| Requirements: jffs partition and USB drive with entware installed   |
|                                                                     |
| The use of Stubby on Asuswrt-Merlin is experimental.                |
| The install script will:                                            |
|   1. install the stubby entware package                             |
|   2. override how the firmware manages DNS                          |
|   3. disable the firmware DNSSEC setting                            |
|   4. default to Cloudflare DNS 1.1.1.1. You can change to other     |
|      supported DNS over TLS providers by modifying                  |
|      /opt/var/stubby/stubby.yml                                     |
|                                                                     |
| You can also use this script to uninstall Stubby to back out the    |
| changes made during the installation. See the project repository at |
| https://github.com/Xentrk/Stubby-Installer-Asuswrt-Merlin           |
| for helpful tips.                                                   |
|_____________________________________________________________________|

1 = Update Stubby Configuration
2 = Remove Existing Stubby Installation

e = Exit Script

Option ==> 1

Entware package list successfully updated
getdns-hnd-latest.ipk downloaded successfully
stubby-hnd-latest.ipk downloaded successfully
Installing getdns (1.5.0-tls1.3) to root...
Configuring getdns.
Patched getdns successfully installed
Installing stubby (0.2.4-tls1.3) to root...
Configuring stubby.
Collected errors:
 * resolve_conffiles: Existing conffile /opt/etc/stubby/stubby.yml is different from the conffile in the new package. The new conffile will be placed at /opt/etc/stubby/stubby.yml-opkg.
Patched stubby successfully installed
Existing haveged package found
Package haveged (1.9.4-1) installed in root is up to date.
Haveged successfully updated
Required dnsmasq parm no-resolv found in /tmp/etc/dnsmasq.conf
Required dnsmasq parm server=127.0.0.1#5453 found in /tmp/etc/dnsmasq.conf
Required dnsmasq parm server=0::1#5453 found in /tmp/etc/dnsmasq.conf
Required dnsmasq parm server=/pool.ntp.org/1.1.1.1 found in /tmp/etc/dnsmasq.conf
Existing stubby.yml found
stubby.yml backed up to stubby.yml.2019-01-21_05-27-14
stubby.yml downloaded successfully
S61stubby downloaded successfully


Would you like to cache DNSSEC Authenticated Data? (proxy-dnssec)
NOTE: This may cause issues with alternative DNS providers such as Quad9
[1]  --> Yes
[2]  --> No

[1-2]: 1

proxy-dnssec found in /jffs/configs/dnsmasq.conf.add
1 active OpenVPN Client found
Required entry already exists in /jffs/scripts/openvpn-event
Skipping update of /jffs/scripts/openvpn-event
 Shutting down stubby...              done.
 Starting stubby...              done.
Installation of Stubby completed

   https://github.com/Xentrk/Stubby-Installer-Asuswrt-Merlin

                      Have a Grateful Day!

           ____        _         _
          |__  |      | |       | |
    __  __  _| |_ _ _ | |_  ___ | | __    ____ ____  _ _ _
    \ \/ / |_  | ` ` \  __|/ _ \| |/ /   /  _//    \| ` ` \
     /  /  __| | | | |  |_ | __/|   <   (  (_ | [] || | | |
    /_/\_\|___ |_|_|_|\___|\___||_|\_\[] \___\\____/|_|_|_|

Can you give me the output of the following (assuming you can reproduce it).

sh -x /jffs/scripts/install_stubby.sh

(try to navigate the menu with the debug print so we can get to the point where it hangs)

 

[visortgw]

Does it get through any of it? What's the last message? (it works for me)

No messages. Just a blank line...

1 = Update Stubby Configuration
2 = Remove Existing Stubby Installation

e = Exit Script

Option ==> 1

 

[Adamm]

No messages. Just a blank line...

1 = Update Stubby Configuration
2 = Remove Existing Stubby Installation

e = Exit Script

Option ==> 1

Can you give me the output of the following (assuming you can reproduce it).

sh -x /jffs/scripts/install_stubby.sh

(try to navigate the menu with the debug print so we can get to the point where it hangs)

 

[visortgw]

Works on my end;

skynet@RT-AX88U-DC28:/tmp/home/root# install_stubby

_______________________________________________________________________
|                                                                     |
|  Welcome to the Stubby-Installer-Asuswrt-Merlin installation script |
|  Version 1.0.1 by Xentrk                                            |
|         ____        _         _                                     |
|        |__  |      | |       | |                                    |
|  __  __  _| |_ _ _ | |_  ___ | | __    ____ ____  _ _ _             |
|  \ \/ / |_  | ` ` \  __|/ _ \| |/ /   /  _//    \| ` ` \            |
|   /  /  __| | | | |  |_ | __/|   <   (  (_ | [] || | | |            |
|  /_/\_\|___ |_|_|_|\___|\___||_|\_\[] \___\\____/|_|_|_|            |
|_____________________________________________________________________|
|                                                                     |
| Requirements: jffs partition and USB drive with entware installed   |
|                                                                     |
| The use of Stubby on Asuswrt-Merlin is experimental.                |
| The install script will:                                            |
|   1. install the stubby entware package                             |
|   2. override how the firmware manages DNS                          |
|   3. disable the firmware DNSSEC setting                            |
|   4. default to Cloudflare DNS 1.1.1.1. You can change to other     |
|      supported DNS over TLS providers by modifying                  |
|      /opt/var/stubby/stubby.yml                                     |
|                                                                     |
| You can also use this script to uninstall Stubby to back out the    |
| changes made during the installation. See the project repository at |
| https://github.com/Xentrk/Stubby-Installer-Asuswrt-Merlin           |
| for helpful tips.                                                   |
|_____________________________________________________________________|

1 = Update Stubby Configuration
2 = Remove Existing Stubby Installation

e = Exit Script

Option ==> 1

Entware package list successfully updated
getdns-hnd-latest.ipk downloaded successfully
stubby-hnd-latest.ipk downloaded successfully
Installing getdns (1.5.0-tls1.3) to root...
Configuring getdns.
Patched getdns successfully installed
Installing stubby (0.2.4-tls1.3) to root...
Configuring stubby.
Collected errors:
 * resolve_conffiles: Existing conffile /opt/etc/stubby/stubby.yml is different from the conffile in the new package. The new conffile will be placed at /opt/etc/stubby/stubby.yml-opkg.
Patched stubby successfully installed
Existing haveged package found
Package haveged (1.9.4-1) installed in root is up to date.
Haveged successfully updated
Required dnsmasq parm no-resolv found in /tmp/etc/dnsmasq.conf
Required dnsmasq parm server=127.0.0.1#5453 found in /tmp/etc/dnsmasq.conf
Required dnsmasq parm server=0::1#5453 found in /tmp/etc/dnsmasq.conf
Required dnsmasq parm server=/pool.ntp.org/1.1.1.1 found in /tmp/etc/dnsmasq.conf
Existing stubby.yml found
stubby.yml backed up to stubby.yml.2019-01-21_05-27-14
stubby.yml downloaded successfully
S61stubby downloaded successfully


Would you like to cache DNSSEC Authenticated Data? (proxy-dnssec)
NOTE: This may cause issues with alternative DNS providers such as Quad9
[1]  --> Yes
[2]  --> No

[1-2]: 1

proxy-dnssec found in /jffs/configs/dnsmasq.conf.add
1 active OpenVPN Client found
Required entry already exists in /jffs/scripts/openvpn-event
Skipping update of /jffs/scripts/openvpn-event
 Shutting down stubby...              done.
 Starting stubby...              done.
Installation of Stubby completed

   https://github.com/Xentrk/Stubby-Installer-Asuswrt-Merlin

                      Have a Grateful Day!

           ____        _         _
          |__  |      | |       | |
    __  __  _| |_ _ _ | |_  ___ | | __    ____ ____  _ _ _
    \ \/ / |_  | ` ` \  __|/ _ \| |/ /   /  _//    \| ` ` \
     /  /  __| | | | |  |_ | __/|   <   (  (_ | [] || | | |
    /_/\_\|___ |_|_|_|\___|\___||_|\_\[] \___\\____/|_|_|_|

Can you give me the output of the following (assuming you can reproduce it).

sh -x /jffs/scripts/install_stubby.sh

(try to navigate the menu with the debug print so we can get to the point where it hangs)

Hung on "+ opkg update", which is strange.

 

[Adamm]

Hung on "+ opkg update", which is strange.

Does "opkg update" work when manually run? If not that indicates a problem with entware in general.