What's new

Stubby-Installer-Asuswrt-Merlin

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Can anyone shed some light on why Stubby is being called to start just moments before the router powers down in a reboot?
Likely due to the way amtm set up your entware.
 
Can anyone shed some light on why Stubby is being called to start just moments before the router powers down in a reboot?
No matter how you call it
Usage: ./S61stubby (start|stop|restart|check|kill|reconfigure)
It runs
logger -t S61stubby "Starting Stubby DNS over TLS $0"
So I am thinking Stubby was actually being stopped but the logger message said otherwise
 
No matter how you call it
Usage: ./S61stubby (start|stop|restart|check|kill|reconfigure)
It runs
logger -t S61stubby "Starting Stubby DNS over TLS $0"
So I am thinking Stubby was actually being stopped but the logger message said otherwise
I wonder whether "Starting" can be replaced by "$1"
 
OK, so I do not have amtm installed and see stubby trying to restart when the router is shutting down...
Code:
Jan 29 12:21:29 custom_script: Running /jffs/scripts/services-stop
Jan 29 17:21:31 transmission-daemon[3341]: Closing session
Jan 29 12:21:31 kernel: IDPfw: Exit IDPfw
Jan 29 12:21:31 kernel: mod epilog takes 0 jiffies
Jan 29 12:21:31 kernel: IDPfw: Exit IDPfw
Jan 29 12:21:31 kernel: Exit chrdev /dev/idpfw with major 191
Jan 29 12:21:31 S61stubby: Starting Stubby DNS over TLS /opt/etc/init.d/S61stubby
Does not seem to do any harm.
 
OK, so I do not have amtm installed and see stubby trying to restart when the router is shutting down...
Code:
Jan 29 12:21:29 custom_script: Running /jffs/scripts/services-stop
Jan 29 17:21:31 transmission-daemon[3341]: Closing session
Jan 29 12:21:31 kernel: IDPfw: Exit IDPfw
Jan 29 12:21:31 kernel: mod epilog takes 0 jiffies
Jan 29 12:21:31 kernel: IDPfw: Exit IDPfw
Jan 29 12:21:31 kernel: Exit chrdev /dev/idpfw with major 191
Jan 29 12:21:31 S61stubby: Starting Stubby DNS over TLS /opt/etc/init.d/S61stubby
Does not seem to do any harm.
I find the disk check log (in AMTM) doesn't show a clean unmount. When using default values in the scripts we use.
 
OK, so I do not have amtm installed and see stubby trying to restart when the router is shutting down...
Code:
Jan 29 12:21:29 custom_script: Running /jffs/scripts/services-stop
Jan 29 17:21:31 transmission-daemon[3341]: Closing session
Jan 29 12:21:31 kernel: IDPfw: Exit IDPfw
Jan 29 12:21:31 kernel: mod epilog takes 0 jiffies
Jan 29 12:21:31 kernel: IDPfw: Exit IDPfw
Jan 29 12:21:31 kernel: Exit chrdev /dev/idpfw with major 191
Jan 29 12:21:31 S61stubby: Starting Stubby DNS over TLS /opt/etc/init.d/S61stubby
Does not seem to do any harm.
Did you read my previous post?
 
@Xentrk

Small side note:
A wrong forwarding has crept into your description on GitHub. Under "2. DNSSEC Test" the second link hxxp://dnssec.vs.uni-due.de/ refers to hxxps://rootcanary.org/test.html.

:)
 
Thank you, I get this error:
Code:
Collected errors:
 * wfopen: getdns_1.5.1-tls1.3_aarch64-3.10.ipk: No such file or directory.
 * pkg_init_from_file: Failed to extract control file from getdns_1.5.1-tls1.3_aarch64-3.10.ipk.
Perhaps you simply did not have the ipk file in the current directory when you ran opkg install.
I did not receive any errors except for the sample stubby.yml which I do not need.
Code:
# opkg update && opkg upgrade
Downloading http://bin.entware.net/aarch64-k3.10/Packages.gz
Updated list of available packages in /opt/var/opkg-lists/entware
Upgrading getdns on root from 1.5.0-tls1.3 to 1.5.1-1...
Downloading http://bin.entware.net/aarch64-k3.10/getdns_1.5.1-1_aarch64-3.10.ipk
Removing obsolete file /opt/lib/libgetdns.so.10.1.0.
Upgrading stubby on root from 0.2.4-tls1.3 to 0.2.5-1...
Downloading http://bin.entware.net/aarch64-k3.10/stubby_0.2.5-1_aarch64-3.10.ipk
Configuring getdns.
Configuring stubby.
Collected errors:
 * resolve_conffiles: Existing conffile /opt/etc/stubby/stubby.yml is different from the conffile in the new package. The new conffile will be placed at /opt/etc/stubby/stubby.yml-opkg.

# opkg install getdns_1.5.1-tls1.3_aarch64-3.10.ipk
Upgrading getdns on root from 1.5.1-1 to 1.5.1-tls1.3...
Configuring getdns.

# ./S61stubby restart
 Shutting down stubby...              done.
 Starting stubby...              done.
 
Last edited:
I have e-mail confirmation from CleanBrowsing support that they are in fact on TLS 1.2 for now
Code:
tls_min_version: GETDNS_TLS1_2
 
getdns 1.5.1 + openssl 1.1.1a

https://drive.google.com/file/d/1a7WQmx1wPYfWUKAuHWIPX9cyPa-crLDI/view

stubby is identical with entware one.
Code:
opkg update && opkg upgrade
opkg install getdns_1.5.1-tls1.3_aarch64-3.10.ipk

Noted. I will add it to the other two updates on my to do list.

I've pushed v1.0.3 which updates the installer to use the new getdns_1.5.1 binary + stubby 0.2.5 from entware. I also fixed the incorrect output in S61stubby.

I've left the other changes that are a WIP from @Xentrk to push when he is ready.
 
That is a good point. I chose the statically linked stubby.
I am successfully using CleanBrowsing DNS over TLS via TLS 1.2.

How did you choose the statically linked version? I didn’t see an option for that when I installed using the stubby script included in amtm. On another (non-ASUS-Merlin) network I manage, I am using stubby and it is built against the OpenSSL 1.1.1 branch, and so I can edit a line in the stubby yml config to ensure that only TLS 1.3 is used, which theoretically offers speed and security benefits.

EDIT:
I see that in the latest github commit the script automatically gets the statically linked version. This should mean that one will be able to ensure TLS 1.3 by uncommenting the tls_min_version line in the stubby.yml config file and ensuring it says
Code:
tls_min_version: GETDNS_TLS1_3

I can confirm that on another network of mine this setup works when using Cloudflare.
 
Last edited:
How did you choose the statically linked version? I didn’t see an option for that when I installed using the stubby script included in amtm. On another (non-ASUS-Merlin) network I manage, I am using stubby and it is built against the OpenSSL 1.1.1 branch, and so I can edit a line in the stubby yml config to ensure that only TLS 1.3 is used, which theoretically offers speed and security benefits.

install_stubby.sh will automatically use the static binaries if you are using a HND device (AC86U/AX88U) and tweak the config accordingly.
 
install_stubby.sh will automatically use the static binaries if you are using a HND device (AC86U/AX88U) and tweak the config accordingly.

Ah I see. Forgive my ignorance, but what does HND stand for? I am managing an AC87U. Will that automatically get the statically linked version?

EDIT:

I see from the github commit that HND must mean running the aarch64 architecture. So my 87U doesn’t get the statically linked version. Is there a reason that stubby is limiting OpenSSL 1.1.1 to arm64 devices? Pixelserv-tls does not have this limitation and my 87U is running that against OpenSSL 1.1.1 fine and I can get tls 1.3 connections to pixelserv-tls
 
Last edited:

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top