Stubby-Installer-Asuswrt-Merlin

[bbunge]

Can anyone shed some light on why Stubby is being called to start just moments before the router powers down in a reboot?

Likely due to the way amtm set up your entware.

 

[EmeraldDeer]

Can anyone shed some light on why Stubby is being called to start just moments before the router powers down in a reboot?

No matter how you call it
Usage: ./S61stubby (start|stop|restart|check|kill|reconfigure)
It runs
logger -t S61stubby "Starting Stubby DNS over TLS $0"
So I am thinking Stubby was actually being stopped but the logger message said otherwise

 

[EmeraldDeer]

No matter how you call it
Usage: ./S61stubby (start|stop|restart|check|kill|reconfigure)
It runs
logger -t S61stubby "Starting Stubby DNS over TLS $0"
So I am thinking Stubby was actually being stopped but the logger message said otherwise

I wonder whether "Starting" can be replaced by "$1"

 

[thelonelycoder]

Likely due to the way amtm set up your entware.

No.

 

[thelonelycoder]

Can anyone shed some light on why Stubby is being called to start just moments before the router powers down in a reboot?

It's the customized S61stubby here: https://github.com/Xentrk/Stubby-Installer-Asuswrt-Merlin/blob/master/S61stubby
@Xentrk or @Adamm need to change line 11 from:

logger -t S61stubby "Starting Stubby DNS over TLS $0"

to this, using the positional parameter instead of fixed string:

logger -t S61stubby "$1 Stubby DNS over TLS $0"

 

[bbunge]

No.

OK, so I do not have amtm installed and see stubby trying to restart when the router is shutting down...

Jan 29 12:21:29 custom_script: Running /jffs/scripts/services-stop
Jan 29 17:21:31 transmission-daemon[3341]: Closing session
Jan 29 12:21:31 kernel: IDPfw: Exit IDPfw
Jan 29 12:21:31 kernel: mod epilog takes 0 jiffies
Jan 29 12:21:31 kernel: IDPfw: Exit IDPfw
Jan 29 12:21:31 kernel: Exit chrdev /dev/idpfw with major 191
Jan 29 12:21:31 S61stubby: Starting Stubby DNS over TLS /opt/etc/init.d/S61stubby

Does not seem to do any harm.

 

[skeal]

OK, so I do not have amtm installed and see stubby trying to restart when the router is shutting down...

Jan 29 12:21:29 custom_script: Running /jffs/scripts/services-stop
Jan 29 17:21:31 transmission-daemon[3341]: Closing session
Jan 29 12:21:31 kernel: IDPfw: Exit IDPfw
Jan 29 12:21:31 kernel: mod epilog takes 0 jiffies
Jan 29 12:21:31 kernel: IDPfw: Exit IDPfw
Jan 29 12:21:31 kernel: Exit chrdev /dev/idpfw with major 191
Jan 29 12:21:31 S61stubby: Starting Stubby DNS over TLS /opt/etc/init.d/S61stubby

Does not seem to do any harm.

I find the disk check log (in AMTM) doesn't show a clean unmount. When using default values in the scripts we use.

 

[thelonelycoder]

OK, so I do not have amtm installed and see stubby trying to restart when the router is shutting down...

Jan 29 12:21:29 custom_script: Running /jffs/scripts/services-stop
Jan 29 17:21:31 transmission-daemon[3341]: Closing session
Jan 29 12:21:31 kernel: IDPfw: Exit IDPfw
Jan 29 12:21:31 kernel: mod epilog takes 0 jiffies
Jan 29 12:21:31 kernel: IDPfw: Exit IDPfw
Jan 29 12:21:31 kernel: Exit chrdev /dev/idpfw with major 191
Jan 29 12:21:31 S61stubby: Starting Stubby DNS over TLS /opt/etc/init.d/S61stubby

Does not seem to do any harm.

Did you read my previous post?

 

[skeal]

It's the customized S61stubby here: https://github.com/Xentrk/Stubby-Installer-Asuswrt-Merlin/blob/master/S61stubby
@Xentrk or @Adamm need to change line 11 from:

logger -t S61stubby "Starting Stubby DNS over TLS $0"

to this, using the positional parameter instead of fixed string:

logger -t S61stubby "$1 Stubby DNS over TLS $0"

Your fix works like a charm sir!

 

[eclp]

@Xentrk

Small side note:
A wrong forwarding has crept into your description on GitHub. Under "2. DNSSEC Test" the second link hxxp://dnssec.vs.uni-due.de/ refers to hxxps://rootcanary.org/test.html.

 

[Odkrys]

Just for people to know, stubby and getdns is updated in Entware
getdns - 1.5.1-1
stubby - 0.2.5-1

Anyone can try help compile it with statically-linked OpenSSL 1.1.1a?

getdns 1.5.1 + openssl 1.1.1a

https://drive.google.com/file/d/1a7WQmx1wPYfWUKAuHWIPX9cyPa-crLDI/view

stubby is identical with entware one.

opkg update && opkg upgrade
opkg install getdns_1.5.1-tls1.3_aarch64-3.10.ipk

 

[Butterfly Bones]

getdns 1.5.1 + openssl 1.1.1a

https://drive.google.com/file/d/1a7WQmx1wPYfWUKAuHWIPX9cyPa-crLDI/view

stubby is identical with entware one.

opkg update && opkg upgrade
opkg install getdns_1.5.1-tls1.3_aarch64-3.10.ipk

Thank you, I get this error:

Collected errors:
 * wfopen: getdns_1.5.1-tls1.3_aarch64-3.10.ipk: No such file or directory.
 * pkg_init_from_file: Failed to extract control file from getdns_1.5.1-tls1.3_aarch64-3.10.ipk.

 

[EmeraldDeer]

Thank you, I get this error:

Collected errors:
 * wfopen: getdns_1.5.1-tls1.3_aarch64-3.10.ipk: No such file or directory.
 * pkg_init_from_file: Failed to extract control file from getdns_1.5.1-tls1.3_aarch64-3.10.ipk.

Perhaps you simply did not have the ipk file in the current directory when you ran opkg install.
I did not receive any errors except for the sample stubby.yml which I do not need.

# opkg update && opkg upgrade
Downloading http://bin.entware.net/aarch64-k3.10/Packages.gz
Updated list of available packages in /opt/var/opkg-lists/entware
Upgrading getdns on root from 1.5.0-tls1.3 to 1.5.1-1...
Downloading http://bin.entware.net/aarch64-k3.10/getdns_1.5.1-1_aarch64-3.10.ipk
Removing obsolete file /opt/lib/libgetdns.so.10.1.0.
Upgrading stubby on root from 0.2.4-tls1.3 to 0.2.5-1...
Downloading http://bin.entware.net/aarch64-k3.10/stubby_0.2.5-1_aarch64-3.10.ipk
Configuring getdns.
Configuring stubby.
Collected errors:
 * resolve_conffiles: Existing conffile /opt/etc/stubby/stubby.yml is different from the conffile in the new package. The new conffile will be placed at /opt/etc/stubby/stubby.yml-opkg.

# opkg install getdns_1.5.1-tls1.3_aarch64-3.10.ipk
Upgrading getdns on root from 1.5.1-1 to 1.5.1-tls1.3...
Configuring getdns.

# ./S61stubby restart
 Shutting down stubby...              done.
 Starting stubby...              done.

 

[EmeraldDeer]

I have e-mail confirmation from CleanBrowsing support that they are in fact on TLS 1.2 for now

tls_min_version: GETDNS_TLS1_2

 

[DonnyJohnny]

getdns 1.5.1 + openssl 1.1.1a

https://drive.google.com/file/d/1a7WQmx1wPYfWUKAuHWIPX9cyPa-crLDI/view

stubby is identical with entware one.

opkg update && opkg upgrade
opkg install getdns_1.5.1-tls1.3_aarch64-3.10.ipk

Is this compatible for ac68 (arm7)?

 

[Xentrk]

It's the customized S61stubby here: https://github.com/Xentrk/Stubby-Installer-Asuswrt-Merlin/blob/master/S61stubby
@Xentrk or @Adamm need to change line 11 from:

logger -t S61stubby "Starting Stubby DNS over TLS $0"

to this, using the positional parameter instead of fixed string:

logger -t S61stubby "$1 Stubby DNS over TLS $0"

Noted. I will add it to the other two updates on my to do list.

 

[Adamm]

getdns 1.5.1 + openssl 1.1.1a

https://drive.google.com/file/d/1a7WQmx1wPYfWUKAuHWIPX9cyPa-crLDI/view

stubby is identical with entware one.

opkg update && opkg upgrade
opkg install getdns_1.5.1-tls1.3_aarch64-3.10.ipk

Noted. I will add it to the other two updates on my to do list.

I've pushed v1.0.3 which updates the installer to use the new getdns_1.5.1 binary + stubby 0.2.5 from entware. I also fixed the incorrect output in S61stubby.

I've left the other changes that are a WIP from @Xentrk to push when he is ready.

 

[JimbobJay]

That is a good point. I chose the statically linked stubby.
I am successfully using CleanBrowsing DNS over TLS via TLS 1.2.

How did you choose the statically linked version? I didn’t see an option for that when I installed using the stubby script included in amtm. On another (non-ASUS-Merlin) network I manage, I am using stubby and it is built against the OpenSSL 1.1.1 branch, and so I can edit a line in the stubby yml config to ensure that only TLS 1.3 is used, which theoretically offers speed and security benefits.

EDIT:
I see that in the latest github commit the script automatically gets the statically linked version. This should mean that one will be able to ensure TLS 1.3 by uncommenting the tls_min_version line in the stubby.yml config file and ensuring it says

tls_min_version: GETDNS_TLS1_3

I can confirm that on another network of mine this setup works when using Cloudflare.

 

[Adamm]

How did you choose the statically linked version? I didn’t see an option for that when I installed using the stubby script included in amtm. On another (non-ASUS-Merlin) network I manage, I am using stubby and it is built against the OpenSSL 1.1.1 branch, and so I can edit a line in the stubby yml config to ensure that only TLS 1.3 is used, which theoretically offers speed and security benefits.

install_stubby.sh will automatically use the static binaries if you are using a HND device (AC86U/AX88U) and tweak the config accordingly.

 

[JimbobJay]

install_stubby.sh will automatically use the static binaries if you are using a HND device (AC86U/AX88U) and tweak the config accordingly.

Ah I see. Forgive my ignorance, but what does HND stand for? I am managing an AC87U. Will that automatically get the statically linked version?

EDIT:

I see from the github commit that HND must mean running the aarch64 architecture. So my 87U doesn’t get the statically linked version. Is there a reason that stubby is limiting OpenSSL 1.1.1 to arm64 devices? Pixelserv-tls does not have this limitation and my 87U is running that against OpenSSL 1.1.1 fine and I can get tls 1.3 connections to pixelserv-tls