Stubby-Installer-Asuswrt-Merlin

[skeal]

@Adamm are these supposed to be in the log and what do they indicate?

Feb  9 08:43:34 (install_stubby.sh): 429 Ending Script Execution
Feb  9 08:43:34 (install_stubby.sh): 2564 Ending Script Execution

I found these on a fresh reboot.

 

[skeal]

Maybe I spoke to soon. This is what shows in port forward log. After a reboot:

ALL    UDP    53    192.168.14.1    53    PREROUTING
ALL    UDP    53    192.168.14.1    53    PREROUTING
ALL    TCP    53    192.168.14.1    53    PREROUTING
ALL    TCP    53    192.168.14.1    53    PREROUTING

 

[Mutzli]

I've pushed v1.0.6

This update gives you a new option during the install process to automatically handle forcing clients DNS requests through Stubby.

It installed 1.07, what else changed?

 

[skeal]

It would seem that the iptable D commands do not get rid of all of the forwards before adding the new iptable commands.

 

[skeal]

Also I'm wondering what the nat-start script does @Adamm

 

[skeal]

Strange I made sure with dos2unix and chmod was done. I still get double entries however. As shown below:

Virtual Servers
Source    Proto    Port range    Redirect to    Local Port    Chain
ALL    UDP    53    192.168.14.1    53    PREROUTING
ALL    TCP    53    192.168.14.1    53    PREROUTING
ALL    UDP    53    192.168.14.1    53    PREROUTING
ALL    TCP    53    192.168.14.1    53    PREROUTING

 

[skeal]

I also tried calling sh /jffs/scripts/Redirect_DNS.sh in the nat-start script. I get the same duplicates.

 

[Adamm]

@Adamm are these supposed to be in the log and what do they indicate?

Feb  9 08:43:34 (install_stubby.sh): 429 Ending Script Execution
Feb  9 08:43:34 (install_stubby.sh): 2564 Ending Script Execution

I found these on a fresh reboot.

That would be the IPTables rules being added.

It installed 1.07, what else changed?

Fixed up a block of code that was being repeated unnecessarily. All the changes are listed in detail on the github

I also tried calling sh /jffs/scripts/Redirect_DNS.sh in the nat-start script. I get the same duplicates.

That script is redundant and causing the duplicate entries. The functionality is now built into the installer.

 

[skeal]

That would be the IPTables rules being added.



Fixed up a block of code that was being repeated unnecessarily. All the changes are listed in detail on the github



That script is redundant and causing the duplicate entries. The functionality is now built into the installer.

Then I would change the instructions linked to the post bud.

 

[skeal]

@Adamm I deleted the script called Redirect_DNS.sh and it's call from firewall-start or nat-start. The only thing changing forwarding chains are the alterations you made to the nat-start script. I have now rebooted 3 times same result.

 

[skeal]

@Adamm Does this have anything to do with the appearance of the script running twice, in the logs?

Feb  9 10:36:58 (install_stubby.sh): 434 Ending Script Execution
Feb  9 10:36:58 (install_stubby.sh): 2292 Ending Script Execution

 

[Butterfly Bones]

Herein lies the major pitfall of syslogd. Everything goes into the system log, so if something is flooding it, even legitimately, it becomes very difficult to notice anything that's out of the ordinary. Installing and setting up syslog-ng is a pain, but now the only thing I'm actively using sed to find and delete are the dcd crashes. I'd push those off into a crashes file if I could understand the syslog-ng documentation. 100's of pages of babble and useless "examples". I'm inclined to believe that's by design so you'll purchase the "pro" version and pay for support. I'm fairly certain multi-line-prefix and multi-line-suffix are they key, but damned if I can find an understandable explanation.

You know there is a syslog-ng thread here, right?
https://www.snbforums.com/threads/configuring-syslog-ng-with-merlin-firmware.35095/
I tired for hours and days to get in running on my AC86U and finally found that the symlink was stopping copying the syslog output back into the GUI. That seems to be recently solved, thanks to elorimer and Adamm, changing Skynet script to work with the destructive sed command. Also I not there is a suggested syslog-ng method in your thread to deal with the dcd crashes. I'm going to revisit that, since I still have the configs I was working with a few months ago. And yes, wrapping ones head around syslog-ng IS a real mind f***! Ok, /offtopic

 

[skeal]

@Adamm I removed and re-installed Stubby. Still I have the two entries in my syslog saying that install_stubby has run. I'm pretty confident now that some how the script you are calling in nat-start runs twice.

 

[Butterfly Bones]

@Adamm I removed and re-installed Stubby. Still I have the two entries in my syslog saying that install_stubby has run. I'm pretty confident now that some how the script you are calling in nat-start runs twice.

Just FWIW, I went in and deleted the Redirct_DNS.sh and nat-start scripts that I added (and changed twice) last night first, then did the Stubby.sh update via amtm, then ran Stubby to reconfigure. Checking port forwarding I see:

ALL UDP 53 192.168.1.1 53 PREROUTING
ALL TCP 53 192.168.1.1 53 PREROUTING

My syslog showed only these two lines:

Feb  9 08:50:09 (install_stubby.sh): 15664 Starting Script Execution
Feb  9 08:50:10 (install_stubby.sh): 15664 Ending Script Execution

 

[skeal]

Just FWIW, I went in and deleted the Redirct_DNS.sh and nat-start scripts that I added (and changed twice) last night first, then did the Stubby.sh update via amtm, then ran Stubby to reconfigure. Checking port forwarding I see:

ALL UDP 53 192.168.1.1 53 PREROUTING
ALL TCP 53 192.168.1.1 53 PREROUTING

My syslog showed only these two lines:

Feb  9 08:50:09 (install_stubby.sh): 15664 Starting Script Execution
Feb  9 08:50:10 (install_stubby.sh): 15664 Ending Script Execution

Cool! Do you have a nat-start script still or did you delete it with the Redirect_DNS.sh?

 

[Joe Doe]

Encrypted SNI doesn't seem to work with any browser available to me (Chrome 71.x, Safari 12, Edge) , while secure DNS, DNSSEC and TLS 1.3 work fine. According different sources (https://en.wikipedia.org/wiki/Server_Name_Indication#Support) should be support by my browser. What's the issue?

 

[Butterfly Bones]

Cool! Do you have a nat-start script still or did you delete it with the Redirect_DNS.sh?

I deleted both first, then with the update and reconfigure a new nat-start was created:

/tmp/home/root# cat /jffs/scripts/nat-start 
#!/bin/sh
sh /jffs/scripts/install_stubby.sh iptables # Stubby Installer

 

[Butterfly Bones]

Encrypted SNI doesn't seem to work with any browser available to me (Chrome 71.x, Safari 12, Edge) , while secure DNS, DNSSEC and TLS 1.3 work fine. According different sources (https://en.wikipedia.org/wiki/Server_Name_Indication#Support) should be support by my browser. What's the issue?

Not in Chrome yet according to these posts on GitHub.
https://github.com/chromium/badssl.com/issues/356
Chromium.org / bugs
https://bugs.chromium.org/p/chromium/issues/detail?id=908132

 

[skeal]

Code:
/tmp/home/root# cat /jffs/scripts/nat-start
#!/bin/sh
sh /jffs/scripts/install_stubby.sh iptables # Stubby Installer

I have the same yet I see this in my syslogs at the end of the reboot after Skynet is done starting:

Feb  9 12:02:10 (install_stubby.sh): 438 Ending Script Execution
Feb  9 12:02:10 (install_stubby.sh): 2541 Ending Script Execution

And the port forwarding log shows the instruction shows two more entries, so 4 in total. Looks like this:

Source    Proto    Port range    Redirect to    Local Port    Chain
ALL    UDP    53    192.168.14.1    53    PREROUTING
ALL    TCP    53    192.168.14.1    53    PREROUTING
ALL    UDP    53    192.168.14.1    53    PREROUTING
ALL    TCP    53    192.168.14.1    53    PREROUTING

 

[skeal]

FWIW I think the "D" part of the redirect is not working or I would have only one entry.