Stubby-Installer-Asuswrt-Merlin

[skeal]

Just stumbled upon this. https://nakedsecurity.sophos.com/2019/02/26/as-dns-hijacking-worsens-icann-demands-dnssec-security/

 

[bbunge]

Try adding the following line to /jffs/scripts/dnsmasq.postconf.add:

server=/pool.ntp.org/1.1.1.1
​

This will allow NTP server DNS resolution before Stubby is fully functional.

That entry should be in /jffs/configs/dnsmasq.conf.add if stubby was installed.

 

[Xentrk]

Had not restarted my router since redoing Stubby on a fresh USB EXT2 format thumb drive two days ago. Had switched to Quad9 resolvers and restarted Stubby with a script so I can capture the log. Here is the contents of my restart-stubby script:

#!/bin/sh

/opt/etc/init.d/S61stubby stop

cat /opt/var/log/stubby.log >> /opt/var/log/stubby.save

nohup /opt/sbin/stubby -C /opt/etc/stubby/stubby.yml -g -v 3 >/opt/var/log/stubby.log 2>&1 &

I unmounted the USB drives and rebooted the router with no issues. I also call the restart-stubby script from post-mount to capture anything in the stubby.log.
For the devs: I tried to edit the ARGS= in S61stubby to enable the log but it did not work. Will try later to look into how John's fork enables the log.

If I recall, @john9527 had to modify the stubby source code to include additional logging. Since we are using the entware off the shelf solution, we are stuck with the lack of logging features built into the current version.

 

[shark]

@Xentrk can you take a look at this?

https://www.snbforums.com/threads/stubby-installer-asuswrt-merlin.49469/page-56#post-468789

thx

 

[Adamm]

Hello,

Can you guys make stubby update the ipv6 dns address on the ipv6 main page, every time that the internet connects?

I mean here /\ because as you can see its different! And it changes every time that i restart the router or connect o the internet... The reason why i am getting a different ipv6 prefix from my isp every time that i connect my internet is unknown to me! This started to happen, a few days ago when my isp migrate me from one of their gateways\routers to another one, since i complained that i was having to much packet loss.

Idk if i should say anything to my isp, i mean about the ipv6 prefix changing every time i connect? Should i?

@Xentrk

@Xentrk can you take a look at this?

https://www.snbforums.com/threads/stubby-installer-asuswrt-merlin.49469/page-56#post-468789

thx

No need to post every 12 hours, please remember this isn't our full time jobs, its a hobby. I personally look at every post in great detail and investigate accordingly, no reply usually means I'm either working on it or doing more research to give you an accurate response.

Now while I don't personally have IPv6 support to test with (my ISP is adding finally support over the next 2-3 weeks), my first guess would be to disable "Release prefix on exit".

If I recall, @john9527 had to modify the stubby source code to include additional logging. Since we are using the entware off the shelf solution, we are stuck with the lack of logging features built into the current version.

+1, due to the nature of init.d scripts logging isn't available without "hacky" workarounds.

 

[Xentrk]

S61stubby calls rc.func which is hard coded to throw it away. Perhaps a proper daemon would open a file on its own without relying upon standard error. But that is where it stands.

$PREARGS $PROC $ARGS > /dev/null 2>&1 &

I had originally attempted to use services.start to restart stubby but this did not work. Services-start is way too early. The only approach I can rely upon is to name my script /opt/etc/init.d/S62mystubby

#!/bin/sh
#
cd /tmp
/opt/etc/init.d/S61stubby stop
umask 133
mydatestring=`date +%Y%m%d_%H%M_%S`
mydir="/opt/var/log"
myfile="stubby"
myext="log"
myoldfile="${mydir}/${myfile}_${mydatestring}.${myext}"
mynewfile="${mydir}/${myfile}.${myext}"
mv ${mynewfile} ${myoldfile}
cp /opt/etc/stubby/stubby.yml.minimal /opt/etc/stubby/stubby.yml
export TZ=$(cat /etc/TZ)
nohup /opt/sbin/stubby -C /opt/etc/stubby/stubby.yml -g -l >/opt/var/log/stubby.log 2>&1 &
/usr/bin/logger -t S62mystubby -p local6.info "$1 Stubby DNS over TLS $0"
#

Also, I had been attempting to copy my custom stubby.yml from a secondary partition. But I cannot count on it being mounted, so I moved my custom stubby.yml to the entware partition.

You can clone the code from the Chk_Entware function to cycle 30 times thru a loop to see if the secondary partition is mounted. Just change the /opt reference to the secondary partition reference. You may have to create a symbolic link.

Spoiler: Chk_Entware()

<snip>
# Wait up to (default) 30 seconds to see if Entware utilities available.....
TRIES="0"

while [ "$TRIES" -lt "$MAX_TRIES" ]; do
if [ -f "/opt/bin/opkg" ]; then
if [ -n "$ENTWARE_UTILITY" ]; then # Specific Entware utility installed?
if [ -n "$(opkg list-installed "$ENTWARE_UTILITY")" ]; then
READY="0" # Specific Entware utility found
else
# Not all Entware utilities exists as a stand-alone package e.g. 'find' is in package 'findutils'
if [ -d /opt ] && [ -n "$(find /opt/ -name "$ENTWARE_UTILITY")" ]; then
READY="0" # Specific Entware utility found
fi
fi
else
READY="0" # Entware utilities ready
fi
break
fi
sleep 1
logger -st "($(basename "$0"))" "$$ Entware $ENTWARE_UTILITY not available - wait time $((MAX_TRIES - TRIES-1)) secs left"
TRIES=$((TRIES + 1))
done
return "$READY"
<snip>

 

[Xentrk]

No need to post every 12 hours, please remember this isn't our full time jobs, its a hobby. I personally look at every post in great detail and investigate accordingly, no reply usually means I'm either working on it or doing more research to give you an accurate response.

Now while I don't personally have IPv6 support to test with (my ISP is adding finally support over the next 2-3 weeks), my first guess would be to disable "Release prefix on exit".

Good point. I was also looking at it at the same time you were. I try my best to logon at least once per day to check the thread, and more, if my schedule allows. Right now, I am taking online classes learning new programming and other skills preparing for my next consulting job. I like checking in on snbforums as it also gives me a reprieve when my brain starts getting overloaded with the new skills I am learning.

I have a dynamic IPv4 address assigned by my ISP. It can change several times over the course of a weekend last time I monitored the behavior. The only field that gets updated on the router from the ISP is the WAN IP. I was surprised to see @shark had an issue with the fields he references. Hope your suggestion will fix his problem.

 

[shark]

Good point. I was also looking at it at the same time you were. I try my best to logon at least once per day to check the thread, and more, if my schedule allows. Right now, I am taking online classes learning new programming and other skills preparing for my next consulting job. I like checking in on snbforums as it also gives me a reprieve when my brain starts getting overloaded with the new skills I am learning.

I have a dynamic IPv4 address assigned by my ISP. It can change several times over the course of a weekend last time I monitored the behavior. The only field that gets updated on the router from the ISP is the WAN IP. I was surprised to see @shark had an issue with the fields he references. Hope your suggestion will fix his problem.

No need to post every 12 hours, please remember this isn't our full time jobs, its a hobby. I personally look at every post in great detail and investigate accordingly, no reply usually means I'm either working on it or doing more research to give you an accurate response.

Now while I don't personally have IPv6 support to test with (my ISP is adding finally support over the next 2-3 weeks), my first guess would be to disable "Release prefix on exit"

Sry, I've made the second post, because i tagged xentrk after an edit, so i did not know if he would get the notification and see this and also forgot to tag you! I know that this is a hobby for you guys and its good to know that you take a look at every post, i made the second post because of that to be honest, because i thought that you guys might not see it, since there are a lot of posts being posted here all the time.

About your suggestion, I've just made a test here and it did not worked... the prefix still gets changed when the internet connects! But, now i get 10/10 on this ipv6 test - https://www.test-ipv6.com/ , before it would fail.

The problem is that when the ipv6 prefix changes, the ipv6 ip address of my router also changes, making the configuration that stubby did on the ipv6 page for the dns invalid.
To fix it, i need to re-run the stubby installer or make the change manually.

 

[owine]

Sry, I've made the second post, because i tagged xentrk after an edit, so i did not know if he would get the notification and see this and also forgot to tag you! I know that this is a hobby for you guys and its good to know that you take a look at every post, i made the second post because of that to be honest, because i thought that you guys might not see it, since there are a lot of posts being posted here all the time.

About your suggestion, I've just made a test here and it did not worked... the prefix still gets changed when the internet connects! But, now i get 10/10 on this ipv6 test - https://www.test-ipv6.com/ , before it would fail.

The problem is that when the ipv6 prefix changes, the ipv6 ip address of my router also changes, making the configuration that stubby did on the ipv6 page for the dns invalid.
To fix it, i need to re-run the stubby installer or make the change manually.

If you blank out all of the IPv6 DNS fields does it automatically advertise the router address for DNS?

 

[Xentrk]

Sry, I've made the second post, because i tagged xentrk after an edit, so i did not know if he would get the notification and see this and also forgot to tag you! I know that this is a hobby for you guys and its good to know that you take a look at every post, i made the second post because of that to be honest, because i thought that you guys might not see it, since there are a lot of posts being posted here all the time.

No problem. I know what it's like to loose internet connection and not really know why. Only to have the issue compounded when the wife starts complaining when things don't work.

 

[shark]

If you blank out all of the IPv6 DNS fields does it automatically advertise the router address for DNS?

Yes, it does! Lan clients dns still points to the router ipv6 ip address.

 

[Xentrk]

Yes, it does! Lan clients dns still points to the router ipv6 ip address.

The LAN DNS should point to your routers IP address. You should then have an entry "server=0::1#5453" in /jffs/configs/dnsmasq.conf.add. Stubby then listens on port 5453 for request:

listen_addresses:
  - 127.0.0.1@5453
- 0::1@5453

Let me rephrase to see if I understand the issue. When you get a new IPv6 WAN address from ISP, it is not compatible with the LAN IPv6 address and LAN IPv6 DNS Server 1 address which causes you to lose internet connection to LAN clients?

 

[shark]

The LAN DNS should point to your routers IP address. You should then have an entry "server=0::1#5453" in /jffs/configs/dnsmasq.conf.add. Stubby then listens on port 5453 for request:

listen_addresses:
  - 127.0.0.1@5453
- 0::1@5453

Yes, i have this line on /jffs/configs/dnsmasq.conf.add

Let me rephrase to see if I understand the issue. When you get a new IPv6 WAN address from ISP, it is not compatible with the LAN IPv6 address and LAN IPv6 DNS Server 1 address

Its not indeed, because the router ipv6 address changed because the prefix also changed!

which causes you to lose internet connection to LAN clients?

Sort of, and only the ipv6 part! I say sort of, because ever since they changed me from one gateway\router to the new one and ever since the ipv6 prefix started changing every time the router connects to the internet, the ipv6 behavior seems odd!

I say that its odd, because ever since those changes happened, i get mixed results on known test sites like:

http://ipv6-test.com/

https://test-ipv6.com/

Even if i do the exact same steps, in other words, disable the wan, enable the wan and wait until everything is connected(ipv4 and ipv6), re-run the stubby installer for it to fix the ipv6 dns address on the ipv6 page, then i renew the connection on my desktop by disabling and enabling the Ethernet adapter! After that i go strait to those sites and yet i get mixed results every time, idk if its related to the prefix that i get at the time or not.

Before the router\gateway change, the ipv6 prefix would not change at all! And i would always get 10/10 scores 20/20 scores from those sites, in other words, them saying that everything is working like it should! But now, every time i test it on those sites, it seems that i get a different result each time to be honest, most of the time those sites say that there is something wrong and yet i can ping a ipv6 address like cloud flare dns and can also resolve a ipv6 address, like ipv6.google.com

Idk if it is something just wrong with those sites and i should not get bothered by it, since i can ping and resolve ipv6 addresses, at least some.

Examples here:

Ok, the url that did not work was mtu1280.vm2.test-ipv6.com and if i try to ping it from my desktop it will not work, but if i use a third party site like https://www.hashemian.com/ping/ that allows me to ping a ipv6 address, it works!

And sometimes it get even worse:

Does anyone know any reliable method to test and see if everything is all right with the ipv6? I really want to know if there is a problem with my ipv6 address and if i can finds its source...

 

[Xentrk]

@shark, the explanation helps clarify the issue. I think you have issues with the ISP implementation of IPv6. I know there are growing pains with IPv6 that others have shared on the forum.

What is probably needed is a script called from /jffs/scripts/wan-start, that will run when the WAN is bounced or changes IPv6 address.

Spoiler: wan-start

wan-start
Called after the WAN interface came up. Good place to put scripts that depend on the WAN interface (e.g. to update an IPv6 tunnel or a dynamic DNS service). The Internet connection is unlikely to be active when this script is run. Add a sleep line to delay running until the connection is complete, or loop until your command succeeds.

The script would check the value of the WAN IP IPv6 prefix and compare it with the prefix in the LAN IPv6 address and LAN IPv6 DNS Server 1 address fields. It there is a conflict, it would update the values appropriately.

But there appears to be an underlying issue with the way your ISP has implemented IPv6 that may need to be resolved first.

 

[L&LD]

shark, try unplugging the modem and router for at least an hour. Let the modem fully boot up (at least 5 to 10 minutes) and then turn on the router and let it fully boot up too (at least 5 to 10 minutes for the cores to stay at idle).

This may resynchronize your network equipment with theirs. A long shot, but maybe worth doing?

 

[shark]

shark, try unplugging the modem and router for at least an hour. Let the modem fully boot up (at least 5 to 10 minutes) and then turn on the router and let it fully boot up too (at least 5 to 10 minutes for the cores to stay at idle).

This may resynchronize your network equipment with theirs. A long shot, but maybe worth doing?

Thx, ill try it!

 

[bbunge]

@shark, the explanation helps clarify the issue. I think you have issues with the ISP implementation of IPv6. I know there are growing pains with IPv6 that others have shared on the forum.

What is probably needed is a script called from /jffs/scripts/wan-start, that will run when the WAN is bounced or changes IPv6 address.

Spoiler: wan-start

wan-start
Called after the WAN interface came up. Good place to put scripts that depend on the WAN interface (e.g. to update an IPv6 tunnel or a dynamic DNS service). The Internet connection is unlikely to be active when this script is run. Add a sleep line to delay running until the connection is complete, or loop until your command succeeds.

The script would check the value of the WAN IP IPv6 prefix and compare it with the prefix in the LAN IPv6 address and LAN IPv6 DNS Server 1 address fields. It there is a conflict, it would update the values appropriately.

But there appears to be an underlying issue with the way your ISP has implemented IPv6 that may need to be resolved first.

At the expense of sounding like I do not know what I'm talking about I thought I would wade in on this...

While I do not usually use IPV6 as my ISP only has 6RD for now, when I did try it with Stubby I noticed that the IPV6 resolvers set in stubby.yml seemed to not work. However, some IPV4 resolvers (like Cloudflare) will resolve IPV6 addresses which gives the false impression that all is well.

I agree with Xentrk that a means to get the router IPV6 address into the IPV6 DNS Server 1 field is needed and to disable the Connect to DNS Server automatically in the IPV6 setup.

On another note with all the red flags flying about the need to use DNSSEC I have enabled it in stubby.yml and am testing with Cloudflare and Quad9. So far the Cloudflare setup worked with no errors. Now am on to Quad9... Will see how that goes. One thing I did was to create a directory under /jffs for the root certs and pointed the appdata_dir: in stubby.yml to it. My rationale for this is in case the USB becomes unmounted, stubby running in memory will still be able to find the certs and the DNS should work. Have also turned off round_robin_upstreams. Stay tuned...

 

[EmeraldDeer]

At the expense of sounding like I do not know what I'm talking about I thought I would wade in on this...

While I do not usually use IPV6 as my ISP only has 6RD for now, when I did try it with Stubby I noticed that the IPV6 resolvers set in stubby.yml seemed to not work. However, some IPV4 resolvers (like Cloudflare) will resolve IPV6 addresses which gives the false impression that all is well.

I agree with Xentrk that a means to get the router IPV6 address into the IPV6 DNS Server 1 field is needed and to disable the Connect to DNS Server automatically in the IPV6 setup.

On another note with all the red flags flying about the need to use DNSSEC I have enabled it in stubby.yml and am testing with Cloudflare and Quad9. So far the Cloudflare setup worked with no errors. Now am on to Quad9... Will see how that goes. One thing I did was to create a directory under /jffs for the root certs and pointed the appdata_dir: in stubby.yml to it. My rationale for this is in case the USB becomes unmounted, stubby running in memory will still be able to find the certs and the DNS should work. Have also turned off round_robin_upstreams. Stay tuned...

In @shark 's highly unusual situation, would it not be simple and robust to just set "IPv6 DNS Server 1" in the GUI to "::1"?

# netstat -anp | grep " ::1:53 "
tcp        0      0 ::1:53                  :::*                    LISTEN      3143/dnsmasq
udp        0      0 ::1:53                  :::*                                3143/dnsmasq

With regard to Stubby DNSSEC, I trust my provider enough to use their DNS as a forwarder, so I likewise trust them enough to use their DNSSEC by proxy. Go ahead and try it with DNSSEC test sites like http://dnssec.vs.uni-due.de/ It works fine and saves your router from the extra processing and network traffic. With Stubby DNS over TLS between the router and the DNS provider, interference with the DNSSEC Authenticated Data bit is not really a concern.

# grep proxy /etc/dnsmasq.conf
proxy-dnssec

With regard to Stubby round_robin_upstreams, I will stick with the default for now. Setting to 0 might have better performance with anycast providers while setting to 1 might perform better when a DNS server fails.
https://github.com/getdnsapi/stubby/issues/105#issuecomment-385669115
https://github.com/getdnsapi/stubby/pull/168#issuecomment-467390557

 

[owine]

In @shark 's highly unusual situation, would it not be simple and robust to just set "IPv6 DNS Server 1" in the GUI to "::1"?

# netstat -anp | grep " ::1:53 "
tcp        0      0 ::1:53                  :::*                    LISTEN      3143/dnsmasq
udp        0      0 ::1:53                  :::*                                3143/dnsmasq

With regard to Stubby DNSSEC, I trust my provider enough to use their DNS as a forwarder, so I likewise trust them enough to use their DNSSEC by proxy. Go ahead and try it with DNSSEC test sites like http://dnssec.vs.uni-due.de/ It works fine and saves your router from the extra processing and network traffic. With Stubby DNS over TLS between the router and the DNS provider, interference with the DNSSEC Authenticated Data bit is not really a concern.

# grep proxy /etc/dnsmasq.conf
proxy-dnssec

With regard to Stubby round_robin_upstreams, I will stick with the default for now. Setting to 0 might have better performance with anycast providers while setting to 1 might perform better when a DNS server fails.
https://github.com/getdnsapi/stubby/issues/105#issuecomment-385669115
https://github.com/getdnsapi/stubby/pull/168#issuecomment-467390557

::1 will not work as that will be pushed to clients who will then send DNS queries over IPv6 to their local machine which will fail. It would likely fail softly and revert back to IPv4 DNS servers which point to the router.

I believe that just leaving IPv6 DNS Server 1, 2 and 3 blank will cause the router to automatically populate its own IPv6 address when it pushes DNS servers as long as "Advertise router's IP in addition to user-specified DNS" is specified on the LAN -> DHCP Server page.

 

[EmeraldDeer]

::1 will not work as that will be pushed to clients who will then send DNS queries over IPv6 to their local machine which will fail. It would likely fail softly and revert back to IPv4 DNS servers which point to the router.

I believe that just leaving IPv6 DNS Server 1, 2 and 3 blank will cause the router to automatically populate its own IPv6 address when it pushes DNS servers as long as "Advertise router's IP in addition to user-specified DNS" is specified on the LAN -> DHCP Server page.

Oh, so if you could vaguely compare it to IPv4, it is as if the DNS server context in "IPv6> IPv6 DNS Server 1" is both WAN (the router perspective) and LAN (client devices perspective) in one setting.