Stubby-Installer-Asuswrt-Merlin

::1 will not work as that will be pushed to clients who will then send DNS queries over IPv6 to their local machine which will fail. It would likely fail softly and revert back to IPv4 DNS servers which point to the router.

I believe that just leaving IPv6 DNS Server 1, 2 and 3 blank will cause the router to automatically populate its own IPv6 address when it pushes DNS servers as long as "Advertise router's IP in addition to user-specified DNS" is specified on the LAN -> DHCP Server page.
No, the ::1 in IPv6 DNS1 or 2 or 3 does not get pushed to the client. It is the IPV6 loopback akin to IPV4 127.0.0.1

I just loaded up my router IPV6 6RD and left the IPv6 DNSx blank. Surprised that my Win 10 machine reports the DNS servers to be the same as LAN IPv6 Address and LAN IP Address. So I added the CF addresses for their IPV6 resolvers into stubby.yml and the IPV6 tested 10/10.

Works fine for me! Those with native ipv6 may have to prevent the ISP's DNS servers from loading.
 
My rationale for this is in case the USB becomes unmounted, stubby running in memory will still be able to find the certs and the DNS should work

In the event the USB is unmounted, all entware services are stopped. If you are implying in the event that you manually take out the USB (which should never be done), that's user error not a problem with stubby.

Have also turned off round_robin_upstreams

https://github.com/getdnsapi/stubby...5008b005610a564dca19fb/stubby.yml.example#L65

# Set to 1 to instruct stubby to distribute queries across all available name
# servers - this will use multiple simultaneous connections which can give
# better performance in most (but not all) cases.
# Set to 0 to treat the upstreams below as an ordered list and use a single
# upstream until it becomes unavailable, then use the next one.
round_robin_upstreams: 1

This setting is in-line with the default/recommended settings from the stubby devs.
 
Stubby Logging/Startup/Shutdown

Felt the need for Stubby logging
  • Cleanbrowsing has availability issues. It turns out Quad9 does as well. Cloudflare is substantially better than the other two in this regard. Minor issues might not have any user impact especially if round robin is enabled with multiple servers but if it continues you will get intermittent lookup failures with SERVFAIL errors in dnsmasq.log.
  • To maximize efficiency you need to find a good value for idle_timeout. It is the time with no queries before the network connection is dropped. There is a cost to rebuilding the network connection for the next query. By trial and error, you increase idle_timeout until you see Conn_shuts incrementing in the stubby log. I have found that a tenth of a second lower than the server side setting works well. For Cleanbrowsing and Quad9, this is 1900 milliseconds. For Cloudflare this is 9900 milliseconds.
Wrote a startup script which enables logging.
  • A startup script can be written which preserves standard error in /opt/var/log/stubby.log. I also would like to save standard output as well.
  • Also I spent time figuring out which settings in the official stubby.yml are unnecessary. I want to use my stripped down stubby.yml, so I copy it in at startup.
  • Can this script run when the router is rebooted?
Entware "S" scripts are not just for start!
  • The operating systems I have been accustomed to have startup scripts in /etc/init.d. Symbolic links from directories representing run levels point back to scripts in /etc/init.d. If the link begins with a capital S, an argument of start is passed. If the link begins with a capital K, a stop is passed.
  • It turns out that Entware has just S scripts in /opt/etc/init.d. On the way up, start is passed. On the way down, stop is passed to this same S script.
  • My script was starting stubby as the router was going down for a reboot. Ouch.
  • To avoid reinventing the wheel and to reuse tested code, Entware S scripts call another script rc.func which handles start, stop and other arguments.
Unable to use rc.func.
  • Wanted to mimic S61stubby and rc.func as much as possible yet maintain logging to stubby.log.
  • Removed the code in rc.func which sends standard out and error to the null device
  • However, no matter what I tried, output would only be sent to nohup.out in the current working directory. Ugh.
Ended up combining and editing S61stubby and rc.func into one S62mystubby
  • Accomplished what I set out to do but with a large Frankenstein script S62mystubby
 
/opt/etc/init.d/S62mystubby
Code:
# cat /opt/etc/init.d/S62mystubby
#!/bin/sh

umask 133
ACTION=$1
CALLER=$(basename $0)

# Wait for NTP before starting
ntptimer=0
while [ "$(nvram get ntp_ready)" = "0" ] && [ "$ntptimer" -lt "300" ]; do
        ntptimer=$((ntptimer+1))
        sleep 1
done
if [ "$ntptimer" -ge "300" ]; then logger -st ${CALLER} "[*] NTP Failed To Start After 5 Minutes - Please Fix Immediately!"; echo; exit 1; fi

logger -t ${CALLER} "$1 Stubby DNS over TLS from $0"

# set environment PATH to system binaries
export PATH=/sbin:/bin:/usr/sbin:/usr/bin:$PATH

export TZ=$(cat /etc/TZ)
ENABLED=yes
PROCS=stubby
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

ansi_red="\033[1;31m";
ansi_white="\033[1;37m";
ansi_green="\033[1;32m";
ansi_yellow="\033[1;33m";
ansi_blue="\033[1;34m";
ansi_bell="\007";
ansi_blink="\033[5m";
ansi_std="\033[m";
ansi_rev="\033[7m";
ansi_ul="\033[4m";

start() {
    [ "$CRITICAL" != "yes" -a "$CALLER" = "cron" ] && return 7
        [ "$ENABLED" != "yes" ] && return 8
    echo -e -n "$ansi_white Starting $DESC... $ansi_std"
    if [ -n "`pidof $PROC`" ]; then
        echo -e "            $ansi_yellow already running. $ansi_std"
        return 0
    fi
    cp /opt/etc/stubby/stubby.yml.minimal /opt/etc/stubby/stubby.yml
    nohup /opt/sbin/stubby -C /opt/etc/stubby/stubby.yml -g -l > /opt/var/log/stubby.log 2>&1 &
    COUNTER=0
    LIMIT=10
    while [ -z "`pidof $PROC`" -a "$COUNTER" -le "$LIMIT" ]; do
        sleep 1;
        COUNTER=`expr $COUNTER + 1`
    done
    if [ -z "`pidof $PROC`" ]; then
        echo -e "            $ansi_red failed. $ansi_std"
        logger "Failed to start $DESC from $CALLER."
        return 255
    else
        echo -e "            $ansi_green done. $ansi_std"
        logger "Started $DESC from $CALLER."
        return 0
    fi
}

stop() {
    case "$ACTION" in
        stop | restart | start )
            echo -e -n "$ansi_white Shutting down $PROC... $ansi_std"
            killall $PROC 2>/dev/null
            COUNTER=0
            LIMIT=10
            while [ -n "`pidof $PROC`" -a "$COUNTER" -le "$LIMIT" ]; do
                sleep 1;
                COUNTER=`expr $COUNTER + 1`
            done
            ;;
        kill)
            echo -e -n "$ansi_white Killing $PROC... $ansi_std"
            killall -9 $PROC 2>/dev/null
            ;;
    esac

    if [ -n "`pidof $PROC`" ]; then
        echo -e "            $ansi_red failed. $ansi_std"
        return 255
    else
        echo -e "            $ansi_green done. $ansi_std"
        return 0
    fi
}

check() {
    echo -e -n "$ansi_white Checking $DESC... "
    if [ -n "`pidof $PROC`" ]; then
        echo -e "            $ansi_green alive. $ansi_std";
        return 0
    else
        echo -e "            $ansi_red dead. $ansi_std";
        return 1
    fi
}

reconfigure() {
    SIGNAL=SIGHUP
    echo -e "$ansi_white Sending $SIGNAL to $PROC... $ansi_std"
    killall -$SIGNAL $PROC 2>/dev/null
}


for PROC in $PROCS; do
    case $ACTION in
        start)
            check > /dev/null && stop
            start
            ;;
        stop | kill )
            check && stop
            ;;
        restart)
            check > /dev/null && stop
            start
            ;;
        check)
            check
            ;;
        reconfigure)
            reconfigure
            ;;
        *)
            echo -e "$ansi_white Usage: $0 (start|stop|restart|check|kill|reconfigure)$ansi_std"
            exit 1
            ;;
    esac
done

#logger "Leaving ${0##*/}."
 
I use a simple start script.
In my S61stubby I refer to /opt/etc/init.d/rc.func.my instead of /opt/etc/init.d/rc.func.
It is mostly identical to /opt/etc/init.d/rc.func, but I replaced the
Code:
    $PREARGS $PROC $ARGS > /dev/null 2>&1 &
with
Code:
    if [ "`echo $PREARGS $PROC $ARGS | grep -c '>'`" = "0" ]; then
        $PREARGS $PROC $ARGS > /dev/null 2>&1 &
    else
        eval $PREARGS $PROC $ARGS &
    fi
 
So, I talked to my ISP and they fixed my IPv6.

Now my only problem is that, according to them, the IPv6 prefix will keep changing: every time my router's PPPoE connects, the prefix will change! So I am going to need to do something about this, because it's annoying having to re-run the installer for stubby or set the DNS manually on the IPv6 page every time my router connects the PPPoE.
 
So leaving IPv6 DNS Server 1, IPv6 DNS Server 2 and IPv6 DNS Server 3 blank is not the solution?
 
Stubby logging as discussed above, or checking forwarded entries in dnsmasq.log
Code:
Mar  4 21:46:39 dnsmasq[3127]: forwarded www.snbforums.com to ::1
Mar  4 21:46:39 dnsmasq[3127]: reply www.snbforums.com is 2606:4700:20::6819:ea0f
Mar  4 21:46:39 dnsmasq[3127]: reply www.snbforums.com is 2606:4700:20::6819:eb0f
Mar  4 21:46:39 dnsmasq[3127]: reply www.snbforums.com is 2606:4700:20::6819:ea0f
Mar  4 21:46:39 dnsmasq[3127]: reply www.snbforums.com is 2606:4700:20::6819:eb0f
 
ok, thanks :)
 
Any way to check then, if stubby is really working for IPv6 with it blank?
Leaving it blank means it will take the IPv6 backloop address (localhost, similar to IPv4 0:0:0:0; in the IPv6 case, ::1).
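
The dnsmasq.log check described in the posts above, as an added example that is not part of the original thread: it tallies every `forwarded ... to <upstream>` line and flags any upstream that is not loopback, since those queries did not pass through stubby. The sample log is constructed, and the assumption is that stubby listens only on 127.0.0.0/8 or ::1.

```shell
#!/bin/sh
# Added example (not from the thread): tally dnsmasq "forwarded" lines by
# upstream and flag any upstream that is not the local stubby listener.
# Assumption: stubby listens only on loopback (127.0.0.0/8 or ::1).

# Constructed sample log; 192.0.2.53 is a documentation address standing in
# for a resolver learned from the ISP, and port 5453 is a made-up value.
sample_log() {
cat <<'EOF'
Mar  4 21:46:39 dnsmasq[3127]: forwarded www.snbforums.com to ::1
Mar  4 21:46:39 dnsmasq[3127]: reply www.snbforums.com is 2606:4700:20::6819:ea0f
Mar  4 21:46:40 dnsmasq[3127]: forwarded example.org to 127.0.0.1#5453
Mar  4 21:46:41 dnsmasq[3127]: forwarded example.net to 192.0.2.53
Mar  4 21:46:42 dnsmasq[3127]: cached example.org is 192.0.2.10
EOF
}

# Print one line per upstream: "<upstream> <count> local|LEAK".
forward_summary() {
    awk '
    {
        # Locate "forwarded <name> to <upstream>" wherever it sits, so extra
        # fields added by log-queries=extra do not break the match.
        for (i = 1; i + 3 <= NF; i++)
            if ($i == "forwarded" && $(i + 2) == "to") {
                u = $(i + 3)
                sub(/#[0-9]+$/, "", u)   # newer dnsmasq appends #port
                seen[u]++
                break
            }
    }
    END {
        for (u in seen) {
            tag = (u == "::1" || u ~ /^127\./) ? "local" : "LEAK"
            print u, seen[u], tag
        }
    }' "$@" | sort
}

# Count forwarded queries that bypassed the loopback listener.
leak_count() {
    forward_summary "$@" | awk '$3 == "LEAK" { n += $2 } END { print n + 0 }'
}

sample_log | forward_summary
```

On the router, pass the real log path as an argument, for example `leak_count /opt/var/log/dnsmasq.log` (the path depends on where dnsmasq logging was configured).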
 
Weird question: has anyone tested using multiple resolvers? Hypothetically I don't think one should, but is it possible?
 
I use Cloudflare, which uses many different resolvers worldwide. I test a number of IP leak test sites linked in Xentrk's GitHub and see different DNS IPs on every test. I just have 1.1.1.1 and 1.0.0.1 in my stubby yml.
 
Okay, so I've tried it using multiple resolvers in the setup. From what I notice, I get a lot fewer errors.
 
Using more than one resolver is a good idea. Most ISPs provide a main and alternate DNS server via DHCP. Most routers and PCs have space for two DNS entries. You can put more than two resolvers in stubby.yml. With round robin set to 1, stubby will use each resolver in turn, which may be more efficient. I feel it is a good idea to remove IPv6 resolvers if you do not use IPv6, as stubby will error those out if IPv6 is not used.

 
So what is the full potential of the round robin feature, and what does it do? Also, my system fully supports IPv6 dual stack, but that might be a good suggestion for those who have no support for it.
 
So does this setting get changed when installing stubby?

and do these settings also look correct?
The reason why I ask is because whenever the router reboots I am noticing a delay in establishing connection to the internet after router reboots?
 
