Stubby-Installer-Asuswrt-Merlin

[L&LD]

Install from entware using the command opkg install drill

Thank you. Baby steps for me!

 

[Swistheater]

There is a some info in the forums regarding DNS rebind attacks...and why the need to protect agains them. It is not an easy concept to understand unless you read more about it. Consider searching the forums for specific cases and also the web for general info but you could start by looking at the links below and you could even test your network by going to: http://rebind.network/rebind/index.html

or

https://en.wikipedia.org/wiki/DNS_rebinding
https://crypto.stanford.edu/dns/dns-rebinding.pdf
https://www.wired.com/story/chromecast-roku-sonos-dns-rebinding-vulnerability/
https://apps.dtic.mil/dtic/tr/fulltext/u2/a508892.pdf
https://www.usenix.org/system/files/conference/woot13/woot13-dai.pdf
https://www.adambarth.com/papers/2009/jackson-barth-bortz-shao-boneh-tweb.pdf

not that I don't take rebind attacks seriously, but I have to say that the "test site was dead off". I feel that was for entertainment purposes.

 

[EmeraldDeer]

My recommendation is to continue using dnsmasq proxy-dnssec and to not enable the stubby dnssec getdns extension.

 

[Marin]

Stubby.yml is the config file for Stubby. It is the right place to add the DNSSEC entry. Be sure to restart stubby after.

Sent from my SM-T380 using Tapatalk

@bbunge,

Thank you, I have decided to give this a shot. On my:

nano /opt/etc/stubby/stubby.yml

I added to this section:

tls_ca_file: "/rom/etc/ssl/certs/ca-certificates.crt"
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
dnssec_return_status: GETDNS_EXTENSION_TRUE
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private : 1
round_robin_upstreams: 1
idle_timeout: 2000
tls_connection_retries: 5
tls_backoff_time: 900
timeout: 2000
appdata_dir: "/opt/var/cache/stubby"
listen_addresses:
  - 127.0.0.1@5453
  - 0::1@5453

and then I did restarted Stubby:

/opt/etc/init.d/S61stubby restart

The Cloudflare 1.1.1.1/help test fails as mentioned:

This shows DNSSEC validation as ON:

29F0:/tmp/home/root# stubby -l
[02:57:59.247175] STUBBY: Read config from file /opt/etc/stubby/stubby.yml
[02:57:59.247773] STUBBY: DNSSEC Validation is ON
[02:57:59.247801] STUBBY: Transport list is:
[02:57:59.247816] STUBBY:   - TLS
[02:57:59.247832] STUBBY: Privacy Usage Profile is Strict (Authentication required)
[02:57:59.247848] STUBBY: (NOTE a Strict Profile only applies when TLS is the ONLY transport!!)
[02:57:59.247863] STUBBY: Starting DAEMON....

and this: https://dnssec.vs.uni-due.de shows that DNSSEC validation is OK

Then I ran this as well:

29F0:/tmp/home/root# stubby -i | grep -i dnssec
[03:06:16.655350] STUBBY: Read config from file /opt/etc/stubby/stubby.yml
Result: Config file syntax is valid.
    "dnssec": GETDNS_EXTENSION_FALSE,
    "dnssec_allowed_skew": 0,
    "dnssec_return_all_statuses": GETDNS_EXTENSION_FALSE,
    "dnssec_return_full_validation_chain": GETDNS_EXTENSION_FALSE,
    "dnssec_return_only_secure": GETDNS_EXTENSION_FALSE,
    "dnssec_return_status": GETDNS_EXTENSION_TRUE,
    "dnssec_return_validation_chain": GETDNS_EXTENSION_FALSE,
    "trust_anchors_verify_email": <bindata of "dnssec@iana.org">

all other validation tests here (https://github.com/Xentrk/Stubby-Installer-Asuswrt-Merlin) seem Ok. Aside from Cloudflare Help that breaks Stubby, are there any other tests to run to show that is working as it should?

 

[Marin]

To validate, you can install the entware package drill and type the command followed by a "-D" and the domain name. If the site supports DNSSEC, you will see an "ad" flag in the response.

drill -D x3mtek.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 7760
;; flags: qr rd ra ad ; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
<snip>

Vaidation in Stubby:

stubby -l
[02:47:14.825381] STUBBY: Read config from file /opt/etc/stubby/stubby.yml
[02:47:14.826535] STUBBY: DNSSEC Validation is ON
[02:47:14.826582] STUBBY: Transport list is:
[02:47:14.826594] STUBBY:   - TLS
[02:47:14.826606] STUBBY: Privacy Usage Profile is Strict (Authentication required)
[02:47:14.826618] STUBBY: (NOTE a Strict Profile only applies when TLS is the ONLY transport!!)
[02:47:14.826628] STUBBY: Starting DAEMON....

https://www.cloudflare.com/ssl/encrypted-sni/ will tell you if you are using encrypted DNS. But it does not specify if you are using DoH or DoT protocols. Will also confirm if DNSSEC is enabled.

I also use the ISC Dig app on my phone that help reveal the “ad” flags


Sent from my iPhone using Tapatalk

 

[skeal]

Myself I follow @bbunge advice on using the getdns dnssec extension instruction in the .yml. Works good and is predictable. Thanks @bbunge for your continued testing.

 

[Xentrk]

@bbunge,

Thank you, I have decided to give this a shot. On my:

nano /opt/etc/stubby/stubby.yml

I added to this section:

tls_ca_file: "/rom/etc/ssl/certs/ca-certificates.crt"
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
dnssec_return_status: GETDNS_EXTENSION_TRUE
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private : 1
round_robin_upstreams: 1
idle_timeout: 2000
tls_connection_retries: 5
tls_backoff_time: 900
timeout: 2000
appdata_dir: "/opt/var/cache/stubby"
listen_addresses:
  - 127.0.0.1@5453
  - 0::1@5453

and then I did restarted Stubby:

/opt/etc/init.d/S61stubby restart

The Cloudflare 1.1.1.1/help test fails as mentioned:

View attachment 16561


This shows DNSSEC validation as ON:

29F0:/tmp/home/root# stubby -l
[02:57:59.247175] STUBBY: Read config from file /opt/etc/stubby/stubby.yml
[02:57:59.247773] STUBBY: DNSSEC Validation is ON
[02:57:59.247801] STUBBY: Transport list is:
[02:57:59.247816] STUBBY:   - TLS
[02:57:59.247832] STUBBY: Privacy Usage Profile is Strict (Authentication required)
[02:57:59.247848] STUBBY: (NOTE a Strict Profile only applies when TLS is the ONLY transport!!)
[02:57:59.247863] STUBBY: Starting DAEMON....

and this: https://dnssec.vs.uni-due.de shows that DNSSEC validation is OK

Then I ran this as well:

29F0:/tmp/home/root# stubby -i | grep -i dnssec
[03:06:16.655350] STUBBY: Read config from file /opt/etc/stubby/stubby.yml
Result: Config file syntax is valid.
    "dnssec": GETDNS_EXTENSION_FALSE,
    "dnssec_allowed_skew": 0,
    "dnssec_return_all_statuses": GETDNS_EXTENSION_FALSE,
    "dnssec_return_full_validation_chain": GETDNS_EXTENSION_FALSE,
    "dnssec_return_only_secure": GETDNS_EXTENSION_FALSE,
    "dnssec_return_status": GETDNS_EXTENSION_TRUE,
    "dnssec_return_validation_chain": GETDNS_EXTENSION_FALSE,
    "trust_anchors_verify_email": <bindata of "dnssec@iana.org">

all other validation tests here (https://github.com/Xentrk/Stubby-Installer-Asuswrt-Merlin) seem Ok. Aside from Cloudflare Help that breaks Stubby, are there any other tests to run to show that is working as it should?

Something is not right.

stubby -i | grep -i dnssec
[03:06:16.655350] STUBBY: Read config from file /opt/etc/stubby/stubby.yml
Result: Config file syntax is valid.

Looks like an error in stubby.yml - Result: Config file syntax is valid. The test site should have passed the test as being connected to 1.1.1.1.

Try using the stubby.yml below

Spoiler: stubby.yml

tls_ca_file: "/rom/etc/ssl/certs/ca-certificates.crt"
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
- GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
dnssec_return_status: GETDNS_EXTENSION_TRUE
tls_query_padding_blocksize: 128
edns_client_subnet_private : 1
round_robin_upstreams: 1
idle_timeout: 2000
tls_connection_retries: 5
tls_backoff_time: 900
timeout: 2000
appdata_dir: "/opt/var/cache/stubby"
listen_addresses:
- 127.0.0.1@5453
- 0::1@5453

upstream_recursive_servers:
# Quad 9 Secure Primary
# - address_data: 9.9.9.9
# tls_auth_name: "dns.quad9.net"
# Quad 9 Secure Primary
# - address_data: 2620:fe::fe
# tls_auth_name: "dns.quad9.net"
# Cloudflare Primary IPv4
- address_data: 1.1.1.1
tls_auth_name: "cloudflare-dns.com"
# Cloudflare Secondary IPv4
- address_data: 1.0.0.1
tls_auth_name: "cloudflare-dns.com"
# Cloudflare Primary IPv6
- address_data: 2606:4700:4700::1111
tls_auth_name: "cloudflare-dns.com"
# Cloudflare Secondary IPv6
- address_data: 2606:4700:4700::1001
tls_auth_name: "cloudflare-dns.com"

 

[Xentrk]

The stubby installer enables both the IPv4 and IPv6 address for Cloudflare DNS in /opt/etc/stubby/stubby.yml. If you don't use IPv6, then extra noise is created by stubby when trying to handshake with the IPv6 resolver address as shown below.

 stubby -l
[01:04:12.802077] STUBBY: Read config from file /opt/etc/stubby/stubby.yml
[01:04:12.803507] STUBBY: DNSSEC Validation is ON
[01:04:12.803558] STUBBY: Transport list is:
[01:04:12.803572] STUBBY:   - TLS
[01:04:12.803586] STUBBY: Privacy Usage Profile is Strict (Authentication required)
[01:04:12.803598] STUBBY: (NOTE a Strict Profile only applies when TLS is the ONLY transport!!)
[01:04:12.803609] STUBBY: Starting DAEMON....
[01:04:14.434282] STUBBY: --- SETUP(TLS): : Verify locations loaded
[01:04:14.434785] STUBBY: 1.1.1.1                                  : Conn opened: TLS - Strict Profile
[01:04:14.502958] STUBBY: 1.1.1.1                                  : Verify passed : TLS
[01:04:14.516541] STUBBY: 1.0.0.1                                  : Conn opened: TLS - Strict Profile
[01:04:14.516665] STUBBY: 2606:4700:4700::1111                     : Conn closed: TLS - Resps=     0, Timeouts  =     0, Curr_auth =   None, Keepalive(ms)=     0
[01:04:14.516691] STUBBY: 2606:4700:4700::1111                     : Upstream   : TLS - Resps=     0, Timeouts  =     0, Best_auth =   None
[01:04:14.516705] STUBBY: 2606:4700:4700::1111                     : Upstream   : TLS - Conns=     0, Conn_fails=     1, Conn_shuts=      0, Backoffs     =     0
[01:04:14.516743] STUBBY: 2606:4700:4700::1001                     : Conn closed: TLS - Resps=     0, Timeouts  =     0, Curr_auth =   None, Keepalive(ms)=     0
[01:04:14.516763] STUBBY: 2606:4700:4700::1001                     : Upstream   : TLS - Resps=     0, Timeouts  =     0, Best_auth =   None
[01:04:14.516776] STUBBY: 2606:4700:4700::1001                     : Upstream   : TLS - Conns=     0, Conn_fails=     1, Conn_shuts=      0, Backoffs     =     0

If you use IPv4, I recommend you comment out the Cloudflare IPv6 lines by adding a # sign in the front of the line or delete the lines entirely. Similarly, if you use IPv6, then comment out or delete the IPv4 lines. Remember to restart stubby after making the change. /opt/etc/init.d/S61stubby restart

# Cloudflare Primary IPv4
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
# Cloudflare Secondary IPv4
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"
# Cloudflare Primary IPv6
#  - address_data: 2606:4700:4700::1111
#    tls_auth_name: "cloudflare-dns.com"
# Cloudflare Secondary IPv6
#  - address_data: 2606:4700:4700::1001
#    tls_auth_name: "cloudflare-dns.com"

May need to add a function to the installer script to detect what IP protocol the router is using and comment out or not include the IP protocol that is not being used.

 

[Marin]

Something is not right.

stubby -i | grep -i dnssec
[03:06:16.655350] STUBBY: Read config from file /opt/etc/stubby/stubby.yml
Result: Config file syntax is valid.

Looks like an error in stubby.yml - Result: Config file syntax is valid. The test site should have passed the test as being connected to 1.1.1.1.

Try using the stubby.yml below

Spoiler: stubby.yml

tls_ca_file: "/rom/etc/ssl/certs/ca-certificates.crt"
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
- GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
dnssec_return_status: GETDNS_EXTENSION_TRUE
tls_query_padding_blocksize: 128
edns_client_subnet_private : 1
round_robin_upstreams: 1
idle_timeout: 2000
tls_connection_retries: 5
tls_backoff_time: 900
timeout: 2000
appdata_dir: "/opt/var/cache/stubby"
listen_addresses:
- 127.0.0.1@5453
- 0::1@5453

upstream_recursive_servers:
# Quad 9 Secure Primary
# - address_data: 9.9.9.9
# tls_auth_name: "dns.quad9.net"
# Quad 9 Secure Primary
# - address_data: 2620:fe::fe
# tls_auth_name: "dns.quad9.net"
# Cloudflare Primary IPv4
- address_data: 1.1.1.1
tls_auth_name: "cloudflare-dns.com"
# Cloudflare Secondary IPv4
- address_data: 1.0.0.1
tls_auth_name: "cloudflare-dns.com"
# Cloudflare Primary IPv6
- address_data: 2606:4700:4700::1111
tls_auth_name: "cloudflare-dns.com"
# Cloudflare Secondary IPv6
- address_data: 2606:4700:4700::1001
tls_auth_name: "cloudflare-dns.com"

Tried this and after restarting Stubby it failed. Had to delete Stubby and reinstalled again.

 

[Marin]

This is from regular install. My DNSSEC validation remains OFF

@RT-AX88U-29F0:/tmp/home/root# stubby -l
[01:24:27.580431] STUBBY: Read config from file /opt/etc/stubby/stubby.yml
[01:24:27.581042] STUBBY: DNSSEC Validation is OFF
[01:24:27.581071] STUBBY: Transport list is:
[01:24:27.581085] STUBBY:   - TLS
[01:24:27.581100] STUBBY: Privacy Usage Profile is Strict (Authentication required)
[01:24:27.581115] STUBBY: (NOTE a Strict Profile only applies when TLS is the ONLY transport!!)
[01:24:27.581129] STUBBY: Starting DAEMON....
[01:24:34.045393] STUBBY: --- SETUP(TLS): : Verify locations loaded
[01:24:34.045814] STUBBY: 1.1.1.1                                  : Conn opened: TLS - Strict Profile
[01:24:34.098634] STUBBY: 1.1.1.1                                  : Verify passed : TLS
[01:24:34.184136] STUBBY: 1.0.0.1

 

[Marin]

Ok, went back and added in stubby.yml

dnssec_return_status: GETDNS_EXTENSION_TRUE

and now getting this (whew!!):

RT-AX88U-29F0:/tmp/home/root# stubby -l
[01:32:32.790437] STUBBY: Read config from file /opt/etc/stubby/stubby.yml
[01:32:32.791485] STUBBY: DNSSEC Validation is ON
[01:32:32.791643] STUBBY: Transport list is:
[01:32:32.791764] STUBBY:   - TLS
[01:32:32.791791] STUBBY: Privacy Usage Profile is Strict (Authentication required)
[01:32:32.791807] STUBBY: (NOTE a Strict Profile only applies when TLS is the ONLY transport!!)
[01:32:32.791822] STUBBY: Starting DAEMON....
[01:32:33.924875] STUBBY: --- SETUP(TLS): : Verify locations loaded
[01:32:33.925261] STUBBY: 1.1.1.1                                  : Conn opened: TLS - Strict Profile
[01:32:33.925544] STUBBY: 1.0.0.1                                  : Conn opened: TLS - Strict Profile
[01:32:33.925709] STUBBY: 2606:4700:4700::1111                     : Conn clo

 

[Marin]

....and then :

 

[L&LD]

The stubby installer enables both the IPv4 and IPv6 address for Cloudflare DNS in /opt/etc/stubby/stubby.yml. If you don't use IPv6, then extra noise is created by stubby when trying to handshake with the IPv6 resolver address as shown below.

 stubby -l
[01:04:12.802077] STUBBY: Read config from file /opt/etc/stubby/stubby.yml
[01:04:12.803507] STUBBY: DNSSEC Validation is ON
[01:04:12.803558] STUBBY: Transport list is:
[01:04:12.803572] STUBBY:   - TLS
[01:04:12.803586] STUBBY: Privacy Usage Profile is Strict (Authentication required)
[01:04:12.803598] STUBBY: (NOTE a Strict Profile only applies when TLS is the ONLY transport!!)
[01:04:12.803609] STUBBY: Starting DAEMON....
[01:04:14.434282] STUBBY: --- SETUP(TLS): : Verify locations loaded
[01:04:14.434785] STUBBY: 1.1.1.1                                  : Conn opened: TLS - Strict Profile
[01:04:14.502958] STUBBY: 1.1.1.1                                  : Verify passed : TLS
[01:04:14.516541] STUBBY: 1.0.0.1                                  : Conn opened: TLS - Strict Profile
[01:04:14.516665] STUBBY: 2606:4700:4700::1111                     : Conn closed: TLS - Resps=     0, Timeouts  =     0, Curr_auth =   None, Keepalive(ms)=     0
[01:04:14.516691] STUBBY: 2606:4700:4700::1111                     : Upstream   : TLS - Resps=     0, Timeouts  =     0, Best_auth =   None
[01:04:14.516705] STUBBY: 2606:4700:4700::1111                     : Upstream   : TLS - Conns=     0, Conn_fails=     1, Conn_shuts=      0, Backoffs     =     0
[01:04:14.516743] STUBBY: 2606:4700:4700::1001                     : Conn closed: TLS - Resps=     0, Timeouts  =     0, Curr_auth =   None, Keepalive(ms)=     0
[01:04:14.516763] STUBBY: 2606:4700:4700::1001                     : Upstream   : TLS - Resps=     0, Timeouts  =     0, Best_auth =   None
[01:04:14.516776] STUBBY: 2606:4700:4700::1001                     : Upstream   : TLS - Conns=     0, Conn_fails=     1, Conn_shuts=      0, Backoffs     =     0

If you use IPv4, I recommend you comment out the Cloudflare IPv6 lines by adding a # sign in the front of the line or delete the lines entirely. Similarly, if you use IPv6, then comment out or delete the IPv4 lines. Remember to restart stubby after making the change. /opt/etc/init.d/S61stubby restart

# Cloudflare Primary IPv4
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
# Cloudflare Secondary IPv4
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"
# Cloudflare Primary IPv6
#  - address_data: 2606:4700:4700::1111
#    tls_auth_name: "cloudflare-dns.com"
# Cloudflare Secondary IPv6
#  - address_data: 2606:4700:4700::1001
#    tls_auth_name: "cloudflare-dns.com"

May need to add a function to the installer script to detect what IP protocol the router is using and comment out or not include the IP protocol that is not being used.

Or just a question or two with the possible choices instead?

It would also be ideal if this can be changed later on if anything changes on the ISP too, without re-installing Stubby.

 

[Swistheater]

I am noticing a lot better performance when I changed
idle_timeout: 60000

 

[EmeraldDeer]

I am noticing a lot better performance when I changed
idle_timeout: 60000

That is surprising because Cloudflare drops you at 10000

 

[Swistheater]

shhhhh don't jinx me

 

[Swistheater]

this is a pretty cool test guys. didn't check to see if it is included on the test page but
https://cmdns.dev.dns-oarc.net/

 

[PeterV]

If someone interested in forwarding stubby logging to the syslog (to have possibility store it in the remote syslog) - I have a solutions. At least two.
Both are related on bash, so you have to install bash via

opkg install bash

1. Simpler one, but with some overhead in the log, from the startup script.
   1. At first change the first line of S61stubby in /opt/etc/init.d from
      

      #!/bin/sh

      to
      

      #!/opt/bin/bash

   2. Insert additional line
      

      exec 1> >(logger -t $PROCS) 2>&1

      before last line

      . /opt/etc/init.d/rc.func

      to have at the end of file the next
      

      ...
      exec 1> >(logger -t $PROCS) 2>&1
      . /opt/etc/init.d/rc.func

   3. Delete forwarding the logging into the /dev/null in rc.func.
      I.e. comment existing

      $PREARGS $PROC $ARGS > /dev/null 2>&1 &

      and add new one

      $PREARGS $PROC $ARGS &

      to have
      

          #$PREARGS $PROC $ARGS > /dev/null 2>&1 &
          $PREARGS $PROC $ARGS  &

   4. Restart and check the syslog.
   5. You have to see something like:
      

      2019-03-16T14:00:44+02:00 192.168.99.1 S61stubby: restart Stubby DNS over TLS /opt/etc/init.d/S61stubby
      2019-03-16T14:00:44+02:00 192.168.99.1 stubby: .[1;37m Starting stubby... .[m[12:00:44.301631] STUBBY: Read config from file /opt/etc/stubby/stubby.yml
      2019-03-16T14:00:44+02:00 192.168.99.1 stubby:             .[1;32m done. .[m

• Other one:

1. Add new configuration variable FORCESYSLOG in the S61stubby in /opt/etc/init.d from. For example - after line with

   ENABLED=yes

   .
   

   ...
   ENABLED=yes
   FORCESYSLOG=yes
   ...

2. Replace

   $PREARGS $PROC $ARGS > /dev/null 2>&1 &

   in rc.func with next code
   

       if [ "$FORCESYSLOG" = "yes" ] && [ -x /opt/bin/bash ] ; then
           cat >/tmp/temp.start.$PROC.sh <<EOF
   #!/opt/bin/bash
   exec 1> >(logger -t $PROC) 2>&1
   echo $PREARGS $PROC $ARGS
   export TZ=$(cat /etc/TZ)
   $PREARGS $PROC $ARGS &
   EOF
           chmod o+x /tmp/temp.start.$PROC.sh
           /tmp/temp.start.$PROC.sh
           rm -f /tmp/temp.start.$PROC.sh
       else
           $PREARGS $PROC $ARGS > /dev/null 2>&1 &
       fi

• Restart and check the syslog.

• You have to see something like:
  

  2019-03-16T13:43:14+02:00 192.168.99.1 S62stubby: restart Stubby DNS over TLS /opt/etc/init.d/S62stubby
  2019-03-16T13:43:14+02:00 192.168.99.1 stubby: [11:43:14.671496] STUBBY: Read config from file /opt/etc/stubby/stubby.yml

Important note - due to rc.func can be overwritten during opkg upgrade, I have to recommend to make a copy of it, name it rc.func.my (for example), and relay on it in the last line of your S61stubby.
There is a full list of my files, they are slightly different, taking an account the functionality to start dnsmasq with usual forward to usual dns, before the stubbly will be fully accessible.
P.S. Files uploaded with ".txt" extensions, due to regulation of the forum.
P.P.P.S. rc.func.my and S61stubby located in /opt/etc/init.d/, dnsmasq.postconf.my and dnsmasq.postconf.txt - in /jffs/scripts

 

[TheUntouchable]

Does anybody have the same problem that with the 384.10_beta2 stubby is not starting anymore?
After flashing the new firmware and the reboot no dns resolving was possible anymore, also my router tells me that I am disconnected but I can see that I got an ip address. So I uninstalled stubby and after the reboot again dns was working. Installed it again over amtm and the installer told me that starting of stubby was not possible. Again dns did not work.

 

[skeal]

Does anybody have the same problem that with the 384.10_beta2 stubby is not starting anymore?
After flashing the new firmware and the reboot no dns resolving was possible anymore, also my router tells me that I am disconnected but I can see that I got an ip address. So I uninstalled stubby and after the reboot again dns was working. Installed it again over amtm and the installer told me that starting of stubby was not possible. Again dns did not work.

Can you run this command please?

stubby -C /opt/etc/stubby/stubby.yml -i