Stubby-Installer-Asuswrt-Merlin

[pattiri]

How do I get TLS 1.3 and Encrypted SNI to work?

Both TLS 1.3 and Encrypted SNI is depending on your browser not stubby.

As far as I know; both Firefox and Chrome latest versions support TLS 1.3 so I think you are using older version of these or using another browser which doesn't support TLS 1.3.

For Encrypted SNI, I have no idea on Chrome but with firefox go to about:config and make the below changes.

network.security.esni.enabled -> true
network.trr.mode -> 2

After that you should see Encrypted SNI green.

 

[Adamm]

I like to disable custom scripts and eject the usb drive form my router before I do firmware upgrades. I lost internet connectivity when I disabled custom scripts and rebooted and I realised it was because the wan dns was still set on the router’s own address, but obviously stubby was no longer running. Is there any way for stubby to unset this and change it back to default at the moment that custom scripts are disabled? Or is this impossible because as soon as that seething is changed custom scripts can obviously no longer run?

When you disable custom scripts there is nothing for us to hook into, I'd consider a situation like this user-error. I personally find no need to mess with my USB or settings when upgrading firmware.

 

[#TY]

network.security.esni.enabled -> true
network.trr.mode -> 2

I made these changes on FireFox 66.0.1 and using the following page to test:
https://www.cloudflare.com/ssl/encrypted-sni/

If I make this change:
network.trr.mode -> 2

The above page no longer loads.

If I only make this change:
network.security.esni.enabled -> true

Then nothing changes in my results unfortunately.

 

[#TY]

Also, is possible to configure Stubby to allow for both:

Using DNS over HTTPS (DoH)
Using DNS over TLS (DoT)

 

[bbunge]

Also, is possible to configure Stubby to allow for both:

Using DNS over HTTPS (DoH)
Using DNS over TLS (DoT)

Not yet but I have seen that DoH is in the works.

Sent from my SM-T380 using Tapatalk

 

[XIII]

network.trr.mode -> 2

Doesn't that mean that Firefox will use the DNS server configured in Firefox, instead of the system configured DNS?

(i.e., bypassing Stubby?)

 

[#TY]

Pardon the total noob question.

How do you update Entware and Stubby? (i.e. How do you even know there's a newer version? Is it by checking the Github pages or is there a more efficient way?)

 

[XIII]

How do you update Entware?

Entware:

opkg update
opkg upgrade

(I don't know about Stubby)

 

[heysoundude]

Pardon the total noob question.

How do you update Entware and Stubby? (i.e. How do you even know there's a newer version? Is it by checking the Github pages or is there a more efficient way?)

https://diversion.ch/amtm.html

donate to the developer/maintainer @thelonelycoder
it's actually kinda at the point that everyone whose work is included in this should be getting SOMETHING, but that would mean formalizing a business arrangement across international borders. maybe a subscription service is a better way, like a Patreon thing?

 

[bbunge]

Entware:

opkg update
opkg upgrade

(I don't know about Stubby)

With Entware upgraded re-run the Stubby installer:

/usr/sbin/curl --retry 3 "https://raw.githubusercontent.com/Xentrk/Stubby-Installer-Asuswrt-Merlin/master/install_stubby.sh" -o "/jffs/scripts/install_stubby.sh" && chmod 755 /jffs/scripts/install_stubby.sh && sh /jffs/scripts/install_stubby.sh

Note that this will backup your current stubby.yml and replace it with a new stubby.yml which uses Cloudflare upstream resolvers. There are also two lines added at the end of the stubby.yml to promote the use of TLS 1.3:

tls_min_version: GETDNS_TLS1_3
tls_ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"

You can comment out (#) these lines if your preferred resolvers do not support TLS 1.3.
If you have no internet connection after the upgrade reboot the router to make sure the new versions of the updates are active.

 

[EmeraldDeer]

Doesn't that mean that Firefox will use the DNS server configured in Firefox, instead of the system configured DNS?

(i.e., bypassing Stubby?)

Yes, it does. This is why I do not recommend using DoH.

 

[EmeraldDeer]

Also, is possible to configure Stubby to allow for both:

Using DNS over HTTPS (DoH)
Using DNS over TLS (DoT)

If you use DoH, then Stubby is bypassed. DNS goes directly from Firefox to Cloudflare.

 

[EmeraldDeer]

Both TLS 1.3 and Encrypted SNI is depending on your browser not stubby.

As far as I know; both Firefox and Chrome latest versions support TLS 1.3 so I think you are using older version of these or using another browser which doesn't support TLS 1.3.

For Encrypted SNI, I have no idea on Chrome but with firefox go to about:config and make the below changes.

network.security.esni.enabled -> true
network.trr.mode -> 2

After that you should see Encrypted SNI green.

In addition, your security software might have a web component which intercepts https traffic to scan it from a browser add-on. In my case, the web component only supported TLS 1.2 even though Chrome supports TLS 1.3. I ended up disabling this component.

TLS 1.3 is now supported in iOS Safari with the new iOS 12.2.

 

[pattiri]

Doesn't that mean that Firefox will use the DNS server configured in Firefox, instead of the system configured DNS?

Yes it'll bypass stubby

 

[#TY]

In addition, your security software might have a web component which intercepts https traffic to scan it from a browser add-on. In my case, the web component only supported TLS 1.2 even though Chrome supports TLS 1.3. I ended up disabling this component.

TLS 1.3 is now supported in iOS Safari with the new iOS 12.2.

You nailed it! It was my antivirus on that specific Mac that was preventing TLS 1.3 from lighting up in green. As soon as I disabled its "web security", TLS 1.3 lit up. The only thing left is the Encrypted SNI for now.

And yes, on macOS 10.14.4, Safari supports TLS 1.3

 

[#TY]

Doesn't that mean that Firefox will use the DNS server configured in Firefox, instead of the system configured DNS?

(i.e., bypassing Stubby?)

In Firefox, I modified these two settings and everything lit up green as shown in the attached picture.

That being said, Encrypted SNI only worked when I modified BOTH settings. However, if network.trr.mode = 2 bypasses Stubby, is there any good in doing so? Encrypted SNI will not turn green, unless I modify the network.trr.mode setting.

 

[#TY]

https://diversion.ch/amtm.html

This is fantastic! Thank you so much and to everyone contributing.

 

[DonnyJohnny]

In Firefox, I modified these two settings and everything lit up green as shown in the attached picture.

That being said, Encrypted SNI only worked when I modified BOTH settings. However, if network.trr.mode = 2 bypasses Stubby, is there any good in doing so? Encrypted SNI will not turn green, unless I modify the network.trr.mode setting.

If you have diversion (ad block) installed, by using browser built in doh, you will not only bypass stubby but also Diversion. eSNI currently only works with Firefox built in doh. There is no other way to have eSNI on stubby or dnscrypt-proxy etc.
If u don’t know eSNI, go google. Decide if you really need it at the expense of disable diversion.

 

[#TY]

I am ignoring Encrypted SNI for now. I don't think it is worth undoing/bypassing Stubby.

I have yet to install Diversion - worried it might start breaking all sorts of web pages

 

[DonnyJohnny]

I am ignoring Encrypted SNI for now. I don't think it is worth undoing/bypassing Stubby.

I have yet to install Diversion - worried it might start breaking all sorts of web pages

It might need some tweaking every now and then but most sites should function well. You may also choose the most basic list to block some commonly known ads and you can easily whitelist or blacklist with the application.