Stubby-Installer-Asuswrt-Merlin

That works, thanks.

I feel like I'm missing something, though. Just came out of another general anesthesia round so my mind may be a little foggy....
If you drill with @1.1.1.1 you aren’t using Stubby anymore. So that’s what you’re missing.

Check your stubby.yml and dnsmasq.conf files for dnssec parameters and post them here.
Code:
grep -i dnssec /etc/dnsmasq.conf
grep -i dnssec /opt/etc/stubby/stubby.yml
 
If you drill with @1.1.1.1 you aren’t using Stubby anymore. So that’s what you’re missing.

Check your stubby.yml and dnsmasq.conf files for dnssec parameters and post them here.
Code:
grep -i dnssec /etc/dnsmasq.conf
grep -i dnssec /opt/etc/stubby/stubby.yml
First command I get nothing.
Second command I get:
Code:
dnssec: GETDNS_EXTENSION_TRUE
 
Interesting. I don't need to enter @server on mine. I still get the ad flag when I use:

Code:
@RT-AX88U-29F0:/tmp/home/root# drill -D x3mtek.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 64903
;; flags: qr rd ra ad ; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; x3mtek.com.    IN    A

;; ANSWER SECTION:
x3mtek.com.    300    IN    A    104.27.172.243
x3mtek.com.    300    IN    A    104.27.173.243
 
First command I get nothing.
Second command I get:
Code:
dnssec: GETDNS_EXTENSION_TRUE
I think you need proxy-dnssec in /jffs/config/dnsmasq.conf.add.
 
If you drill with @1.1.1.1 you aren’t using Stubby anymore. So that’s what you’re missing.

Check your stubby.yml and dnsmasq.conf files for dnssec parameters and post them here.
Code:
grep -i dnssec /etc/dnsmasq.conf
grep -i dnssec /opt/etc/stubby/stubby.yml

From the first command, I get:

Code:
proxy-dnssec

From the second command, I don't get anything.

Note, I don't have:

Code:
dnssec: GETDNS_EXTENSION_TRUE

in my stubby.yml.
 
From the first command, I get:

Code:
proxy-dnssec

From the second command, I don't get anything.

Note, I don't have:

Code:
dnssec: GETDNS_EXTENSION_TRUE

in my stubby.yml.
That’s expected based on the installer.
 
I think you need proxy-dnssec in /jffs/config/dnsmasq.conf.add.
Ok I figured out that this stubby.yml configuration for dnssec doesn't work.
Code:
dnssec: GETDNS_EXTENSION_TRUE
I enabled the dnssec setting in the webui and now I can run this query:
Code:
drill -D example.com
The "AD" flag shows up now. How long was I running without dnssec I don't know. Shoot!!
 
Ok I figured out that this stubby.yml configuration for dnssec doesn't work.
Code:
dnssec: GETDNS_EXTENSION_TRUE
I enabled the dnssec setting in the webui and now I can run this query:
Code:
drill -D example.com
The "AD" flag shows up now. How long was I running without dnssec I don't know. Shoot!!

Does your DNSSEC setup in GUI look like this?

upload_2019-4-1_19-27-57.png


I am curious, when is the "strict unsigned validation" ever used as "Yes"? If I check both, that creates an error in cloudflare.com. When I leave it as shown above, it works just fine and validation works fine. I prefer to use this setup rather than adding a DNSSEC entry in my stubby.yml.
 

If you drill with @1.1.1.1 you aren’t using Stubby anymore. So that’s what you’re missing.

Check your stubby.yml and dnsmasq.conf files for dnssec parameters and post them here.
Code:
grep -i dnssec /etc/dnsmasq.conf
grep -i dnssec /opt/etc/stubby/stubby.yml

So then after entering the first command I get this:

Code:
RT-AX88U-29F0:/tmp/home/root# grep -i dnssec /etc/dnsmasq.conf
dnssec
dnssec-check-unsigned=no
proxy-dnssec

When I enter the second, I don't get anything.
 
Does your DNSSEC setup in GUI look like this?

View attachment 16812

I am curious, when is the "strict unsigned validation" ever used as "Yes"? If I check both, that creates an error in cloudflare.com. When I leave it as shown above, it works just fine and validation works fine. I prefer to use this setup rather than adding a DNSSEC entry in my stubby.yml.
Without strict validation is not the best way to go though. Sure cloudflare breaks and you get errors when a site isn't fully supported (Both of which I rarely ever see). But for me security has become paramount. @RMerlin suggests to use strict validation or don't use dnssec, it is self defeating.
 
Enabling dnssec in the GUI is different than enabling dnssec via the installer script. Seems like you both have drifted from the installer’s configuration.
 
So then after entering the first command I get this:

Code:
RT-AX88U-29F0:/tmp/home/root# grep -i dnssec /etc/dnsmasq.conf
dnssec
dnssec-check-unsigned=no
proxy-dnssec

When I enter the second, I don't get anything.
So it looks like you have both dnssec-proxy and dnssec in the webui set. I've never seen that before.
 
And after enabling both DNSSEC settings in GUI and enter the first command, I get:

Code:
RT-AX88U-29F0:/tmp/home/root#  grep -i dnssec /etc/dnsmasq.conf
dnssec
proxy-dnssec

and nothing with the second command.

1.1.1.1/help shows "No" on everything (and this behaviour has been discussed before).
 
So then after entering the first command I get this:

Code:
RT-AX88U-29F0:/tmp/home/root# grep -i dnssec /etc/dnsmasq.conf
dnssec
dnssec-check-unsigned=no
proxy-dnssec

When I enter the second, I don't get anything.
I have dnssec and strict validation set in the webui and when I run the first command it gives this as output only.
Code:
dnssec
 
And after enabling both DNSSEC settings in GUI and enter the first command, I get:

Code:
RT-AX88U-29F0:/tmp/home/root#  grep -i dnssec /etc/dnsmasq.conf
dnssec
proxy-dnssec

and nothing with the second command.

1.1.1.1/help shows "No" on everything (and this behaviour has been discussed before).
You need to edit out the proxy-dnssec line.
 
That's what I had originally....thanks, I was experimenting with my GUI after reading @skeal's posts
What are you trying to accomplish by enabling dnssec in the UI? Isn't stubby handling dnssec and that's why it's turned off during the install routine.
 
What are you trying to accomplish by enabling dnssec in the UI? Isn't stubby handling dnssec and that's why it's turned off during the install routine.
Stubby uses a dnssec proxy. I want strict validation. I'm not concerned with the cloudflare page not working I know DoT is working. So I use the webui, and let the router handle dnssec.
 
What are you trying to accomplish by enabling dnssec in the UI? Isn't stubby handling dnssec and that's why it's turned off during the install routine.

Review the reasoning behind this starting from this post: https://www.snbforums.com/threads/stubby-installer-asuswrt-merlin.49469/page-58#post-471829

There is still a debate about this and as far as I know there is no verdict on what should be the best way to enable DNSSEC (through current Stubby installation and no GUI DNSSEC vs. adding a DNSSEC line in stubby.yml or enabling DNSSEC in GUI). The latter option will give you a result on 1.1.1.1/help that is different from what you see if you go with the first option (or current install method in AMTM).

I am simply still experimenting with @bbunge's and @skeal's ideas at this time, that's all.
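
The checks traded back and forth in this thread, as an added shell example that is not part of any post and is not the installer's code: it classifies the dnsmasq directives the posters grepped for and tests drill output for the AD flag. The mode names, and reading a missing `dnssec-check-unsigned=no` line as strict checking, are assumptions drawn from the outputs posted above.

```shell
#!/bin/sh
# Added example: classify the DNSSEC directives grepped for in this thread.

# dnssec_mode FILE -> prints how dnsmasq treats DNSSEC for the given config.
dnssec_mode() {
    validate=no; proxy=no; strict=yes
    grep -Eq '^[[:space:]]*dnssec[[:space:]]*$' "$1" && validate=yes
    grep -Eq '^[[:space:]]*proxy-dnssec[[:space:]]*$' "$1" && proxy=yes
    # Assumption from the posted outputs: no "=no" line means strict checking.
    grep -Eq '^[[:space:]]*dnssec-check-unsigned=no[[:space:]]*$' "$1" && strict=no
    case "$validate:$proxy" in
        yes:yes) echo "both-set" ;;       # thread advice: remove proxy-dnssec
        yes:no)  if [ "$strict" = yes ]; then echo "validate-strict"
                 else echo "validate-lax"; fi ;;
        no:yes)  echo "proxy" ;;          # AD bit is copied from upstream
        *)       echo "none" ;;
    esac
}

# has_ad_flag: reads drill output on stdin, succeeds if the header has "ad".
has_ad_flag() {
    awk '/^;; flags:/ {
        sub(/^;; flags:/, ""); sub(/;.*/, "")
        for (i = 1; i <= NF; i++) if ($i == "ad") found = 1
    }
    END { exit !found }'
}

# Constructed sample: the three lines one poster reported from dnsmasq.conf.
sample=$(mktemp)
printf 'dnssec\ndnssec-check-unsigned=no\nproxy-dnssec\n' > "$sample"
echo "dnsmasq mode: $(dnssec_mode "$sample")"
rm -f "$sample"

# Constructed sample: header line in the format drill printed above.
if printf ';; flags: qr rd ra ad ; QUERY: 1, ANSWER: 3\n' | has_ad_flag; then
    echo "AD flag present"
fi
```

On the router, pass `/etc/dnsmasq.conf` to `dnssec_mode` and pipe `drill -D example.com` into `has_ad_flag`, without an `@server` argument so the query goes through the local resolver chain.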
 
