What's new

Stubby-Installer-Asuswrt-Merlin

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

That works, thanks.

I feel like I'm missing something, though. Just came out of another general anesthesia round so my mind may be a little foggy....
If you drill with @1.1.1.1 you aren’t using Stubby anymore. So that’s what you’re missing.

Check your stubby.yml and dnsmasq.conf files for dnssec parameters and post them here.
Code:
grep -i dnssec /etc/dnsmasq.conf
grep -i dnssec /opt/etc/stubby/stubby.yml
 
If you drill with @1.1.1.1 you aren’t using Stubby anymore. So that’s what you’re missing.

Check your stubby.yml and dnsmasq.conf files for dnssec parameters and post them here.
Code:
grep -i dnssec /etc/dnsmasq.conf
grep -i dnssec /opt/etc/stubby/stubby.yml
First command I get nothing.
Second command I get:
Code:
dnssec: GETDNS_EXTENSION_TRUE
 
Interesting. I don't need to enter @server on mine. I still get the ad flag when I use:

Code:
@RT-AX88U-29F0:/tmp/home/root# drill -D x3mtek.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 64903
;; flags: qr rd ra ad ; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; x3mtek.com.    IN    A

;; ANSWER SECTION:
x3mtek.com.    300    IN    A    104.27.172.243
x3mtek.com.    300    IN    A    104.27.173.243
 
If you drill with @1.1.1.1 you aren’t using Stubby anymore. So that’s what you’re missing.

Check your stubby.yml and dnsmasq.conf files for dnssec parameters and post them here.
Code:
grep -i dnssec /etc/dnsmasq.conf
grep -i dnssec /opt/etc/stubby/stubby.yml

From the first command, I get:

Code:
proxy-dnssec

From the second command, I don't get anything.

Note, I don't have:

Code:
dnssec: GETDNS_EXTENSION_TRUE

in my stubby.yml.
 
From the first command, I get:

Code:
proxy-dnssec

From the second command, I don't get anything.

Note, I don't have:

Code:
dnssec: GETDNS_EXTENSION_TRUE

in my stubby.yml.
That’s expected based on the installer.
 
I think you need proxy-dnssec in /jffs/config/dnsmasq.conf.add.
Ok I figured out that this stubby.yml configuration for dnssec doesn't work.
Code:
dnssec: GETDNS_EXTENSION_TRUE
I enabled the dnssec setting in the webui and now I can run this query:
Code:
drill -D example.com
The "AD" flag shows up now. How long was I running without dnssec I don't know. Shoot!! :confused:o_O
 
Ok I figured out that this stubby.yml configuration for dnssec doesn't work.
Code:
dnssec: GETDNS_EXTENSION_TRUE
I enabled the dnssec setting in the webui and now I can run this query:
Code:
drill -D example.com
The "AD" flag shows up now. How long was I running without dnssec I don't know. Shoot!! :confused:o_O

Does your DNSSEC setup in GUI look like this?

upload_2019-4-1_19-27-57.png


I am curious, when is the "strict unsigned validation" ever used as "Yes"? If I check both, that creates an error in cloudflare.com. When I leave it as shown above, it works just fine and validation works fine. I prefer to use this setup rather than adding a DNSSEC entry in my stubby.yml.
 

Attachments

  • upload_2019-4-1_19-27-2.png
    upload_2019-4-1_19-27-2.png
    110.2 KB · Views: 311
If you drill with @1.1.1.1 you aren’t using Stubby anymore. So that’s what you’re missing.

Check your stubby.yml and dnsmasq.conf files for dnssec parameters and post them here.
Code:
grep -i dnssec /etc/dnsmasq.conf
grep -i dnssec /opt/etc/stubby/stubby.yml

So then after entering the first command I get this:

Code:
RT-AX88U-29F0:/tmp/home/root# grep -i dnssec /etc/dnsmasq.conf
dnssec
dnssec-check-unsigned=no
proxy-dnssec

When I enter the second, I don't get anything.
 
Does your DNSSEC setup in GUI look like this?

View attachment 16812

I am curious, when is the "strict unsigned validation" ever used as "Yes"? If I check both, that creates an error in cloudflare.com. When I leave it as shown above, it works just fine and validation works fine. I prefer to use this setup rather than adding a DNSSEC entry in my stubby.yml.
Without strict validation is not the best way to go though. Sure cloudflare breaks and you get errors when a site isn't fully supported (Both of witch I rarely ever see). But for me security has become paramount. @RMerlin suggests to use strict validation or don't use dnssec, it is self defeating.
 
Enabling dnssec in the GUI is different than enabling dnssec via the installer script. Seems like you both have drifted from the installer’s configuration.
 
So then after entering the first command I get this:

Code:
RT-AX88U-29F0:/tmp/home/root# grep -i dnssec /etc/dnsmasq.conf
dnssec
dnssec-check-unsigned=no
proxy-dnssec

When I enter the second, I don't get anything.
So it looks like you have both dnssec-proxy and dnssec in the webui set. I've never seen that before.
 
And after enabling both DNSSEC settings in GUI and enter the first command, I get:

Code:
RT-AX88U-29F0:/tmp/home/root#  grep -i dnssec /etc/dnsmasq.conf
dnssec
proxy-dnssec

and nothing with the second command.

1.1.1.1/help shows "No" on everything (and this behaviour has been discussed before).
 
So then after entering the first command I get this:

Code:
RT-AX88U-29F0:/tmp/home/root# grep -i dnssec /etc/dnsmasq.conf
dnssec
dnssec-check-unsigned=no
proxy-dnssec

When I enter the second, I don't get anything.
I have dnssec and strict validation set in the webui and when I run the first command it gives this as output only.
Code:
dnssec
 
And after enabling both DNSSEC settings in GUI and enter the first command, I get:

Code:
RT-AX88U-29F0:/tmp/home/root#  grep -i dnssec /etc/dnsmasq.conf
dnssec
proxy-dnssec

and nothing with the second command.

1.1.1.1/help shows "No" on everything (and this behaviour has been discussed before).
You need to edit out the proxy-dnssec line.
 
Thats what I had originally....thanks, I was experimenting with my GUI after reading @skeal's posts
What are you trying to accomplish by enabling dnssec in the UI? Isn't stubby handling dnssec and that's why its turned off during the install routine.
 
What are you trying to accomplish by enabling dnssec in the UI? Isn't stubby handling dnssec and that's why its turned off during the install routine.
Stubby uses a dnssec proxy. I want strict validation. I'm not concerned with the cloudflare page not working I know DoT is working. So I use the webui, and let the router handle dnssec. ;):)
 
What are you trying to accomplish by enabling dnssec in the UI? Isn't stubby handling dnssec and that's why its turned off during the install routine.

Review the reasoning behind this starting from this post: https://www.snbforums.com/threads/stubby-installer-asuswrt-merlin.49469/page-58#post-471829

There is still a debate about this and as far as I know there is no verdict on what should be the best way to enable DNSSEC (through current Stubby installation and no GUI DNSSEC vs. adding a DNSSEC line in stubby.yml or enabling DNSSEC in GUI). The latter option will give you a result on 1.1.1.1/help that is different from what you see if you go with the first option (or current install method in AMTM.

I am simply still experimenting with @bbunge's and @skeal's ideas at this time, that's all.
 

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Top