Stubby-Installer-Asuswrt-Merlin

Where do you have DNSSEC enabled? Gui or Stubby?
Errors like that may not cause performance issues as stubby in roundrobin mode will switch to the next resolver in a heartbeat or less.
I would not worry about that error.


Within the GUI.

Is “Forward local domain queries to upstream DNS” enabled on your LAN DHCP page? The 168.192.in-addr.arpa is related to 192.168.0.0/16 reverse lookups. Just seems odd to me.

It is not enabled. What scenario would trigger a reverse look-up? If I'm accessing devices or servers within my local network, I use only the decimal address.
 
*Edit* Guys...I'm sorry. I do this all the time. I posted this, then went one page back and saw people ask the same thing, and got a great answer. I love this forum. *End Edit*

I've successfully installed Stubby.

I've read a few posts/blogs/articles that say something to the effect of:
"Perform a loopback using dig to ensure it's working"

Or "Monitor Port 853 using Wireshark to make sure that it's working!"

I've downloaded Wireshark, and I've visited the dig website, but I have no idea what any of those generic statements actually mean.
Is there a black and white way to confirm my DNS is being encrypted over TLS?

Thanks!
 
See the commands at the github readme for this script.
https://github.com/Xentrk/Stubby-Installer-Asuswrt-Merlin/blob/master/README.md
 
Running:
Code:
stubby -l
Should show you the interaction with Cloudflare.
 
If you are using the "default" Cloudflare upstream resolvers with no DNSSEC, go to:

https://cloudflare-dns.com/help/

That page will show you that you are using DoT. Enabling DNSSEC in either Stubby or the Merlin GUI will break the test.
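
Added example (not part of any post in this thread, and not code from the Stubby installer): a shell check that turns the "monitor port 853" advice from the question into a yes/no answer by reading a text capture in `tcpdump -nn` format. The sample lines, the addresses and the function names are constructed for illustration; having tcpdump available on the router is an assumption.

```shell
#!/bin/sh
# Added example: classify upstream DNS traffic from a text capture.
# Assumed input: one-line IPv4 output of `tcpdump -nn`, taken on the router's
# WAN interface with a filter such as 'port 53 or port 853'.

# Constructed sample captures (documentation addresses, not real traffic).
SAMPLE_DOT='17:21:45.100001 IP 203.0.113.10.41234 > 1.1.1.1.853: Flags [P.], seq 1:130, ack 1, win 229, length 129
17:21:45.120417 IP 1.1.1.1.853 > 203.0.113.10.41234: Flags [P.], seq 1:180, ack 130, win 64, length 179'

SAMPLE_LEAK="$SAMPLE_DOT
17:21:46.000301 IP 203.0.113.10.50514 > 9.9.9.9.53: 4660+ A? example.com. (29)"

# count_dst_port PORT WAN_IP: count packets sent by WAN_IP to destination PORT.
count_dst_port() {
    awk -v port="$1" -v src="$2" '
        $2 == "IP" && $4 == ">" {
            s = $3; sub(/\.[0-9]+$/, "", s)   # source address without its port
            p = $5; sub(/:$/, "", p)          # drop the trailing colon
            sub(/^.*\./, "", p)               # keep only the destination port
            if (s == src && p == port) c++
        }
        END { print c + 0 }'
}

# dns_verdict WAN_IP: read a capture on stdin and print one of
#   dot-only | plaintext-leak | no-dns-seen
dns_verdict() {
    capture=$(cat)
    tls=$(printf '%s\n' "$capture" | count_dst_port 853 "$1")
    plain=$(printf '%s\n' "$capture" | count_dst_port 53 "$1")
    if [ "$plain" -gt 0 ]; then
        echo plaintext-leak      # at least one unencrypted query left the WAN
    elif [ "$tls" -gt 0 ]; then
        echo dot-only            # upstream traffic seen only on the DoT port
    else
        echo no-dns-seen         # capture too short or wrong interface
    fi
}

printf '%s\n' "$SAMPLE_DOT"  | dns_verdict 203.0.113.10
printf '%s\n' "$SAMPLE_LEAK" | dns_verdict 203.0.113.10
```

The `server=/pool.ntp.org/1.1.1.1` dnsmasq entry discussed later in the thread sends that one domain's lookups as ordinary DNS, so a capture that spans a reboot can show a port 53 packet even when Stubby is working.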
 

I have DNSSEC enabled in GUI with stubby on an RT-AC5300 and the test is fine.
 
It should pass with strict validation turned off and fail with strict validation turned on.
 
Hello all, I have an N66U & am thinking of giving this a try. I've searched the thread but can't find any posts about whether it will work on an N66U, does anyone have any info before I dive in?

Regards.
 
Not sure which firmware you're running, but you can easily get Stubby on an N66U by loading John's fork, which includes it natively. Plus it's more updated than any firmware you might be running from Merlin or ASUS.
https://www.snbforums.com/threads/fork-asuswrt-merlin-374-43-lts-releases-v39e1.18914/
 
Hi. Actually, I'm already running that fork but I wasn't aware that it already includes it - is that right?
Yes, since v 374.43_36E1j9527. Look on the WAN page for DoT (DNS over TLS).
 
Well bugger me sideways....so it is.....lol Thanks for pointing me to it. So is it just a case of enabling it or do I have to input the DNS addresses I want to use also?
Sorry for the noob questions.
 
You can multi-click in the dropdown list to select which servers you want to use. There isn't any freeform entry allowed. Head over to John's thread for additional questions/support.
 
Code:
server=/pool.ntp.org/1.1.1.1

I have switched from CF to Quad9. Do I need to modify the above to the Quad9 IP? Everything is working fine but I didn't know if this would be best practice?
 
Best to leave that entry alone as it is used but once on boot.
 
Sorry if this is out of right field... I scanned over the merlin beta release notes and noticed 2 things that may shake up the script scene: DOT and NTPD!

I am assuming that if all goes well, when 384.11 rolls out this stubby installer script won't be needed anymore, correct? ...or maybe the webui won't have all the options?

It's OT, but I think I'll also have to remove my little ntpd script since it sounds like the new integrated one may be more accurate. How will the merlin ntpd compare to the fancy kvic version that's currently available through AMTM?
 
I am assuming that if all goes well, when 384.11 rolls out this stubby installer script won't be needed anymore, correct?

Correct, as of 384.11 users are advised to uninstall and use the native implementation as the installer will no longer be updated.
 
And users looking for more advanced customization will be able to do so using a postconf script.

The built-in version of getdns/stubby will use OpenSSL 1.1.1, allowing it to use TLS 1.3 when supported by the remote servers.
 