Stubby-Installer-Asuswrt-Merlin

[thelonelycoder]

He meant deprecated, not depreciated.
In any case it means the stubby script you have used to install the entware verions of stubby is being superseded by @RMerlin's latest firmware (currently in beta) which has Stubby built in, and available to configure via webui. A more stable and integrated verion of stubby if you will.

Stubby installer is already deprecated in amtm if the router firmware supports native DoT.

 

[bbunge]

What does that mean, exactly?



My router is set to "Connect to DNS Server automatically", so I assume it's my ISP's DNS servers. Same as before installing amtm and any scripts.



Nope.

With Stubby installed WAN/DNS Server 1 needs to be set to the LAN IP address of your router. The Stubby installer script should do this for you. When you uninstall Stubby it will set WAN/DNS Server 1 to 1.1.1.1

 

[EeK]

He meant deprecated, not depreciated.
In any case it means the stubby script you have used to install the entware verions of stubby is being superseded by @RMerlin's latest firmware (currently in beta) which has Stubby built in, and available to configure via webui. A more stable and integrated verion of stubby if you will.

Ah, I see. I usually wait for the stable versions to be released before updating the firmware. I'm still on 384.10_2.

With Stubby installed WAN/DNS Server 1 needs to be set to the LAN IP address of your router. The Stubby installer script should do this for you. When you uninstall Stubby it will set WAN/DNS Server 1 to 1.1.1.1

I didn't make any manual changes before or after installing Stubby, but I checked the router's GUI and it was still set to "Connect to DNS Server automatically" and DNS Servers 1 and 2 (under LAN > DHCP Server) were left blank, regardless of Stubby being installed or not.

You mentioned that installing Stubby should have automatically changed DNS Server 1 to my router's IP address, and uninstalling it, revert that to 1.1.1.1? Because none of that happened. All I can say is that Stubby definitely affected Steam, so I had to uninstall it.

 

[Xentrk]

With Stubby installed WAN/DNS Server 1 needs to be set to the LAN IP address of your router. The Stubby installer script should do this for you. When you uninstall Stubby it will set WAN/DNS Server 1 to 1.1.1.1

In one of the recent updates, @Adamm changed the uninstall to use the DNS of your ISP by setting "Connect to DNS Server Automatically" to "Yes" rather than reverting to Cloudflare 1.1.1.1.

 

[bbunge]

In one of the recent updates, @Adamm changed the uninstall to use the DNS of your ISP by setting "Connect to DNS Server Automatically" to "Yes" rather than reverting to Cloudflare 1.1.1.1.

Good idea!
Yesterday I replaced my Asus router with a Netgear Orbi. Much better wifi coverage. Quad9 resolvers work better, too.

Sent from my SM-T380 using Tapatalk

 

[consorts]

can someone tell me exactly how to remove or uninstall stubby?
all i can find it how to stop or kill it, but not how to keep it away
like from coming back after i reboot my router.

something this basic should be a lot easier to find and do

 

[thelonelycoder]

can someone tell me exactly how to remove or uninstall stubby?
all i can find it how to stop or kill it, but not how to keep it away
like from coming back after i reboot my router.

something this basic should be a lot easier to find and do

The uninstall option in the stubby installer ssh menu.

 

[laracroftonline]

stubby for me works better than merlins implementation i don't even get it to work. i asked for a decent manual but no one is providing one other than that quick hasty writeup on the asuswrt merlin wiki.

 

[RMerlin]

stubby for me works better than merlins implementation i don't even get it to work. i asked for a decent manual but no one is providing one other than that quick hasty writeup on the asuswrt merlin wiki.

There's nothing hasty about these instructions, they are simply as simple as they say.

1) Enable DNS over TLS
2) Add at least one server to the list, using the preset dropdown
3) Apply settings
4) You're done.

There's no need to configure anything else, so I'm not sure what kind of additional details you are expecting.

 

[Xentrk]

stubby for me works better than merlins implementation i don't even get it to work. i asked for a decent manual but no one is providing one other than that quick hasty writeup on the asuswrt merlin wiki.

There are several posts in the 384.11 support thread of some settings. Here are mine:

Basic DoT Settings

WAN->Internet Connection:

Advanced / Optional Settings

Tools->Other Settings, Advanced Tweaks and Hacks Section:

Add the line below to /jffs/configs/dnsmasq.conf.add:

proxy-dnssec

Then, bounce dnsmasq:

service restart_dnsmasq

Note: enabling DNSSEC causes the Cloudflare DoT test page to fail. So do this step after performing all validation tests:

/jffs/scripts/stubby.postconf

#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
pc_insert "  - GETDNS_TRANSPORT_TLS" "dnssec_return_status: GETDNS_EXTENSION_TRUE" $CONFIG

Then, restart stubby:

service restart_stubby

 

[Swistheater]

There are several posts in the 384.11 support thread of some settings. Here are mine:

Basic DoT Settings

WAN->Internet Connection:

View attachment 18034


Advanced / Optional Settings

Tools->Other Settings, Advanced Tweaks and Hacks Section:

View attachment 18033

Add the line below to /jffs/configs/dnsmasq.conf.add:

proxy-dnssec

Then, bounce dnsmasq:

service restart_dnsmasq

Note: enabling DNSSEC causes the Cloudflare DoT test page to fail. So do this step after performing all validation tests:

/jffs/scripts/stubby.postconf

#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
pc_insert "  - GETDNS_TRANSPORT_TLS" "dnssec_return_status: GETDNS_EXTENSION_TRUE" $CONFIG

Then, restart stubby:

service restart_stubby

note if you want to steer your TLS you can also use

this would be in /jffs/configs/stubby.yml.add

tls_min_version: GETDNS_TLS1_2
tls_cipher_list: "EECDH+AESGCM:EECDH+CHACHA20"
tls_max_version: GETDNS_TLS1_3
tls_ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"

another variation would be

tls_min_version: GETDNS_TLS1_3
tls_ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"

this will tell it to only use TLS1.3

and since we are sharing this is how I modified my stubby.yml with /jffs/scripts/stubby.postconf

#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
pc_insert "  - GETDNS_TRANSPORT_TLS" "dnssec_return_status: GETDNS_EXTENSION_TRUE" $CONFIG
pc_replace "idle_timeout: 9000" "idle_timeout: 2000" $CONFIG
pc_replace "tls_connection_retries: 2" "tls_connection_retries: 5" $CONFIG
pc_replace "timeout: 3000" "timeout: 2000" $CONFIG
pc_insert "dnssec_return_status: GETDNS_EXTENSION_TRUE" "return_both_v4_and_v6: GETDNS_EXTENSION_TRUE" $CONFIG

, but this works best for my servers--
you can modify however you like.

 

[Swistheater]

Xentrk, I feel a customization guide being created in your near future- kind of like your VPN guide.

 

[Xentrk]

note if you want to steer your TLS you can also use

this would be in /jffs/configs/stubby.yml.add

tls_min_version: GETDNS_TLS1_2
tls_cipher_list: "EECDH+AESGCM:EECDH+CHACHA20"
tls_max_version: GETDNS_TLS1_3
tls_ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"

another variation would be

tls_min_version: GETDNS_TLS1_3
tls_ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"

this will tell it to only use TLS1.3

and since we are sharing this is how I modified my stubby.yml with /jffs/scripts/stubby.postconf

#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
pc_insert "  - GETDNS_TRANSPORT_TLS" "dnssec_return_status: GETDNS_EXTENSION_TRUE" $CONFIG
pc_replace "idle_timeout: 9000" "idle_timeout: 2000" $CONFIG
pc_replace "tls_connection_retries: 2" "tls_connection_retries: 5" $CONFIG
pc_replace "timeout: 3000" "timeout: 2000" $CONFIG
pc_insert "dnssec_return_status: GETDNS_EXTENSION_TRUE" "return_both_v4_and_v6: GETDNS_EXTENSION_TRUE" $CONFIG

, but this works best for my servers--
you can modify however you like.

Thanks for sharing. I implemented the first TLS1.2/TLS1.3 hack for now and see how that goes. Have you gone with the TLS 1.3 only setting without any issues on Cloudflare?

 

[Swistheater]

Thanks for sharing. I implemented the first TLS1.2/TLS1.3 hack for now and see how that goes. Have you gone with the TLS 1.3 only setting without any issues on Cloudflare?

I have tested it and have not noticed any issues, i just see more flexibility by allowing the TLS 1.2 -- argument wouldn't be so much about the better security of TLS 1.3, but more so about how many platforms support it - I would rather be safe and have the tls 1.2 to fall back to if needed, but most of my sites show connections to tls 1.3 .

 

[Xentrk]

Xentrk, I feel a customization guide being created in your near future- kind of like your VPN guide.

Excellent idea. I'll do that.

 

[Swistheater]

this is what these forums show up as for me.

 

[Swistheater]

Excellent idea. I'll do that.

When i made my stubby.postconf , i tried to set it up to mirror most of the settings inside your scripts stubby.yml , I simply felt that it had been through the most testing and proven to show the best results with most servers.

 

[Xentrk]

When i made my stubby.postconf , i tried to set it up to mirror most of the settings inside your scripts stubby.yml , I simply felt that it had been through the most testing and proven to show the best results with most servers.

Ah! Good to know. That helps tie everything together! Most of those settings came from @john9527 stubby development work on the Fork. @john9527 was very generous in sharing testing results and configuration recommendations with me which is how the stubby installer configs came to be.

 

[luckyseven]

Hello,

All Gentoo mirrors hangs when using wget. Takes a minute or two before wget starts downloading. Downloading with Firefox works fine.

Resolving mirror.dkm.cz (mirror.dkm.cz)... 2a02:8300:8000:3::49, 86.49.49.49
Connecting to mirror.dkm.cz (mirror.dkm.cz)|2a02:8300:8000:3::49|:443...

 

[bbunge]

Ah! Good to know. That helps tie everything together! Most of those settings came from @john9527 stubby development work on the Fork. @john9527 was very generous in sharing testing results and configuration recommendations with me which is how the stubby installer configs came to be.

I, too, feel the stubby settings of the installer version work best and have modified dnsmasq and stubby.yml. Am using DNSSEC via stubby. I also went back to the original loopback and port config as I have been uncomfortable with the 127.0.1.1#53 set up by Merlin.
Still feel Cloudflare works best for me as my ISP seems to be playing routing games with Quad9 when I use DoT.

Sent from my SM-T380 using Tapatalk