Stubby-Installer-Asuswrt-Merlin

[Xentrk]

I tested John's latest release overnight and it worked very well with Stubby and DNSSEC enabled. The ability to make changes to upstream resolvers in the GUI is great for the average user.
I decided to go back to Merlin 384.7_2 with the Entware Stubby add on because of a couple of "extras" that are included in the firmware.
I also wanted to try a different location for the trust anchors. The default location is on the USB drive which is not really a fast read/write. I had mentioned a while back that I tested using the /jffs to store the trust anchors and got loads of grief about wearing out the NAND. Thinking about where elst that is fast I decided to try the /dev/shm as in most Linux distros this is tmpfs or, for the old guys, RAM drive. Asus probably does not have a lot of space there to use but with three files of 7KB total it should work. And it does quite well.
In the stubby.yml change to:

appdata_dir: "/dev/shm"

Some of you will quickly point out that tmpfs is wiped on restart and those three files will be lost forever. So what? Stubby will download fresh trust anchors the first time a DNS request is made.
Oh, I have set the NTP Server to an IP address of a time server.
Am also successfully using the CleanBrowsing Security resolvers.

If you do not specify an appdata_dir, getdns creates a folder in ${HOME}/.getdns/. If you want to try the default folder location, you can comment out or remove the appdata_dir setting in stubby.yml and restart. Then, use the stubby -i command to verify the location.

 

[heysoundude]

@Xentrk has anyone asked if this script will be included in @thelonelycoder 's amtm and Diversion as another option at some future point?

 

[Zastoff]

@Xentrk has anyone asked if this script will be included in @thelonelycoder 's amtm and Diversion as another option at some future point?

Stubby-Installer-Asuswrt-Merlin

 

[genuine]

Notice another problem but i don't know if anyone have noticed it
But when enable esni so the network.security.esni.enabled and network.trr.mode = 2 in firefox diversion won't block any ads anymore so i don't know if this an issue for diversion or stubby

 

[skeal]

Notice another problem but i don't know if anyone have noticed it
But when enable esni so the network.security.esni.enabled and network.trr.mode = 2 in firefox diversion won't block any ads anymore so i don't know if this an issue for diversion or stubby

Basically you are seeing the limitations of using cloudflare services ONLY. Don't get me wrong, this is secure but without local resolution (Your Router IP Here) then no Diversion. Diversion uses a IP from your router to run pixelserv-tls for instance. Your browser is high jacking the connection, sort of.

 

[genuine]

Nope seems like i have this behavior only for andriod
Just test it no problem for my debian and on windows 10 works fine you can see the dns are blocked but in android nope

 

[skeal]

Nope seems like i have this behavior only for andriod

Your issue is with Firefox not Diversion or Stubby.

Edit: I have the same issue using FireFox Nightly.

 

[genuine]

Windows 10 nightly ok
Debian beta ok
Test it android beta and nightly no luck After testing it's indeed nothing to do with diversion or stubby but wtf it's giving me the nerves first it was working than suddenly not.
Think the main problem esni is still in early fase

 

[consorts]

is my use of stubby why tracert no longer shows all hops - if so, can someone explain why, thanks.

C:\Users>tracert finance.yahoo.com
Tracing route to oob-fo-finance-router.g03.yahoodns.net [74.6.144.139] over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms mydevice.mydomain [192.168.1.1]
2 19 ms 2 ms 9 ms media-router1.prod.media.vip.bf1.yahoo.com [74.6.144.139]
Trace complete.
C:\Users>

 

[genuine]

your problem is not related with stubby particular because it's encrypting not blocking traffic seems your problems is somewhere else
but yeah for that you need more information like what is installed and so to eliminate your problem

 

[kvic]

As a science project, I think an installation script is very good exercise and help people in need (I haven't looked at the scripting code).

But a script like this should not be an encouragement... for people to try DoT nor DoH IMHO. Both technologies at the moment slow down your DNS queries..

I would think people should be made aware that you only need them perhaps your ISP is caught spying or cheating DNS..

 

[genuine]

Sorry but how can you declare that! there are some people that are IT professionals out there....
Slowing down 1/100000 ms you must be joking.
You can say for business or personal way don't use VPN or Firewall, checkpoints , Antivirus well heck turn it all off it slows down.
People should know that ISP setup dns servers at low cost and no Security that is what you need to tell them.
I can only encourage people looking for more security because i'm a part of the furniture in the hackers/ pentester community.
If you writing this you really need to learn more "as a science project" about your thinking beeeeeeep your wrong.
And why use Xentrk script what is nothing wrong with it but doing yourself as a science project ) and learn something.
Perhaps you are living in China , there is everything what concerns internet F***up there you need a life boat.

 

[bbunge]

As a science project, I think an installation script is very good exercise and help people in need (I haven't looked at the scripting code).

But a script like this should not be an encouragement... for people to try DoT nor DoH IMHO. Both technologies at the moment slow down your DNS queries..

I would think people should be made aware that you only need them perhaps your ISP is caught spying or cheating DNS..

Science project? Four of us went through that for several weeks with this Stubby install. And as with most evolving technology projects there will be changes that improve the process. I have had my share of issues especially testing different resolvers (Cloudflare works best for me). Install scripts do work well for most folks who do not play with computers.

Sent from my SM-T380 using Tapatalk

 

[skeal]

As a science project, I think an installation script is very good exercise and help people in need (I haven't looked at the scripting code).

But a script like this should not be an encouragement... for people to try DoT nor DoH IMHO. Both technologies at the moment slow down your DNS queries..

I would think people should be made aware that you only need them perhaps your ISP is caught spying or cheating DNS..

This may be a little"pot calling the kettle black" syndrome. @kvic don't you have science project on this forum? I believe pixelserv right?

 

[kvic]

The responses were a bit overwhelming. Two people being picky on my use of "science project". I thought that is a positive term on this forum. Perhaps not then I'll take it back and apologise.

Look.. if people think I'm trying to demote Xentrak's effort on doing projects, I think you guys miss the boat and pick the wrong fight..

My intention was to give out awareness of the need of running DoT/DoH.

 

[RMerlin]

My intention was to give out awareness of the need of running DoT/DoH.

I'd say the same applies (to a lesser degree) to anyone using one of the numerous filtering DNS services such as OpenDNS. A lot of these will break CDNs to various levels, depending whether or not they support EDNS (if I remember correctly, Cloudflare is one that does NOT support EDNS). They will always bypass any local ISP cache, which for services like Netflix or Youtube can provide a significant performance degradation in some cases.

It's a compromise, based on one's needs: performance versus security.

 

[bbunge]

My intention was to give out awareness of the need of running DoT/DoH.

Good point! Yes, we took your use of science project as meaning this was still in the experiment phase. Well, in some respects everything computer security is in an experiment phase as those who would harm us are ever aggressive to defeat the security measure we've just put in place.The enemy is always on guard!

On my wish list for Stubby is a stand alone install that does not need Entware and will install to the /jffs as DNSCRYPT does.

“Always pass on what you have learned.” ... Yoda

 

[kvic]

A "science project" to me is akin to "research project" that an individual or a team discovering something new and perhaps even unique. So it carries a sense of scarcity, innovation, uniqueness, edge tech, etc. That doesn't seem to be shared by everyone but let's not digress into it further.

In addition to Merlin's comments, I would add below for the moment.

As I've mentioned to some ppl off the board, practically DoT/DoH provides security in the last mile. For users, that's your ISP. So if your ISP is not evasdropping DNS queries, the need and benefit of deploying a heavy armour for protection is little and sometimes counter productive.

Performance wise. A couple of areas: UDP vs TCP, on top of that TLS for both DoT/DoH and network latency to DNS server.

Users usually have the smallest network latency to their ISP's DNS servers. When your last mile is clean, as someone on the forum used to say using your ISP's DNS servers are actually the best performing.

DNS commonly talks over UDP that's very fast. Don't doubt about it for a moment. The web will be moving to UDP for everything! TCP is slower in comparison. TLS adds additional bulk of delays. TLS 1.3 helps a bit. I have doubt that Stubby/Dnscrypt-Proxy is making good use of it already. Even it does in future it would still be slower than UDP.

In a nutshell, if people don't have reason to think their last mile is hostile, I don't see the need for DoT/DoH. DNSSEC on the other hand helps but its slow rate of adopt says that DNS safety is still pretty good since its old days.

 

[RMerlin]

I ran into that interesting thread earlier today (pure coincidence):

https://mobile.twitter.com/PowerDNS_Bert/status/1064290946731384832

His measurements do confirm that DoH is horribly inefficient whenever either the client or the server has a broken implementation. Tons of overhead.

Would love to see how DoT compares to DoH in that area.

 

[rgnldo]

DoH or DoT are used by external servers of large enterprise networks. The ideal solution is to build a solution with encrypted local DNS resolution.