Stubby-Installer-Asuswrt-Merlin

[genuine]

@Xentrk hi im having problems with diversion particular when enable / restarting pixelserv stubby is stopping, blokking ads won't work in other words diversion don't work for me did you had also problems with diversion?

 

[Xentrk]

@Xentrk hi im having problems with diversion particular when enable / restarting pixelserv stubby is stopping, blokking ads won't work in other words diversion don't work for me did you had also problems with diversion?

What router and firmware version are you using?

Check the System Log for pixelserv messages for clues. Confirm you see two lines for your LAN IP and Ports 443 and 80:

pixelserv-tls[20543]: Listening on :192.168.x.2:443
pixelserv-tls[20543]: Listening on :192.168.x.2:80

If you added any additional switches to pixelserv in the Diversion menu, remove them so you default to base pixselserv settings to eliminate that being the source of the problem.

All of the test team has Diversion and Skynet installed and reported no issues. I did a test after seeing your post and stopped pixelserv-tls using the Diversion menu and Stubby was still running and passing tests. No problems to report after a start-up. I did this test six times and no issues.

Run the install_stubby.sh and select the option to uninstall. This will reboot the router. The router will now default to Cloudflare DNS 1.1.1.1 without the DNS over TLS option. Then, test bouncing pixelserv to see if you can replicate the issue.

If okay, then run the install_stubby.sh script again and choose the install option again. to make sure nothing got missed in the first installed. You can also try doing an update or reinstall of Diversion. I had to do this to fix a pixelserv error I experienced one time.

 

[genuine]

Hi just did a reinstall of diversion and it fixed my problem thx for the quick response

 

[strangeluck]

I have noticed today that I am no longer passing the DNSSEC check at https://www.cloudflare.com/ssl/encrypted-sni/

However I am still passing checks on other resolver tests such as https://cmdns.dev.dns-oarc.net/ and https://dnssec.vs.uni-due.de/ and http://en.conn.internet.nl/connection/

Though these tests seem to be taking longer than normal. Could this be a Cloudflare issue? Anyone else seeing a DNSSEC failure on the Cloudflare test page?

 

[Xentrk]

I have noticed today that I am no longer passing the DNSSEC check at https://www.cloudflare.com/ssl/encrypted-sni/

However I am still passing checks on other resolver tests such as https://cmdns.dev.dns-oarc.net/ and https://dnssec.vs.uni-due.de/ and http://en.conn.internet.nl/connection/

Though these tests seem to be taking longer than normal. Could this be a Cloudflare issue? Anyone else seeing a DNSSEC failure on the Cloudflare test page?

I still pass the test at https://www.cloudflare.com/ssl/encrypted-sni/. If you enabled DNSSEC on the router firmware, the site will report a fail for Secure DNS but a pass for DNSSEC. Run the install_stubby.sh again and retest. No need to select the uninstall option first.

 

[strangeluck]

I still pass the test at https://www.cloudflare.com/ssl/encrypted-sni/. If you enabled DNSSEC on the router firmware, the site will report a fail for Secure DNS but a pass for DNSSEC. Run the install_stubby.sh again and retest. No need to select the uninstall option first.

Thank you for checking. Rebooting the router seems to have fixed it.

DNSSEC disabled in firmware and no changes to the stubby config file. I did a reinstall but with the DNSSEC check still failing on that page, though Secure DNS continued to pass. After reboot the test is now passing again. Not sure what broke it, though I was messing around with custom QoS rules to properly classify encrypted DNS traffic so probably my fault.

 

[john9527]

On another note I've discovered that the stubby in John's fork does not use DNSSEC and I've not been able to prove it is as secure as this stubby add on.

My fork uses dnsmasq to do the dnssec validation, and I'm sure it works.
I'm experimenting now with the stubby based validation.

 

[skeal]

My fork uses dnsmasq to do the dnssec validation, and I'm sure it works.
I'm experimenting now with the stubby based validation.

Looking forward to your results @john9527

 

[john9527]

Looking forward to your results @john9527

So far, so good....the trust anchors are being automatically downloaded and all the dnssec tests are passing.
It still causes the cloudflare /help page to fail however.

 

[skeal]

So far, so good....the trust anchors are being automatically downloaded and all the dnssec tests are passing.
It still causes the cloudflare /help page to fail however.

The test site won't work, so it isn't important. If a guy can prove it out with a few commands, that works too.

 

[bbunge]

I am now able to get the "ad" flag with DNSSEC enabled on stubby using dig (both bind-dig installed with entware on the router and the Dig iOS app).

In stubby.yml add:

dnssec_return_status: GETDNS_EXTENSION_TRUE

In /jffs/dnsmasq.conf.add

server=127.0.0.1#5453
server=0::1#5453
proxy-dnssec

Set the NTP Server on the router Admin/System GUI to a time server IP address.
Restart the router or bump dnsmasq and stubby. My preliminary testing is with Cloudflare resolvers but others should work.

Test using: dig +dnssec +multi cloudflare.com

Be advised that enabling DNSSEC will break the Cloudflare tests for DoH/DoT. Rootcanary test (https://rootcanary.org/test.html) works as well as (https://dnssec.vs.uni-due.de/).

 

[Xentrk]

So far, so good....the trust anchors are being automatically downloaded and all the dnssec tests are passing.
It still causes the cloudflare /help page to fail however.

That is what I find too. Both the cloudflare help page and https://www.cloudflare.com/ssl/encrypted-sni/ (which supports DNSSEC) will report Secure DNS as not working.

I reported early in my testing that I saw trust anchors downloaded. I have not had that happen in the last four weeks of my testing. @M@rco reported the trust anchor files were downloaded using the same configuration as I. I have not been able to duplicate his success. Luckily, I saved a backup of them. Otherwise, I would not be believing it actually happened.

Here are my test results when testing different settings:

TEST 1
#tls_ca_file: "/rom/etc/ssl/certs/ca-certificates.crt"
dnssec_return_status: GETDNS_EXTENSION_FALSE
NO root anchors in /opt/var/cache/stubby
Results:
1. DNSSEC test sites work
2. Cloudflare test page works
3. https://www.cloudflare.com/ssl/encrypted-sni/
    yes - SECURE DNS
    yes - DNSSEC
4. stubby -l: STUBBY: DNSSEC Validation is OFF
   
TEST 2
tls_ca_file: "/rom/etc/ssl/certs/ca-certificates.crt"
dnssec_return_status: GETDNS_EXTENSION_TRUE
NO root anchors in /opt/var/cache/stubby
Results:
1. DNSSEC test sites DO NOT work
2. Cloudflare test page works
3. https://www.cloudflare.com/ssl/encrypted-sni/
    yes - SECURE DNS
    NO - DNSSEC
4. stubby -l: STUBBY: DNSSEC Validation is ON
   
TEST 3
#tls_ca_file: "/rom/etc/ssl/certs/ca-certificates.crt"
dnssec_return_status: GETDNS_EXTENSION_TRUE
root anchors in /opt/var/cache/stubby
Results:
1. DNSSEC test sites work
2. Cloudflare test page DOES NOT work
3. https://www.cloudflare.com/ssl/encrypted-sni/
    No - SECURE DNS
    yes - DNSSEC
4. stubby -l: STUBBY: DNSSEC Validation is OFF
   
TEST 4
tls_ca_file: "/rom/etc/ssl/certs/ca-certificates.crt"
dnssec_return_status: GETDNS_EXTENSION_FALSE
root anchor files in /opt/var/cache/stubby
Results:
1. DNSSEC test sites work
2. Cloudflare test page works
3. https://www.cloudflare.com/ssl/encrypted-sni/
    No - SECURE DNS
    yes - DNSSEC

 

[bbunge]

Update. Have been running Stubby with DNSSEC for two days with good success! I am using Cloudflare resolvers in roundrobin configuration. I have tested Quad9 and CleanBrowsing secure but have had connection issues with their resolvers. I feel confident that DoT and DNSSEC are working as intended. Yes, the Cloudflare test site does not work with this configuration. Using dig does return the ad flag.

Sent from my SM-T380 using Tapatalk

 

[skeal]

If dnssec disables the cloudflare test site, what test are you using to ensure DoT is working at the same time?

 

[skeal]

Update. Have been running Stubby with DNSSEC for two days with good success! I am using Cloudflare resolvers in roundrobin configuration. I have tested Quad9 and CleanBrowsing secure but have had connection issues with their resolvers. I feel confident that DoT and DNSSEC are working as intended. Yes, the Cloudflare test site does not work with this configuration. Using dig does return the ad flag.

Sent from my SM-T380 using Tapatalk

What are you using for settings in regard to dnssec? Is it enabled in the .yml or is it enabled in the webui?

 

[john9527]

Just as an FYI....things have been running well for me using the stubby implementation of dnssec when DoT is active. So, the next release of my fork will automatically use stubby dnssec if stubby is active, and dnsmasq dnssec when stubby is inactive.

 

[skeal]

@john9527 will placing this in the .yml work for dnssec provided by Stubby?

dnssec_return_status: GETDNS_EXTENSION_TRUE

 

[john9527]

@john9527 will placing this in the .yml work for dnssec provided by Stubby?

dnssec_return_status: GETDNS_EXTENSION_TRUE

yes....and you also need to add
proxy-dnssec
to /etc/dnsmasq.conf with an add or postconf script

 

[Jack Yaz]

yes....and you also need to add
proxy-dnssec
to /etc/dnsmasq.conf with an add or postconf script

Bit of a tangent (ish), I wonder if that's what dnscrypt needs for dnssec...

EDIT: added, so far so good (apparently i had already proxy-dnssec to my dnsmasq but not yet re-enabled dnssec validation, oops)

 

[skeal]

yes....and you also need to add
proxy-dnssec
to /etc/dnsmasq.conf with an add or postconf script

Can this be done in /jffs/configs/ ?