What's new

Stubby-Installer-Asuswrt-Merlin

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

By using Firefox trr, you are NOT USING stubby to resolve your dns queries. Everything is passed thru DOH via firefox built in resolver. That mean Diversion WILL NOT be working for you as they are intercepted by firefox. (That makes Stubby and diversion redundant.



Yes Stubby seem working with DOT but because u have firefox built in DOH, that's why you see DOH and DOT as YES.

Yes I am noticing that Diversion is not working when DOH is taking over. Thank you for pointing this!
 
Enabling DNSSEC will break the Cloudflare tests. We've been through this for some time so it is nothing new. Supposedly the only way to test if DNSSEC is working is to use dig and look for an "ad" flag (hope I have this right this time!).
To enable DNSSEC in Stubby add this line to stubby.yml:
Code:
dnssec_return_status: GETDNS_EXTENSION_TRUE

You should also add this to dnsmasq.conf.add
Code:
proxy-dnssec
server=/pool.ntp.org/1.1.1.1

As I said you can use DNSSEC in either Merlin settings or Stubby. Both work but you should have the proxy-dnssec added to dnsmasq.conf.add
 
Enabling DNSSEC will break the Cloudflare tests. We've been through this for some time so it is nothing new. Supposedly the only way to test if DNSSEC is working is to use dig and look for an "ad" flag (hope I have this right this time!).
To enable DNSSEC in Stubby add this line to stubby.yml:
Code:
dnssec_return_status: GETDNS_EXTENSION_TRUE

You should also add this to dnsmasq.conf.add
Code:
proxy-dnssec
server=/pool.ntp.org/1.1.1.1

As I said you can use DNSSEC in either Merlin settings or Stubby. Both work but you should have the proxy-dnssec added to dnsmasq.conf.add

Ah, there it is!
 
i really wish you guys would post critical fixes without
assuming the reader knows what you are talking about o_O

/opt/ent/stubby/stubby.yml

/jffs/configs/dnsmasq.conf.add
 
i really wish you guys would post critical fixes without
assuming the reader knows what you are talking about o_O

/opt/ent/stubby/stubby.yml

/jffs/configs/dnsmasq.conf.add
If you do not understand something as said then please, ask a question and wait for a follow up. Also you may want to be a little less condescending in your tone. :rolleyes:
 
dnssec_return_status: GETDNS_EXTENSION_TRUE

adding this statement to: /opt/ent/stubby/stubby.yml
leaves the cloudflare test results "may not be" inconclusive
for secure dns, while dnssec feedback remains the same.


4rUMS4J.jpg


could you explain more clearly why i would want this?
from my novice vantage point, your statement seems to
break something that may be working, while having no
actual effect on what it may have intended to improve,
or is the cloudflare test just giving us inaccurate results?
 
Last edited:
When using dnssec with stubby the tests become unreliable. You can test the situation with an Ubuntu live install using kdig. Run this command if you have that option:
Code:
$ kdig -d @1.1.1.1 +dnssec +tls-ca +tls-host=cloudflare-dns.com  example.com
If not then there is no real easy method to test this. The help site on Cloudflare test doesn't support dnssec.
 
adding this statement to: /opt/ent/stubby/stubby.yml
leaves the cloudflare test results "may not be" inconclusive
for secure dns, while dnssec feedback remains the same.


4rUMS4J.jpg


could you explain more clearly why i would want this?
from my novice vantage point, your statement seems to
break something that may be working, while having no
actual effect on what it may have intended to improve,
or is the cloudflare test just giving us inaccurate results?
That is the $64,000 question best answered by this:
https://blog.apnic.net/2018/08/17/sunrise-dns-over-tls-sunset-dnssec/

Sent from my SM-T380 using Tapatalk
 
i really wish you guys would post critical fixes without
assuming the reader knows what you are talking about o_O

/opt/ent/stubby/stubby.yml

/jffs/configs/dnsmasq.conf.add
I will review and update the Repo README.md to clarify the location of key files.
 
Merry Christmas everyone. Here is the link containing the details on the Christmas release of 1.5.0 getdns and 0.2.4 stubby.

https://getdnsapi.net/releases/getdns-1-5-0/

I have no idea when entware will be updated with the new version though. Will need to do some testing, especially with DNSSEC changes, once entware has been updated.
 
Merry Christmas everyone. Here is the link containing the details on the Christmas release of 1.5.0 getdns and 0.2.4 stubby.

https://getdnsapi.net/releases/getdns-1-5-0/

I have no idea when entware will be updated with the new version though. Will need to do some testing, especially with DNSSEC changes, once entware has been updated.
Are these new packages dependent on OpenSSL 1.1.1 or did I misread that? Might be a while from entware, unfortunately.

Regardless, looking forward to getting stubby a bit more idiot proof on the ac86 and even getting it on AMTM.
 
Merry Christmas everyone. Here is the link containing the details on the Christmas release of 1.5.0 getdns and 0.2.4 stubby.

https://getdnsapi.net/releases/getdns-1-5-0/

I have no idea when entware will be updated with the new version though. Will need to do some testing, especially with DNSSEC changes, once entware has been updated.
I think entware recently picked up getdns 1.4.2 so ac86u may now work ootb with your script
 
I think entware recently picked up getdns 1.4.2 so ac86u may now work ootb with your script
Code:
# opkg list | grep getdns
getdns - 1.4.2-2 - This package contains the getdns library (libgetdns). This package also contains the "getdns_query" command line wrapper for getdns exposing the features of this implementation (both in the official API and the additional API functions).
stubby - 0.2.3-3 - This package contains the Stubby daemon (which utilizes the getdns library).  See https://github.com/openwrt/packages/blob/master/net/stubby/files/README.md for more details.
#
 
Are these new packages dependent on OpenSSL 1.1.1 or did I misread that? Might be a while from entware, unfortunately.

Regardless, looking forward to getting stubby a bit more idiot proof on the ac86 and even getting it on AMTM.
I would think it would "just" require being statically linked against OpenSSL 1.1.1 a la pixelserve-tls. TLS 1.3 requires OpenSSL 1.1.1.
 
Just upgraded Entware via amtm:

Code:
 Continue? [1=Yes e=Exit] 1

Downloading http://bin.entware.net/aarch64-k3.10/Packages.gz
Updated list of available packages in /opt/var/opkg-lists/entware
Upgrading wget on root from 1.19.5-2 to 1.20-1a...
Downloading http://bin.entware.net/aarch64-k3.10/wget_1.20-1a_aarch64-3.10.ipk
Installing libpcre2 (10.32-1) to root...
Downloading http://bin.entware.net/aarch64-k3.10/libpcre2_10.32-1_aarch64-3.10.ipk
Upgrading zoneinfo-europe on root from 2018e-1 to 2018g-1...
Downloading http://bin.entware.net/aarch64-k3.10/zoneinfo-europe_2018g-1_aarch64-3.10.ipk
Upgrading jq on root from 1.5-2b to 1.6-1...
Downloading http://bin.entware.net/aarch64-k3.10/jq_1.6-1_aarch64-3.10.ipk
Upgrading getdns on root from 1.4.2-1a to 1.4.2-2...
Downloading http://bin.entware.net/aarch64-k3.10/getdns_1.4.2-2_aarch64-3.10.ipk
Upgrading pixelserv-tls on root from 2.1.2-1 to 2.2.0-1...
Downloading http://bin.entware.net/aarch64-k3.10/pixelserv-tls_2.2.0-1_aarch64-3.10.ipk
Upgrading zoneinfo-asia on root from 2018e-1 to 2018g-1...
Downloading http://bin.entware.net/aarch64-k3.10/zoneinfo-asia_2018g-1_aarch64-3.10.ipk
Upgrading oniguruma on root from 6.8.2-1 to 6.9.1-1...
Downloading http://bin.entware.net/aarch64-k3.10/oniguruma_6.9.1-1_aarch64-3.10.ipk
Upgrading sqlite3-cli on root from 3230100-1 to 3250300-1...
Downloading http://bin.entware.net/aarch64-k3.10/sqlite3-cli_3250300-1_aarch64-3.10.ipk
Upgrading libpng on root from 1.6.34-1 to 1.6.35-1...
Downloading http://bin.entware.net/aarch64-k3.10/libpng_1.6.35-1_aarch64-3.10.ipk
Removing obsolete file /opt/lib/libpng16.so.16.34.0.
Upgrading stubby on root from 0.2.3-1 to 0.2.3-3...
Downloading http://bin.entware.net/aarch64-k3.10/stubby_0.2.3-3_aarch64-3.10.ipk
Upgrading libsqlite3 on root from 3230100-1 to 3250300-1...
Downloading http://bin.entware.net/aarch64-k3.10/libsqlite3_3250300-1_aarch64-3.10.ipk
Upgrading libopenssl on root from 1.0.2p-1 to 1.0.2p-1a...
 amtm 1.5                by thelonelycoder
 The SNBForum Asuswrt-Merlin Terminal Menu
 
then when I try to see if Stubby is working well I get:

Code:
@RT-AC86U-99A8:/tmp/home/root# getdns_query -s @127.0.0.1 github.com
Killed

then:

Code:
@RT-AC86U-99A8:/tmp/home/root# stubby -l
[02:31:57.015200] STUBBY: Read config from file /opt/etc/stubby/stubby.yml
[02:31:57.016103] STUBBY: DNSSEC Validation is OFF
[02:31:57.016234] STUBBY: Transport list is:
[02:31:57.016349] STUBBY:   - TLS
[02:31:57.016465] STUBBY: Privacy Usage Profile is Strict (Authentication required)
[02:31:57.016584] STUBBY: (NOTE a Strict Profile only applies when TLS is the ONLY t
[02:31:57.016675] STUBBY: Starting DAEMON....
[02:32:00.015595] STUBBY: 1.1.1.1                                  : Conn opened: TL
[02:32:00.108157] STUBBY: 1.1.1.1                                  : Verify passed :
Killed

anything that I need to modify as result of this upgrade?
 
Of note, I did not reboot the router after upgrading Entware...I wonder if I should do this and rerun these commands again.
 

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top