Stubby-Installer-Asuswrt-Merlin

[EmeraldDeer]

It comes from this discussion when restarting Stubby interactively.
Info: Stubby 0.2.3 (latest) is on entware.

I just sent a kill -SIGTERM to my stubby process and it did go down.

 

[Xentrk]

@Xentrk or @Adamm there's a PREARGS="nohup" in the S61stubby. This runs probably in a subshell of rc.unslung.

Why is it needed?
And could it be the cause that when rc.unslung stop with services-stop runs that it not properly terminates the service and therefore causing devices not properly unmount?

I had to search thru the old posts myself to make sure. @dave14305 posted the link to the thread. In summary...

The nohup value in the S61stubby file is key to prevent stubby from being killed when you exit the shell.

 

[Blackbox]

Hey guys,

I need some advice. So I installed Stubby and changed the DNS IPs from Cloudflare in the stubby.yml file to another DNS provider (dismail.de who also supports DNS-over-TLS). However, doing a DNS check online it always shows Cloudflare as my current DNS server.

During the install I set Cache DNSSEC Authenticated Data (proxy-dnssec) to No.

Any hints on how to solve that?

 

[Xentrk]

Hey guys,

I need some advice. So I installed Stubby and changed the DNS IPs from Cloudflare in the stubby.yml file to another DNS provider (dismail.de who also supports DNS-over-TLS). However, doing a DNS check online it always shows Cloudflare as my current DNS server.

During the install I set Cache DNSSEC Authenticated Data (proxy-dnssec) to No.

Any hints on how to solve that?

You have to bounce Stubby after making the change to stubby.yml.

/opt/etc/init.d/S61stubby restart

 

[skeal]

Hey guys,

I need some advice. So I installed Stubby and changed the DNS IPs from Cloudflare in the stubby.yml file to another DNS provider (dismail.de who also supports DNS-over-TLS). However, doing a DNS check online it always shows Cloudflare as my current DNS server.

During the install I set Cache DNSSEC Authenticated Data (proxy-dnssec) to No.

Any hints on how to solve that?

Copy and paste DNS server part of the .yml here so I can see how you have it set up.

 

[Xentrk]

My VPN provider recently added support for WireGuard VPN on the gl-inet AR300M travel router which I happen to own. I flashed the new OpenWRT Beta firmware as it makes the setup a breeze compared to the current production firmware. Look what I found when looking over the menus:

That feature requires an Easy Button gif

 

[Blackbox]

You have to bounce Stubby after making the change to stubby.yml.

/opt/etc/init.d/S61stubby restart

Thanks for your reply Xntrk. After I restarted Stubby I cannot connect to the internet anymore.
Did I miss anything? I basically just changed the below DNS data with the onees that is provided here: https://dismail.de/info.html#dns

Do I also need to change my DNS settings in the router, as I am using Strict and added dhcp-option DNS 80.241.218.68?

Here is what is in my stubby.yml file:

# stubby.yml configuration file created by Xentrk
# version 1.0.0
tls_ca_file: "/rom/etc/ssl/certs/ca-certificates.crt"
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
- GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private : 1
round_robin_upstreams: 1
idle_timeout: 2000
tls_connection_retries: 5
tls_backoff_time: 900
timeout: 2000
appdata_dir: "/opt/var/cache/stubby"
listen_addresses:
- 127.0.0.1@5453
- 0::1@5453

upstream_recursive_servers:
# Cloudflare Primary IPv4
- address_data: 80.241.218.68
tls_auth_name: "fdns1.dismail.de"
# Cloudflare Secondary IPv4
- address_data: 80.241.218.68
tls_auth_name: "fdns1.dismail.de"
# Cloudflare Primary IPv6
- address_data: 2a02:c205:3001:4558::1
tls_auth_name: "fdns1.dismail.de"
# Cloudflare Secondary IPv6
- address_data: 2a02:c205:3001:4558::1
tls_auth_name: "fdns1.dismail.de"

# Tweaks for statically linked binaries
tls_min_version: GETDNS_TLS1_3
tls_ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"

 

[skeal]

The format of the DNS servers is not exactly like the original .yml and it has to or it doesn't work.

 

[Blackbox]

The format of the DNS servers is not exactly like the original .yml and it has to or it doesn't work.

Thanks skeal. What exactly do you mean, as I simply just replaced their IP addresses and tls auth name.

 

[skeal]

The spacing on the left has to be the same as the original. Yours looks great but it has to be the same spacing or tabbing before the lines of code.

 

[skeal]

Thanks skeal. What exactly do you mean, as I simply just replaced their IP addresses and tls auth name.

This is the original spacing:

upstream_recursive_servers:
# Quad 9 Secure Primary
#  - address_data: 9.9.9.9
#    tls_auth_name: "dns.quad9.net"
# Quad 9 Secure Primary
#  - address_data: 2620:fe::fe
#    tls_auth_name: "dns.quad9.net"
# Cloudflare Primary IPv4
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
# Cloudflare Secondary IPv4
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"
# Cloudflare Primary IPv6
  - address_data: 2606:4700:4700::1111
    tls_auth_name: "cloudflare-dns.com"
# Cloudflare Secondary IPv6
  - address_data: 2606:4700:4700::1001
    tls_auth_name: "cloudflare-dns.com"

Notice the space difference between the address data and the tls auth name.

 

[Blackbox]

This is the original spacing:

upstream_recursive_servers:
# Quad 9 Secure Primary
#  - address_data: 9.9.9.9
#    tls_auth_name: "dns.quad9.net"
# Quad 9 Secure Primary
#  - address_data: 2620:fe::fe
#    tls_auth_name: "dns.quad9.net"
# Cloudflare Primary IPv4
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
# Cloudflare Secondary IPv4
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"
# Cloudflare Primary IPv6
  - address_data: 2606:4700:4700::1111
    tls_auth_name: "cloudflare-dns.com"
# Cloudflare Secondary IPv6
  - address_data: 2606:4700:4700::1001
    tls_auth_name: "cloudflare-dns.com"

Notice the space difference between the address data and the tls auth name.

OK, I double checked and the spacing is exactly the same as in your example skeal and I only changed thee IP addresses with the new DNS provider:

# stubby.yml configuration file created by Xentrk
# version 1.0.0
tls_ca_file: "/rom/etc/ssl/certs/ca-certificates.crt"
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private : 1
round_robin_upstreams: 1
idle_timeout: 2000
tls_connection_retries: 5
tls_backoff_time: 900
timeout: 2000
appdata_dir: "/opt/var/cache/stubby"
listen_addresses:
  - 127.0.0.1@5453
  - 0::1@5453

upstream_recursive_servers:
# Cloudflare Primary IPv4
  - address_data: 80.241.218.68
    tls_auth_name: "fdns1.dismail.de"
# Cloudflare Secondary IPv4
  - address_data: 80.241.218.68
    tls_auth_name: "fdns1.dismail.de"
# Cloudflare Primary IPv6
  - address_data: 2a02:c205:3001:4558::1
    tls_auth_name: "fdns1.dismail.de"
# Cloudflare Secondary IPv6
  - address_data: 2a02:c205:3001:4558::1
    tls_auth_name: "fdns1.dismail.de"

# Tweaks for statically linked binaries
tls_min_version: GETDNS_TLS1_3
tls_ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"

However when I use the above code I cannot connect to the internet anymore....

 

[skeal]

OK, I double checked and the spacing is exactly the same as in your example skeal and I only changed thee IP addresses with the new DNS provider:

# stubby.yml configuration file created by Xentrk
# version 1.0.0
tls_ca_file: "/rom/etc/ssl/certs/ca-certificates.crt"
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private : 1
round_robin_upstreams: 1
idle_timeout: 2000
tls_connection_retries: 5
tls_backoff_time: 900
timeout: 2000
appdata_dir: "/opt/var/cache/stubby"
listen_addresses:
  - 127.0.0.1@5453
  - 0::1@5453

upstream_recursive_servers:
# Cloudflare Primary IPv4
  - address_data: 80.241.218.68
    tls_auth_name: "fdns1.dismail.de"
# Cloudflare Secondary IPv4
  - address_data: 80.241.218.68
    tls_auth_name: "fdns1.dismail.de"
# Cloudflare Primary IPv6
  - address_data: 2a02:c205:3001:4558::1
    tls_auth_name: "fdns1.dismail.de"
# Cloudflare Secondary IPv6
  - address_data: 2a02:c205:3001:4558::1
    tls_auth_name: "fdns1.dismail.de"

# Tweaks for statically linked binaries
tls_min_version: GETDNS_TLS1_3
tls_ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"

However when I use the above code I cannot connect to the internet anymore....

I'm starting to think your added instructions at the bottom are coming across something it doesn't like.

 

[Blackbox]

I'm starting to think your added instructions at the bottom are coming across something it doesn't like.

So you're saying I should delete this line, which is in the original file (I did not add it):

# Tweaks for statically linked binaries
tls_min_version: GETDNS_TLS1_3
tls_ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"

 

[dave14305]

OK, I double checked and the spacing is exactly the same as in your example skeal and I only changed thee IP addresses with the new DNS provider:

# stubby.yml configuration file created by Xentrk
# version 1.0.0
tls_ca_file: "/rom/etc/ssl/certs/ca-certificates.crt"
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private : 1
round_robin_upstreams: 1
idle_timeout: 2000
tls_connection_retries: 5
tls_backoff_time: 900
timeout: 2000
appdata_dir: "/opt/var/cache/stubby"
listen_addresses:
  - 127.0.0.1@5453
  - 0::1@5453

upstream_recursive_servers:
# Cloudflare Primary IPv4
  - address_data: 80.241.218.68
    tls_auth_name: "fdns1.dismail.de"
# Cloudflare Secondary IPv4
  - address_data: 80.241.218.68
    tls_auth_name: "fdns1.dismail.de"
# Cloudflare Primary IPv6
  - address_data: 2a02:c205:3001:4558::1
    tls_auth_name: "fdns1.dismail.de"
# Cloudflare Secondary IPv6
  - address_data: 2a02:c205:3001:4558::1
    tls_auth_name: "fdns1.dismail.de"

# Tweaks for statically linked binaries
tls_min_version: GETDNS_TLS1_3
tls_ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"

However when I use the above code I cannot connect to the internet anymore....

Don’t duplicate the entries if there is only one IP address provided by the provider.

 

[visortgw]

OK, I double checked and the spacing is exactly the same as in your example skeal and I only changed thee IP addresses with the new DNS provider:

# stubby.yml configuration file created by Xentrk
# version 1.0.0
tls_ca_file: "/rom/etc/ssl/certs/ca-certificates.crt"
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private : 1
round_robin_upstreams: 1
idle_timeout: 2000
tls_connection_retries: 5
tls_backoff_time: 900
timeout: 2000
appdata_dir: "/opt/var/cache/stubby"
listen_addresses:
  - 127.0.0.1@5453
  - 0::1@5453

upstream_recursive_servers:
# Cloudflare Primary IPv4
  - address_data: 80.241.218.68
    tls_auth_name: "fdns1.dismail.de"
# Cloudflare Secondary IPv4
  - address_data: 80.241.218.68
    tls_auth_name: "fdns1.dismail.de"
# Cloudflare Primary IPv6
  - address_data: 2a02:c205:3001:4558::1
    tls_auth_name: "fdns1.dismail.de"
# Cloudflare Secondary IPv6
  - address_data: 2a02:c205:3001:4558::1
    tls_auth_name: "fdns1.dismail.de"

# Tweaks for statically linked binaries
tls_min_version: GETDNS_TLS1_3
tls_ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"

However when I use the above code I cannot connect to the internet anymore....

Your provider doesn't support TLS v1.3. You need to change the tls_min_version line to reflect TLS v1.2:

tls_min_version: GETDNS_TLS1_2

 

[bbunge]

First, remove the last three lines beginning with "# Tweaks for statically linked binaries"

Restart Stubby and see if it works.
Next change round_robin_upstreams: 1 to round_robin_upstreams: 0

Change upstream_recursive_servers: to

upstream_recursive_servers:
# dismail.de IPv4
  - address_data: 80.241.218.68
    tls_auth_name: "fdns1.dismail.de"
# dismail.de IPv6
#  - address_data: 2a02:c205:3001:4558::1
#    tls_auth_name: "fdns1.dismail.de"

See: https://dismail.de/info.html#dns
Your service provider has only one IPV4 and one IPV6 DNS address. If you use IPV6 remove the pound signs in two places.

 

[dave14305]

Another variation to try:

  - address_data: 80.241.218.68
    tls_auth_name: "fdns1.dismail.de"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: MMi3E2HZr5A5GL+badqe3tzEPCB00+OmApZqJakbqUU=

 

[Blackbox]

Alrigth, it seems to work now, after I changed the tls_min_version: GETDNS_TLS1_3 to 1_2:

# stubby.yml configuration file created by Xentrk
# version 1.0.0
tls_ca_file: "/rom/etc/ssl/certs/ca-certificates.crt"
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private : 1
round_robin_upstreams: 1
idle_timeout: 2000
tls_connection_retries: 5
tls_backoff_time: 900
timeout: 2000
appdata_dir: "/opt/var/cache/stubby"
listen_addresses:
  - 127.0.0.1@5453
  - 0::1@5453

upstream_recursive_servers:
# Cloudflare IPv4
  - address_data: 80.241.218.68
    tls_auth_name: "fdns1.dismail.de"
# Cloudflare IPv6
  - address_data: 2a02:c205:3001:4558::1
    tls_auth_name: "fdns1.dismail.de"

# Tweaks for statically linked binaries
tls_min_version: GETDNS_TLS1_2
tls_ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"

Thanks everyone who helped!!!

Should I also change now round_robin_upstreams: 1 to round_robin_upstreams: 0?

Also, since the above works, would that be a better version to use:

- address_data: 80.241.218.68
    tls_auth_name: "fdns1.dismail.de"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: MMi3E2HZr5A5GL+badqe3tzEPCB00+OmApZqJakbqUU=

 

[cmkelley]

Alrigth, it seems to work now, after I changed the tls_min_version: GETDNS_TLS1_3 to 1_2:

# stubby.yml configuration file created by Xentrk
# version 1.0.0
tls_ca_file: "/rom/etc/ssl/certs/ca-certificates.crt"
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private : 1
round_robin_upstreams: 1
idle_timeout: 2000
tls_connection_retries: 5
tls_backoff_time: 900
timeout: 2000
appdata_dir: "/opt/var/cache/stubby"
listen_addresses:
  - 127.0.0.1@5453
  - 0::1@5453

upstream_recursive_servers:
# Cloudflare IPv4
  - address_data: 80.241.218.68
    tls_auth_name: "fdns1.dismail.de"
# Cloudflare IPv6
  - address_data: 2a02:c205:3001:4558::1
    tls_auth_name: "fdns1.dismail.de"

# Tweaks for statically linked binaries
tls_min_version: GETDNS_TLS1_2
tls_ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"

Thanks everyone who helped!!!

Should I also change now round_robin_upstreams: 1 to round_robin_upstreams: 0?

Also, since the above works, would that be a better version to use:

- address_data: 80.241.218.68
    tls_auth_name: "fdns1.dismail.de"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: MMi3E2HZr5A5GL+badqe3tzEPCB00+OmApZqJakbqUU=

No, the two things aren't connected. Leave it.