Stubby-Installer-Asuswrt-Merlin

[Xentrk]

I did that. Also changed the DNS server address (router IP) on PC. Now my DNS resolved to Cloudflare on DNS Leak Test. Neflix-VPN-Bypass also works. Passed the DNSSEC Resolver Test. On Cloudflare SNI Checker, Encrypted SNI failed. Used Firefox Nightly with Encrypted SNI enabled. Is there a way to forced other gadgets on network to use Cloudflare DNS without manually changing it on each device?

As you discovered, Encrypted SNI settings need to made in the Firefox browser. Nothing to do with Stubby. For the benefit of others, please see:

https://blog.mozilla.org/security/2018/10/18/encrypted-sni-comes-to-firefox-nightly/

Blocking Client DNS requests
A client device with DNS configured will override the DNS configured on the router. To override client DNS settings and force all LAN clients to use Stubby, enter the following commands in an SSH session.

   iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to "$(nvram get lan_ipaddr)"
   iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to "$(nvram get lan_ipaddr)"

Add the commands to /jffs/scripts/firewall-start in order for the rules to be applied upon a restart.

 

[dave14305]

Add the commands to /jffs/scripts/firewall-start in order for the rules to be applied upon a restart.

Since everyone running your script is also using Merlin, you could also just enable DNSFilter and set the Global mode to “Router” to get the same effect.

 

[Butterfly Bones]

Blocking Client DNS requests
A client device with DNS configured will override the DNS configured on the router. To override client DNS settings and force all LAN clients to use Stubby, enter the following commands in an SSH session.

   iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to "$(nvram get lan_ipaddr)"
   iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to "$(nvram get lan_ipaddr)"

Add the commands to /jffs/scripts/firewall-start in order for the rules to be applied upon a restart.

Thanks for this.

@Adamm Will this conflict with Skynet, with or without Stubby? Is it a feature worth adding to Skynet, even for those who may not run Stubby?

 

[Xentrk]

Since everyone running your script is also using Merlin, you could also just enable DNSFilter and set the Global mode to “Router” to get the same effect.

This may have a negative impact if one uses Diversion though.

DNS Filter was incompatible with AB-Solution, the predecessor of Diversion. I confirmed this in my own testing on AB-Solution. But have not tested it on Diversion though. @thelonelycoder can confirm. May be good to note this on the Diversion FAQ page https://diversion.ch/faq-reader/diversion-is-installed-and-i-still-see-ads.html if it still holds true.

 

[Blackbox]

Hey guys,
Just one question regarding caching DNSSEC Authenticated Data.
What does it mean during the install of Stubby and is it recommended to cache DNSSEC Authenticated Data (proxy-dnssec)?

 

[Xentrk]

Thanks for this.

@Adamm Will this conflict with Skynet, with or without Stubby? Is it a feature worth adding to Skynet, even for those who may not run Stubby?

No one has reported an issue so far. All of the beta testers also had Skynet installed.

 

[Xentrk]

Hey guys,
Just one question regarding caching DNSSEC Authenticated Data.
What does it mean during the install of Stubby and is it recommended to cache DNSSEC Authenticated Data (proxy-dnssec)?

From http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html

--proxy-dnssec
Copy the DNSSEC Authenticated Data bit from upstream servers to downstream clients and cache it. This is an alternative to having dnsmasq validate DNSSEC, but it depends on the security of the network between dnsmasq and the upstream servers, and the trustworthiness of the upstream servers.

 

[Butterfly Bones]

No one has reported an issue so far. All of the beta testers also had Skynet installed.

I meant by adding the above iptables commands to firewall-start, since mine only has one line to start Skynet, and with Skynet updates it may get removed or cause errors in starting Skynet. Since I am a total retard with scripting, I just want to be careful, since I have seen Adamm and thelonelycoder caution again making changes with any jffs scripts that call their utilities.

 

[dave14305]

This may have a negative impact if one uses Diversion though.

DNS Filter was incompatible with AB-Solution, the predecessor of Diversion. I confirmed this in my own testing on AB-Solution. But have not tested it on Diversion though. @thelonelycoder can confirm. May be a good to note this on the Diversion FAQ page https://diversion.ch/faq-reader/diversion-is-installed-and-i-still-see-ads.html if it still holds true.

I use DNSFilter to ensure every device on my LAN uses the router DNS IP and therefore gets protected by Diversion. If you use DNSFilter with any external DNS server, then I agree it would bypass Diversion.

Here’s a snippet of the iptables from DNSFilter on my router:

iptables -t nat -S | grep DNS
-N DNSFILTER
-A PREROUTING -s 192.168.1.0/24 -p udp -m udp --dport 53 -j DNSFILTER
-A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 53 -j DNSFILTER
-A DNSFILTER -j DNAT --to-destination 192.168.1.1

Look familiar?

 

[cmkelley]

Blocking Client DNS requests
A client device with DNS configured will override the DNS configured on the router. To override client DNS settings and force all LAN clients to use Stubby, enter the following commands in an SSH session.

   iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to "$(nvram get lan_ipaddr)"
   iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to "$(nvram get lan_ipaddr)"

Add the commands to /jffs/scripts/firewall-start in order for the rules to be applied upon a restart.

Query: Based on the descriptions of the scripts here, why firewall-start and not nat-start? I'm ignorant about iptables, I'm just curious.

And given the output:

# iptables -t nat -S
-- snip, snip --
-A PREROUTING -p udp -m udp --dport 53 -j YazFiDNSFILTER
-A PREROUTING -p tcp -m tcp --dport 53 -j YazFiDNSFILTER
-A PREROUTING -i br0 -p udp -m udp --dport 53 -j DNAT --to-destination RO.UT.ER.IP
-A PREROUTING -i br0 -p tcp -m tcp --dport 53 -j DNAT --to-destination RO.UT.ER.IP
-- snip, snip --

Is this going to cause problems with YazFi??

 

[Blackbox]

From http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html

Thanks Xntrk, so is it recommended or not?

 

[Xentrk]

Query: Based on the descriptions of the scripts here, why firewall-start and not nat-start? I'm ignorant about iptables, I'm just curious.

And given the output:

# iptables -t nat -S
-- snip, snip --
-A PREROUTING -p udp -m udp --dport 53 -j YazFiDNSFILTER
-A PREROUTING -p tcp -m tcp --dport 53 -j YazFiDNSFILTER
-A PREROUTING -i br0 -p udp -m udp --dport 53 -j DNAT --to-destination RO.UT.ER.IP
-A PREROUTING -i br0 -p tcp -m tcp --dport 53 -j DNAT --to-destination RO.UT.ER.IP
-- snip, snip --

Is this going to cause problems with YazFi??

Good question and I am open to making a change if there is a good reason. I knew from previous experience that that nat-start gets called during OpenVPN Client up and down events. I have some custom scripts called from nat-start that perform selective routing for that reason. I felt placing it in nat-start would cause the iptables commands to be run unnecessarily during these types of events. If placed in nat-start, then adding the -D lines before the -A lines would be recommended.

iptables -t nat -D PREROUTING -i br0 -p udp --dport 53 -j DNAT --to "$(nvram get lan_ipaddr)"
iptables -t nat -D PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to "$(nvram get lan_ipaddr)"

iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to "$(nvram get lan_ipaddr)"
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to "$(nvram get lan_ipaddr)"

The command to list the rule chain in iptables is:

iptables -nvL PREROUTING -t nat --line

Good question though and interesting to have the community chime in on where the commands should be be called from.

 

[Xentrk]

Thanks Xntrk, so is it recommended or not?

Hi @Blackbox,
I recommend enabling it. Caching should improve performance. I based the settings on some tutorials on the OpenWRT forums and they also suggest using it. But I did forget to add it in the early release as we were focusing on some other issues. No one has reported issues with it since it has been added to the installer script.

 

[skeal]

I meant by adding the above iptables commands to firewall-start, since mine only has one line to start Skynet, and with Skynet updates it may get removed or cause errors in starting Skynet. Since I am a total retard with scripting, I just want to be careful, since I have seen Adamm and thelonelycoder caution again making changes with any jffs scripts that call their utilities.

I created a nat-start script and added this to it. It only gets executed once so you don't see it forwarded twice like if you do it in firewall-start. And it survives firewall-start and other kinds of starts.

 

[skeal]

Good question and I am open to making a change if there is a good reason. I knew from previous experience that that nat-start gets called during OpenVPN Client up and down events. I have some custom scripts called from nat-start that perform selective routing for that reason. I felt placing it in nat-start would cause the iptables commands to be run unnecessarily during these types of events. If placed in nat-start, then adding the -D lines before the -A lines would be recommended.

iptables -t nat -D PREROUTING -i br0 -p udp --dport 53 -j DNAT --to "$(nvram get lan_ipaddr)"
iptables -t nat -D PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to "$(nvram get lan_ipaddr)"

iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to "$(nvram get lan_ipaddr)"
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to "$(nvram get lan_ipaddr)"

The command to list the rule chain in iptables is:

iptables -nvL PREROUTING -t nat --line

Good question though and interesting to have the community chime in on where the commands should be be called from.

I use nat-start with only the two entries. I haven't seen it erased from port forward log, ever.

 

[Butterfly Bones]

I created a nat-start script and added this to it. It only gets executed once so you don't see it forwarded twice like if you do it in firewall-start. And it survives firewall-start and other kinds of starts.

Does this need a shebang or no, since not a script to run?

 

[skeal]

Does this need a shebang or no, since not a script to run?

I use this as my nat-start script. It has to executable so, I'm guessing it needs the shebang I have.

#!/bin/sh
# Force Client DNS requests to use Stubby
logger "Please wait while all DNS is forced through Stubby."
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to "$(nvram get lan_ipaddr)"
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to "$(nvram get lan_ipaddr)"
logger "Forced DNS routing through Stubby complete."

 

[thelonelycoder]

I meant by adding the above iptables commands to firewall-start, since mine only has one line to start Skynet, and with Skynet updates it may get removed or cause errors in starting Skynet. Since I am a total retard with scripting, I just want to be careful, since I have seen Adamm and thelonelycoder caution again making changes with any jffs scripts that call their utilities.

We care about the proper workings of our scripts and services we offer. Many coders do on this board.
To make them all work nicely together in the files written to /jffs/ we follow a simple rule: Only add one line to the file and add a comment to it who created it. These one-liner(s) may then source a separate file to run code or run it directly in that one line.

Installing or removing our scripts is then a simple matter of looking if the line is there or not and acting accordingly.

When adding your own lines to the /jffs/ file(s) we ask you not to alter our line and be aware of the order of execution (top down).

 

[thelonelycoder]

Does this need a shebang or no, since not a script to run?

Files in /jffs/scripts need a shebang and have the executable bit set. Those in /jffs/configs don't need those.
Both need to be saved with Unix type End of line (EOL).

 

[thelonelycoder]

This may have a negative impact if one uses Diversion though.

DNS Filter was incompatible with AB-Solution, the predecessor of Diversion. I confirmed this in my own testing on AB-Solution. But have not tested it on Diversion though. @thelonelycoder can confirm. May be good to note this on the Diversion FAQ page https://diversion.ch/faq-reader/diversion-is-installed-and-i-still-see-ads.html if it still holds true.

Setting the Global Filter mode to "Router" and leaving the Custom (user-defined) DNS* fields blank works with Diversion just fine as it forces clients to use the routers Dnsmasq to resolve domains. Dnsmasq is the centerpiece of Diversion ad-blocking.

When adding Custom (user-defined) DNS* and assigning Clients in the list below to it, those clients may circumvent Diversion. This is how one can exclude clients from the services Diversion offers, as explained here.