Stubby-Installer-Asuswrt-Merlin

Review the reasoning behind this starting from this post: https://www.snbforums.com/threads/stubby-installer-asuswrt-merlin.49469/page-58#post-471829

There is still a debate about this and as far as I know there is no verdict on what should be the best way to enable DNSSEC (through current Stubby installation and no GUI DNSSEC vs. adding a DNSSEC line in stubby.yml or enabling DNSSEC in GUI). The latter option will give you a result on 1.1.1.1/help that is different from what you see if you go with the first option (or current install method in AMTM).

I am simply still experimenting with @bbunge's and @skeal's ideas at this time, that's all.
Stubby does not do DNSSEC out of the box. DNSSEC must be enabled in the stubby.yml or in the GUI. As I have stated on several occasions, either works, neither is preferred. But use only one and choose wisely!
Testing if DNSSEC works can be a pain.
So, if you have problems just use DoH. My testing on my rig with Quad9 resolvers has issues with DNSSEC. Cloudflare is ok.

Sent from my SM-T380 using Tapatalk
 
Odd, I guess I don't understand something?

I have the newest Stubby installed - Stubby DNS v1.1.1
It has been running fine with all entware updates on my AC86U.
Code:
user@RT-AC86U-1234:/tmp/home/root# opkg list-installed
getdns - 1.5.1-tls1.3
haveged - 1.9.4-1
libopenssl - 1.1.1a-2
stubby - 0.2.5-1

I notice in this post above it shows version number:
Code:
getdns - 1.5.1-tls1.3

I'm up to date but show version:
Code:
getdns - 1.5.1-1

Should I enable tls1.3 somewhere or am I good with what I have? Is it the different router I have or something else?
 
My guess is different routers. Mine is an AC86U using different chips and I think Entware repos. I'm not that much of an expert on these things, I had an N66U over 5 years ago, and I think it is different from your model AC66_B1. Maybe someone with more knowledge on hardware differences will know.
 
If you have run the Stubby 1.1.1 installer, TLS 1.3 was enabled via the last two lines in stubby.yml.

Sent from my SM-T380 using Tapatalk
 
I think it is you who has the correct version "getdns - 1.5.1-1" from Entware and it is we who still have "getdns - 1.5.1-tls1.3" which is the custom static build which has not been replaced by upgrading Stubby versions.
Code:
# opkg list | grep getdns
getdns - 1.5.1-1 - This package contains the getdns library (libgetdns). This package also contains the "getdns_query" command line wrapper for getdns exposing the features of this implementation (both in the official API and the additional API functions).
getdns - 1.5.1-tls1.3
stubby - 0.2.5-1 - This package contains the Stubby daemon (which utilizes the getdns library).  See https://github.com/openwrt/packages/blob/master/net/stubby/files/README.md for more details.

# opkg info getdns
Package: getdns
Version: 1.5.1-1
Depends: libc, libssp, librt, libpthread, libopenssl
Status: unknown ok not-installed
Section: libs
Architecture: aarch64-3.10
Size: 393042
Filename: getdns_1.5.1-1_aarch64-3.10.ipk
Description: This package contains the getdns library (libgetdns).
 This package also contains the "getdns_query" command line wrapper for getdns exposing the features of this implementation (both in the official API and the additional API functions).

Package: getdns
Version: 1.5.1-tls1.3
Depends: libc, libssp, librt, libpthread, libopenssl
Status: install user installed
Architecture: aarch64-3.10
Installed-Time: 1553304436

# opkg files getdns
Package getdns (1.5.1-tls1.3) is installed on root and has the following files:
/opt/sbin/getdns_query
/opt/lib/libgetdns.so.10.1.1
/opt/lib/libgetdns.so.10

# ls -la /opt/sbin/getdns_query /opt/lib/libgetdns.so.10.1.1 /opt/lib/libgetdns.so.10
-rw-r--r--    1 HdB34266 root       2813616 Dec 22 14:44 /opt/lib/libgetdns.so.10
-rw-r--r--    1 HdB34266 root       2813616 Dec 22 14:44 /opt/lib/libgetdns.so.10.1.1
-rwxr-xr-x    1 HdB34266 root         47032 Dec 22 14:44 /opt/sbin/getdns_query
 
Thank you both for the clarification. I had run stubby installer 1.1.1, hence the difference.
 
The new GnuTLS, bugfix and maintenance version 1.5.2 of getdns was released on 2-April. This release has experimental support for GnuTLS >= 3.5.0 as replacement for OpenSSL. This release has the 0.2.6 release of Stubby included, with updates to documentation and fixes for the Windows build. Will need to wait for the entware team to make the updates to the package list.
 
Hi, I installed Stubby last night with default config on a freshly updated/reset router (rt-ac86u 384.10_2 merlin) and found the following problem:
Code:
May  5 06:05:47 RT-AC86U inadyn[1950]: Failed resolving hostname xxxx.asuscomm.com: Temporary failure in name resolution
May  5 06:05:47 RT-AC86U inadyn[1950]: Update forced for alias xxxx.asuscomm.com, new IP# 62.68.181.149
May  5 06:05:47 RT-AC86U inadyn[1950]: Failed resolving hostname nwsrv-ns1.asus.com: Temporary failure in name resolution
Asus DDNS fails to update after a system reboot (the same after 4 reboots).
But the network map shows DDNS fine.
Checking the /tmp/inadyn.cache folder, it shows empty.
If I force a DDNS update after reboot, it updates properly.
I came across this issue weeks ago in another firmware version, but I did not have the time to investigate as I was having other issues.
Once I remove Stubby, DDNS updates as it should at reboot.
It looks like the router is unable to resolve the DDNS update address at boot with Stubby installed.
Your thoughts please.
 
Asus DDNS working well here with Stubby. Check your Administration-System, Basic Config and disable (uncheck) both values next to Network Monitoring.
Make sure you are using the latest Stubby Installer - Version 1.1.1
 
Did that, yes v1.1.1. No internet after reboot for over 10 minutes; had to change DNS settings in the WAN page to acquire internet, as Stubby refuses to launch because of the lockfile.
Gonna test this more this weekend.
Thanks.
 
I had to delete /tmp/mnt/ent/entware/var/run/stubby.pid to get stubby started after a reinstallation.
 
I'm having a similar issue. Once my 86u restarts it takes a while to get an internet connection giving routing errors in the logs and doesn't update the DDNS with the new IP address.
 
I ran the following validation test in Stubby today and I see my IP address under the server info. I was under the impression that Stubby was using 127.0.0.1 instead.

Code:
RT-AX88U-29F0:/tmp/home/root# drill github.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 26730
;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; github.com.  IN      A

;; ANSWER SECTION:
github.com.     55      IN      A       192.30.253.112
github.com.     55      IN      A       192.30.253.113

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 147 msec
;; EDNS: version 0; flags: ; udp: 1452
;; SERVER: 192.168.50.1
;; WHEN: Sat Apr  6 16:24:21 2019
;; MSG SIZE  rcvd: 91

compared to what's on Stubby's Github page:

upload_2019-4-6_16-27-46.png


Then I ran:

Code:
7@RT-AX88U-29F0:/tmp/home/root# nslookup github.com
Server:    192.168.50.1
Address 1: 192.168.50.1 router.asus.com

Name:      github.com
Address 1: 192.30.253.112 lb-192-30-253-112-iad.github.com
Address 2: 192.30.253.113 lb-192-30-253-113-iad.github.com

and again I compared with the output of example given on Github:

upload_2019-4-6_16-30-17.png


I already have server=127.0.0.1#5453 and server=0::1#5453 in my /jffs/configs/dnsmasq.conf.add

However, I don't have "no-resolve" in either /tmp/dnsmasq.conf or /jffs/configs/dnsmasq.conf.add. I was under the impression that Stubby would add to /jffs/configs/dnsmasq.conf.add if it did not exist in /tmp/dnsmasq.conf.

Is this expected behavior or do I need to tweak my settings?

I uninstalled Stubby and reinstalled it again without making any changes. Ran the above validation steps and I am still getting my IP showing under my server instead of 127.0.0.1.

Am I doing something wrong here?
 
I have same router as you with Stubby.
Code:
RT-AX88U-9B20:/tmp/home/root# nslookup github.com
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      github.com
Address 1: 192.30.253.112 lb-192-30-253-112-iad.github.com
Address 2: 192.30.253.113 lb-192-30-253-113-iad.github.com
 
I don't have this file. /tmp/dnsmasq.conf but I do have /tmp/etc/dnsmasq.conf and yes it has no-resolve.
 
This is interesting indeed.....not sure why my IP is being picked instead.

I don't have "no-resolv" in my /tmp/dnsmasq.conf either but again it is not on /jffs/configs/dnsmasq.conf.add as this says:

upload_2019-4-6_16-48-30.png
 
Something is not right.
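
The dnsmasq-side check discussed in the posts above, as an added example that is not part of any post in this thread: the `SERVER:` line in `drill`/`nslookup` only shows which resolver the client asked, while what dnsmasq forwards to is decided by its config. The script checks the given config files for the `server=127.0.0.1#5453` / `server=0::1#5453` lines quoted in the thread, for `no-resolv`, and for any other upstream; the function name and return codes are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): check that dnsmasq forwards only to Stubby.
# Port 5453 and the loopback server= lines are the ones quoted in the thread;
# the function name and return codes are assumptions of this example.
STUBBY_PORT=5453

# audit_dnsmasq_stubby FILE...
#   0 = Stubby is the only upstream and no-resolv is set
#   1 = no server= line points at Stubby on loopback
#   2 = Stubby is listed, but plaintext resolvers can still be used
audit_dnsmasq_stubby() {
    pat="server=(127\.0\.0\.1|0?::1)#$STUBBY_PORT"
    # Merge the files, drop CRs, trim whitespace, skip comment lines.
    conf=$(cat "$@" 2>/dev/null | tr -d '\r' |
           sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^#' || true)
    if ! printf '%s\n' "$conf" | grep -Eqx "$pat"; then
        echo "FAIL: no server= line for Stubby on loopback port $STUBBY_PORT"
        return 1
    fi
    rc=0
    if ! printf '%s\n' "$conf" | grep -qx 'no-resolv'; then
        echo "WARN: no-resolv missing; resolvers from the resolv file are still queried"
        rc=2
    fi
    # Any other server= line is an upstream that bypasses Stubby.
    extra=$(printf '%s\n' "$conf" | grep '^server=' | grep -Evx "$pat" || true)
    if [ -n "$extra" ]; then
        echo "WARN: upstream(s) outside Stubby:"; echo "$extra"
        rc=2
    fi
    [ "$rc" -ne 0 ] || echo "OK: all upstream queries go to Stubby"
    return "$rc"
}

# Constructed sample: the two lines the poster reports in dnsmasq.conf.add,
# with no no-resolv anywhere (the situation described in the thread).
demo() {
    d=$(mktemp -d) || return 1
    printf 'server=127.0.0.1#5453\nserver=0::1#5453\n' > "$d/dnsmasq.conf.add"
    audit_dnsmasq_stubby "$d/dnsmasq.conf.add"; r=$?
    rm -rf "$d"
    return "$r"
}

# On the router: sh audit.sh /tmp/etc/dnsmasq.conf /jffs/configs/dnsmasq.conf.add
if [ "$#" -gt 0 ]; then audit_dnsmasq_stubby "$@"; fi
```

Pass both the generated config and the `.add` file in one call, since `no-resolv` and the `server=` lines may live in different files.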
 
