Stubby-Installer-Asuswrt-Merlin


Hello,

All Gentoo mirrors hang when using wget. Takes a minute or two before wget starts downloading. Downloading with Firefox works fine.

Code:
Resolving mirror.dkm.cz (mirror.dkm.cz)... 2a02:8300:8000:3::49, 86.49.49.49
Connecting to mirror.dkm.cz (mirror.dkm.cz)|2a02:8300:8000:3::49|:443...
Would assume you are using Stubby DoT? Do you have IPV6 resolvers set in Stubby? Keep in mind some IPV4 DNS resolvers do not like to resolve IPV6 addresses.

Sent from my SM-T380 using Tapatalk
 
I, too, feel the stubby settings of the installer version work best and have modified dnsmasq and stubby.yml. Am using DNSSEC via stubby. I also went back to the original loopback and port config as I have been uncomfortable with the 127.0.1.1#53 set up by Merlin.
Still feel Cloudflare works best for me as my ISP seems to be playing routing games with Quad9 when I use DoT.

Sent from my SM-T380 using Tapatalk
I feel you about the ISP games... I am using cloudflare for base DNS as well. I added the extra listening address that I want, but I also have it setup to use the 127.0.1.1 feature.
 
note if you want to steer your TLS you can also

this would be in /jffs/configs/stubby.yml.add
Code:
tls_min_version: GETDNS_TLS1_2
tls_cipher_list: "EECDH+AESGCM:EECDH+CHACHA20"
tls_max_version: GETDNS_TLS1_3
tls_ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
another variation would be

Code:
tls_min_version: GETDNS_TLS1_3
tls_ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"

this will tell it to only use TLS1.3

and since we are sharing this is how I modified my stubby.yml with /jffs/scripts/stubby.postconf
Code:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
pc_insert "  - GETDNS_TRANSPORT_TLS" "dnssec_return_status: GETDNS_EXTENSION_TRUE" $CONFIG
pc_replace "idle_timeout: 9000" "idle_timeout: 2000" $CONFIG
pc_replace "tls_connection_retries: 2" "tls_connection_retries: 5" $CONFIG
pc_replace "timeout: 3000" "timeout: 2000" $CONFIG
pc_insert "dnssec_return_status: GETDNS_EXTENSION_TRUE" "return_both_v4_and_v6: GETDNS_EXTENSION_TRUE" $CONFIG
but this works best for my servers; you can modify however you like.

@Swistheater, are you still running these scripts on latest beta? Also, for the average user do you recommend them?
 
@Swistheater, are you still running these scripts on latest beta? Also, for the average user do you recommend them?
I have switched to only running /jffs/configs/stubby.yml.add at the moment
Code:
tls_min_version: GETDNS_TLS1_2
tls_cipher_list: "EECDH+AESGCM:EECDH+CHACHA20"
tls_max_version: GETDNS_TLS1_3
tls_ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
dnssec_return_status: GETDNS_EXTENSION_TRUE

chmod 755 /jffs/configs/stubby.yml.add

I opted to remove the timing modifications because it wasn't really necessary with the number of servers I use.

and stubby.postconf actually stalls the process longer than necessary. It is best to use config.add vs. postconf if you can get your settings added that way.
 
There are several posts in the 384.11 support thread of some settings. Here are mine:

Basic DoT Settings

WAN->Internet Connection:

View attachment 18034


Advanced / Optional Settings

Tools->Other Settings, Advanced Tweaks and Hacks Section:

View attachment 18033

Add the line below to /jffs/configs/dnsmasq.conf.add:

Code:
proxy-dnssec

Then, bounce dnsmasq:

Code:
service restart_dnsmasq

Note: enabling DNSSEC causes the Cloudflare DoT test page to fail. So do this step after performing all validation tests:

/jffs/scripts/stubby.postconf
Code:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
pc_insert "  - GETDNS_TRANSPORT_TLS" "dnssec_return_status: GETDNS_EXTENSION_TRUE" $CONFIG

Then, restart stubby:

Code:
service restart_stubby
Thank you so much this worked.
 
Thank you so much this worked.

Advanced / Optional Settings

Tools->Other Settings, Advanced Tweaks and Hacks Section:

View attachment 18033
@Xentrk , all my settings are similar to yours except under the Tools, Other Settings option.
What's the outcome if the "Wan: Use local caching DNS server as system resolver" is set to No?
 
I have a question.
I have turned on DoT on my android 9.0 under private DNS.

Is there a way to force this android phone to use the router DNS (stubby) without disabling the private DNS?

I have tried the following but it failed to use the router DNS.
Code:
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to "$(nvram get lan_ipaddr)"
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to "$(nvram get lan_ipaddr)"

As DoT uses port 853, I wonder whether changing the dport from 53 to 853 helps? Will there be any issues with the router doing dns queries?


Edited.
Lol..
Can't be done. Changing to 853 caused my android to stop working.
Likely due to the dns queries coming from android being already encrypted under DoT (private dns).

At least we proved that the private dns in android 9.0 is working well... Guess I have to just turn it off when I connect to my router at home. Haha.
 
Advanced / Optional Settings

Tools->Other Settings, Advanced Tweaks and Hacks Section:

View attachment 18033
@Xentrk , all my settings are similar to yours except under the Tools, Other Settings option.
What's the outcome if the "Wan: Use local caching DNS server as system resolver" is set to No?
Port 53 queries are from the router itself due to the new 384.12 default setting of "No" for "Wan: Use local caching DNS server as system resolver" (Tools-Other Settings). Client requests will still go through Stubby.

If you want the DNS checks to go through Stubby, change the setting to Yes.

Some people found they needed to have it set to No or they could not get ntp at boot time. I have mine set to yes. I also specify Cloudflare DNS on the WAN page so the router can get DNS from that source until DoT starts up.
 
In case anyone is still using the Stubby installer script with Cloudflare, you may be experiencing issues due to the “tls_min_version: GETDNS_TLS1_3” line in /opt/etc/stubby/stubby.yml. If so, remove this line and restart Stubby.

This issue was first noticed in John’s fork thread and would apply to anyone still using the default config from this installer.
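A small sanity check for the flat stubby.yml.add fragments posted earlier in this thread and for the Cloudflare/TLS 1.3 report above. This is an added example, not code from the thread, Stubby or the installer; it only knows the two GETDNS_TLS1_x version tokens used here, encodes the Cloudflare caveat as reported in the thread, and the sample fragments are constructed from the posts.

```python
# Version tokens used in this thread, weakest first (assumption: only these two are checked).
TLS_VERSIONS = ["GETDNS_TLS1_2", "GETDNS_TLS1_3"]
# IANA TLS 1.3 cipher suite names; tls_ciphersuites only applies to TLS 1.3.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}

# Constructed from the fragments posted in this thread.
FRAGMENT_RANGE = """tls_min_version: GETDNS_TLS1_2
tls_cipher_list: "EECDH+AESGCM:EECDH+CHACHA20"
tls_max_version: GETDNS_TLS1_3
tls_ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
dnssec_return_status: GETDNS_EXTENSION_TRUE
"""
FRAGMENT_TLS13_ONLY = """tls_min_version: GETDNS_TLS1_3
tls_ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
"""

def parse_fragment(text):
    """Parse flat 'key: value' lines (comments and blanks skipped) into a dict."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip('"')
    return settings

def check_fragment(text, cloudflare_upstream=False):
    """Return a list of findings for a stubby.yml.add fragment; [] means nothing flagged."""
    s = parse_fragment(text)
    findings = []
    lo, hi = s.get("tls_min_version"), s.get("tls_max_version")
    for key, val in (("tls_min_version", lo), ("tls_max_version", hi)):
        if val is not None and val not in TLS_VERSIONS:
            findings.append(f"{key}: unknown value {val}")
    if lo in TLS_VERSIONS and hi in TLS_VERSIONS and TLS_VERSIONS.index(lo) > TLS_VERSIONS.index(hi):
        findings.append("tls_min_version is higher than tls_max_version: no TLS version satisfies both")
    if lo == "GETDNS_TLS1_3" and cloudflare_upstream:
        # Reported in this thread: Cloudflare upstreams fail with a TLS 1.3 minimum.
        findings.append("tls_min_version GETDNS_TLS1_3 with Cloudflare: reported to fail, remove the line")
    if "tls_ciphersuites" in s:
        bad = [c for c in s["tls_ciphersuites"].split(":") if c not in TLS13_SUITES]
        if bad:
            findings.append("tls_ciphersuites: not TLS 1.3 suite names: " + ", ".join(bad))
    if s.get("dnssec_return_status") != "GETDNS_EXTENSION_TRUE":
        findings.append("dnssec_return_status not GETDNS_EXTENSION_TRUE: DNSSEC validation is off")
    return findings
```

Running `check_fragment(FRAGMENT_TLS13_ONLY, cloudflare_upstream=True)` flags both the TLS 1.3 minimum and the missing DNSSEC line, while the wider-range fragment passes clean.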
 
In case anyone is still using the Stubby installer script with Cloudflare, you may be experiencing issues due to the “tls_min_version: GETDNS_TLS1_3” line in /opt/etc/stubby/stubby.yml. If so, remove this line and restart Stubby.

This issue was first noticed in John’s fork thread and would apply to anyone still using the default config from this installer.

Do you know if Stubby can be installed on the T-Mobile Asus router? (I know this router is not supported by Merlin, but I have a friend who owns one and was wondering...apologies to the gods; i don't mean to offend)
 
Do you know if Stubby can be installed on the <bad word> Asus router? (I know this router is not supported by Merlin, but I have a friend who owns one and was wondering...apologies to the gods; i don't mean to offend)
If that firmware was worth anything, there wouldn't be so many people looking to flash the Asus firmware. I don't know definitively, but I would assume the answer is no, since it relies heavily on Entware and custom config files to hook into the normal DNS path.
 
Ok thank you. I’d be on my own if I tried, I guess. Best to leave well enough alone


Sent from my iPhone using Tapatalk
 
I have a problem with my son's tablet: on roblox game it gave me this error:

HttpError: DnsResolve (Error Code: 610)

And on my PC on google chrome i have this: DNS_PROBE_FINISHED_BAD_CONFIG

Do you have any idea? I use stubby dns over tls with latest merlin firmware on asus ac68u.
 
@razvanu there is no error shown in your post.
 
Sorry, I've edited now, had to leave home at that moment... quick fix: I've restarted the router and disabled dns filter
 
I have a problem with my son's tablet: on roblox game it gave me this error:

HttpError: DnsResolve (Error Code: 610)

And on my PC on google chrome i have this: DNS_PROBE_FINISHED_BAD_CONFIG

Do you have any idea? I use stubby dns over tls with latest merlin firmware on asus ac68u.
I did a quick search on google about the error. Didn't have time to read many of the results, but these references may be of help.
https://www.drivereasy.com/knowledge/fix-dns-probe-finished-bad-config-error/
https://www.quora.com/What-is-DNS_PROBE_FINISHED_BAD_CONFIG
 
Hi Xentrk,

I wanted to install Stubby via AMTM but I don't see it as an option.

I just updated to AMTM version 3.0

Do I have to use the command line script instead?
 
