bbunge
This procedure uses Stubby/GetDNS on Entware. As of this writing Stubby was at version 0.2.6 on Entware but seems to work well.
I have tested this on an RT-AC86U and an RT-AC66U_B1. I expect this will work on any Asus router. The beauty of this is that you don't have to change any WAN or LAN router settings! If something doesn't work, pull the USB and reboot.
What you will need:
An Asus router with a USB port.
A USB drive formatted to EXT2, EXT3 or EXT4 (note that some older routers may not recognize EXT4).
Log into the router GUI. Upgrade the router firmware if needed. On the Administration/System page enable SSH Lan Only then click Apply. Take note of the router LAN IP Address on the LAN/LAN-LANIP page.
Connect to the router via ssh. I use Putty (https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html) from a Windows PC. You can also use WinSCP to do some file creation, editing and file transfer. This procedure uses "vi" to create and edit files. For a list of "VI" commands see: https://kb.iu.edu/d/afdc
Create file post-mount in /jffs: vi /jffs/post-mount
Note: This file is used to set up the USB drive and start Entware and Stubby. (The GitHub install for Entware on stock Asus uses scripts embedded into NVRAM that I could not get to work.) I have added delays to allow the router to start up and get the system time set before running Entware.
Do "df" to find the USB mount point. Should be /dev/sda1
/jffs/post-mount content
Code:
#!/bin/sh
sleep 30
# recreate the opt dir after every reboot
mkdir /tmp/opt
# where /dev/sdX# is your usb opt partition
mount /dev/sda1 /tmp/opt
sleep 2
ln -sf \$1 /tmp/opt
/opt/etc/init.d/rc.unslung start
sleep 10
/opt/etc/init.d/S61stubby restart

(Esc)ZZ to save and exit vi
Make /jffs/post-mount executable
Code:
chmod 755 /jffs/post-mount

Create file unmount in /jffs: vi /jffs/unmount
/jffs/unmount content
Code:
#!/bin/sh
/opt/etc/init.d/rc.unslung stop

(Esc)ZZ to save and exit vi
Make /jffs/unmount executable
chmod 755 /jffs/unmount
Set up nvram to use the two script files
Code:
nvram set script_usbmount="/jffs/post-mount"
nvram set script_usbumount="/jffs/unmount"
nvram commit

Next install Entware. To prepare the USB drive run these commands:
Code:
mkdir /tmp/opt
mount /dev/sda1 /tmp/opt
ln -sf \$1 /tmp/opt

See https://github.com/Entware/Entware/wiki/Install-on-Asus-stock-firmware Deploying Entware for the script to run for your router. Copy and paste the command into Putty and install Entware.
Install Stubby
Code:
opkg install stubby

Edit and replace stubby.yml
Code:
vi /opt/etc/stubby/stubby.yml

Note: Set the line below listen addresses to the LAN IP of your router
/opt/etc/stubby/stubby.yml contents
Code:
tls_ca_file: "/rom/etc/ssl/certs/ca-certificates.crt"
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
# Uncomment the next line to enable DNSSEC
# dnssec_return_status: GETDNS_EXTENSION_TRUE
tls_query_padding_blocksize: 128
edns_client_subnet_private : 1
round_robin_upstreams: 1
idle_timeout: 2000
tls_connection_retries: 5
tls_backoff_time: 900
timeout: 2000
appdata_dir: "/tmp/share"
# Set the listen addresses to the LAN IP of your router
listen_addresses:
  - 192.168.50.1
upstream_recursive_servers:
# Quad 9 Secure
#  - address_data: 9.9.9.9
#    tls_auth_name: "dns.quad9.net"
#  - address_data: 149.112.112.112
#    tls_auth_name: "dns.quad9.net"
#  - address_data: 2620:fe::fe
#    tls_auth_name: "dns.quad9.net"
#  - address_data: 2620:fe::9
#    tls_auth_name: "dns.quad9.net"
# Cloudflare
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"
#  - address_data: 2606:4700:4700::1111
#    tls_auth_name: "cloudflare-dns.com"
#  - address_data: 2606:4700:4700::1001
#    tls_auth_name: "cloudflare-dns.com"

(Esc)ZZ to save and close
Create the Stubby init file:
Code:
vi /opt/etc/init.d/S61stubby

Contents of /opt/etc/init.d/S61stubby
Code:
#!/bin/sh
logger -t S61stubby "$1 Stubby DNS over TLS $0"
# set environment PATH to system binaries
export PATH=/sbin:/bin:/usr/sbin:/usr/bin:$PATH
export TZ=$(cat /etc/TZ)
ENABLED=yes
PROCS=stubby
ARGS="-g -v 5 -C /opt/etc/stubby/stubby.yml 2>/opt/var/log/stubby.log"
PREARGS="nohup"
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
. /opt/etc/init.d/rc.func

Make /opt/etc/init.d/S61stubby executable:
Code:
chmod 755 /opt/etc/init.d/S61stubby

Start Stubby:
Code:
/opt/etc/init.d/S61stubby start

To check if Stubby is running enter:
Code:
stubby -l

This initial setup uses Cloudflare IPV4 DNS servers. You can check if Stubby DoT is working, without DNSSEC enabled, at: https://cloudflare-dns.com/help/
The /opt/etc/stubby/stubby.yml file contains upstream resolvers, DNS servers, for Quad9 and Cloudflare IPV4 and IPV6. Remove the (#) to enable the resolver maintaining the spacing as shown below:
# Cloudflare
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"
To enable DNSSEC, which is recommended, remove the (#) in front of dnssec_return_status: GETDNS_EXTENSION_TRUE
Take care when editing the stubby.yml as errors in the file can cause stubby to not run as planned!
IPV6 has not been fully tested due to issues I have with my ISP and their implementation of IPV6 using 6rd. However, your IPV4 resolvers should resolve IPV6 addresses. You should be able to add the router LAN IPV6 address below listen_address in stubby.yml.
# Set the listen addresses to the LAN IP of your router
listen_addresses:
  - 192.168.50.1
  - 2606:xxx.xxxx::
If you want to add a swap file to your USB see https://www.snbforums.com/threads/add-swap-to-usb-drive-on-asus-router.46911/ You can add the swap mount to the post-mount file just after the shebang (#!/bin/sh).
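The post warns that errors in stubby.yml can keep Stubby from running as planned and that the spacing under each resolver must be kept. As an added example (not part of the original post), this shell function checks a stubby.yml for those mistakes before a restart: a tls_auth_name that lost its indentation or is missing, a non-TLS transport, and tls_authentication not set to required. The function name check_stubby_yml and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: lint stubby.yml before a restart.
# Prints one line per problem; returns 0 only when none are found.
check_stubby_yml() {
    awk '
    function indent(s,  n) { n = 0; while (substr(s, n + 1, 1) == " ") n++; return n }
    function bad(n, msg) { printf "line %d: %s\n", n, msg; problems++ }
    function close_entry() { if (entry && !named) bad(entry, "upstream has no tls_auth_name"); entry = 0 }
    { sub(/\r$/, "") }                              # tolerate CRLF from Windows editors
    /^[ \t]*#/ || /^[ \t]*$/ { next }               # skip comments and blank lines
    /^ *\t/ { bad(NR, "tab used for indentation") }
    /^ *tls_auth_name:/ {
        if (entry && indent($0) <= dash)
            bad(NR, "tls_auth_name is not indented under its address_data")
        named = 1; next
    }
    /^ *- *address_data:/ {
        close_entry()
        if (section == "upstream_recursive_servers:") { entry = NR; dash = indent($0); named = 0 }
        next
    }
    /^ *- / {                                       # any other list item
        if (section == "dns_transport_list:" && $2 != "GETDNS_TRANSPORT_TLS")
            bad(NR, "non-TLS transport allowed: " $2)
        next
    }
    /^[^ \t-]/ { close_entry(); section = $1 }      # new top-level key
    $1 == "tls_authentication:" { strict = ($2 == "GETDNS_AUTHENTICATION_REQUIRED") }
    $1 == "dnssec_return_status:" { dnssec = ($2 == "GETDNS_EXTENSION_TRUE") }
    END {
        close_entry()
        if (!strict) bad(NR, "tls_authentication is not GETDNS_AUTHENTICATION_REQUIRED")
        if (!dnssec) print "note: dnssec_return_status is not enabled"
        exit (problems > 0)
    }' "$1"
}
# Constructed sample: a cleartext fallback transport and a misindented name.
sample="${TMPDIR:-/tmp}/stubby-sample.$$.yml"
cat > "$sample" <<'EOF'
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
  - GETDNS_TRANSPORT_UDP
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
upstream_recursive_servers:
  - address_data: 1.0.0.1
  tls_auth_name: "cloudflare-dns.com"
EOF
check_stubby_yml "$sample" || echo "fix the lines above before restarting Stubby"
rm -f "$sample"
```

On the router, run it as check_stubby_yml /opt/etc/stubby/stubby.yml after each edit and restart Stubby only when it returns 0.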