DNS over TLS for stock Asus router firmware


bbunge
This procedure uses Stubby/GetDNS on Entware. As of this writing Stubby was at version 0.2.6 on Entware but seems to work well.

I have tested this on an RT-AC86U and a RT-AC66U_B1. I expect this will work on any Asus router. The beauty of this is that you don't have to change any WAN or LAN router settings! If something doesn't work, pull the USB and reboot.

What you will need:
An Asus router with a USB port.
A USB drive formatted to EXT2, EXT3 or EXT4 (note that some older routers may not recognize EXT4).
Log into the router GUI. Upgrade the router firmware if needed. On the Administration/System page enable SSH Lan Only then click Apply. Take note of the router LAN IP Address on the LAN/LAN-LANIP page.

Connect to the router via ssh. I use Putty (https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html) from a Windows PC. You can also use WinSCP to do some file creation, editing and file transfer. This procedure uses "vi" to create and edit files. For a list of "VI" commands see: https://kb.iu.edu/d/afdc

Create file post-mount in /jffs: vi /jffs/post-mount
Note: This file is used to set up the USB drive and start Entware and Stubby. (The Github install for Entware on stock Asus uses scripts embedded into NVRAM that I could not get to work) I have added delays to allow the router to start up and get the system time set before running Entware.
Do "df" to find the USB mount point. Should be /dev/sda1
/jffs/post-mount content
Code:
#!/bin/sh
# give the router time to finish booting and set the system time before Entware starts
sleep 30
# recreate the opt dir after every reboot
mkdir -p /tmp/opt
# where /dev/sdX# is your usb opt partition
mount /dev/sda1 /tmp/opt
sleep 2
# $1 is the mount point the firmware passes to the usbmount hook; the backslash used
# in the nvram one-liner form (\$1) is not needed inside a script file
ln -sf $1 /tmp/opt
# start Entware services, then give them a moment before starting Stubby
/opt/etc/init.d/rc.unslung start
sleep 10
/opt/etc/init.d/S61stubby restart
(Esc)ZZ to save and exit vi

Make /jffs/post-mount executable
Code:
chmod 755 /jffs/post-mount
Create file unmount in /jffs: vi /jffs/unmount

/jffs/unmount content
Code:
#!/bin/sh
/opt/etc/init.d/rc.unslung stop
(Esc)ZZ to save and exit vi

Make /jffs/unmount executable
Code:
chmod 755 /jffs/unmount

Set up nvram to use the two script files
Code:
nvram set script_usbmount="/jffs/post-mount"
nvram set script_usbumount="/jffs/unmount"
nvram commit
Next install Entware. To prepare the USB drive run these commands:
Code:
mkdir -p /tmp/opt
mount /dev/sda1 /tmp/opt
# the "ln -sf $1 /tmp/opt" line from post-mount is only meaningful inside the
# usbmount hook, where the firmware sets $1; typed interactively it would only
# create a stray symlink, so it is left out here
See https://github.com/Entware/Entware/wiki/Install-on-Asus-stock-firmware Deploying Entware for the script to run for your router. Copy and paste the command into Putty and install Entware.

Install Stubby
Code:
opkg install stubby
Edit and replace stubby.yml
Code:
vi /opt/etc/stubby/stubby.yml
Note: Set the line below listen addresses to the LAN IP of your router

/opt/etc/stubby/stubby.yml contents
Code:
tls_ca_file: "/rom/etc/ssl/certs/ca-certificates.crt"
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
# Uncomment the next line to enable DNSSEC
# dnssec_return_status: GETDNS_EXTENSION_TRUE
tls_query_padding_blocksize: 128
edns_client_subnet_private : 1
round_robin_upstreams: 1
idle_timeout: 2000
tls_connection_retries: 5
tls_backoff_time: 900
timeout: 2000
appdata_dir: "/tmp/share"
# Set the listen addresses to the LAN IP of your router
listen_addresses:
  - 192.168.50.1

upstream_recursive_servers:
# Quad 9 Secure
#  - address_data: 9.9.9.9
#    tls_auth_name: "dns.quad9.net"
#  - address_data: 149.112.112.112
#    tls_auth_name: "dns.quad9.net"
#  - address_data: 2620:fe::fe
#    tls_auth_name: "dns.quad9.net"
#  - address_data: 2620:fe::9
#    tls_auth_name: "dns.quad9.net"

# Cloudflare
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"
#  - address_data: 2606:4700:4700::1111
#    tls_auth_name: "cloudflare-dns.com"
#  - address_data: 2606:4700:4700::1001
#    tls_auth_name: "cloudflare-dns.com"
(Esc)ZZ to save and close

Create the Stubby init file:
Code:
vi /opt/etc/init.d/S61stubby
Contents of /opt/etc/init.d/S61stubby
Code:
#!/bin/sh

logger -t S61stubby "$1 Stubby DNS over TLS $0"

# set environment PATH to system binaries
export PATH=/sbin:/bin:/usr/sbin:/usr/bin:$PATH

# give stubby the router's time zone for its log timestamps
export TZ=$(cat /etc/TZ)
ENABLED=yes
PROCS=stubby
# -g: run in the background, -v 5: log level, -C: config file.
# Note: rc.func hands ARGS to the process as plain arguments, so the 2> redirection
# below is not performed by a shell; confirm /opt/var/log/stubby.log is actually
# being written before relying on it.
ARGS="-g -v 5 -C /opt/etc/stubby/stubby.yml 2>/opt/var/log/stubby.log"
PREARGS="nohup"
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# rc.func supplies the start/stop/restart/check handling shared by Entware init scripts
. /opt/etc/init.d/rc.func
Make /opt/etc/init.d/S61stubby executable:
Code:
chmod 755 /opt/etc/init.d/S61stubby
Start Stubby:
Code:
/opt/etc/init.d/S61stubby start
To check if Stubby is running enter:
Code:
stubby -l
This initial setup uses Cloudflare IPV4 DNS servers. You can check if Stubby DoT is working, without DNSSEC enabled, at: https://cloudflare-dns.com/help/

The /opt/etc/stubby/stubby.yml file contains upstream resolvers (DNS servers) for Quad9 and Cloudflare, IPv4 and IPv6. Remove the (#) to enable a resolver, maintaining the spacing as shown below:
Code:
# Cloudflare
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"

To enable DNSSEC, which is recommended, remove the (#) in front of dnssec_return_status: GETDNS_EXTENSION_TRUE

Take care when editing the stubby.yml as errors in the file can cause stubby to not run as planned!

IPv6 has not been fully tested due to issues I have with my ISP and their implementation of IPv6 using 6rd. However, your IPv4 resolvers should resolve IPv6 addresses. You should be able to add the router LAN IPv6 address below listen_addresses in stubby.yml:
Code:
# Set the listen addresses to the LAN IP of your router
listen_addresses:
  - 192.168.50.1
  - 2606:xxx.xxxx::

If you want to add a swap file to your USB see https://www.snbforums.com/threads/add-swap-to-usb-drive-on-asus-router.46911/. You can add the swap mount to the post-mount file just after the shebang (#!/bin/sh).
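Editor's added example, not bbunge's script: a more defensive version of the /jffs/post-mount hook from the post. It polls for a set clock instead of the fixed sleeps (a DoT handshake fails certificate date checks while the router still thinks it is 1970, which is the time-sync problem described above), runs a small pre-flight on stubby.yml before starting Stubby (the two edits the post warns can stop Stubby from running), and bind-mounts the partition the firmware already mounted rather than mounting /dev/sda1 a second time. Assumptions: the firmware passes the USB mount point as $1 (the same assumption behind the post's "ln -sf $1" line), BusyBox mount supports -o bind, and rc.unslung and S61stubby live where the post creates them. Install it as /jffs/post-mount and wire it up with the same nvram commands as in the post.

```shell
#!/bin/sh
# Defensive post-mount hook for the Stubby-on-Entware setup (added example).

STUBBY_YML="/opt/etc/stubby/stubby.yml"
OPT_DIR="/tmp/opt"

log() { logger -t post-mount "$*"; echo "post-mount: $*" >&2; }

# The firmware clock starts at the epoch until NTP syncs, and TLS validation
# needs a real date. $1 is a year to judge; it defaults to the live clock so
# the check can be exercised without waiting on the router.
clock_is_set() {
    [ "${1:-$(date +%Y)}" -gt 2000 ] 2>/dev/null
}

# Poll up to $1 seconds for the clock: 0 once it is set, 1 on timeout.
wait_for_clock() {
    tries=${1:-60}
    while [ "$tries" -gt 0 ]; do
        clock_is_set && return 0
        tries=$((tries - 1)); sleep 1
    done
    return 1
}

# Pre-flight for the two edits the post warns about: at least one uncommented
# listen address, and enabled upstreams that each carry a tls_auth_name (with
# GETDNS_AUTHENTICATION_REQUIRED there is otherwise nothing to authenticate).
check_stubby_yml() {  # $1: path to stubby.yml; returns 0 if it passes
    f=$1
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    listen=$(grep -Ec '^[[:space:]]+-[[:space:]]*[0-9A-Fa-f.:]+[[:space:]]*$' "$f" || true)
    ups=$(grep -Ec '^[[:space:]]*-[[:space:]]*address_data:' "$f" || true)
    auth=$(grep -Ec '^[[:space:]]*tls_auth_name:' "$f" || true)
    [ "$listen" -ge 1 ] || { echo "no uncommented listen address" >&2; return 1; }
    [ "$ups" -ge 1 ] || { echo "every upstream is commented out" >&2; return 1; }
    [ "$ups" -eq "$auth" ] || { echo "$ups address_data lines but $auth tls_auth_name lines" >&2; return 1; }
}

main() {
    mnt=${1:?mount point expected as first argument}
    mkdir -p "$OPT_DIR"
    # Bind the partition the firmware already mounted onto /tmp/opt (assumes
    # BusyBox mount supports -o bind) instead of mounting the device twice.
    grep -q " $OPT_DIR " /proc/mounts || mount -o bind "$mnt" "$OPT_DIR" || { log "bind mount of $mnt failed"; exit 1; }
    [ -x /opt/etc/init.d/rc.unslung ] || { log "no Entware on $mnt, nothing to start"; exit 0; }
    wait_for_clock 120 || log "clock still unset after 120s, starting Entware anyway"
    /opt/etc/init.d/rc.unslung start
    if check_stubby_yml "$STUBBY_YML"; then
        /opt/etc/init.d/S61stubby restart
    else
        log "stubby.yml failed pre-flight, Stubby left stopped; see the error above in syslog"
    fi
}

# Only run the hook when the file is installed under that name; running or
# sourcing it elsewhere just defines the functions.
case "$0" in */post-mount|post-mount) main "$@" ;; esac
```

The pre-flight only catches the structural mistakes named in the post; a mis-typed key still reaches Stubby, so keep the "take care when editing" advice and watch the logger output on the first boot after any change.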
 
How does this not conflict with dnsmasq on 192.168.50.1:53 since you do not override the port? Or is it an omission?
 
Nope, not an omission. I initially used the loopback address in DNS Server1 with DNS Server2 blank. I also used the LAN IP in DNS Server1. Had issues with the router not getting time sync just as in the initial Stubby testing. Knowing there was not much I could do with dnsmasq in the default I gave it a try the way it is written up. I was really surprised that it worked as long as I let the router boot up before starting Stubby. I know it shouldn't work but it does. My DNS Server1 and 2 are set to Cloudflare and my Stubby is set to Quad9 and yes, the Quad9 test server is blocked. With Stubby set to Cloudflare the CF test (help) page does show DoT in use. Yes, it shouldn't work but I've been running it for 5 days on the AC86U and was able to repeat the success on an AC66U_B1.
 
Can you login with ssh and run
Code:
netstat -ntlup | grep -E "stubby$|dnsmasq$"
I'm glad it works, but I'm more curious how. :)
 
Do not have a "p" option. Ran netstat -a and there was nothing listed for dnsmasq or stubby.
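Editor's added example, not posted by either participant: the port-53 question above stalls on a BusyBox netstat that has no -p option, so process names never appear. The functions below answer it another way: pick the port-53 listeners out of plain `netstat -nltu` output, decode a /proc/net/udp or /proc/net/tcp row (the kernel stores the local address as little-endian hex plus a socket inode), and map that inode to a PID by walking /proc/*/fd, which needs no netstat -p at all. The netstat output and the /proc row in the block are constructed samples for the demo; on the router, pipe in the real commands as shown in the comments.

```shell
#!/bin/sh
# Who owns port 53 on a router whose netstat lacks -p? (added example)

# Constructed sample of `netstat -nltu` output: a wildcard listener on :53 plus
# unrelated ssh, http and dhcp sockets.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.50.1:80         0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:53              0.0.0.0:*
udp        0      0 0.0.0.0:67              0.0.0.0:*'

# Constructed /proc/net/udp row for 192.168.50.1:53 with socket inode 12345.
SAMPLE_PROC_ROW='  12: 0132A8C0:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12345 2 0000000000000000 0'

# Print "proto local_address" for every socket on port $1 (stdin: netstat -nltu).
# UDP rows have no LISTEN state column, so only the port is matched.
listeners_on_port() {
    awk -v port="$1" '$1 ~ /^(tcp|udp)6?$/ { n = split($4, a, ":"); if (a[n] == port) print $1, $4 }'
}

# Count port-53 listeners bound specifically to the LAN IP ($1) versus bound to
# a wildcard address; prints "specific=<n> wildcard=<n>". A wildcard listener
# covers the LAN IP too, which is why the port can look "free" in the GUI and
# still be taken.
port53_summary() {
    listeners_on_port 53 | awk -v ip="$1" '
        index($2, ip ":") == 1 { s++ }
        index($2, "0.0.0.0:") == 1 || index($2, ":::") == 1 { w++ }
        END { printf "specific=%d wildcard=%d\n", s, w }'
}

# Decode one /proc/net/{tcp,udp} row ($1) into "a.b.c.d:port inode".
# local_address is hex, IPv4 bytes in little-endian order; inode is column 10.
decode_proc_net_row() {
    set -- $1
    hex=${2%%:*}; port=${2##*:}; inode=${10}
    o4=$(echo "$hex" | cut -c1-2); o3=$(echo "$hex" | cut -c3-4)
    o2=$(echo "$hex" | cut -c5-6); o1=$(echo "$hex" | cut -c7-8)
    printf '%d.%d.%d.%d:%d %s\n' "0x$o1" "0x$o2" "0x$o3" "0x$o4" "0x$port" "$inode"
}

# On the router (root shell): find the PID whose fd table holds socket inode $1
# and print "pid comm". Returns 1 if no process owns it.
pid_for_inode() {
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        pid=${fd#/proc/}; pid=${pid%%/*}
        echo "$pid $(cat "/proc/$pid/comm" 2>/dev/null)"
        return 0
    done
    return 1
}

# Demo on the constructed samples:
echo "$SAMPLE_NETSTAT" | port53_summary 192.168.50.1
decode_proc_net_row "$SAMPLE_PROC_ROW"

# Router usage (not run here):
#   netstat -nltu | port53_summary 192.168.50.1
#   awk '$2 ~ /:0035$/' /proc/net/udp | while read -r row; do decode_proc_net_row "$row"; done
#   pid_for_inode <inode printed by the previous line>
```

Run the three router commands in order: the summary says whether :53 is held by a wildcard or a LAN-IP-specific socket, the /proc decode gives the inode for the :0035 (port 53) rows, and pid_for_inode names the process, so "dnsmasq" versus "stubby" is settled from the kernel's own tables rather than guessed.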
 
