
ASUSWRT-Merlin and NextDNS issue

First you blame FW Merlin when the problem is a particular DoT service. In any case, the minimum of knowledge is required. Follows an appropriate post.
https://www.augusteo.com/blog/how-to-use-nextdns-with-asuswrt-merlin-tutorial/

I didn't blame anyone, I just said it appears to the casual user that way. I'm kinda tired of cryptic BS and everyone blaming each other and I just can't get this crap to work. That's what I am blaming.

Also, I've done that and it keeps on randomly failing to resolve things. And all I got as a response is create some weird script and upload it to router. If only things were so easy... I can do many things and find resources, but for the love of all that's binary, I couldn't find how to upload scripts to router. And everyone keeps on saying like it's the easiest thing ever and almost common knowledge.
 
One workaround is to use just one resolver, DNS server, in your DNS over TLS Server List. Yes, you will not have a fallback if that server becomes unavailable.
I can also write up step by step instructions for you to turn off round robin.
 
@RejZoR I couldn't get it working reliably either so I use their own linux client on a Raspberry Pi instead, works great and has more options.
 
It has nothing to do with FW Merlin or Stubby. I made the setup simple, as recommended by NextDNS. It works fine. Getting back to Unbound here.
Code:
@rgnldo:/jffs/scripts# cat /etc/stubby/stubby.yml
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
appdata_dir: "/var/lib/misc"
resolvconf: "/tmp/resolv.conf"
edns_client_subnet_private: 1
round_robin_upstreams: 1
idle_timeout: 9000
tls_connection_retries: 2
tls_backoff_time: 900
timeout: 3000
listen_addresses:
  - 127.0.1.1@53
upstream_recursive_servers:
  - address_data: 45.90.28.0
    tls_auth_name: "xxxxx.dns1.nextdns.io"
  - address_data: 2a07:a8c0::0
    tls_auth_name: "xxxxx.dns1.nextdns.io"
  - address_data: 45.90.30.0
    tls_auth_name: "xxxxx.dns2.nextdns.io"
  - address_data: 2a07:a8c1::0
    tls_auth_name: "xxxxx.dns2.nextdns.io"

 
None of this helps me because I have no bloody clue how to upload scripts to folder everyone keeps saying I should place scripts. I know how to make the script file, I know you need to enable SSH and JFFS, but I can't upload the stuff...

NextDNS guys are offering router integration via this: https://github.com/nextdns/nextdns

Could NextDNS be officially supported by default maybe?
 
None of this helps me because I have no bloody clue how to upload scripts to folder everyone keeps saying I should place scripts
I didn't use any script. I just used the fw MERLIN gui. Simple.
 
I spoke with the NextDNS on their live chat because I am having the same issue.

I showed them this thread and they said they will be adding native support for Merlin firmware soon.

Now what that means or how soon I don't know, but this is good news.
 
I spoke with them too months ago when I found out NextDNS and I kept getting bounced back and forth between them and Merlin FW. They blamed Merlin, Merlin users blamed them and I was in the middle with non functioning DNS on a router level. I hope they'll sort this out soon coz I want a good privacy focused DNS with filter lists. Seems to be the only good DNS that offers this.
 
Um, how?!
IPv4 (with linked IP)
All devices connected to the router.

Make sure you have linked the IP of the network you will setup.
1. Open the preferences for your router. Usually you can access it from your browser via a URL (like http://192.168.0.1/ or http://192.168.1.1/).
2. Locate the DNS settings inside the interface on WAN.
3. Remove all addresses (if any) then add 45.90.28.241 and 45.90.30.241.
4. Click Save (or similar).

There is no need to configure DNSSEC. They use Unbound already configured with DNSSEC.


Since this is a specific DoT-adblock service, change round_robin_upstreams to "0".

At the terminal:
nano /jffs/scripts/stubby.postconf
Code:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
pc_replace "round_robin_upstreams: 1" "round_robin_upstreams: 0" $CONFIG
Give execution permission
Code:
chmod +x /jffs/scripts/stubby.postconf
Run:
Code:
service restart_stubby
 
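
A check that can be run after the restart to confirm the change landed in the configuration Stubby loads. This is an added example, not part of any post in the thread; `check_stubby_conf` and `write_sample` are hypothetical names, the sample file is constructed, and the parser assumes the layout shown in the thread (`address_data` listed before `tls_auth_name`). On the router the call would be `check_stubby_conf /etc/stubby/stubby.yml`.

```shell
#!/bin/sh
# Audit a stubby.yml: round robin off, TLS only, every upstream authenticated.
check_stubby_conf() {
    [ -r "$1" ] || { echo "FAIL: cannot read $1"; return 2; }
    awk '
        function fail(msg) { print "FAIL: " msg; bad++ }
        { sub(/\r$/, "") }                      # tolerate CRLF from Windows editors
        /^[a-z_]+:/ { section = $1; sub(/:.*/, "", section) }   # current top-level key
        /^round_robin_upstreams:/ { rr = $2 }
        /^tls_authentication:/    { auth = $2 }
        section == "dns_transport_list" && /^ *- / {
            if ($2 != "GETDNS_TRANSPORT_TLS") fail("non-TLS transport allowed: " $2)
            else tls_seen = 1
        }
        section == "upstream_recursive_servers" && /^ *- *address_data:/ {
            if (addr != "" && !named) fail("upstream " addr " has no tls_auth_name")
            addr = $NF; named = 0
        }
        section == "upstream_recursive_servers" && /^ *tls_auth_name:/ { named = 1 }
        END {
            if (addr != "" && !named) fail("upstream " addr " has no tls_auth_name")
            if (rr != "0") fail("round_robin_upstreams is " (rr == "" ? "unset" : rr) ", expected 0")
            if (auth != "GETDNS_AUTHENTICATION_REQUIRED") fail("tls_authentication is not REQUIRED")
            if (!tls_seen) fail("GETDNS_TRANSPORT_TLS missing from dns_transport_list")
            if (!bad) print "OK: " FILENAME
            exit (bad ? 1 : 0)
        }
    ' "$1"
}

# Constructed sample modelled on the config posted above; $2 is the round robin value.
write_sample() {
    cat > "$1" <<EOF
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
round_robin_upstreams: $2
upstream_recursive_servers:
  - address_data: 45.90.28.0
    tls_auth_name: "xxxxx.dns1.nextdns.io"
  - address_data: 45.90.30.0
    tls_auth_name: "xxxxx.dns2.nextdns.io"
EOF
}

# Demo: the sample before and after the postconf edit.
sample=$(mktemp)
write_sample "$sample" 1; check_stubby_conf "$sample" || true
write_sample "$sample" 0; check_stubby_conf "$sample" || true
rm -f "$sample"
```
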
IPv4 (with linked IP)
All devices connected to the router.

Make sure you have linked the IP of the network you will setup.
1. Open the preferences for your router. Usually you can access it from your browser via a URL (like http://192.168.0.1/ or http://192.168.1.1/).
2. Locate the DNS settings inside the interface on WAN.
3. Remove all addresses (if any) then add 45.90.28.241 and 45.90.30.241.
4. Click Save (or similar).

There is no need to configure DNSSEC. They use Unbound already configured with DNSSEC.


Since this is a specific DoT-adblock service, change round_robin_upstreams to "0".

At the terminal:
nano /jffs/script/stubby.postconf
Code:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
pc_replace "round_robin_upstreams: 1" "round_robin_upstreams: 0" $CONFIG
Give execution permission
Code:
chmod +x /jffs/script/stubby.postconf
Run:
Code:
service restart_stubby

Thank you for this, but after using nano I get this error:

"[ Error writing /jffs/script/stubby.postconf: No such file or directory ]"

Can you handhold a little more?
 
@rgnldo Thank you, that worked, but it won't display as working on the NextDNS dashboard.


I have tried with both my static ip and DHCP.
 
Just for punishment, who is using my ID, I put to block web services. lol ;)
For all intents and purposes, I don't like services like that. I like Unbound + stubby and its adblock service. It works that is a beauty. I hope you can configure
 
Can this be done with PowerShell or do I need some other tool for it? Also how is this uploading the script to jffs folder? Or do you type it in directly from terminal thingie?

EDIT:
Would be nice if there was a simple switch in the router settings that would enable this easily without fiddling with scripts as compatibility mode for NextDNS...
 
There is a wealth of information here RMerlin Wiki and includes examples of implementing scripts on the router.

Basics for creating/exploiting scripts.

e.g. My_script.sh

1. Enable SSH access to router via the GUI

Administration->System TAB then Click 'Enable SSH=LAN only'

2. If you are using a Windows device then install WinSCP to create/edit the script file on the router.

I posted a mini-tutorial of getting a script onto the router via WinSCP: Using WinSCP to create scripts/files on Asus Router

or SSH into the router then use the router's nano editor.

3. As per the Wiki, ensure your script is executable

SSH to the router using your preferred SSH Client (Xshell6,MobaXterm or PuTTY etc.) and issue

Code:
dos2unix   /jffs/scripts/My_script.sh

chmod a+rx /jffs/scripts/My_script.sh

4. Ensure that execution of scripts is enabled (if creating auto-execute system scripts) - either via the GUI

Administration->System TAB then Click 'Enable JFFS custom scripts and configs=YES'

or from the command line

Code:
nvram set jffs2_scripts="1"

nvram commit

5. If you are logged on to the router's SSH console you can now test the script

Code:
sh /jffs/scripts/My_script.sh
 
