Diversion + VPN = Stubby?

rugglebear

Occasional Visitor
Diversion is up and running.
But I found out to keep it actually working I need to set my VPN Client settings
From:
Accept DNS Configuration = Exclusive
To:
Accept DNS Configuration = Strict

However, Strict ends up showing some goofy stuff when I run dnsleaktest.com or dnsleak.net
Well, not goofy, but not the same things it shows if DNS Configuration = Exclusive.

1) Do I need to be concerned at all with Accept DNS Configuration = Strict?
2) If I want to enjoy the "benefits" of 'Exclusive' I've learned I need to install Stubby.
2a) However, I can't find any straightforward way to configure Stubby after it's installed. Is there a widely accepted guide? Or am I mistaken and it's just "Install and go!" with no post-configuration labyrinth to navigate?

Thanks!
 
Thanks for that link!
That's actually the link which has allowed me to even get this far to where I am today in my current state.

It reminded me though that I might have misspoken in my original post.
I know that I need to set it to "Disabled" then use STUBBY.
But is Stubby just "install and go" or do I need to follow his guide on creating the script files myself, etc. for configuration?
 
Think Stubby is more install and go. Think I read the default install will use DNS 1.1.1.1
Have not tried Stubby myself yet; I use DNSCrypt-proxy at the moment (my VPN provider's DNS server supports DNSCrypt)
 
Thanks, I did end up installing Stubby, but can't really say it's working or that I even know how to tell.

After installing the opkg and the ca-certificate, I think I started Stubby up via SSH with the 'stubby' command, and got this:
STUBBY: Starting DAEMON....

But after running another DNS Leak test, I still see my ISP's hostname, so I'm not really sure what else I'm missing.
Thanks, what's the story on DNScrypt?
Is it just another Entware package I should be able to "install and go"?
Will following this get me up and running?
https://github.com/RMerl/asuswrt-merlin/wiki/Secure-DNS-queries-using-DNSCrypt

Sorry, I've had such success with Diversion and YazFi, I was hoping all of these Entware packages were just as "user-friendly".
 
Give the Stubby install another try
Code:
/usr/sbin/curl --retry 3 "https://raw.githubusercontent.com/Xentrk/Stubby-Installer-Asuswrt-Merlin/master/install_stubby.sh" -o "/jffs/scripts/install_stubby.sh" && chmod 755 /jffs/scripts/install_stubby.sh && sh /jffs/scripts/install_stubby.sh

The one I use is here https://www.snbforums.com/threads/release-dnscrypt-installer-for-asuswrt.36071/ (it doesn't need Entware) and it uses DoH or DNSCrypt servers, not DoT
But think the way to go is with Stubby and DoT servers ;)
Edit:
Dependent, of course, on what DNS servers you want to use
 
You should go to the stubby install page and see the additional instructions then. Many ways and examples to verify it is working.
 
Thanks for the help everyone.

Using the installer from that thread seems to have got me on my way.

It looks like I now have the following successfully set up:
-Diversion (successfully blocking ads)
-VPN via OVPN using PrivateInternetAccess (DNS set to 'Disabled')
-Stubby

Here's my next question for understanding my current situation:

Good:
- ip.voidsec.com successfully displays my VPN IP address

Questionable:
- dnsleaktest.com now shows two Cloudflare servers as my DNS results.
This makes sense to me because we determined Stubby uses 1.1.1.1
It's just that I'm used to seeing the PIA server as the only result, which I would trust, but do I interpret this to mean the Cloudflare servers would be able to log my DNS queries, etc?
Or does this not matter because the VPN is encrypting everything anyways?

- dnsleak.net shows two DIFFERENT IP addresses than dnsleaktest.com.
I'm not sure how to interpret this.
Even though it says:
"If you are now connected to a VPN and between the detected DNS you see your ISP DNS, then your system is leaking DNS requests"
I'm unsure of my ISP's IP addresses, so I can't be sure whether or not the two displayed here are associated.

Thanks again for everyone's help. Learning sure is giving me a headache, but it's like an ice cream headache...I want to keep eating the ice cream.
 
<SNIP> but do I interpret this to mean the Cloudflare servers would be able to log my DNS queries, etc?
Or does this not matter because the VPN is encrypting everything anyways? </SNIP>

I may be (HA! probably am) wrong, but as your tunnel to the VPN server is encrypted, your DNS lookups would appear to come from that server and as such you're only partially obfuscated at that point. I think for proper anonymity, IF I'm correct, you'd need stubby as the icing on the cake.
(If Cloudflare's logs ever cease to be purged every 24 hours, then we'll have to re-evaluate)
 
I think for proper anonymity, IF I'm correct, you'd need stubby as the icing on the cake.
(If cloudflare's logs ever cease to be purged every 24 hours, then we'll have to re-evaluate)
Sorry, I reread my post and I guess I didn't really make it clear that I am currently using Stubby via the default installed settings.
 
-Diversion (successfully blocking ads)
-VPN via OVPN using PrivateInternetAccess (DNS set to 'Disabled')
-Stubby
Looks like amtm is missing in this list, ties yours and more scripts together with one single start point.
 
