Info: Stubby 0.2.3 (latest) is on entware.


ColinTaylor

Part of the Furniture
dnsmasq will listen for DNS requests on 127.0.0.1 port 53 by default, so those iptables rules are still good for that.
dnsmasq will then forward the requests to stubby at 127.0.0.1 on whatever port you have selected for it. Stubby will then do its encryption magic and forward the request to the upstream DNS on port 853.
Just to be pedantic, the LAN client's requests will be coming in on interface br0 (i.e. 192.168.1.1) not 127.0.0.1. But the iptables rules will still work because dnsmasq also listens on that. And to be doubly pedantic, the stubby port number is 5453 according to post #67.
 

ColinTaylor

Part of the Furniture
That's the stubby 'listening' port.....dnsmasq is sending the port 53 request to 5453 as dnsmasq's upstream server. Then stubby sends out on port 853 after encrypting it.
Indeed. I thought it was a typo because it was in response to DonnyJohnny's question "does the dns queries goes thru 53 then reroute to 127.0.0.1#8453". But reading it again I realise that tomsk's answer was referring to the upstream server port. :oops: That part of the reply should have been directed to DonnyJohnny.
 

tomsk

Very Senior Member
Indeed. I thought it was a typo because it was in response to DonnyJohnny's question "does the dns queries goes thru 53 then reroute to 127.0.0.1#8453". But reading it again I realise that tomsk's answer was referring to the upstream server port. :oops: That part of the reply should have been directed to DonnyJohnny.
Well, I'm still more wrong than right... haha... I was under the false impression that dnsmasq was listening on the loopback address.... thank you for correcting me, sir.. the dead giveaway was the
$(nvram get lan_ipaddr) in the iptables rule... as I said... "clever like that"
 

ColinTaylor

Part of the Furniture
I was under the false impression that dnsmasq was listening on the loopback address....
No you are correct, it is. It listens on br0 as well. So if you're logged into the router and did a lookup it would indeed go to 127.0.0.1 because that's what's in resolv.conf.
Code:
# cat /etc/resolv.conf
nameserver 127.0.0.1
nameserver ::1
# nslookup bbc.co.uk
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      bbc.co.uk
Address 1: 2a04:4e42:600::81
Address 2: 151.101.128.81
Address 3: 151.101.192.81
Address 4: 151.101.0.81
Address 5: 151.101.64.81
Compare that to the resolv.conf file of a Linux client on the LAN:
Code:
# cat /etc/resolv.conf
# Generated by NetworkManager
search home.lan
nameserver 192.168.1.1
 

tomsk

Very Senior Member
No you are correct, it is. It listens on br0 as well. So if you're logged into the router and did a lookup it would indeed go to 127.0.0.1 because that's what's in resolv.conf.
Code:
# cat /etc/resolv.conf
nameserver 127.0.0.1
nameserver ::1
# nslookup bbc.co.uk
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      bbc.co.uk
Address 1: 2a04:4e42:600::81
Address 2: 151.101.128.81
Address 3: 151.101.192.81
Address 4: 151.101.0.81
Address 5: 151.101.64.81
OK, got it... thanks for the enlightenment...... now.... if only I could retain all this information at the same time.....
 

DonnyJohnny

Very Senior Member
Thx all. @john9527 @tomsk @ColinTaylor
The iptables rules I mentioned in my post work.
Tested by changing my Wi-Fi DNS server to Google DNS. Did a DNS leak test and the DNS is still as per the stubby-defined DNS.

I don’t use QOS so I am fine.
 

bbunge

Part of the Furniture
Any recommendation for best install steps on Asus?

Sent from my P01M using Tapatalk
 

Xentrk

Part of the Furniture
Any recommendation for best install steps on Asus?

Sent from my P01M using Tapatalk
You need to have entware installed. I am writing an install script and estimate to have it ready by the weekend. If you want to install now, see post #10 for the steps.
 

DonnyJohnny

Very Senior Member
OK, these are my steps.
First you need to have Entware installed; then run the commands below.
Code:
opkg update
opkg install stubby
opkg install ca-certificates

Create a file S61stubby in /opt/etc/init.d/

Code:
nano /opt/etc/init.d/S61stubby
Copy the following inside and save.
Code:
#!/bin/sh

ENABLED=yes
PROCS=stubby
ARGS="-g -v 5 -C /opt/etc/stubby/stubby.yml 2>/opt/var/log/stubby.log"
PREARGS="nohup"
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/etc/init.d/rc.func

After you save the above file, you need to make it executable.
Code:
chmod 755 /opt/etc/init.d/S61stubby

You probably already have ca-certificates installed. Look in /opt/etc/ssl

Code:
nano /opt/etc/stubby/stubby.yml

Copy this inside.
Code:
#NOTE: See '/etc/stubby/stubby.yml.default' for original config file and descriptions
resolution_type: GETDNS_RESOLUTION_STUB
dnssec_return_status: GETDNS_EXTENSION_TRUE
appdata_dir: "/opt/var/cache/stubby"
tls_ca_file: "/opt/etc/ssl/certs/ca-certificates.crt"
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 256
edns_client_subnet_private : 1
round_robin_upstreams: 1
idle_timeout: 10000
tls_backoff_time: 900
listen_addresses:
  - 127.0.0.1@5453
upstream_recursive_servers:
# IPv4 addresses
# # Cloudflare servers
  - address_data: 1.1.1.1
    tls_port: 853
    tls_auth_name: "cloudflare-dns.com"
              
# # Cloudflare servers
  - address_data: 1.0.0.1 
    tls_port: 853         
    tls_auth_name: "cloudflare-dns.com"

nano /jffs/configs/dnsmasq.conf.add (also, disable DNSSEC in webgui)

Code:
no-resolv
server=127.0.0.1#5453

Lastly, go to the web GUI, under WAN, Internet Connection, WAN DNS Setting.
Set DNS to Manual.
DNS#1: your router IP, e.g. 192.168.1.1
DNS#2: leave blank

Now the final step. You can immediately start stubby to see if it is working by using the following command:
Code:
/opt/etc/init.d/S61stubby start

If you want to restart:
Code:
/opt/etc/init.d/S61stubby restart

Or stop:
Code:
/opt/etc/init.d/S61stubby stop

Next, try surfing the net and go to https://1.1.1.1/help to see if TLS is working.

Last final test: restart the router to see if everything goes well.

These are not my steps. I am just summarising what @Xentrk did over the past weeks. For those who are impatient to try it out.
 
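As an added example (not from the thread or from the Stubby/Merlin projects), a small POSIX sh helper that checks the pieces these steps wire together agree with each other: the port in stubby's listen_addresses entry, the port in dnsmasq's server= line, and the DoT line of the https://1.1.1.1/help debug output that gets pasted into this thread. The function names and the netstat/pidof live check are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: sanity checks for the chain
#   LAN client -> dnsmasq :53 -> stubby 127.0.0.1:5453 -> upstream :853 (TLS)
# Config text is read on stdin so the functions can be exercised with
# constructed input; all names here are this example's own.

# Print the port of the first listen_addresses entry (IP@PORT) in stubby.yml.
# An entry without @PORT uses stubby's default port, 53.
stubby_listen_port() {
    awk '/^listen_addresses:/ { inlist = 1; next }
         inlist && /^[ \t]*-/ {
             n = split($0, a, "@")
             if (n == 2) { sub(/[ \t]+$/, "", a[2]); print a[2] } else print 53
             exit
         }
         inlist { exit }'
}

# Print the port dnsmasq forwards to (server=127.0.0.1#PORT) in dnsmasq.conf.add.
dnsmasq_upstream_port() {
    sed -n 's/^server=127\.0\.0\.1#\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Succeed only when both sides name the same, non-empty port.
ports_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Print Yes/No from the "Using DNS over TLS (DoT)" line of pasted
# https://1.1.1.1/help debug output; prints nothing if the line is absent.
dot_status() {
    awk '/^Using DNS over TLS \(DoT\)/ { print $NF; exit }'
}

# Live check, meaningful only on the router: a loopback listener on the
# stubby port and a running stubby process (netstat and pidof assumed present).
live_check() {
    port=$1
    netstat -ln 2>/dev/null | grep -q "127\.0\.0\.1:$port " \
        || { echo "no listener on 127.0.0.1:$port"; return 1; }
    pidof stubby >/dev/null 2>&1 || { echo "stubby not running"; return 1; }
    echo "stubby listening on 127.0.0.1:$port"
}

# On the router, with the paths used in the steps above:
#   sp=$(stubby_listen_port < /opt/etc/stubby/stubby.yml)
#   dp=$(dnsmasq_upstream_port < /jffs/configs/dnsmasq.conf.add)
#   ports_match "$sp" "$dp" && live_check "$sp"
```

If the ports disagree, dnsmasq is forwarding to a port nothing listens on, which is the "stubby stopped, no surfing" symptom described later in the thread.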

bbunge

Part of the Furniture
With "dnssec_return_status: GETDNS_EXTENSION_TRUE" in stubby.yml, Enable DNSSEC support (Merlin 384.7_B2, LAN, DHCP Server) should be set to "No"?
What about "Enable DNS Rebind protection" in Merlin?
 

DonnyJohnny

Very Senior Member
With "dnssec_return_status: GETDNS_EXTENSION_TRUE" in stubby.yml, Enable DNSSEC support (Merlin 384.7_B2, LAN, DHCP Server) should be set to "No"?
What about "Enable DNS Rebind protection" in Merlin?
That dnssec_return_status is the same thing as the Merlin LAN DNSSEC setting. Do not enable it for Quad9 or Cloudflare. Also, don't use the stubby DNSSEC setting, as stubby has a problem with generating logs, so you would know what is going on. If you really need to do DNSSEC verification, then activate it via the Merlin web GUI.

Enable DNS rebind protection has got nothing to do with DNSSEC. It is to prevent DNS rebinding attacks by filtering private IP addresses out of DNS responses. See here
 

owine

Regular Contributor
OK, these are my steps.
First you need to have Entware installed; then run the commands below.
Code:
opkg update
opkg install stubby
opkg install ca-certificates

Create a file S61stubby in /opt/etc/init.d/

Code:
nano /opt/etc/init.d/S61stubby
Copy the following inside and save.
Code:
#!/bin/sh

ENABLED=yes
PROCS=stubby
ARGS="-g -v 5 -C /opt/etc/stubby/stubby.yml 2>/opt/var/log/stubby.log"
PREARGS="nohup"
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/etc/init.d/rc.func

After you save the above file, you need to make it executable.
Code:
chmod +755 /opt/etc/init.d/S61stubby

You probably already have ca-certificates installed. Look in /opt/etc/ssl

Code:
nano /opt/etc/stubby/stubby.yml

Copy this inside.
Code:
#NOTE: See '/etc/stubby/stubby.yml.default' for original config file and descriptions
resolution_type: GETDNS_RESOLUTION_STUB
dnssec_return_status: GETDNS_EXTENSION_TRUE
appdata_dir: "/opt/var/cache/stubby"
tls_ca_file: "/opt/etc/ssl/certs/ca-certificates.crt"
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 256
edns_client_subnet_private : 1
round_robin_upstreams: 1
idle_timeout: 10000
tls_backoff_time: 900
listen_addresses:
  - 127.0.0.1@5453
upstream_recursive_servers:
# IPv4 addresses
# # Cloudflare servers
  - address_data: 1.1.1.1
    tls_port: 853
    tls_auth_name: "cloudflare-dns.com"
             
# # Cloudflare servers
  - address_data: 1.0.0.1
    tls_port: 853        
    tls_auth_name: "cloudflare-dns.com"

nano /jffs/configs/dnsmasq.conf.add (also, disable DNSSEC in webgui)

Code:
no-resolv
server=127.0.0.1#5453

Lastly, go to the web GUI, under WAN, Internet Connection, WAN DNS Setting.
Set DNS to Manual.
DNS#1: your router IP, e.g. 192.168.1.1
DNS#2: leave blank

Now the final step. You can immediately start stubby to see if it is working by using the following command:
Code:
/opt/etc/init.d/S61stubby start

If you want to restart:
Code:
/opt/etc/init.d/S61stubby restart

Or stop:
Code:
/opt/etc/init.d/S61stubby stop

Next, try surfing the net and go to https://1.1.1.1/help to see if TLS is working.

Last final test: restart the router to see if everything goes well.

These are not my steps. I am just summarising what @Xentrk did over the past weeks. For those who are impatient to try it out.
Great summary. One minor thing: no + is needed in your chmod command.

Anyone experimented with putting stubby in jffs so as to not rely on Entware/external drive mounting?

How does stubby handle a fresh boot with no time set? Does it need a successful NTP sync?
 

blueshark

Regular Contributor
For some strange reason I never get it to work. I reinstalled the last Merlin (beta) and did a full reset; I don't restore the backup, very clean!

I have IPTV configured, probably the problem! I don't know..

Edit: obviously I installed Entware on a new USB drive (ext2).
 

skeal

Part of the Furniture
OK, these are my steps.
First you need to have Entware installed; then run the commands below.
Code:
opkg update
opkg install stubby
opkg install ca-certificates

Create a file S61stubby in /opt/etc/init.d/

Code:
nano /opt/etc/init.d/S61stubby
Copy the following inside and save.
Code:
#!/bin/sh

ENABLED=yes
PROCS=stubby
ARGS="-g -v 5 -C /opt/etc/stubby/stubby.yml 2>/opt/var/log/stubby.log"
PREARGS="nohup"
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/etc/init.d/rc.func

After you save the above file, you need to make it executable.
Code:
chmod 755 /opt/etc/init.d/S61stubby

You probably already have ca-certificates installed. Look in /opt/etc/ssl

Code:
nano /opt/etc/stubby/stubby.yml

Copy this inside.
Code:
#NOTE: See '/etc/stubby/stubby.yml.default' for original config file and descriptions
resolution_type: GETDNS_RESOLUTION_STUB
dnssec_return_status: GETDNS_EXTENSION_TRUE
appdata_dir: "/opt/var/cache/stubby"
tls_ca_file: "/opt/etc/ssl/certs/ca-certificates.crt"
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 256
edns_client_subnet_private : 1
round_robin_upstreams: 1
idle_timeout: 10000
tls_backoff_time: 900
listen_addresses:
  - 127.0.0.1@5453
upstream_recursive_servers:
# IPv4 addresses
# # Cloudflare servers
  - address_data: 1.1.1.1
    tls_port: 853
    tls_auth_name: "cloudflare-dns.com"
             
# # Cloudflare servers
  - address_data: 1.0.0.1
    tls_port: 853        
    tls_auth_name: "cloudflare-dns.com"

nano /jffs/configs/dnsmasq.conf.add (also, disable DNSSEC in webgui)

Code:
no-resolv
server=127.0.0.1#5453

Lastly, go to the web GUI, under WAN, Internet Connection, WAN DNS Setting.
Set DNS to Manual.
DNS#1: your router IP, e.g. 192.168.1.1
DNS#2: leave blank

Now the final step. You can immediately start stubby to see if it is working by using the following command:
Code:
/opt/etc/init.d/S61stubby start

If you want to restart:
Code:
/opt/etc/init.d/S61stubby restart

Or stop:
Code:
/opt/etc/init.d/S61stubby stop

Next, try surfing the net and go to https://1.1.1.1/help to see if TLS is working.

Last final test: restart the router to see if everything goes well.

These are not my steps. I am just summarising what @Xentrk did over the past weeks. For those who are impatient to try it out.
I tried these steps but I get this for a test:
Code:
Connection Information
Please include this URL when you create a post in the community forum.

https://1.1.1.1/help#eyJpc0NmIjoiTm8iLCJpc0RvdCI6Ik5vIiwiaXNEb2giOiJObyIsInJlc29sdmVySXAtMS4xLjEuMSI6IlllcyIsInJlc29sdmVySXAtMS4wLjAuMSI6IlllcyIsInJlc29sdmVySXAtMjYwNjo0NzAwOjQ3MDA6OjExMTEiOiJObyIsInJlc29sdmVySXAtMjYwNjo0NzAwOjQ3MDA6OjEwMDEiOiJObyIsImRhdGFjZW50ZXJMb2NhdGlvbiI6IllWUiIsImlzcE5hbWUiOiJDbG91ZGZsYXJlIiwiaXNwQXNuIjoiMTMzMzUifQ==
Debug Information
Connected to 1.1.1.1    No
Using DNS over HTTPS (DoH)    No
Using DNS over TLS (DoT)    No
AS Name    Cloudflare
AS Number    13335
Cloudflare Data Center    YVR
Connectivity to Resolver IP Addresses
1.1.1.1    Yes
1.0.0.1    Yes
2606:4700:4700::1111    No
2606:4700:4700::1001    No
 

DonnyJohnny

Very Senior Member
I tried these steps but I get this for a test:
Code:
Connection Information
Please include this URL when you create a post in the community forum.

https://1.1.1.1/help#eyJpc0NmIjoiTm8iLCJpc0RvdCI6Ik5vIiwiaXNEb2giOiJObyIsInJlc29sdmVySXAtMS4xLjEuMSI6IlllcyIsInJlc29sdmVySXAtMS4wLjAuMSI6IlllcyIsInJlc29sdmVySXAtMjYwNjo0NzAwOjQ3MDA6OjExMTEiOiJObyIsInJlc29sdmVySXAtMjYwNjo0NzAwOjQ3MDA6OjEwMDEiOiJObyIsImRhdGFjZW50ZXJMb2NhdGlvbiI6IllWUiIsImlzcE5hbWUiOiJDbG91ZGZsYXJlIiwiaXNwQXNuIjoiMTMzMzUifQ==
Debug Information
Connected to 1.1.1.1    No
Using DNS over HTTPS (DoH)    No
Using DNS over TLS (DoT)    No
AS Name    Cloudflare
AS Number    13335
Cloudflare Data Center    YVR
Connectivity to Resolver IP Addresses
1.1.1.1    Yes
1.0.0.1    Yes
2606:4700:4700::1111    No
2606:4700:4700::1001    No
Ensure you disable DNSSEC verification in the web GUI under LAN, DHCP Server.


Assuming your web GUI WAN DNS is already set to the router IP, it means the stubby proxy is working; it is just that DNSSEC verification is enabled, causing it to be unable to function properly.

Testing: try stopping stubby to see if you can surf the net. If you can't surf, that means everything is good.
 

skeal

Part of the Furniture
It would seem DoT is not working.
Ensure you disable DNSSEC verification in the web GUI under LAN, DHCP Server.


Assuming your web GUI WAN DNS is already set to the router IP, it means the stubby proxy is working; it is just that DNSSEC verification is enabled, causing it to be unable to function properly.

Testing: try stopping stubby to see if you can surf the net. If you can't surf, that means everything is good.
Do we overwrite what is in stubby.yml or append to what's there?
 

skeal

Part of the Furniture
Ensure you disable DNSSEC verification in the web GUI under LAN, DHCP Server.


Assuming your web GUI WAN DNS is already set to the router IP, it means the stubby proxy is working; it is just that DNSSEC verification is enabled, causing it to be unable to function properly.

Testing: try stopping stubby to see if you can surf the net. If you can't surf, that means everything is good.
How do you reinstall stubby?
 

skeal

Part of the Furniture
Anybody.... do we append to the .yml or replace the text in it?
 
