
So after installing Stubby on my AC86U and the patch by @Odkrys, I decided to try the commands from https://github.com/Xentrk/Stubby-Installer-Asuswrt-Merlin to see if my install went OK. I have a feeling that certificate info is missing from this configuration. Two commands that I tried, for which I am not getting the same results, are shown below:

Code:
@RT-AC86U-99A8:/tmp/home/root# echo | openssl s_client -verify on -CApath /rom/etc/ssl/certs -connect 1.1.1.1:853
verify depth is 0
CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
verify error:num=20:unable to get local issuer certificate
4146480336:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:s3_clnt.c:126
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 2074 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: CF552B1FB807282FACB210771979BB6C270C86E6D445E4499FBB044DA881FB3D
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1544965779
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

and the other one:

Code:
@RT-AC86U-99A8:/tmp/home/root# getdns_query -s @127.0.0.1 github.com
Killed

Then when I access Cloudflare's Help Page, I get the info below. The interesting part is that at one point, I had connection to 1.1.1.1 as YES, DOT = NO and DOH (Yes??).

I am also using a VPN and adjusted the Accept DNS Config to Disabled per Stubby install recommendations on the site.

Obviously, something is missing from my configuration or I am not doing something right? Any ideas?
 

Attachments

  • Screen Shot 2018-12-16 at 7.19.48 AM.png (71.8 KB)
Including all the validation commands from Github:

Code:
@RT-AC86U-99A8:/tmp/home/root# ps | grep stubby | grep -v grep
 9326 xxxx  5536 S    stubby -C /opt/etc/stubby/stubby.yml

Code:
@RT-AC86U-99A8:/tmp/home/root# /opt/etc/init.d/S61stubby check
 Checking stubby...              alive.

Code:
@RT-AC86U-99A8:/tmp/home/root# netstat -lnptu | grep stubby
tcp        0      0 127.0.0.1:5453          0.0.0.0:*               LISTEN      9326/stubby
udp        0      0 127.0.0.1:5453          0.0.0.0:*                           9326/stubby

Code:
@RT-AC86U-99A8:/tmp/home/root# netstat -lnpt | grep -P '^Active|^Proto|/stubby'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   
tcp        0      0 127.0.0.1:5453          0.0.0.0:*               LISTEN      9326/stubby

Code:
@RT-AC86U-99A8:/tmp/home/root# nslookup github.com
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      github.com
Address 1: 192.30.253.112 lb-192-30-253-112-iad.github.com
Address 2: 192.30.253.113 lb-192-30-253-113-iad.github.com

Code:
@RT-AC86U-99A8:/tmp/home/root# getdns_query -s @127.0.0.1 github.com
Killed

Code:
@RT-AC86U-99A8:/tmp/home/root# stubby -l
[13:40:31.326581] STUBBY: Read config from file /opt/etc/stubby/stubby.yml
[13:40:31.327548] STUBBY: DNSSEC Validation is OFF
[13:40:31.327684] STUBBY: Transport list is:
[13:40:31.327800] STUBBY:   - TLS
[13:40:31.327916] STUBBY: Privacy Usage Profile is Strict (Authentication required)
[13:40:31.328039] STUBBY: (NOTE a Strict Profile only applies when TLS is the ONLY transport!!)
[13:40:31.328118] STUBBY: Starting DAEMON....

Code:
@RT-AC86U-99A8:/tmp/home/root# echo | openssl s_client -verify on -CApath /rom/etc/ssl/certs -connect 1.1.1.1:853
verify depth is 0
CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
verify error:num=20:unable to get local issuer certificate
4151383248:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:s3_clnt.c:126
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 2074 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 4E23B1390BBDEC8E66FF413892BA811B177D0C158588FD4EF4F201D5A137F304
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1544967704
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

and it does not look like Quad 9 is blocking this one:

Code:
@RT-AC86U-99A8:/tmp/home/root# nslookup isitblocked.org
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      isitblocked.org
Address 1: 74.208.236.124 74-208-236-124.elastic-ssl.ui-r.com
Address 2: 2607:f1c0:100f:f000::2d1 2607-f1c0-100f-f000-0000-0000-0000-02d1.elastic-ssl.ui-r.com
 
I don’t think you really are running the patched version since you’re still getting the Killed error.
 
I don’t think you really are running the patched version since you’re still getting the Killed error.

That is what I am thinking....The only step from that patch that I am still having a hard time with is:

Code:
opkg install /path/getdns_1.4.2-1a_aarch64-3.10.ipk

Isn't this installed from Stubby's original script?

If not where can I download this from so I can specify the path?
 
That is what I am thinking....The only step from that patch that I am still having a hard time with is:

Code:
opkg install /path/getdns_1.4.2-1a_aarch64-3.10.ipk

Isn't this installed from Stubby's original script?

If not where can I download this from so I can specify the path?
Try
Code:
/usr/sbin/curl -L -s --retry 3 "https://github.com/jackyaz/Stubby-Installer-Asuswrt-Merlin/raw/master/getdns_1.4.2-1a_aarch64-3.10.ipk" -o /var/tmp/patchedgetdns.ipk
# exit only on failure: with "printf ... || exit 1" the exit would never be reached, because printf itself succeeds
opkg install /var/tmp/patchedgetdns.ipk && printf "getdns successfully patched\n" || { printf "An error occurred patching getdns\n"; exit 1; }
rm /var/tmp/patchedgetdns.ipk
 
I think this did it @Jack Yaz! I will try the other steps from @Odkrys patch and see how it goes. If you have any other commands from your patch that you can share, that would be appreciated!! Thank you!!

Code:
@RT-AC86U-99A8:/tmp/home/root# /usr/sbin/curl -L -s --retry 3 "https://github.com/jackyaz/Stubby-Installer-Asuswrt-Merlin/raw/master/getdns_1.4.2-1a_aarch64-3.10.ipk" -o /var/tmp/patchedgetdns.ipk
xxxxxx@RT-AC86U-99A8:/tmp/home/root# opkg install /var/tmp/patchedgetdns.ipk && printf "getdns successfully patched\n" || printf "An error occurred patching getdns\n" || exit 1
Upgrading getdns on root from 1.4.2-1 to 1.4.2-1a...
Configuring getdns.
getdns successfully patched
xxxxxx@RT-AC86U-99A8:/tmp/home/root# rm /var/tmp/patchedgetdns.ipk
 
@Jack Yaz, @Odkrys (and others) can you please clarify the following below from: https://www.snbforums.com/threads/dot-on-86u.50122/#post-449794?

When I use:
nano /opt/etc/init.d/S61stubby

Do I wipe out everything that initially comes up on the text editor screen (from the original script) and use the info below?

Code:
#!/bin/sh

ENABLED=yes
PROCS=stubby
ARGS="-C /opt/etc/stubby/stubby.yml"
PREARGS="nohup"
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/etc/init.d/rc.func

and after I use:

nano /opt/etc/stubby/stubby.yml

I wipe out everything from there and literally paste in the following:

Code:
#NOTE: See '/etc/stubby/stubby.yml.default' for original config file and descriptions

resolution_type: GETDNS_RESOLUTION_STUB

dns_transport_list:
  - GETDNS_TRANSPORT_TLS

tls_authentication: GETDNS_AUTHENTICATION_REQUIRED

tls_query_padding_blocksize: 128

edns_client_subnet_private : 0

round_robin_upstreams: 1

idle_timeout: 10000

listen_addresses:
  - 127.0.0.1@5453
#  -  0::1@5453

upstream_recursive_servers:
# IPv6 addresses
# # Cloudflare IPv6
#  - address_data: 2606:4700:4700::1111
#    tls_auth_name: "cloudflare-dns.com"

# # Quad 9 IPv6
#  - address_data: 2620:fe::10
#    tls_auth_name: "dns.quad9.net"

# IPv4 addresses
# # Cloudflare servers
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"

# Quad 9 service
#  - address_data: 9.9.9.10
#    tls_auth_name: "dns.quad9.net"

And finally, on Stubby's info on Github (https://github.com/Xentrk/Stubby-Installer-Asuswrt-Merlin), it says this installation will, among other things:
  • Set WAN DNS1 to the Router's IP Address and set the WAN DNS2 entry to null.
I did notice this, however, I am also told to leave WAN DNS settings blank. What is the verdict with this piece?

Thank you all!
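A strict profile (tls_authentication set to GETDNS_AUTHENTICATION_REQUIRED) only protects the queries when every active upstream carries a tls_auth_name to authenticate against and TLS is the only transport, which is exactly what Stubby's own startup log earlier in the thread warns about. The Python below is an added example, not code from this thread or from the Stubby installer: it parses the stubby.yml as posted (with a small hand-written parser for just the YAML subset that file uses, so it needs no third-party module) and flags settings that would quietly weaken the profile. POSTED_CONFIG is copied from the post above; WEAK_CONFIG is a constructed variant with a UDP fallback transport and an upstream lacking tls_auth_name. The expected listen address 127.0.0.1@5453 is the one shown by netstat earlier in the thread.

```python
# Stubby configuration as posted in the thread (copied verbatim so the checker can be
# run against it). Commented-out IPv6 and Quad9 upstreams stay commented out.
POSTED_CONFIG = """\
resolution_type: GETDNS_RESOLUTION_STUB

dns_transport_list:
  - GETDNS_TRANSPORT_TLS

tls_authentication: GETDNS_AUTHENTICATION_REQUIRED

tls_query_padding_blocksize: 128

edns_client_subnet_private : 0

round_robin_upstreams: 1

idle_timeout: 10000

listen_addresses:
  - 127.0.0.1@5453
#  -  0::1@5453

upstream_recursive_servers:
# IPv4 addresses
# # Cloudflare servers
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"

# Quad 9 service
#  - address_data: 9.9.9.10
#    tls_auth_name: "dns.quad9.net"
"""

# Constructed weakened variant (not from the thread): UDP added as a fallback transport
# and one upstream without a tls_auth_name. Both undermine the strict profile.
WEAK_CONFIG = """\
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
  - GETDNS_TRANSPORT_UDP
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
listen_addresses:
  - 127.0.0.1@5453
upstream_recursive_servers:
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 9.9.9.10
"""

STRICT = "GETDNS_AUTHENTICATION_REQUIRED"


def _scalar(text):
    """Unquote a YAML scalar and turn plain integers into int."""
    text = text.strip().strip('"')
    return int(text) if text.isdigit() else text


def parse_stubby_yml(text):
    """Parse the YAML subset stubby.yml uses: top-level scalars, flat lists and
    lists of mappings. '#' starts a comment (no quoted value here contains '#')."""
    config, key, item = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        body = line.strip()
        if body.startswith("-"):                     # list entry under `key`
            entry = body[1:].strip()
            if ":" in entry:                         # first field of a mapping entry
                k, _, v = entry.partition(":")
                item = {k.strip(): _scalar(v)}
                config[key].append(item)
            else:                                    # plain scalar entry
                config[key].append(_scalar(entry))
                item = None
        elif line[0] == " ":                         # further field of the current mapping
            k, _, v = body.partition(":")
            item[k.strip()] = _scalar(v)
        else:                                        # top-level key
            k, _, v = body.partition(":")
            key, item = k.strip(), None
            config[key] = _scalar(v) if v.strip() else []
    return config


def lint_strict_profile(config, expected_listen="127.0.0.1@5453"):
    """Return a list of findings; an empty list means the settings a strict
    DNS-over-TLS profile depends on are all present."""
    findings = []
    auth = config.get("tls_authentication")
    transports = config.get("dns_transport_list", [])
    if auth != STRICT:
        findings.append(f"tls_authentication is {auth!r}; strict profile needs {STRICT}")
    if transports != ["GETDNS_TRANSPORT_TLS"]:
        # Stubby's startup log: a Strict Profile only applies when TLS is the ONLY transport.
        findings.append(f"transport list {transports} is not TLS-only; cleartext fallback is possible")
    upstreams = config.get("upstream_recursive_servers", [])
    if not upstreams:
        findings.append("no active upstream_recursive_servers")
    for up in upstreams:
        if not up.get("tls_auth_name"):
            findings.append(f"upstream {up.get('address_data')} has no tls_auth_name; "
                            "its certificate cannot be authenticated")
    if expected_listen not in config.get("listen_addresses", []):
        findings.append(f"listen_addresses does not include {expected_listen}")
    return findings


if __name__ == "__main__":
    print("posted config:", lint_strict_profile(parse_stubby_yml(POSTED_CONFIG)) or "no findings")
    print("weak config:  ", lint_strict_profile(parse_stubby_yml(WEAK_CONFIG)))
```

Run against the posted file the checker reports nothing; against the weakened variant it reports the UDP transport and the upstream with no authentication name, which is the difference between a resolver that fails closed and one that silently falls back to plaintext or to an unauthenticated TLS peer.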
 
And finally, on Stubby's info on Github (https://github.com/Xentrk/Stubby-Installer-Asuswrt-Merlin), it says this installation will, among other things:
  • Set WAN DNS1 to the Router's IP Address and set the WAN DNS2 entry to null.
I did notice this, however, I am also told to leave WAN DNS settings blank. What is the verdict with this piece?

Thank you all!
Yes, this is the desired outcome. You want the WAN DNS server 1 to be your router's IP. DNS server 2 should remain blank.
 
So I was able to install Stubby in my AC86U using the original @Xentrk script, patches from @Odkrys and @Jack Yaz (thank you guys!). From Cloudflare's Help Page I see that I have a DOT connection, however, the ESNI Checker website shows that I am not using any TLS certificate and SNI is not encrypted. Am I missing something here? It has been quite the challenge to keep my internet from crashing upon installation of the original script (which causes my DNS 1 to be my router's IP).
 

Attachments

  • Screen Shot 2018-12-17 at 8.38.00 PM.png (63.3 KB)
  • Screen Shot 2018-12-17 at 8.30.15 PM.png (71.1 KB)
But then I look at this and I think the culprit is here:

Code:
@RT-AC86U-99A8:/tmp/home/root# echo | openssl s_client -verify on -CApath /rom/etc/ssl/certs -connect 1.1.1.1:853
verify depth is 0
CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
verify error:num=20:unable to get local issuer certificate
4147033296:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:s3_clnt.c:1269:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 2074 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 6FBA9F3D5C208BA9DBC7E6A3BB9BA883CC5D8FC0AF8B2BE7BBBE2EEF7858BE41
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1545101249
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

How do I install the TLS certificate?
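The transcript above (and the identical ones earlier in the thread) ends with "Verify return code: 0 (ok)", which is easy to read as success. It is not: the "verify error:num=20" line at depth=1 says the issuer of the DigiCert intermediate (the root) was not found in the supplied -CApath, the handshake was aborted ("certificate verify failed"), no peer certificate was kept and no cipher was negotiated ("New, (NONE), Cipher is (NONE)"); the trailing return code describes an empty session. The Python below is an added example, not code from this thread or from the Stubby installer: it parses an s_client transcript and reports the authoritative verification result rather than the trailing code. FAILED_RUN is an abridgement of the output posted above; VERIFIED_RUN is a constructed transcript with placeholder certificate names showing what a verified chain looks like.

```python
import re

# Abridgement of the s_client output posted in the thread: only the lines the
# analyser looks at are kept, with the values visible on the page.
FAILED_RUN = """\
verify depth is 0
CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
verify error:num=20:unable to get local issuer certificate
4146480336:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:s3_clnt.c:126
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Verify return code: 0 (ok)
"""

# Constructed example of a verified connection; subjects and cipher are
# placeholders, not a real capture.
VERIFIED_RUN = """\
CONNECTED(00000003)
depth=2 C = US, O = Example Root CA
verify return:1
depth=1 C = US, O = Example Intermediate CA
verify return:1
depth=0 CN = example-resolver.invalid
verify return:1
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES128-GCM-SHA256
    Verify return code: 0 (ok)
"""

DEPTH_RE = re.compile(r"^depth=(\d+) (.*)$")
VERIFY_ERROR_RE = re.compile(r"^verify error:num=(\d+):(.*)$")
RETURN_CODE_RE = re.compile(r"^\s*Verify return code: (\d+) \((.*)\)$")


def analyse_s_client(output):
    """Decide whether an `openssl s_client -verify` transcript shows a chain that
    actually verified, instead of trusting the trailing 'Verify return code'."""
    report = {
        "handshake_completed": False,
        "peer_certificate_seen": True,
        "verify_errors": [],          # tuples: (errno, message, depth, subject)
        "trailing_return_code": None,
        "chain_verified": False,
    }
    last_depth = (None, None)
    for line in output.splitlines():
        m = DEPTH_RE.match(line)
        if m:                         # remember which chain element is being checked
            last_depth = (int(m.group(1)), m.group(2))
            continue
        m = VERIFY_ERROR_RE.match(line)
        if m:                         # the authoritative failure, tied to its depth
            report["verify_errors"].append((int(m.group(1)), m.group(2).strip()) + last_depth)
            continue
        if line == "no peer certificate available":
            report["peer_certificate_seen"] = False
            continue
        if line.startswith("New, "):
            # "New, (NONE), Cipher is (NONE)" means no cipher suite was negotiated.
            report["handshake_completed"] = "(NONE)" not in line
            continue
        m = RETURN_CODE_RE.match(line)
        if m:
            report["trailing_return_code"] = int(m.group(1))
    report["chain_verified"] = (
        report["handshake_completed"]
        and report["peer_certificate_seen"]
        and not report["verify_errors"]
        and report["trailing_return_code"] == 0
    )
    return report


if __name__ == "__main__":
    for name, run in (("posted transcript", FAILED_RUN), ("verified transcript", VERIFIED_RUN)):
        r = analyse_s_client(run)
        print(f"{name}: chain_verified={r['chain_verified']} errors={r['verify_errors']}")
```

On the posted transcript the analyser reports chain_verified False with error 20 at depth 1 while still recording the misleading trailing return code of 0. One practical check before hunting for a missing certificate: -CApath only finds certificates stored under their c_rehash hash names, so pointing -CAfile at a single PEM bundle containing the same roots tells you whether the root is genuinely absent or merely not indexed.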
 
But then I look at this and I think the culprit is here:

Code:
@RT-AC86U-99A8:/tmp/home/root# echo | openssl s_client -verify on -CApath /rom/etc/ssl/certs -connect 1.1.1.1:853
verify depth is 0
CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
verify error:num=20:unable to get local issuer certificate
4147033296:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:s3_clnt.c:1269:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 2074 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 6FBA9F3D5C208BA9DBC7E6A3BB9BA883CC5D8FC0AF8B2BE7BBBE2EEF7858BE41
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1545101249
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

How do I install the TLS certificate?
Did you enable DNSSEC in Stubby? If so try the DNSSEC in Merlin.

Sent from my SM-T380 using Tapatalk
 
Yes it is enabled in Stubby and this automatically turns off DNSSEC in firmware.
 

Attachments

  • Screen Shot 2018-12-17 at 8.58.23 PM.png (197.6 KB)
  • Screen Shot 2018-12-17 at 8.58.38 PM.png (280.4 KB)
Did you enable DNSSEC in Stubby? If so try the DNSSEC in Merlin.

Sent from my SM-T380 using Tapatalk

You are saying to try turning it on in Merlin's instead?
 
...if I turn on DNSSEC in Merlin then I get this....:(
 

Attachments

  • Screen Shot 2018-12-17 at 9.03.04 PM.png (70 KB)
So I was able to install Stubby in my AC86U using the original @Xentrk script, patches from @Odkrys and @Jack Yaz (thank you guys!). From Cloudflare's Help Page I see that I have a DOT connection, however, the ESNI Checker website shows that I am not using any TLS certificate and SNI is not encrypted. Am I missing something here? It has been quite the challenge to keep my internet from crashing upon installation of the original script (which causes my DNS 1 to be my router's IP).
The TLS 1.3 and SNI settings are made in the browser. I set this up myself on the Firefox nightly edition two months ago. I believe it has since rolled out to the production Firefox. A Google search will give you the most recent information.
 
...if I turn on DNSSEC in Merlin then I get this....:(
If you read through the thread you can see a lot of discussion on DNSSEC with Stubby. The test team and I spent many hours experimenting with it. I don't want to spend any more time on it until the next version of Stubby comes out. The OpenWRT forums also have discussion on the topic, as well as the Stubby GitHub site. I'm sure we can get the DNSSEC issues resolved once Stubby matures. One of the issues is that the Cloudflare test page does not work when DNSSEC is enabled. I wanted people to have confirmation that DNS over TLS was working using the CF test page. For now, I recommend saving yourself some grief and using the configuration of the Stubby installer.

During the development of the Stubby installer, I installed a DNSSEC detection plug-in on Firefox. I recommend installing it. I was surprised to find out that many of the sites I reference are not configured to use DNSSEC.
 
The TLS 1.3 and SNI settings are made in the browser. I set this up myself on the Firefox nightly edition two months ago. I believe it has since rolled out to the production Firefox. A Google search will give you the most recent information.
Thank you @Xentrk! Was able to set up TLS 1.3 in Chrome and Safari but have yet to figure out a way to encrypt SNI. I use both Chrome and Safari.
 
