Stubby-Installer-Asuswrt-Merlin

[bmn1]

Esni only works with using the built in doh of Firefox. If the rest of the test is good like dnssec/doh/dot then it is good when using the cloudflare test page.

Indeed, SNI seems to be browser related, and currently only for the Nightlies of Firefox.

Regarding DoH/DoT, having DNSCrypt turned on seems to mess with the DoT settings, or atleast it seems so regarding 1.1.1.1/help.
If DNSCrypt is uninstalled DoT works, but then of course DoH is not.

Is there a way to test if DoT is actually working, I saw someone said that 1.1.1.1/help 's test is not necessarily returning proper results in this case.

 

[Marin]

Indeed, SNI seems to be browser related, and currently only for the Nightlies of Firefox.

Regarding DoH/DoT, having DNSCrypt turned on seems to mess with the DoT settings, or atleast it seems so regarding 1.1.1.1/help.
If DNSCrypt is uninstalled DoT works, but then of course DoH is not.

Is there a way to test if DoT is actually working, I saw someone said that 1.1.1.1/help 's test is not necessarily returning proper results in this case.

Go to Stubby’s installation website https://github.com/Xentrk/Stubby-Installer-Asuswrt-Merlin and look under “Validating that Stubby is working....” section and enter each command on your router (you must SSH for this).

Compare your output with those displayed there.




Sent from my iPhone using Tapatalk

 

[bmn1]

Go to Stubby’s installation website https://github.com/Xentrk/Stubby-Installer-Asuswrt-Merlin and look under “Validating that Stubby is working....” section and enter each command on your router (you must SSH for this).

Compare your output with those displayed there.

That all seems to be fine. Stubby, DNSSec and DoT seem to be working all fine.
The 1.1.1.1/help matches expected results for Stubby.

I'm sorry if I should move over my concerns for DoH over to the DNSCrypt topic.

But I cannot, at this time, visit: https://dns-over-https.com/
( https://downforeveryoneorjustme.com/https://dns-over-https.com/ )

Is that supposed to be the side effect of Stubby?

Edit:
It seems Skynet was blocking DNS-Over-HTTPS.com for me!
Still, no DoH, still gonna have to figure that one out.

 

[skeal]

That all seems to be fine. Stubby, DNSSec and DoT seem to be working all fine.
The 1.1.1.1/help matches expected results for Stubby.

I'm sorry if I should move over my concerns for DoH over to the DNSCrypt topic.

But I cannot, at this time, visit: https://dns-over-https.com/
( https://downforeveryoneorjustme.com/https://dns-over-https.com/ )

Is that supposed to be the side effect of Stubby?

I will repeat again what you were told before. Do not run or have installed both dnscrypt and stubby. Make a decision and stay with it. You cannot run both at this time. Also you could avoid some confusion by posting only once and in the right thread.

 

[bmn1]

Alright, clear.

I'll stick with just Stubby, thank all for your input and help!

 

[Martin_D]

I have been trying to get Stubby to work on my AX88U but just cant

Steps taken

Removed DNSCrypt

Set server=/pool.ntp.org/1.1.1.1 & server=/ntp.alsysdata.net/1.1.1.1 to /jffs/configs/dnsmasq.conf.add

https://i.imgur.com/0QvvWmQ.png

install_stubby.sh

Set Wan: Use DNS probes to determine if WAN is up (To No)

https://i.imgur.com/SOHpFb0.png

DNS Set up

https://i.imgur.com/goXo3vF.png

 

[Jack Yaz]

I have been trying to get Stubby to work on my AX88U but just cant

Steps taken

Removed DNSCrypt

Set server=/pool.ntp.org/1.1.1.1 & server=/ntp.alsysdata.net/1.1.1.1 to /jffs/configs/dnsmasq.conf.add

https://i.imgur.com/0QvvWmQ.png

install_stubby.sh

Set Wan: Use DNS probes to determine if WAN is up (To No)

https://i.imgur.com/SOHpFb0.png

DNS Set up

https://i.imgur.com/goXo3vF.png

What do you get if you run

getdns_query -s @127.0.0.1 github.com

 

[Martin_D]

What do you get if you run

getdns_query -s @127.0.0.1 github.com

Thank you for the quick response will post results shortly.

 

[bmn1]

I just factory reset my RT-AC5300.

Installing Stubby again and after a reboot, doing "getdns_query -s @127.0.0.1 github.com" results in: ""status": GETDNS_RESPSTATUS_NO_NAME".
As soon as I change WAN > DNS from 192.168.1.1 to 1.1.1.1 (and 1.0.01 on DNS2), then the internet works again.
But of course, the 1.1.1.1/help says I don't have DoT, which is kinda the point of it.

Any idea what I've done wrong here?

Skynet and Diversion are the only other things that are installed, and working on Merlin 384.8_2.

 

[bbunge]

I just factory reset my RT-AC5300.

Installing Stubby again and after a reboot, doing "getdns_query -s @127.0.0.1 github.com" results in: ""status": GETDNS_RESPSTATUS_NO_NAME".
As soon as I change WAN > DNS from 192.168.1.1 to 1.1.1.1 (and 1.0.01 on DNS2), then the internet works again.
But of course, the 1.1.1.1/help says I don't have DoT, which is kinda the point of it.

Any idea what I've done wrong here?

Skynet and Diversion are the only other things that are installed, and working on Merlin 384.8_2.

Did you check to see that your router set its time after reboot? There is a fix you can do to the dnsmasq.conf.add file.

Sent from my SM-T380 using Tapatalk

 

[Marin]

Yes this going to happen and you should try your installation again. In order for Stubby to work your router’s IP must be on DNS 1 but you must let Stubby do that during installation. Leave DNS 2 space blank. The only thing that you can do is , if you use a VPN, to make sure to set the Accept DNS Configuration setting on the VPN Client to “Disable”.




Sent from my iPhone using Tapatalk

 

[bmn1]

Did you check to see that your router set its time after reboot? There is a fix you can do to the dnsmasq.conf.add file.

How would I go about doing that? I couldn't find the dnsmasq.conf.add file when Stubby was installed either by the way?

Yes this going to happen and you should try your installation again. In order for Stubby to work your router’s IP must be on DNS 1 but you must let Stubby do that during installation. Leave DNS 2 space blank. The only thing that you can do is , if you use a VPN, to make sure to set the Accept DNS Configuration setting on the VPN Client to “Disable”.

I have reinstalled Stubby 2 or 3 times now. I have not set up a VPN Client yet either.
And indeed, I only changed it because I had no internet connection otherwise, and was uninstalling it therefore at the time.

Maybe doing something with making sure the Router checks it's time(zone) should make things run smoother, but I have no clue I should go about that. Hah

 

[Marin]

How would I go about doing that? I couldn't find the dnsmasq.conf.add file when Stubby was installed either by the way?



I have reinstalled Stubby 2 or 3 times now. I have not set up a VPN Client yet either.
And indeed, I only changed it because I had no internet connection otherwise, and was uninstalling it therefore at the time.

Maybe doing something with making sure the Router checks it's time(zone) should make things run smoother, but I have no clue I should go about that. Hah

Try this command:

 nano /jffs/configs/dnsmasq.conf.add

And add this on the screen that opens up:

 no-resolv
server=127.0.0.1#5453

Then type Ctrl + X to exit and type Y to save (for Yes).

Then hit Enter.

Then type this command to make what you saved executable:

 chmod +x /jffs/configs/dnsmasq.conf.add

Then enter this command:

 /opt/etc/init.d/S61stubby start

And then enter this command:

 service restart_dnsmasq

Then enter:

reboot

Sent from my iPhone using Tapatalk

 

[bmn1]

Seems to work wonders.
Thank you!

What does:

no-resolv
server=127.0.0.1#5453

Do for me, I mean it works, but you know, what happened here?

 

[JemTheWire]

Hello. I am having similar issued with no NTP after a reboot.

I Install Stubby OK and it works brilliently, thank you. However, after a reboot, I don't have any WAN connection becausee it cannot sync time to an NTP server.

I have followed the instructions in post #393 above, but the issue remains and I have to revert back to my previous saved config to get things working.

Can you help please?

 

[Marin]

Hello. I am having similar issued with no NTP after a reboot.

I Install Stubby OK and it works brilliently, thank you. However, after a reboot, I don't have any WAN connection becausee it cannot sync time to an NTP server.

I have followed the instructions in post #393 above, but the issue remains and I have to revert back to my previous saved config to get things working.

Can you help please?

Try to add:

 server=/pool.ntp.org/1.1.1.1

to your:

 /jffs/configs/dnsmasq.conf.add

Sent from my iPhone using Tapatalk

 

[Marin]

Seems to work wonders.
Thank you!

What does:

no-resolv
server=127.0.0.1#5453

Do for me, I mean it works, but you know, what happened here?

It just ensures that all DNS requests go through Stubby.


Sent from my iPhone using Tapatalk

 

[bbunge]

You may want to add:

proxy-dnssec

to the dnsmasq.conf.add file if you plan to use dnssec.

Edit: I decided to add to this post instead of creating another...

Several folks have had the same "issue" with Stubby install recently. Everything one needs is in the Github post

https://github.com/Xentrk/Stubby-Installer-Asuswrt-Merlin

One should not attempt to install Stubby without reading the instructions first.
If you do not understand a procedure, ask first.
For Windows users I recommend you get and install on your PC WinSCP and Putty. WInSCP is a great tool for browsing and editing files on a remote device such as an Asus router. Putty is needed to issue commands and check if processes work.

Some other things you need to know:
The Stubby Installer disables DNSSEC in Merlin. There is some debate if you really need DNSSEC if you have encrypted DNS provided by Stubby. So, it is you choice to turn DNSSEC back on or not.
Enabling DNSSEC will break the Cloudflare help test.
Most DNSSEC tests on the web only check if the remote resolver is capable of DNSSEC not that your DNSSEC is working. Using Dig is about the only way to test your connection. Yes, there are iOS and Android apps for this.
DNSSEC can be enabled in Stubby or Merlin (dnsmasq). Either work and neither is preferred. At this time I'm using Clean Browsing Security DNS with DNSSEC enabled in Merlin.
As a temporary fix for the time server issue you can use an IP address of a time server in NTP Server setting. Although the fix to /jffs/configs/dnsmasq.conf.add is preferred.

 

[Martin_D]

What do you get if you run

getdns_query -s @127.0.0.1 github.com

administrator0f5kc6a@RT-AX88U-8C80:/tmp/home/root# getdns_query -s @127.0.0.1 gi
thub.com
Killed

 

[JemTheWire]

Try to add:

 server=/pool.ntp.org/1.1.1.1

to your:

 /jffs/configs/dnsmasq.conf.add

Sent from my iPhone using Tapatalk

Thank you so much! It has worked.