Stubby-Installer-Asuswrt-Merlin


I assume you were taken down by the same bug in the older Entware getdns/stubby that took down the RT-AC86U and other HND-based ASUS routers, including the RT-AX88U at first.

I had similar issues when I initially tried Stubby, but since then @Odkrys compiled the latest Stubby and GetDNS for the HND routers RT-AC86U, RT-AX88U and GT-AC5300, statically linked to OpenSSL 1.1.1a, which beyond fixing the show-stopping bugs provided performance improvements through TLS 1.3.

@Xentrk incorporated them into his distro, and with some help and code cleanup from heavy hitters here, all has worked well for those of us with ASUS HND-based routers since then. Give it another shot; it should be a much, much better experience now.
 
I can confirm Stubby works flawlessly on my AX88U over the past week since I decided to get involved. FWIW it's probably the most tested device now for this script.
 
Some tips to success with Stubby:
Do not install Download Master. See: https://github.com/RMerl/asuswrt-merlin/wiki/Entware
Format the thumb drive to EXT2 or 3 and assign a label (don't rely on the router assigned drive label as this can change).
If you use a USB3 port change its operation to USB2 in Merlin (Yes the router will recognize the USB3 on insertion but may not on reboot).
Leave the Lan/DHCP Server/DNS Server 1 and 2 blank.
Might also be a great idea to save your settings and /jffs content before you install Entware or stubby. Makes it easier to go back.
Install Entware then Stubby. Try the default settings. Should work out of the box.

Best of success!
 
Exactly the same with my unbound (non-stubby) configuration.
Makes sense as the test only checks the remote DNS server's ability to do DNSSEC.


 
@eclp

I would add to Bbunge's suggestions that many of us use ext4 with journalling on our USB thumb drives and/or SSDs as well.

As to Entware, if you are like many of us and take advantage of Diversion, you already have Entware set up correctly by that script. Just update Entware from within Diversion and/or AMTM before installing Stubby and you will be good to go. Hopefully the planned AMTM update to manage the Stubby install happens soon and things should get even easier, as everything, including formatting a USB correctly, will be doable within that script.
 
> @eclp
>
> I would add to Bbunge's suggestions that many of us use ext4 with journalling on our USB thumb drives and/or SSDs as well.
>
> As to Entware, if you are like many of us and take advantage of Diversion, you already have Entware set up correctly by that script. Just update Entware from within Diversion and/or AMTM before installing Stubby and you will be good to go. Hopefully the planned AMTM update to manage the Stubby install happens soon and things should get even easier, as everything, including formatting a USB correctly, will be doable within that script.

I intentionally omitted EXT4 as I have had problems getting the router to mount the EXT4 formatted drive. Yes, it could be operator error...
 
> I intentionally omitted EXT4 as I have had problems getting the router to mount the EXT4 formatted drive. Yes, it could be operator error...

FWIW, I've had no problems mounting ext4 with or without journaling on my AC86U.
 
Test report:

Config: 2nd Alpha 2 build (g2c530c69b) and Cloudflare DNS:

1.1.1.1/help fails as expected with DNSSEC and strict unsigned validation on in the router GUI. Leaving DNSSEC on and turning off strict unsigned validation (SUV) results in 1.1.1.1/help working (I presume this is expected, as that setting seems to defeat the purpose of DNSSEC). Cloudflare's ESNI test page similarly follows the SUV setting, albeit with a ? for Secure DNS rather than an X as ESNI shows. DNSSEC still has a checkmark in this configuration.

Back to DNSSEC and SUV on in the router and the DNSSEC tests on Xentrk's GitHub work (although I admit I'm not exactly sure what the rootcanary.org test is supposed to be showing me). I get 100% on the internet.nl test as I have IPv6.

Turning DNSSEC back off, and removing the local IP of the router from the IPv6 DNS server 1 line results in all of the tests except the internet.nl one loading very slowly, and Cloudflare's ESNI page reporting questionable DNSSEC. One time I had to reload the 1.1.1.1/test page. IPv6 sites (v6.facebook.com, http://ipv6.test-ipv6.com/) wouldn't load, with a "took too long to respond" failure instead of a DNS not found. I restarted Stubby and dnsmasq after removing the local IPv6 address, and again after re-adding it. Everything returned to previous after re-entering the local IPv6 and restarting Stubby/dnsmasq.

Tentative conclusion: although some others have reported success with nothing in the IPv6 DNS server 1 field, unless someone reports a reproducible issue with the local IPv6 address in that field, it appears that it is necessary for at least some of us.
 
0. I changed nothing in stubby.yml. I forgot to mention I elected not to use proxy-dnssec
Recommend using both CF IPv4 and both CF IPv6 entries in stubby.yml. Enable round robin and proxy-dnssec. For me it makes a difference!

 
> Recommend using both CF IPv4 and both CF IPv6 entries in stubby.yml. Enable round robin and proxy-dnssec. For me it makes a difference!

Enable IPv6 entries even if IPv6 not enabled on router?
 
@Xentrk

Is there a specific reason round_robin_upstreams: defaults to 0 in your distro's stubby.yml? Setting to 1 and allowing Stubby to query all available configured upstream DNS servers simultaneously, instead of 0 resulting in a sequential query and wait going down the list of configured servers, sure seems like that would be the preferred default unless I am missing something obvious.

  • round_robin_upstreams: Round robin queries across all the configured upstream servers. Without this option Stubby will use each upstream server sequentially until it becomes unavailable and then move on to use the next.
 
> Recommend using both CF IPv4 and both CF IPv6 entries in stubby.yml. Enable round robin and proxy-dnssec. For me it makes a difference!

I lost power last night (California isn't designed to deal with rain), and I'm at work today. Trying both CF DNS servers was next on my list. Since DoT is more of a gee-whiz for me (I'm not a political dissident in a totalitarian country), I'd like to avoid proxy-dnssec, since it somewhat defeats the purpose of DoT.
 
> Enable IPv6 entries even if IPv6 not enabled on router?

If your ISP doesn't support IPv6, it shouldn't "hurt", nothing should happen if your router doesn't get an IPv6 address, but it's not necessary either.
 
> @Xentrk
>
> Is there a specific reason round_robin_upstreams: defaults to 0 in your distro's stubby.yml? Setting to 1 and allowing Stubby to query all available configured upstream DNS servers simultaneously, instead of 0 resulting in a sequential query and wait going down the list of configured servers, sure seems like that would be the preferred default unless I am missing something obvious.
>
>   • round_robin_upstreams: Round robin queries across all the configured upstream servers. Without this option Stubby will use each upstream server sequentially until it becomes unavailable and then move on to use the next.

My guess would be because only one server is defined by default (1.1.1.1). I am unsure as to why the secondary 1.0.0.1 isn't also defined but I didn't generate the initial config.

I did some research and it's recommended for performance to enable this. So I've gone ahead and pushed a commit enabling the feature and also enabling the secondary Cloudflare servers.


As usual, to apply this update you will need to run the "Update Stubby Configuration" option from the main menu.
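
For reference, a stubby.yml fragment matching what the thread discusses: both Cloudflare IPv4 and IPv6 upstreams with round robin enabled. This is an added example, not the installer's actual file or the commit mentioned above; the keys are standard Stubby options, and the Cloudflare IPv6 addresses and TLS name are Cloudflare's published values rather than anything quoted in the thread.

```yaml
# Illustrative stubby.yml fragment (added example, not the installer's file).
resolution_type: GETDNS_RESOLUTION_STUB

dns_transport_list:
  - GETDNS_TRANSPORT_TLS        # DNS-over-TLS only, no cleartext fallback

# Fail closed: refuse to resolve if the upstream certificate does not
# validate against tls_auth_name below.
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED

tls_query_padding_blocksize: 128   # pad queries to hinder size-based analysis
edns_client_subnet_private: 1      # ask upstreams not to forward client subnet
idle_timeout: 10000                # keep TLS sessions open for 10 s (ms)

# 0: use the first upstream until it becomes unavailable, then the next.
# 1: round robin queries across all configured upstreams.
round_robin_upstreams: 1

upstream_recursive_servers:
  # Cloudflare IPv4
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"
  # Cloudflare IPv6 (only reachable when the WAN has IPv6 connectivity)
  - address_data: 2606:4700:4700::1111
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 2606:4700:4700::1001
    tls_auth_name: "cloudflare-dns.com"
```

Every upstream entry carries its own tls_auth_name; an entry without one cannot be authenticated under GETDNS_AUTHENTICATION_REQUIRED.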
 
