Stubby-Installer-Asuswrt-Merlin

[skeal]

I done got bit by @skeal 's bug!

ALL UDP 53 192.168.1.1 53 PREROUTING
ALL TCP 53 192.168.1.1 53 PREROUTING
ALL UDP 53 192.168.1.1 53 PREROUTING
ALL UDP 53 192.168.1.1 53 PREROUTING
ALL TCP 53 192.168.1.1 53 PREROUTING
ALL TCP 53 192.168.1.1 53 PREROUTING

I had some issues with my VPN connection, so i used "halt" from a terminal to power cycle. Left it off about 10 minutes. On restart everything looks fine in the syslog, nothing out of ordinary. Then I check Port Forwarding in the System Log section and get the above. I checked earlier today and when I opened Stubby from amtm, it gave me the option to update, so I did. Change nothing in configuration. I have the cache DNSSEC setting to no, and the force all DNS through Stubby to yes.

As per @Adamm this is not mathematically possible....lol Jus kidding mang!!

 

[visortgw]

I done got bit by @skeal 's bug!

ALL UDP 53 192.168.1.1 53 PREROUTING
ALL TCP 53 192.168.1.1 53 PREROUTING
ALL UDP 53 192.168.1.1 53 PREROUTING
ALL UDP 53 192.168.1.1 53 PREROUTING
ALL TCP 53 192.168.1.1 53 PREROUTING
ALL TCP 53 192.168.1.1 53 PREROUTING

I had some issues with my VPN connection, so i used "halt" from a terminal to power cycle. Left it off about 10 minutes. On restart everything looks fine in the syslog, nothing out of ordinary. Then I check Port Forwarding in the System Log section and get the above. I checked earlier today and when I opened Stubby from amtm, it gave me the option to update, so I did. Change nothing in configuration. I have the cache DNSSEC setting to no, and the force all DNS through Stubby to yes.

I am seeing the same...

 

[skeal]

I am seeing the same...

No longer an isolated incident, I'm afraid. I have a fix for this but let's wait for @Adamm or @Xentrk to respond first.

 

[eclp]

@skeal ...

But you should not hold back possible solutions, even if you are not the developer. To give ideas and impulses are in my opinion always advantageous.

 

[skeal]

@skeal ...

But you should not hold back possible solutions, even if you are not the developer. To give ideas and impulses are in my opinion always advantageous.

Ok first you have to re-run the installer and say no to routing everything through Stubby. Then create this file in /jffs/scripts called "dns-redirect" with this content:

#!/bin/sh
# Force Client DNS requests to use Stubby
logger "Please wait while all DNS is forced through Stubby."
iptables -t nat -D PREROUTING -i br0 -p udp --dport 53 -j DNAT --to "$(nvram get lan_ipaddr)" > /dev/null 2>&1
iptables -t nat -D PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to "$(nvram get lan_ipaddr)" > /dev/null 2>&1

iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to "$(nvram get lan_ipaddr)"
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to "$(nvram get lan_ipaddr)"
logger "Forced DNS routing through Stubby complete."

Next call the scripts from nat-start, if you don't have nat-start just create it. Call the script something like this:

#!/bin/sh

/jffs/scripts/dns-redirect   # Force Client DNS requests to use Stubby

Make sure to run both:

dos2unix /jffs/scripts/dns-redirect
dos2unix /jffs/scripts/nat-start
chmod a+rx /jffs/scvripts/dns-redirect
chmod a+rx /jffs/scripts/nat-start

Give this a try.

EDIT: THIS IS NO LONGER NEEDED AS @Adamm FIXED IN POST #1034

 

[Adamm]

Ok first you have to re-run the installer and say no to routing everything through Stubby. Then create this file in /jffs/scripts called "dns-redirect" with this content:

#!/bin/sh
# Force Client DNS requests to use Stubby
logger "Please wait while all DNS is forced through Stubby."
iptables -t nat -D PREROUTING -i br0 -p udp --dport 53 -j DNAT --to "$(nvram get lan_ipaddr)" > /dev/null 2>&1
iptables -t nat -D PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to "$(nvram get lan_ipaddr)" > /dev/null 2>&1

iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to "$(nvram get lan_ipaddr)"
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to "$(nvram get lan_ipaddr)"
logger "Forced DNS routing through Stubby complete."

Next call the scripts from nat-start, if you don't have nat-start just create it. Call the script something like this:

#!/bin/sh

/jffs/scripts/dns-redirect   # Force Client DNS requests to use Stubby

Make sure to run both:

dos2unix /jffs/scripts/dns-redirect
dos2unix /jffs/scripts/nat-start
chmod a+rx /jffs/scvripts/dns-redirect
chmod a+rx /jffs/scripts/nat-start

Give this a try.

The steps listed above are no different to what install_stubby does, any issue you are facing will still persist.

The problem is with the unpredictable nat-start (and firewall-start) events which cause race conditions. I had similar issues back with Skynet a long time ago, I assumed it wouldn't be an issue with only two rules and almost no other code being executed... guess I was wrong.

I pushed v1.0.9 which ports the Check_Lock() function from Skynet to enforce 1 instance of install_stubby at a time. This should resolve any race conditions.

 

[skeal]

The steps listed above are no different to what install_stubby does, any issue you are facing will still persist.

The problem is with the unpredictable nat-start (and firewall-start) events which cause race conditions. I had similar issues back with Skynet a long time ago, I assumed it wouldn't be an issue with only two rules and almost no other code being executed... guess I was wrong.

I pushed v1.0.9 which ports the Check_Lock() function from Skynet to enforce 1 instance of install_stubby at a time. This should resolve any race conditions.

Fixed....Thanks @Adamm for your quick and precise response. This works awesome now.

 

[visortgw]

The steps listed above are no different to what install_stubby does, any issue you are facing will still persist.

The problem is with the unpredictable nat-start (and firewall-start) events which cause race conditions. I had similar issues back with Skynet a long time ago, I assumed it wouldn't be an issue with only two rules and almost no other code being executed... guess I was wrong.

I pushed v1.0.9 which ports the Check_Lock() function from Skynet to enforce 1 instance of install_stubby at a time. This should resolve any race conditions.

It works!

Feb 14 19:12:14 Stubby: [*] Lock File Detected (iptables) (pid=1258) - Exiting (cpid=3145)

 

[Xentrk]

The steps listed above are no different to what install_stubby does, any issue you are facing will still persist.

The problem is with the unpredictable nat-start (and firewall-start) events which cause race conditions. I had similar issues back with Skynet a long time ago, I assumed it wouldn't be an issue with only two rules and almost no other code being executed... guess I was wrong.

I pushed v1.0.9 which ports the Check_Lock() function from Skynet to enforce 1 instance of install_stubby at a time. This should resolve any race conditions.

Those with OpenVPN clients may have noticed the problem more when compared to others since nat-start gets executed during OpenVPN client up/down events. I like your implementation of the check and kill function compared to the method I use in netflix_vpn_bypass. I may have to "clone" the code in the next update.

 

[skeal]

The bug is back. I get sometimes 4 or 3 or 2 port forward entries on the port forwarding log page. I reverted to my solution and it works like a charm. @Adamm I'm not sure it's a race condition anymore.

 

[Davidncali001]

Those with OpenVPN clients may have noticed the problem more when compared to others since nat-start gets executed during OpenVPN client up/down events. I like your implementation of the check and kill function compared to the method I use in netflix_vpn_bypass. I may have to "clone" the code in the next update.

I think the latest stubby update, everything worked fine until this morning, all my vpn connections were dead. had to reset the vpn to default and reboot, still didn't work. Unplugged the modem and manually shut down the router and rebooted both then I was able to re-upload the vpn config file and then everything worked like normal.

I'm not sure if it was stubby, but I've been using this same vpn provider for a while and it wasn't until the latest stubby update (last night) is when things went wonky.

 

[visortgw]

The bug is back. I get sometimes 4 or 3 or 2 port forward entries on the port forwarding log page. I reverted to my solution and it works like a charm. @Adamm I'm not sure it's a race condition anymore.

Did you possibly forget to remove the entries from firewall-start? I removed those (formerly suggested in the FAQ), enabled forced use of Stubby DNS by clients in the Stubby installer, and everything has been golden since -- on all three routers that I manage.

 

[Butterfly Bones]

I think the latest stubby update, everything worked fine until this morning, all my vpn connections were dead. had to reset the vpn to default and reboot, still didn't work. Unplugged the modem and manually shut down the router and rebooted both then I was able to re-upload the vpn config file and then everything worked like normal.

I'm not sure if it was stubby, but I've been using this same vpn provider for a while and it wasn't until the latest stubby update (last night) is when things went wonky.

I run full time VPN for all clients and have for years. I updated to Stubby DNS 1.0.9 when it released yesterday, and my VPN is unaffected. All clients get DNS via Stubby.

 

[Xentrk]

I think the latest stubby update, everything worked fine until this morning, all my vpn connections were dead. had to reset the vpn to default and reboot, still didn't work. Unplugged the modem and manually shut down the router and rebooted both then I was able to re-upload the vpn config file and then everything worked like normal.

I'm not sure if it was stubby, but I've been using this same vpn provider for a while and it wasn't until the latest stubby update (last night) is when things went wonky.

I have five clients running on my development router and do not have a problem. There could be a timing issue though. The installer checks to see if you have active VPN clients running, if so, it will add an entry to/jffs/scripts/openvpn-event to override the firmware pointing to VPN DNS servers. If the VPN clients were not running when you ran the installer, the entry will not get added. What entry do you have in the OpenVPN Client for Accept DNS Configuration? Setting it to Disabled will have the tunnel use Stubby. I found it speeds up browsing performance.

 

[Xentrk]

i don't see it on the option screen, must i run the update routine if all i want to do is find out what version i have?

ASUSWRT-Merlin RT-AC3100 384.8-2 Sat Dec  8 18:18:31 UTC 2018
domain@device:/tmp/home/root# /jffs/scripts/install_stubby.sh
_______________________________________________________________________
|                                                                     |
|  Welcome to the Stubby-Installer-Asuswrt-Merlin installation script |
|  Version 1.0.3 by Xentrk                                            |
|_____________________________________________________________________|

1 = Update Stubby Configuration
2 = Remove Existing Stubby Installation
3 = Update install_stubby.sh

e = Exit Script

or is my current script version 1.0.3 (and not just the installation version)
sorry, i know these questions seem dumb - but i don't know how this works.

I may have duplicated your concern. I had version 1.0.7 installed. I then ran Stubby from AMTM. I selected the update option on the installer menu. After it was done, I still had version 1.0.7.

I manually downloaded to get the new version. Next time there is an update, I can turn on debugging and repeat the steps to validate it is working as intended. It does appear that the code should download the the most recent version on GitHub with the update option though.

 

[Nebulaz]

I am out of my comfort zone but I have been reading a lot about subnets and routing but I am not sure if I am going in the right direction.

I currently have Skynet, diversion and Stubby all going on my 86u. Stubby was a fantastic addition (although I wish I knew more of what it does and how) as it allows me to have ads blocked and a VPN.

However, I don't get blocked ads when I use my phone to VPN. My end goal would be to route my phone traffic through my router in a way that it runs through Stubby and diversion when I am connected to my home VPN.

Can someone point me in the right direction as where or what to read up on?

Is Stubby or subnets my issue?

Sent from my Nokia 7.1 using Tapatalk

 

[L&LD]

I am out of my comfort zone but I have been reading a lot about subnets and routing but I am not sure if I am going in the right direction.

I currently have Skynet, diversion and Stubby all going on my 86u. Stubby was a fantastic addition (although I wish I knew more of what it does and how) as it allows me to have ads blocked and a VPN.

However, I don't get blocked ads when I use my phone to VPN. My end goal would be to route my phone traffic through my router in a way that it runs through Stubby and diversion when I am connected to my home VPN.

Can someone point me in the right direction as where or what to read up on?

Is Stubby or subnets my issue?

Sent from my Nokia 7.1 using Tapatalk

I would think that your VPN setup is the issue. Give more details here and I'm sure you'll be set on the right path in no time.

 

[visortgw]

I am out of my comfort zone but I have been reading a lot about subnets and routing but I am not sure if I am going in the right direction.

I currently have Skynet, diversion and Stubby all going on my 86u. Stubby was a fantastic addition (although I wish I knew more of what it does and how) as it allows me to have ads blocked and a VPN.

However, I don't get blocked ads when I use my phone to VPN. My end goal would be to route my phone traffic through my router in a way that it runs through Stubby and diversion when I am connected to my home VPN.

Can someone point me in the right direction as where or what to read up on?

Is Stubby or subnets my issue?

Sent from my Nokia 7.1 using Tapatalk

Try enabling "Advertise DNS to clients" in Advanced Settings for your VPN server.

 

[Nebulaz]

Try enabling "Advertise DNS to clients" in Advanced Settings for your VPN server.

Thanks for the advice. It did work, but it drove speed unbearably slow. Is there a chart for how Stubby reverses the DNS, so I can get a better idea of what is going on?

Internet is 100/30 from ISP.



Sent from my Nokia 7.1 using Tapatalk

 

[Adamm]

Thanks for the advice. It did work, but it drove speed unbearably slow. Is there a chart for how Stubby reverses the DNS, so I can get a better idea of what is going on?

Internet is 100/30 from ISP.



Sent from my Nokia 7.1 using Tapatalk

"Slow" as in how? DNS resolving speed, download speed, need to be more specific and explain how you are measuring this. I can max my 100/40 connection easily (nor should DNS requests affect download speed)