Stubby-Installer-Asuswrt-Merlin

[Zonkd]

I’ve been running stubby for 2 days now. Today my AC86U stopped delivering internet access (100% packet loss) despite having a WAN IP from ISP. It’s possible it had something to do with stubby because net access returned after changing my WAN DNS from router back to 1.1.1.1. What might be happening here?

 

[bbunge]

I’ve been running stubby for 2 days now. Today my AC86U stopped delivering internet access (100% packet loss) despite having a WAN IP from ISP. It’s possible it had something to do with stubby because net access returned after changing my WAN DNS from router back to 1.1.1.1. What might be happening here?

Did you disable Network Monitoring?

Sent from my SM-T380 using Tapatalk

 

[Zonkd]

Did you disable Network Monitoring?

Sent from my SM-T380 using Tapatalk

Yes its disabled. I have never enabled network monitoring.

 

[bbunge]

Yes its disabled. I have never enabled network monitoring.

Yes its disabled. I have never enabled network monitoring.

If you never enabled it it is enabled by default. Check Administration/System.

 

[Zonkd]

If you never enabled it it is enabled by default. Check Administration/System.

I don't see it listed. See screenshot.

 

[skeal]

I don't see it listed. See screenshot.

View attachment 16287

What version of firmware are you using here?

 

[skeal]

It looks like this:

 

[Zonkd]

It looks like this:View attachment 16288

Strange. As you can see it's not there (on my AC68U or AC86U)

 

[L&LD]

Strange. As you can see it's not there (on my AC68U or AC86U)

As skeal asked above, what firmware version are you on? If you're on 384.9, then you need to do a full reset to factory defaults followed by a minimal and manual configuration of the router(s) to secure them and connect to the internet. Do not use a saved backup config file, type in the required info as needed.

 

[Zonkd]

What version of firmware are you using here?

Oh sorry didn't see your post, it is still on 384.7. Is this a new feature?

As skeal asked above, what firmware version are you on? If you're on 384.9, then you need to do a full reset to factory defaults followed by a minimal and manual configuration of the router(s) to secure them and connect to the internet. Do not use a saved backup config file, type in the required info as needed.

I'm going to update both routers to 384.9 in the next few days. I kept on 384.7 for a while because it has made the wifi so damn stable for the AC86U. And trust me I never restore from backups. I don't do dirty upgrades either.

 

[bbunge]

Oh sorry didn't see your post, it is still on 384.7. Is this a new feature?



I'm going to update both routers to 384.9 in the next few days. I kept on 384.7 for a while because it has made the wifi so damn stable for the AC86U. And trust me I never restore from backups. I don't do dirty upgrades either.

On prior versions Network Monitoring is under Tools. Don't remember which tab, though.

Dirty upgrade should be ok.

Sent from my SM-T380 using Tapatalk

 

[Nebulaz]

"Slow" as in how? DNS resolving speed, download speed, need to be more specific and explain how you are measuring this. I can max my 100/40 connection easily (nor should DNS requests affect download speed)

Okay, so apparently slow was not correct. I usually test ad blocking by going to Yahoo but it must have just loaded an already cached page. This morning I tested other pages and the loading bar will sit idling for about 15 seconds and then the page times out.

When I apply the Advertise DNS to clients, the internet breaks on my phone if I run it through the VPN. Once unchecked, the internet is back but with ads.

The VPN server runs on a 10.8x.x and the VPN local client on a 10.9x.x could that be the issue?

Sent from my Nokia 7.1 using Tapatalk

 

[Nebulaz]

If you never enabled it it is enabled by default. Check Administration/System.

DNS query on mine is checked. I thought Stubby makes this change. I never selected it, but I remember Stubby saying that it would change the default way the router handled DNS.

Sent from my Nokia 7.1 using Tapatalk

 

[skeal]

DNS query on mine is checked. I thought Stubby makes this change. I never selected it, but I remember Stubby saying that it would change the default way the router handled DNS.

Sent from my Nokia 7.1 using Tapatalk

Stubby has nothing to do with that setting. That setting uses DNS to determine if your network is up. It has 2 ways of doing so, neither of which are needed for a setup unless you have difficulty. It would be best to un-check both.

 

[EmeraldDeer]

This is the most minimalist stubby.yml configuration that functions with Cloudflare DNS over TLS.

# cat /opt/etc/stubby/stubby.yml
appdata_dir: "/opt/var/cache/stubby"
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
idle_timeout: 9900
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_ca_file: "/rom/etc/ssl/certs/ca-certificates.crt"
#
upstream_recursive_servers:
# Cloudflare Primary IPv4
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
# Cloudflare Secondary IPv4
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"
# Cloudflare Primary IPv6
  - address_data: 2606:4700:4700::1111
    tls_auth_name: "cloudflare-dns.com"
# Cloudflare Secondary IPv6
  - address_data: 2606:4700:4700::1001
    tls_auth_name: "cloudflare-dns.com"
#
listen_addresses:
  - 127.0.0.1@5453
  - 0::1@5453
#

 

[Nebulaz]

Stubby has nothing to do with that setting. That setting uses DNS to determine if your network is up. It has 2 ways of doing so, neither of which are needed for a setup unless you have difficulty. It would be best to un-check both.

I unchecked both and I invited no additional difficulties. However, the Advertise DNS to clients, still doesn't work. When I check no on that item, I am able to connect to the VPN with my phone off-site, but receive ads. When I select yes on that, my internet connection goes down for off-site devices.

Sent from my Nokia 7.1 using Tapatalk

 

[Nebulaz]

This is the most minimalist stubby.yml configuration that functions with Cloudflare DNS over TLS.

# cat /opt/etc/stubby/stubby.yml
appdata_dir: "/opt/var/cache/stubby"
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
idle_timeout: 9900
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_ca_file: "/rom/etc/ssl/certs/ca-certificates.crt"
#
upstream_recursive_servers:
# Cloudflare Primary IPv4
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
# Cloudflare Secondary IPv4
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"
# Cloudflare Primary IPv6
  - address_data: 2606:4700:4700::1111
    tls_auth_name: "cloudflare-dns.com"
# Cloudflare Secondary IPv6
  - address_data: 2606:4700:4700::1001
    tls_auth_name: "cloudflare-dns.com"
#
listen_addresses:
  - 127.0.0.1@5453
  - 0::1@5453
#

Thank you for posting this.

Is the listening address the range of the LANs local IPs?

Sent from my Nokia 7.1 using Tapatalk

 

[EmeraldDeer]

Thank you for posting this.

Is the listening address the range of the LANs local IPs?

Sent from my Nokia 7.1 using Tapatalk

Yes, the listen_address is where stubby receives DNS traffic from dnsmasq.

 

[bbunge]

Thank you for posting this.

Is the listening address the range of the LANs local IPs?

Sent from my Nokia 7.1 using Tapatalk

The listening addresses are the addresses used for loopback. They allow getdns/stubby to recieve and send DNS packets from and to the router/dnsmasq and thus from and to clients.

When you make changes to the VPN Server you will need to generate a new config file to load on your remote clients.

 

[EmeraldDeer]

I unchecked both and I invited no additional difficulties. However, the Advertise DNS to clients, still doesn't work. When I check no on that item, I am able to connect to the VPN with my phone off-site, but receive ads. When I select yes on that, my internet connection goes down for off-site devices.

Sent from my Nokia 7.1 using Tapatalk

This probably does not help, but my setup is working as you would want it to.
- LAN>DHCP Server>Advertise router IP for DNS is enabled
- LAN>DNSFilter>Enabled with Global Filter Mode set to Router
- VPN is IPSec (native, fast and rock solid on Apple iOS)
- If I VPN in from my phone network to my router, run Diversion - follow dnsmasq.log on a router command line session, browse websites on phone's Safari, I can see Diversion blocking ads