Stubby-Installer-Asuswrt-Merlin

[L&LD]

Sorry if this is out of right field... I scanned over the merlin beta release notes and noticed 2 things that may shake up the script scene: DOT and NTPD!

I am assuming that if all goes well, when 384.11 rolls out this stubby installer script won't be needed anymore, correct? ...or maybe the webui won't have all the options?

It's OT, but I think I'll also have to remove my little ntpd script since it sounds like the new integrated one may be more accurate. How will the merlin ntpd compare to the fancy kvic version that's currently available through AMTM?

Adamm just wanted to say a big thank you for all your contributions and the support for Stubby and all the other projects you help with too. Looking forward to your future projects now.

OT: With a sincere thank you to RMerlin for including support for something better than stock, and with no disrespect intended, the ntpMerlin, Jack Yaz wrapped, kvic based NTP script is light milli-seconds better in every respect. Not just with more accuracy (runs many more times a day), more details (the graphs!) and the fact that every client on the network is forced to use it (not true of stock and the latest RMerlin implementation today), but also because it blends in with amtm, is unobtrusive unless you want to see the extra details and has been rock solid for many router's I've tested and used in on too since it was first released. Solid!

 

[Poseidon]

Might be a stupid question but does installing Stubby *disable* IPv6 in the router gui settings?

 

[L&LD]

Might be a stupid question but does installing Stubby *disable* IPv6 in the router gui settings?

Hasn't for me yet.

 

[Cubyc]

Guys what results do you get on https://tenta.com/test/#advanceddnstest
I get green pass on https://www.cloudflare.com/ssl/encrypted-sni/ but not on tenta, and was wondering if you get same or my stubby stock install is not working properly .

 

[L&LD]

Guys what results do you get on https://tenta.com/test/#advanceddnstest
I get green pass on https://www.cloudflare.com/ssl/encrypted-sni/ but not on tenta, and was wondering if you get same or my stubby stock install is not working properly .

I thought tenta.com was not a reliable test at all?

 

[Swistheater]

I thought tenta.com was not a reliable test at all?

it isn't-- it is out dated.

 

[Swistheater]

I thought tenta.com was not a reliable test at all?

what would be nice is to see the stubby installer branch into a customize script for the newly built in stubby or a separate project created for it.

 

[Xentrk]

what would be nice is to see the stubby installer branch into a customize script for the newly built in stubby or a separate project created for it.

@Swistheater, Can you please elaborate/clarify? Thanks

Not sure I see the need for future maintenance and support of the Stubby Installer Script since DoT is already included in John's fork and Merlin's FW will include it in 384.11. However, once some new feature becomes available, I would not be able to resist the urge to update the installer script so I can test it! I expect most users will move over to Merlin's firmware implementation of DoT and the installer script will slowly fade away.

Because of the recent firmware implementation of DoT, AMTM has been updated to only display the install Stubby option if the user does not have the firmware DoT feature enabled.

 

[heysoundude]

Just a quick question:
I've installed and am running stubby on my desktop computer, mostly because I'm waiting on Merlin 384.11 to be a full release. When it is, I'll install it and have the whole network protected by DoT, but will I have to remove it from my desktop machine? or will it not matter?

 

[Xentrk]

Just a quick question:
I've installed and am running stubby on my desktop computer, mostly because I'm waiting on Merlin 384.11 to be a full release. When it is, I'll install it and have the whole network protected by DoT, but will I have to remove it from my desktop machine? or will it not matter?

It won't matter, unless you have a rule on the router to block DNS requests from LAN clients, the LAN client will take precedence. Setting DNS Filter Global Filter Mode to Router will block DNS requests from LAN clients:

iptables -nvL PREROUTING -t nat --line
Chain PREROUTING (policy ACCEPT 35 packets, 2396 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1194
2        3   124 VSERVER    all  --  *      *       0.0.0.0/0            180.183.158.106
3        0     0 VSERVER    all  --  *      *       0.0.0.0/0            169.254.81.53
4        5   338 DNSFILTER  udp  --  *      *       192.168.22.0/24      0.0.0.0/0            udp dpt:53
5        0     0 DNSFILTER  tcp  --  *      *       192.168.22.0/24      0.0.0.0/0            tcp dpt:53

 

[Swistheater]

@Swistheater, Can you please elaborate/clarify? Thanks

Not sure I see the need for future maintenance and support of the Stubby Installer Script since DoT is already included in John's fork and Merlin's FW will include it in 384.11. However, once some new feature becomes available, I would not be able to resist the urge to update the installer script so I can test it! I expect most users will move over to Merlin's firmware implementation of DoT and the installer script will slowly fade away.

Because of the recent firmware implementation of DoT, AMTM has been updated to only display the install Stubby option if the user does not have the firmware DoT feature enabled.

What I am referring to is a script with a menu that would make customization of the built in stubby easier to manage for novice end users that are not to familiar with how to use custom scripts like .postconf .add. It was just an idea.

 

[EmeraldDeer]

It won't matter, unless you have a rule on the router to block DNS requests from LAN clients, the LAN client will take precedence. Setting DNS Filter Global Filter Mode to Router will block DNS requests from LAN clients:

iptables -nvL PREROUTING -t nat --line
Chain PREROUTING (policy ACCEPT 35 packets, 2396 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1194
2        3   124 VSERVER    all  --  *      *       0.0.0.0/0            180.183.158.106
3        0     0 VSERVER    all  --  *      *       0.0.0.0/0            169.254.81.53
4        5   338 DNSFILTER  udp  --  *      *       192.168.22.0/24      0.0.0.0/0            udp dpt:53
5        0     0 DNSFILTER  tcp  --  *      *       192.168.22.0/24      0.0.0.0/0            tcp dpt:53

I should be seeing DNSFILTER rules in addition to DNSFILTER_DOT, right?

I have even disabled DNSFILTER Global Router mode.

# iptables -S | egrep -i "53|dns"
-N DNSFILTER_DOT

And re-enabled.

# iptables -S | egrep -i "53|dns"
-N DNSFILTER_DOT
-A FORWARD -i br0 -p tcp -m tcp --dport 853 -j DNSFILTER_DOT
-A DNSFILTER_DOT ! -d 192.168.50.1/32 -j REJECT --reject-with icmp-port-unreachable
-A YazFiINPUT -i wl0.1 -p udp -m udp --dport 53 -j ACCEPT
-A YazFiINPUT -i wl0.1 -p tcp -m tcp --dport 53 -j ACCEPT

EDIT: As @dave14305 points out, it is in the nat table which is not included in "iptables -S"

# iptables -t nat -S | egrep -i "53|dns"
-N DNSFILTER
-N YazFiDNSFILTER
-A PREROUTING -s 192.168.50.0/24 -p udp -m udp --dport 53 -j DNSFILTER
-A PREROUTING -s 192.168.50.0/24 -p tcp -m tcp --dport 53 -j DNSFILTER
-A PREROUTING -p udp -m udp --dport 53 -j YazFiDNSFILTER
-A PREROUTING -p tcp -m tcp --dport 53 -j YazFiDNSFILTER
-A DNSFILTER -j DNAT --to-destination 192.168.50.1
-A YazFiDNSFILTER -i wl0.1 -j DNAT --to-destination 192.168.66.1

 

[dave14305]

I should be seeing DNSFILTER rules in addition to DNSFILTER_DOT, right?

I have even disabled DNSFILTER Global Router mode.

# iptables -S | egrep -i "53|dns"
-N DNSFILTER_DOT

And re-enabled.

# iptables -S | egrep -i "53|dns"
-N DNSFILTER_DOT
-A FORWARD -i br0 -p tcp -m tcp --dport 853 -j DNSFILTER_DOT
-A DNSFILTER_DOT ! -d 192.168.50.1/32 -j REJECT --reject-with icmp-port-unreachable
-A YazFiINPUT -i wl0.1 -p udp -m udp --dport 53 -j ACCEPT
-A YazFiINPUT -i wl0.1 -p tcp -m tcp --dport 53 -j ACCEPT

View attachment 17279
EDIT: I will repost this in the 384.11 beta thread

iptables -t nat -S

 

[Xentrk]

I should be seeing DNSFILTER rules in addition to DNSFILTER_DOT, right?

I have even disabled DNSFILTER Global Router mode.

# iptables -S | egrep -i "53|dns"
-N DNSFILTER_DOT

And re-enabled.

# iptables -S | egrep -i "53|dns"
-N DNSFILTER_DOT
-A FORWARD -i br0 -p tcp -m tcp --dport 853 -j DNSFILTER_DOT
-A DNSFILTER_DOT ! -d 192.168.50.1/32 -j REJECT --reject-with icmp-port-unreachable
-A YazFiINPUT -i wl0.1 -p udp -m udp --dport 53 -j ACCEPT
-A YazFiINPUT -i wl0.1 -p tcp -m tcp --dport 53 -j ACCEPT

View attachment 17279
EDIT: I will repost this in the 384.11 beta thread

Please note I had uninstalled Stubby for some testing I am doing and have not moved over to 3xx.11 beta. The reason I don't have the port 853 entry.

 

[EeK]

I recently installed Stubby DNS via amtm, along with Diversion and Skynet, on my RT-AC86U router.

I noticed some issues with Steam after installing those scripts, mainly that the application itself was taking too long to download updates (I have a 300 Mbps connection and the download speed was barely hitting 8 Kbps) and the Steam store website (store.steampowered.com) was taking too long to load and also not fully loading (tried with multiple browsers).

After disabling both Diversion and Skynet, the issues persisted. I was then able to pin down the culprit: Stubby DNS. Uninstalling it made the issues go away. Downloads were back to their 37 MB/s average and the store is now loading properly.

Any idea as to why that happened? Will I be forced to keep Stubby DNS uninstalled?

 

[L&LD]

I recently installed Stubby DNS via amtm, along with Diversion and Skynet, on my RT-AC86U router.

I noticed some issues with Steam after installing those scripts, mainly that the application itself was taking too long to download updates (I have a 300 Mbps connection and the download speed was barely hitting 8 Kbps) and the Steam store website (store.steampowered.com) was taking too long to load and also not fully loading (tried with multiple browsers).

After disabling both Diversion and Skynet, the issues persisted. I was then able to pin down the culprit: Stubby DNS. Uninstalling it made the issues go away. Downloads were back to their 37 MB/s average and the store is now loading properly.

Any idea as to why that happened? Will I be forced to keep Stubby DNS uninstalled?

Stubby will be depreciated very quickly once RMerlin's 384.11 firmware passes Beta testing. (Built in to RMerlin firmware and I will guess that Asus will pick it up too very quickly afterward).

 

[dave14305]

Any idea as to why that happened? Will I be forced to keep Stubby DNS uninstalled?

the Stubby script configures Stubby to use Cloudflare DNS. What WAN DNS servers are you using now without Stubby? It could be one of those CDN geo issues Merlin is frequently reminding us about.

 

[bbunge]

I recently installed Stubby DNS via amtm, along with Diversion and Skynet, on my RT-AC86U router.

I noticed some issues with Steam after installing those scripts, mainly that the application itself was taking too long to download updates (I have a 300 Mbps connection and the download speed was barely hitting 8 Kbps) and the Steam store website (store.steampowered.com) was taking too long to load and also not fully loading (tried with multiple browsers).

After disabling both Diversion and Skynet, the issues persisted. I was then able to pin down the culprit: Stubby DNS. Uninstalling it made the issues go away. Downloads were back to their 37 MB/s average and the store is now loading properly.

Any idea as to why that happened? Will I be forced to keep Stubby DNS uninstalled?

Were you using a VPN client on your router?

Sent from my SM-T380 using Tapatalk

 

[EeK]

Stubby will be depreciated very quickly once RMerlin's 384.11 firmware passes Beta testing. (Built in to RMerlin firmware and I will guess that Asus will pick it up too very quickly afterward).

What does that mean, exactly?

the Stubby script configures Stubby to use Cloudflare DNS. What WAN DNS servers are you using now without Stubby? It could be one of those CDN geo issues Merlin is frequently reminding us about.

My router is set to "Connect to DNS Server automatically", so I assume it's my ISP's DNS servers. Same as before installing amtm and any scripts.

Were you using a VPN client on your router?

Nope.

 

[Cam]

What does that mean, exactly?

He meant deprecated, not depreciated.
In any case it means the stubby script you have used to install the entware verions of stubby is being superseded by @RMerlin's latest firmware (currently in beta) which has Stubby built in, and available to configure via webui. A more stable and integrated verion of stubby if you will.