Stubby DNS Privacy Daemon Install Script for Asuswrt-Merlin Firmware
Stubby is an application that acts as a local DNS Privacy stub resolver using DNS-over-TLS. Stubby encrypts DNS queries sent from a client machine to a DNS Privacy resolver increasing end user privacy.
The use of Stubby on Asuswrt-Merlin is not endorsed by the firmware developer. You can also use this script to uninstall Stubby and remove the changes made during the installation.
The Stubby installer script install_stubby.sh will
- Install the entware packages stubby.
- Create /opt/var/cache/stubby and /opt/var/log folders if they do not exist.
- Download the Stubby entware start up script S61stubby to /opt/etc/init.d.
- Download the Stubby configuration file stubby.yml to /opt/etc/stubby.
- Override how the firmware manages DNS
- Add the entry no-resolv to /jffs/configs/dnsmasq.conf.add if it does not exist in /tmp/dnsmasq.conf.
- Add the entries server=127.0.0.1#5453 and server=0::1#5453 to /jffs/configs/dnsmasq.conf.add. This instructs dnsmasq to forward DNS requests to Stubby.
- Set WAN DNS1 to the Router's IP Address and set the WAN DNS2 entry to null.
- Update /tmp/resolv.conf and /tmp/resolv.dnsmasq to use the Router's IP address.
- If one or more active OpenVPN Clients are found, create the file /jffs/configs/resolv.dnsmasq and add an entry in /jffs/scripts/openvpn-event to copy /jffs/configs/resolv.dnsmasq to /tmp/resolv.dnsmasq. This is required to prevent OpenVPN up/down events from adding the internal VPN DNS server IP addresses 10.9.0.1 and 10.8.0.1 to /tmp/resolv.dnsmasq.
- Default to Cloudflare DNS 220.127.116.11 using DNS over TLS. You can change to other supported DNS over TLS providers by modifying /opt/etc/stubby/stubby.yml.
- Provide the option to remove Stubby and the firmware DNS overrides created during the installation. The uninstall option will set the WAN DNS1 to use Cloudflare 18.104.22.168 without DNS over TLS. A reboot is required to finalize the removal of Stubby. You can modify the DNS settings after the reboot has completed.
- An Asus router with Asuswrt-Merlin firmware installed.
- A USB drive with entware installed. Entware can be installed using amtm - the SNBForum Asuswrt-Merlin Terminal Menu
All Asus models that are supported by Asuswrt-Merlin. I have received confirmation that it works on the following models:
Copy and paste the command below into an SSH session.
/usr/sbin/curl --retry 3 "https://raw.githubusercontent.com/Xentrk/Stubby-Installer-Asuswrt-Merlin/master/install_stubby.sh" -o "/jffs/scripts/install_stubby.sh" && chmod 755 /jffs/scripts/install_stubby.sh && sh /jffs/scripts/install_stubby.sh
You may also install Stubby using amtm - the SNBForum Asuswrt-Merlin Terminal Menu
See the Stubby Configuration Guide for a description of the configuration file options. For information on how I derived at the settings used in this project, see my blog post DNS over TLS with DNSMASQ and Stubby on Asuswrt-Merlin.
Validating that Stubby is Working
Run the following commands from an SSH session to verify that stubby is working properly:
ps | grep stubby | grep -v grep
21283 admin 5560 S stubby -g -v 5 -C /opt/etc/stubby/stubby.yml 2>/opt/var/log/stubby.log
Checking stubby... alive.
netstat -lnptu | grep stubby
tcp 0 0 127.0.0.1:5453 0.0.0.0:* LISTEN 21283/stubby udp 0 0 127.0.0.1:5453 0.0.0.0:* 21283/stubby
netstat -lnpt | grep -E '^Active|^Proto|/stubby'
Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 127.0.0.1:5453 0.0.0.0:* LISTEN 24290/stubby
drill github.com (requires entware package drill)
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 41290 ;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;; github.com. IN A ;; ANSWER SECTION: github.com. 42 IN A 22.214.171.124 github.com. 42 IN A 126.96.36.199 ;; AUTHORITY SECTION: ;; ADDITIONAL SECTION: ;; Query time: 82 msec ;; EDNS: version 0; flags: ; udp: 1452 ;; SERVER: 127.0.0.1 ;; WHEN: Wed Oct 10 10:23:23 2018 ;; MSG SIZE rcvd: 91
Server: 127.0.0.1 Address 1: 127.0.0.1 localhost.localdomain Name: github.com Address 1: 188.8.131.52 lb-192-30-253-113-iad.github.com Address 2: 184.108.40.206 lb-192-30-253-112-iad.github.com
getdns_query -s @127.0.0.1 github.com
<snip> "status": GETDNS_RESPSTATUS_GOOD }
[10:13:13.838111] STUBBY: Read config from file /opt/etc/stubby/stubby.yml [10:13:13.844362] STUBBY: DNSSEC Validation is OFF [10:13:13.844413] STUBBY: Transport list is: [10:13:13.844426] STUBBY: - TLS [10:13:13.844439] STUBBY: Privacy Usage Profile is Strict (Authentication required) [10:13:13.844450] STUBBY: (NOTE a Strict Profile only applies when TLS is the ONLY transport!!) [10:13:13.844461] STUBBY: Starting DAEMON.... [10:13:33.075865] STUBBY: 220.127.116.11 : Conn opened: TLS - Strict Profile [10:13:33.144900] STUBBY: 18.104.22.168 : Verify passed : TLS [10:13:35.163106] STUBBY: 22.214.171.124 : Conn closed: TLS - Resps= 1, Timeouts = 0, Curr_auth =Success, Keepalive(ms)= 2000 [10:13:35.163158] STUBBY: 126.96.36.199 : Upstream : TLS - Resps= 1, Timeouts = 0, Best_auth =Success [10:13:35.163173] STUBBY: 188.8.131.52 : Upstream : TLS - Conns= 1, Conn_fails= 0, Conn_shuts= 0, Backoffs = 0 Press **Ctrl-C** to return to the command prompt.
echo | openssl s_client -verify on -CAfile /rom/etc/ssl/certs/ca-certificates.crt -connect 184.108.40.206:853
CONNECTED(00000003) depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA verify return:1 depth=1 C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA verify return:1 depth=0 C = US, ST = CA, L = San Francisco, O = "Cloudflare, Inc.", CN = *.cloudflare-dns.com verify return:1 --- Certificate chain 0 s:/C=US/ST=CA/L=San Francisco/O=Cloudflare, Inc./CN=*.cloudflare-dns.com i:/C=US/O=DigiCert Inc/CN=DigiCert ECC Secure Server CA 1 s:/C=US/O=DigiCert Inc/CN=DigiCert ECC Secure Server CA i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA --- Server certificate -----BEGIN CERTIFICATE----- MIID9DCCA3qgAwIBAgIQBWzetBRl/ycHFsBukRYuGTAKBggqhkjOPQQDAjBMMQsw CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMSYwJAYDVQQDEx1EaWdp <snip>
Cloudflare Help Page to validate you are connected to 220.127.116.11 and DNS over TLS is working. If working properly, the page will display a Yes as seen in the example belowUse the
Connected to 18.104.22.168 Yes Using DNS over HTTPS (DoH) No Using DNS over TLS (DoT) Yes
Similariliy, the Cloudflare Browsing Experience Security Check page tests whether your DNS queries and answers are encrypted, whether your DNS resolver uses DNSSEC, which version of TLS is used to connect to the page, and whether your browser supports encrypted Server Name Indication (SNI).
Validation with Quad9
Quad9 blocks the website http://isitblocked.org. If Quad9 is working properly, an nslookup isitblocked.org will fail:
Server: 127.0.0.1 Address 1: 127.0.0.1 localhost.localdomain nslookup: can't resolve 'isitblocked.org'
- The Cloudflare Help Page test page will not work when the secondary IPv6 2606:4700:4700::1001 is specified in /opt/etc/stubby/stubby.yml.
- Stubby logging is currently simplistic or non-existent and simply writes to stdout. The Stubby team is working on making this better!
Starting, Stopping and Killing Stubby
To (start|stop|restart|check|kill|reconfigure) stubby, type the command below where option is one of the options listed in the parenthesis.
DNS over TLS with OpenVPN
To configure an OpenVPN Client to use Stubby DNS, set Accept DNS Configuration = Disabled on the VPN->VPN Client page. Select the Apply button to save the setting.
The install_stubby.sh script turns off the DNSSEC setting on the firmware to avoid conflicts with DNSSEC built into Stubby. Stubby uses getdns to manage DNSSEC. getdns uses a form of built-in trust-anchor management modeled on RFC7958, named Zero configuration DNSSEC. If you turn on the firmware DNSSEC, the Cloudflare Help Page test page will not work. Early in my testing, I had root anchor files in the appdata_dir directory /opt/var/cache/stubby. Later in my testing, no root anchor files appeared in the appdata_dir directory. I created an issue with the Stubby support team. However, I did not receive a reply from my updates. Since the DNSSEC test sites worked, I closed the issue.
DNS-over-TLS, DNSSEC, DNS Spoof, DNS Leak and WebRTC Leak Test Web Sites
- DNS-over-TLS Test
- DNSSEC Test
- DNS Nameserver Spoofability Test
- https://www.grc.com/dns/dns.htm (scroll down and click on "Initiate Standard DNS Spoofability Test")
- DNS Leak Test
- https://www.dnsleaktest.com/ (use Extended test)
- WebRTC Leak Test
- Martineau on snbforums.com provided the Chk_Entware function.
- John9527 is the developer of the Asuswrt-Merlin Fork. John9527 implemented Stubby in August 2018 and provided the stubby.yml configuration generated by the firmware Asuswrt-Merlin-Fork. The stubby.yml provided by John9527 was used as a benchmark for this project. My goal is to standardize the configurations used in the Asuswrt-Merlin Fork when possible.
- Thank you to snbforums.com members Jack Yaz, bbunge, skeal and M@rco who volunteered their time performing testing and providing feedback.
- Jack Yaz forked the original installer to provide support for RT-AC86U routers.
- Adamm also forked the original installer script and added support for the RT-AX88U and GT-AC5300 HND routers. Adamm performed code improvements and implemented the performance improvements listed below.
- Odkrys compiled Stubby for HND routers RT-AC86U, RT-AX88U, GT-AC5300 and provided performance improvement suggestions: TLS 1.3 / Cipher List / haveged
Support for the project is available on snbforums.com