Skip to content
Stubby DNS Privacy Daemon Install Script for Asuswrt-Merlin Firmware
Branch: master
Clone or download
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
.gitattributes
.travis.yml Create .travis.yml Jan 15, 2019
LICENSE Initial commit Sep 25, 2018
README.md Add option to force all dns requests through Stubby Feb 9, 2019
S61stubby export TZ for stubby and haveged Feb 12, 2019
getdns-hnd-latest.ipk getdns 1.5.1 (openssl 1.1.1a) + stubby 0.2.5 Jan 30, 2019
install_stubby.sh
stubby.yml

README.md

Stubby-Installer-Asuswrt-Merlin

Stubby DNS Privacy Daemon Install Script for Asuswrt-Merlin Firmware

Description

Stubby is an application that acts as a local DNS Privacy stub resolver using DNS-over-TLS. Stubby encrypts DNS queries sent from a client machine to a DNS Privacy resolver increasing end user privacy.

The use of Stubby on Asuswrt-Merlin is not endorsed by the firmware developer. You can also use this script to uninstall Stubby and remove the changes made during the installation.

The Stubby installer script install_stubby.sh will

  1. Install the entware packages stubby.
  2. Create /opt/var/cache/stubby and /opt/var/log folders if they do not exist.
  3. Download the Stubby entware start up script S61stubby to /opt/etc/init.d.
  4. Download the Stubby configuration file stubby.yml to /opt/etc/stubby.
  5. Override how the firmware manages DNS
  • Add the entry no-resolv to /jffs/configs/dnsmasq.conf.add if it does not exist in /tmp/dnsmasq.conf.
  • Add the entries server=127.0.0.1#5453 and server=0::1#5453 to /jffs/configs/dnsmasq.conf.add. This instructs dnsmasq to forward DNS requests to Stubby.
  • Set WAN DNS1 to the Router's IP Address and set the WAN DNS2 entry to null.
  • Update /tmp/resolv.conf and /tmp/resolv.dnsmasq to use the Router's IP address.
  • If one or more active OpenVPN Clients are found, create the file /jffs/configs/resolv.dnsmasq and add an entry in /jffs/scripts/openvpn-event to copy /jffs/configs/resolv.dnsmasq to /tmp/resolv.dnsmasq. This is required to prevent OpenVPN up/down events from adding the internal VPN DNS server IP addresses 10.9.0.1 and 10.8.0.1 to /tmp/resolv.dnsmasq.
  1. Default to Cloudflare DNS 1.1.1.1 using DNS over TLS. You can change to other supported DNS over TLS providers by modifying /opt/etc/stubby/stubby.yml.
  2. Provide the option to remove Stubby and the firmware DNS overrides created during the installation. The uninstall option will set the WAN DNS1 to use Cloudflare 1.1.1.1 without DNS over TLS. A reboot is required to finalize the removal of Stubby. You can modify the DNS settings after the reboot has completed.

Requirements

  1. An Asus router with Asuswrt-Merlin firmware installed.
  2. A USB drive with entware installed. Entware can be installed using amtm - the SNBForum Asuswrt-Merlin Terminal Menu

Supported Models

All Asus models that are supported by Asuswrt-Merlin. I have received confirmation that it works on the following models:

  • RT-AC66U_B1
  • RT-AC68U
  • RT-AC87U
  • RT-AC88U
  • RT-AC3100
  • RT-AC3200
  • RT-AC5300
  • RT-AC86U
  • RT-AX88U
  • GT-AC5300

Installation

Copy and paste the command below into an SSH session.

/usr/sbin/curl --retry 3 "https://raw.githubusercontent.com/Xentrk/Stubby-Installer-Asuswrt-Merlin/master/install_stubby.sh" -o "/jffs/scripts/install_stubby.sh" && chmod 755 /jffs/scripts/install_stubby.sh && sh /jffs/scripts/install_stubby.sh

You may also install Stubby using amtm - the SNBForum Asuswrt-Merlin Terminal Menu

Stubby Configuration

See the Stubby Configuration Guide for a description of the configuration file options. For information on how I derived at the settings used in this project, see my blog post DNS over TLS with DNSMASQ and Stubby on Asuswrt-Merlin.

Validating that Stubby is Working

Run the following commands from an SSH session to verify that stubby is working properly:

ps | grep stubby | grep -v grep

21283 admin    5560 S    stubby -g -v 5 -C /opt/etc/stubby/stubby.yml 2>/opt/var/log/stubby.log

/opt/etc/init.d/S61stubby check

Checking stubby...              alive.

netstat -lnptu | grep stubby

    tcp        0      0 127.0.0.1:5453          0.0.0.0:*               LISTEN      21283/stubby
    udp        0      0 127.0.0.1:5453          0.0.0.0:*                           21283/stubby

netstat -lnpt | grep -E '^Active|^Proto|/stubby'

    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 127.0.0.1:5453          0.0.0.0:*               LISTEN      24290/stubby

drill github.com (requires entware package drill)

    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 41290
    ;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;; github.com.  IN      A

    ;; ANSWER SECTION:
    github.com.     42      IN      A       192.30.253.113
    github.com.     42      IN      A       192.30.253.112

    ;; AUTHORITY SECTION:

    ;; ADDITIONAL SECTION:

    ;; Query time: 82 msec
    ;; EDNS: version 0; flags: ; udp: 1452
    ;; SERVER: 127.0.0.1
    ;; WHEN: Wed Oct 10 10:23:23 2018
    ;; MSG SIZE  rcvd: 91

nslookup github.com

    Server:    127.0.0.1
    Address 1: 127.0.0.1 localhost.localdomain

    Name:      github.com
    Address 1: 192.30.253.113 lb-192-30-253-113-iad.github.com
    Address 2: 192.30.253.112 lb-192-30-253-112-iad.github.com

getdns_query -s @127.0.0.1 github.com

    <snip>
    "status": GETDNS_RESPSTATUS_GOOD
    }

stubby -l

    [10:13:13.838111] STUBBY: Read config from file /opt/etc/stubby/stubby.yml
    [10:13:13.844362] STUBBY: DNSSEC Validation is OFF
    [10:13:13.844413] STUBBY: Transport list is:
    [10:13:13.844426] STUBBY:   - TLS
    [10:13:13.844439] STUBBY: Privacy Usage Profile is Strict (Authentication required)
    [10:13:13.844450] STUBBY: (NOTE a Strict Profile only applies when TLS is the ONLY transport!!)
    [10:13:13.844461] STUBBY: Starting DAEMON....
    [10:13:33.075865] STUBBY: 1.1.1.1                                  : Conn opened: TLS - Strict Profile
    [10:13:33.144900] STUBBY: 1.1.1.1                                  : Verify passed : TLS
    [10:13:35.163106] STUBBY: 1.1.1.1                                  : Conn closed: TLS - Resps=     1, Timeouts  =     0, Curr_auth =Success, Keepalive(ms)=  2000
    [10:13:35.163158] STUBBY: 1.1.1.1                                  : Upstream   : TLS - Resps=     1, Timeouts  =     0, Best_auth =Success
    [10:13:35.163173] STUBBY: 1.1.1.1                                  : Upstream   : TLS - Conns=     1, Conn_fails=     0, Conn_shuts=      0, Backoffs     =     0
Press **Ctrl-C** to return to the command prompt.

echo | openssl s_client -verify on -CAfile /rom/etc/ssl/certs/ca-certificates.crt -connect 1.1.1.1:853

    CONNECTED(00000003)
    depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
    verify return:1
    depth=1 C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
    verify return:1
    depth=0 C = US, ST = CA, L = San Francisco, O = "Cloudflare, Inc.", CN = *.cloudflare-dns.com
    verify return:1
    ---
    Certificate chain
    0 s:/C=US/ST=CA/L=San Francisco/O=Cloudflare, Inc./CN=*.cloudflare-dns.com
    i:/C=US/O=DigiCert Inc/CN=DigiCert ECC Secure Server CA
    1 s:/C=US/O=DigiCert Inc/CN=DigiCert ECC Secure Server CA
    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIID9DCCA3qgAwIBAgIQBWzetBRl/ycHFsBukRYuGTAKBggqhkjOPQQDAjBMMQsw
    CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMSYwJAYDVQQDEx1EaWdp
    <snip>

Use the Cloudflare Help Page to validate you are connected to 1.1.1.1 and DNS over TLS is working. If working properly, the page will display a Yes as seen in the example below

    Connected to 1.1.1.1         Yes
    Using DNS over HTTPS (DoH)   No
    Using DNS over TLS (DoT)     Yes

Similariliy, the Cloudflare Browsing Experience Security Check page tests whether your DNS queries and answers are encrypted, whether your DNS resolver uses DNSSEC, which version of TLS is used to connect to the page, and whether your browser supports encrypted Server Name Indication (SNI).

Validation with Quad9

Quad9 blocks the website http://isitblocked.org. If Quad9 is working properly, an nslookup isitblocked.org will fail:

    Server:    127.0.0.1
    Address 1: 127.0.0.1 localhost.localdomain

    nslookup: can't resolve 'isitblocked.org'

Known Issues

  1. The Cloudflare Help Page test page will not work when the secondary IPv6 2606:4700:4700::1001 is specified in /opt/etc/stubby/stubby.yml.
  2. Stubby logging is currently simplistic or non-existent and simply writes to stdout. The Stubby team is working on making this better!

Starting, Stopping and Killing Stubby

To (start|stop|restart|check|kill|reconfigure) stubby, type the command below where option is one of the options listed in the parenthesis.

    /opt/etc/init.d/S61stubby option

DNS over TLS with OpenVPN

To configure an OpenVPN Client to use Stubby DNS, set Accept DNS Configuration = Disabled on the VPN->VPN Client page. Select the Apply button to save the setting.

DNSSEC

The install_stubby.sh script turns off the DNSSEC setting on the firmware to avoid conflicts with DNSSEC built into Stubby. Stubby uses getdns to manage DNSSEC. getdns uses a form of built-in trust-anchor management modeled on RFC7958, named Zero configuration DNSSEC. If you turn on the firmware DNSSEC, the Cloudflare Help Page test page will not work. Early in my testing, I had root anchor files in the appdata_dir directory /opt/var/cache/stubby. Later in my testing, no root anchor files appeared in the appdata_dir directory. I created an issue with the Stubby support team. However, I did not receive a reply from my updates. Since the DNSSEC test sites worked, I closed the issue.

DNS-over-TLS, DNSSEC, DNS Spoof, DNS Leak and WebRTC Leak Test Web Sites

  1. DNS-over-TLS Test
  1. DNSSEC Test
  1. DNS Nameserver Spoofability Test
  1. DNS Leak Test
  1. WebRTC Leak Test

Collaborators

  • Martineau on snbforums.com provided the Chk_Entware function.
  • John9527 is the developer of the Asuswrt-Merlin Fork. John9527 implemented Stubby in August 2018 and provided the stubby.yml configuration generated by the firmware Asuswrt-Merlin-Fork. The stubby.yml provided by John9527 was used as a benchmark for this project. My goal is to standardize the configurations used in the Asuswrt-Merlin Fork when possible.
  • Thank you to snbforums.com members Jack Yaz, bbunge, skeal and M@rco who volunteered their time performing testing and providing feedback.
  • Jack Yaz forked the original installer to provide support for RT-AC86U routers.
  • Adamm also forked the original installer script and added support for the RT-AX88U and GT-AC5300 HND routers. Adamm performed code improvements and implemented the performance improvements listed below.
  • Odkrys compiled Stubby for HND routers RT-AC86U, RT-AX88U, GT-AC5300 and provided performance improvement suggestions: TLS 1.3 / Cipher List / haveged

All updates made by Jack Yaz and Adamm are now incorporated into the original installer script.

Support

Support for the project is available on snbforums.com

You can’t perform that action at this time.