
Stubby DNS Privacy Daemon Install Script for Asuswrt-Merlin Firmware


Stubby is an application that acts as a local DNS Privacy stub resolver using DNS-over-TLS. Stubby encrypts DNS queries sent from a client machine to a DNS Privacy resolver increasing end user privacy.

The use of Stubby on Asuswrt-Merlin is not endorsed by the firmware developer. You can also use this script to uninstall Stubby and remove the changes made during the installation.

The Stubby installer script will:

  1. Install the entware package stubby.
  2. Create the /opt/var/cache/stubby and /opt/var/log folders if they do not exist.
  3. Download the Stubby entware start up script S61stubby to /opt/etc/init.d.
  4. Download the Stubby configuration file stubby.yml to /opt/etc/stubby.
  5. Override how the firmware manages DNS:
  • Add the entry no-resolv to /jffs/configs/dnsmasq.conf.add if it does not exist in /tmp/dnsmasq.conf.
  • Add the entries server= and server=0::1#5453 to /jffs/configs/dnsmasq.conf.add. This instructs dnsmasq to forward DNS requests to Stubby.
  • Set WAN DNS1 to the Router's IP Address and set the WAN DNS2 entry to null.
  • Update /tmp/resolv.conf and /tmp/resolv.dnsmasq to use the Router's IP address.
  • If one or more active OpenVPN Clients are found, create the file /jffs/configs/resolv.dnsmasq and add an entry in /jffs/scripts/openvpn-event to copy /jffs/configs/resolv.dnsmasq to /tmp/resolv.dnsmasq. This is required to prevent OpenVPN up/down events from adding the internal VPN DNS server IP addresses to /tmp/resolv.dnsmasq.
  6. Default to Cloudflare DNS using DNS over TLS. You can change to other supported DNS over TLS providers by modifying /opt/etc/stubby/stubby.yml.
  7. Provide the option to remove Stubby and the firmware DNS overrides created during the installation. The uninstall option will set the WAN DNS1 to use Cloudflare without DNS over TLS. A reboot is required to finalize the removal of Stubby. You can modify the DNS settings after the reboot has completed.
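The dnsmasq override in step 5 has to be idempotent (re-running the installer must not duplicate directives, and no-resolv must not be added when the firmware-generated config already carries it). The shell functions below are an added example written for this README, not the installer's own code; they assume Stubby listens on 127.0.0.1#5453 for IPv4 (the page shows only the port and the IPv6 entry 0::1#5453) and take the file paths as parameters so they can be exercised on copies rather than on the live router files.

```shell
#!/bin/sh
# Added example, not part of the installer script.
# Assumption: Stubby's IPv4 listener is 127.0.0.1#5453 (only the port and the
# IPv6 entry 0::1#5453 appear on the page).

# add_dnsmasq_overrides <dnsmasq.conf.add path> <firmware dnsmasq.conf path>
# Appends the missing entries only; safe to run more than once.
add_dnsmasq_overrides() {
    conf_add="$1"
    gen_conf="$2"
    touch "$conf_add"
    # no-resolv goes in only when neither the firmware config nor our
    # add-file already has it; dnsmasq should see the directive once.
    if ! grep -qxF 'no-resolv' "$gen_conf" 2>/dev/null && \
       ! grep -qxF 'no-resolv' "$conf_add"; then
        echo 'no-resolv' >> "$conf_add"
    fi
    # Forward all queries to Stubby over IPv4 and IPv6 loopback.
    for upstream in 'server=127.0.0.1#5453' 'server=0::1#5453'; do
        grep -qxF "$upstream" "$conf_add" || echo "$upstream" >> "$conf_add"
    done
}

# count_exact <line> <file>: number of lines in <file> equal to <line>.
count_exact() {
    n=$(grep -cxF "$1" "$2" 2>/dev/null || true)
    echo "${n:-0}"
}

# check_dnsmasq_overrides <dnsmasq.conf.add path> <firmware dnsmasq.conf path>
# Returns 0 when no-resolv appears exactly once across both files and each
# server= entry appears exactly once in the add-file, 1 otherwise.
check_dnsmasq_overrides() {
    conf_add="$1"
    gen_conf="$2"
    total=$(( $(count_exact 'no-resolv' "$conf_add") + $(count_exact 'no-resolv' "$gen_conf") ))
    [ "$total" -eq 1 ] || return 1
    for upstream in 'server=127.0.0.1#5453' 'server=0::1#5453'; do
        [ "$(count_exact "$upstream" "$conf_add")" -eq 1 ] || return 1
    done
    return 0
}

# Constructed demo on temporary copies (not the live /jffs or /tmp paths).
demo_dir=$(mktemp -d)
printf 'domain-needed\nno-resolv\n' > "$demo_dir/dnsmasq.conf"  # firmware config already has no-resolv
: > "$demo_dir/dnsmasq.conf.add"
add_dnsmasq_overrides "$demo_dir/dnsmasq.conf.add" "$demo_dir/dnsmasq.conf"
add_dnsmasq_overrides "$demo_dir/dnsmasq.conf.add" "$demo_dir/dnsmasq.conf"  # second run adds nothing
check_dnsmasq_overrides "$demo_dir/dnsmasq.conf.add" "$demo_dir/dnsmasq.conf" && echo "dnsmasq overrides OK"
```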


  1. An Asus router with Asuswrt-Merlin firmware installed.
  2. A USB drive with entware installed. Entware can be installed using amtm, the SNBForum Asuswrt-Merlin Terminal Menu.

Supported Models

All Asus models that are supported by Asuswrt-Merlin. I have received confirmation that it works on the following models:

  • RT-AC66U_B1
  • RT-AC68U
  • RT-AC87U
  • RT-AC88U
  • RT-AC3100
  • RT-AC3200
  • RT-AC5300
  • RT-AC86U
  • RT-AX88U
  • GT-AC5300


Copy and paste the command below into an SSH session.

/usr/sbin/curl --retry 3 "" -o "/jffs/scripts/" && chmod 755 /jffs/scripts/ && sh /jffs/scripts/

You may also install Stubby using amtm, the SNBForum Asuswrt-Merlin Terminal Menu.

Stubby Configuration

See the Stubby Configuration Guide for a description of the configuration file options. For information on how I arrived at the settings used in this project, see my blog post DNS over TLS with DNSMASQ and Stubby on Asuswrt-Merlin.

Validating that Stubby is Working

Run the following commands from an SSH session to verify that stubby is working properly:

ps | grep stubby | grep -v grep

21283 admin    5560 S    stubby -g -v 5 -C /opt/etc/stubby/stubby.yml 2>/opt/var/log/stubby.log

/opt/etc/init.d/S61stubby check

Checking stubby...              alive.

netstat -lnptu | grep stubby

    tcp        0      0*               LISTEN      21283/stubby
    udp        0      0*                           21283/stubby

netstat -lnpt | grep -E '^Active|^Proto|/stubby'

    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0*               LISTEN      24290/stubby

drill (requires entware package drill)

    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 41290
    ;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
    ;;  IN      A

    ;; ANSWER SECTION:     42      IN      A     42      IN      A



    ;; Query time: 82 msec
    ;; EDNS: version 0; flags: ; udp: 1452
    ;; SERVER:
    ;; WHEN: Wed Oct 10 10:23:23 2018
    ;; MSG SIZE  rcvd: 91


    Address 1: localhost.localdomain

    Address 1:
    Address 2:

getdns_query -s @


stubby -l

    [10:13:13.838111] STUBBY: Read config from file /opt/etc/stubby/stubby.yml
    [10:13:13.844362] STUBBY: DNSSEC Validation is OFF
    [10:13:13.844413] STUBBY: Transport list is:
    [10:13:13.844426] STUBBY:   - TLS
    [10:13:13.844439] STUBBY: Privacy Usage Profile is Strict (Authentication required)
    [10:13:13.844450] STUBBY: (NOTE a Strict Profile only applies when TLS is the ONLY transport!!)
    [10:13:13.844461] STUBBY: Starting DAEMON....
    [10:13:33.075865] STUBBY:                                  : Conn opened: TLS - Strict Profile
    [10:13:33.144900] STUBBY:                                  : Verify passed : TLS
    [10:13:35.163106] STUBBY:                                  : Conn closed: TLS - Resps=     1, Timeouts  =     0, Curr_auth =Success, Keepalive(ms)=  2000
    [10:13:35.163158] STUBBY:                                  : Upstream   : TLS - Resps=     1, Timeouts  =     0, Best_auth =Success
    [10:13:35.163173] STUBBY:                                  : Upstream   : TLS - Conns=     1, Conn_fails=     0, Conn_shuts=      0, Backoffs     =     0
Press **Ctrl-C** to return to the command prompt.

echo | openssl s_client -verify on -CAfile /rom/etc/ssl/certs/ca-certificates.crt -connect

    depth=2 C = US, O = DigiCert Inc, OU =, CN = DigiCert Global Root CA
    verify return:1
    depth=1 C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
    verify return:1
    depth=0 C = US, ST = CA, L = San Francisco, O = "Cloudflare, Inc.", CN = *
    verify return:1
    Certificate chain
    0 s:/C=US/ST=CA/L=San Francisco/O=Cloudflare, Inc./CN=*
    i:/C=US/O=DigiCert Inc/CN=DigiCert ECC Secure Server CA
    1 s:/C=US/O=DigiCert Inc/CN=DigiCert ECC Secure Server CA
    i:/C=US/O=DigiCert Inc/ Global Root CA
    Server certificate

Use the Cloudflare Help Page to validate that you are connected to and that DNS over TLS is working. If it is working properly, the page will display Yes as seen in the example below:

    Connected to         Yes
    Using DNS over HTTPS (DoH)   No
    Using DNS over TLS (DoT)     Yes

Similarly, the Cloudflare Browsing Experience Security Check page tests whether your DNS queries and answers are encrypted, whether your DNS resolver uses DNSSEC, which version of TLS is used to connect to the page, and whether your browser supports encrypted Server Name Indication (SNI).

Validation with Quad9

Quad9 blocks the website. If Quad9 is working properly, an nslookup of it will fail:

    Address 1: localhost.localdomain

    nslookup: can't resolve ''

Known Issues

  1. The Cloudflare Help Page test page will not work when the secondary IPv6 2606:4700:4700::1001 is specified in /opt/etc/stubby/stubby.yml.
  2. Stubby logging is currently simplistic or non-existent and simply writes to stdout. The Stubby team is working on making this better!

Starting, Stopping and Killing Stubby

To (start|stop|restart|check|kill|reconfigure) stubby, type the command below, where option is one of the options listed in the parentheses:

    /opt/etc/init.d/S61stubby option

DNS over TLS with OpenVPN

To configure an OpenVPN Client to use Stubby DNS, set Accept DNS Configuration = Disabled on the VPN->VPN Client page. Select the Apply button to save the setting.


The script turns off the DNSSEC setting on the firmware to avoid conflicts with the DNSSEC built into Stubby. Stubby uses getdns to manage DNSSEC. getdns uses a form of built-in trust-anchor management modeled on RFC7958, named Zero configuration DNSSEC. If you turn on the firmware DNSSEC, the Cloudflare Help Page test page will not work. Early in my testing, I had root anchor files in the appdata_dir directory /opt/var/cache/stubby. Later in my testing, no root anchor files appeared in the appdata_dir directory. I created an issue with the Stubby support team. However, I did not receive a reply to my updates. Since the DNSSEC test sites worked, I closed the issue.

DNS-over-TLS, DNSSEC, DNS Spoof, DNS Leak and WebRTC Leak Test Web Sites

  1. DNS-over-TLS Test
  2. DNSSEC Test
  3. DNS Nameserver Spoofability Test
  4. DNS Leak Test
  5. WebRTC Leak Test


  • Martineau on provided the Chk_Entware function.
  • John9527 is the developer of the Asuswrt-Merlin Fork. John9527 implemented Stubby in August 2018 and provided the stubby.yml configuration generated by the firmware Asuswrt-Merlin-Fork. The stubby.yml provided by John9527 was used as a benchmark for this project. My goal is to standardize the configurations used in the Asuswrt-Merlin Fork when possible.
  • Thank you to members Jack Yaz, bbunge, skeal and M@rco who volunteered their time performing testing and providing feedback.
  • Jack Yaz forked the original installer to provide support for RT-AC86U routers.
  • Adamm also forked the original installer script and added support for the RT-AX88U and GT-AC5300 HND routers. Adamm performed code improvements and implemented the performance improvements listed below.
  • Odkrys compiled Stubby for HND routers RT-AC86U, RT-AX88U, GT-AC5300 and provided performance improvement suggestions: TLS 1.3 / Cipher List / haveged

All updates made by Jack Yaz and Adamm are now incorporated into the original installer script.


Support for the project is available on

