Joined: 16 Nov 2015 Posts: 6437 Location: UK, London, just across the river..
Posted: Wed May 15, 2019 16:21 Post subject:
10x, sadly unbound is present only on my high-grade routers and I can still use DNSCrypt instead...
but thank you anyway, I'll test it just to see what's on.. I'm more interested in how to set up either stubby or anything else to be able to use DoH or DoT on lower-grade routers like the 1043v2, for example....
_________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Originally I posted this in another thread, with the post below, which had come up on a search, before noticing it was a Broadcom forum etc. etc., so this seems a better forum/thread to add it to...
mbze430 wrote:
I have been looking at the request threads for DoT and DoH support since mid-last year (I have also seen some requests on the SVN as well). I was wondering if there have been any new developments on adding these features into DDWRT (including a GUI).
I believe Stubby is the forefront spear in with DoT. I believe DNSCrypt-Proxy is the forefront of DoH.
I tried both on my ASUS Merlin and they're pretty simple. Even the latest Merlin has an integrated GUI for Stubby.
Just waiting for DDWRT!
This describes me to a T.
Except I gave configuring stubby a shot today on one of my WNDR4300s and it was super straightforward and worked great.
High-level:
Setup USB drive on target router
Installed Entware
Installed ca-certificates
Installed stubby (getdns is an auto-installed dependency)
Added DNSmasq options via GUI (other ways to do that, obviously: scripting etc., depends on your style..):
no-resolv
server=127.0.0.1#5453
Hard-coded an ntp server IP address
Edited /opt/etc/stubby/stubby.yml to my liking (added Google servers to Cloudflare, deleted ipv6)
Started stubby&
That was pretty much it. Worked right away.
Can netstat the 853 connections and watch it work away happily.
Was all working WAY easier than I thought.
None of the binary patching or any other fussing required.
Seems super fast although I've not done empirical testing.
At first I just tossed the stubby startup in the router startup script, but I'm trying to cleanse that and keep everything substantial on /jffs or /opt, so then I did it properly and added an init.d script S61stubby as follows
(note: a prior version of this post linked to an example with 'nohup'; apparently the base busybox doesn't support nohup, so it was failing)
Probably there's a better way to handle the ntp situation - I see references to making an exception for ntp.pool.org - but haven't figured it out yet.
Bit surprised this subject isn't more updated - most threads here make this sound like it's still not all sorted out by now. I suspect it's one of those things that guys who tried found worked so easily that they never bothered to go back and mention it.
_________________ Site1: R6400v2 FreshTomato 2019.10.2 | WNDR4300 DD-WRT v3.0-r39800 | WNDR3700v4 Bricked 0.0
Site2: RT-AC3200 Merlin 384.13.0 Site3: R7000 FreshTomato 2019.2
Spares: DD-WRT v.othernumbers
Last edited by vibranto on Sat May 25, 2019 16:55; edited 1 time in total
One note - I'll edit the prior post in a second - the Entware stubby startup script I originally linked above does NOT work. So I had yet another round of debugging an overnight reboot fail.
Posted: Fri May 31, 2019 10:57 Post subject:
Is there anyone who is using dnscrypt-proxy2 2.0.23-1 via Entware...
Tried to do it last night on an Atheros unit (1043v2), but I'm not a Linux geek and it was hard to find any configuration guidelines too...
I do have a fully working install of Entware + DNSCrypt v2 + stubby, tried them both, but it seems I'm missing something. Any step-by-step guides...
As well, how to edit the stubby .yml config file ... I'm very bad at those ... any ideas ...
Thanks in advance!
I have abandoned stubby in favor of SmartDNS built into GUI Services>Services.
This eliminates HAVING to have entware running on usb.
Although I still use entware for other programs available.
Alozaros wrote:
but it seems I'm missing something, any step-by-step guides
This worked for me to use Stubby.
Used this startup script:
Code:
#!/bin/sh
logger -t S61stubby "Starting Stubby DNS over TLS $0"
# Entware rc.func conventions: PROCS is the binary to start, ARGS its arguments,
# PREARGS an optional wrapper command, DESC the name shown in start/stop messages.
ENABLED=yes
PROCS=stubby
# -g runs stubby in the background, -v 5 sets the log level, -C names the config.
# rc.func launches "$PREARGS $PROCS $ARGS" with its own output sent to /dev/null,
# so a "2>/opt/var/log/stubby.log" token inside ARGS is not a shell redirect: it
# is handed to stubby as an extra argument and the log file is never written,
# which is why no such token is used here.
ARGS="-g -v 5 -C /opt/etc/stubby/stubby.yml"
PREARGS=""
DESC=$PROCS
# Entware binaries first, then the system paths (PATH is already exported).
PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
. /opt/etc/init.d/rc.func
(The original script had PREARGS="nohup"; @vibranto said busybox did not support that. I think it worked both ways for me.)
Named it S61stubby.sh
Put it in /opt/etc/init.d
Made it executable with chmod +x /opt/etc/init.d/S61stubby.sh using the CLI.
Start Stubby: Administration > Commands with
is-mounted.sh /opt /opt/etc/init.d/S61stubby.sh start
and Save as Startup
# Optional: Save as USB Script = Save USB (works better I think)
# Also beware that yaml is sensitive to the indentation at the start of each
# line so if you encounter errors when parsing the config file then please check
# that. We will add better checking but a useful online tool to check yaml
# format is here (it also converts yaml to json)
# https://yaml-online-parser.appspot.com/
You will need to use an IP address, e.g. 216.239.35.4 (time.google.com), for NTP, as there will be no DNS until Stubby is up.
Leaving the time server blank may work as well, as DD-WRT has a hard-coded time server; untested by me.
I also saw an issue with having to stop the OVPN client, then call Stubby, then restart OVPN. Not sure what was up with that, but I added sleep 6 before the Stubby startup command and haven't had another problem.
I use this command from @egc to see port 853 being used.
As you are already using entware, wireshark can be installed
opkg install wireshark
Run with tshark -i <interface>
tshark -D shows available interfaces
tshark -h shows the help
Maybe I got it all, hope it works for you.
Last edited by bushant on Wed Dec 14, 2022 18:44; edited 7 times in total
When I had stubby running on the laptop, wireshark would pick up traffic on port 853.
With stubby running on the router, wireshark does not see that traffic. I don't know wireshark usage well.
netstat or netstat -p catches it intermittently.
Code:
netstat -p
tcp 0 0 38.65.xxx.xxx:45978 one.one.one.one:853 ESTABLISHED 1511/stubby
tcp 0 0 38.65.xxx.xxx:35014 145.100.185.15:853 ESTABLISHED 1511/stubby
Posted: Mon Jun 03, 2019 20:46 Post subject:
bushant wrote:
When I had stubby running on the laptop, wireshark would pick up traffic on port 853.
With stubby running on the router, wireshark does not see that traffic. I don't know wireshark usage well.
netstat or netstat -p catches it intermittently.
Code:
netstat -p
tcp 0 0 38.65.xxx.xxx:45978 one.one.one.one:853 ESTABLISHED 1511/stubby
tcp 0 0 38.65.xxx.xxx:35014 145.100.185.15:853 ESTABLISHED 1511/stubby
So far I think I made it work; it comes out on netstat -p, as you said, intermittently. I can also see it on top, and it shows up in: netstat -lnptu | grep stubby
What I did so far, step by step, is:
"for Atheros based non dual core routers"
then type:
nano /opt/etc/init.d/S61stubby.sh
paste this script:
#!/bin/sh
logger -t S61stubby "Starting Stubby DNS over TLS $0"
# Entware rc.func conventions: PROCS is the binary, ARGS its arguments,
# PREARGS an optional wrapper, DESC the name shown in messages.
ENABLED=yes
PROCS=stubby
# rc.func runs "$PREARGS $PROCS $ARGS" with output sent to /dev/null, so a
# "2>logfile" token inside ARGS would reach stubby as a plain argument rather
# than act as a redirect; only real stubby options belong here.
ARGS="-g -v 5 -C /opt/etc/stubby/stubby.yml"
PREARGS=""
DESC=$PROCS
# Entware binaries first, then the system paths (PATH is already exported).
PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
. /opt/etc/init.d/rc.func
then press
(ctrl+x)
(click Y)
(click enter)
then type
chmod +x /opt/etc/init.d/S61stubby.sh
then type:
nano /opt/etc/stubby/stubby.yml
(click enter)
edit to your preferences; I used this one, you can compare and edit your script: IF YOU INTEND TO COPY-PASTE TO STUBBY, DO NOTICE THAT IN THIS SCRIPT THE SPACING IS CORRUPTED; FOR BEST RESULTS MANUALLY EDIT THOSE LINES AND KEEP THE DEFAULT SPACING
edited: 20.09.2020
on the latest version of stubby (0.30+) and getDNS (past 1.6), in order for stubby to work, this line is deprecated in OpenSSL 1.1.1g+ and has to be removed..
sleep 10
/opt/etc/init.d/rc.unslung start ---- add this if you have other start up things running as well
/opt/etc/init.d/S61stubby.sh start ---- add this line if you want to start only stubby
or on newer builds after 483xx, instead of those rules in the Start Up script, save to the USB script:
sleep 5
/opt/etc/init.d/rc.unslung start
and these lines to the advanced DNSmasq options:
no-resolv
server=127.0.0.1#5453
finally make sure you have a decent NTP time server
selected in the main DDWRT GUI, with the correct time zone;
in my case I use an IP-only format; choose one of those and paste the IP in the NTP box:
GGL NTP time IP 216.239.35.12 or 216.239.35.8
Cloudflare NTP 162.159.200.123
also make sure you add a path to the certificates, otherwise it won't see/use those by default:
tls_ca_path: "/opt/etc/ssl/certs"
thanks for the help and guidelines ....
to test that Stubby is using those specified DNS servers,
try this command via CLI (telnet or SSH)...
(you must have tcpdump, or you can install it via entware:
opkg install tcpdump)
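An added sanity-check script for the setup described in bushant's post and in the step-by-step above (example code, not from the thread or from the Stubby/Entware projects). It runs its checks on constructed netstat and DNSMasq-option samples of the form shown in the posts; the --live mode, and the dnsmasq_options nvram variable it reads, are assumptions about DD-WRT.

```shell
#!/bin/sh
# Added example, not code from the thread: sanity checks for the Stubby + dnsmasq
# DoT setup above. Each check takes its input as text, so it can be exercised on
# the constructed samples below; on the router, run it with --live instead.

# Constructed sample in busybox `netstat -lnptu` / `netstat -p` layout.
SAMPLE_NETSTAT='tcp 0 0 127.0.0.1:5453 0.0.0.0:* LISTEN 1511/stubby
udp 0 0 127.0.0.1:5453 0.0.0.0:* 1511/stubby
tcp 0 0 38.65.0.2:45978 one.one.one.one:853 ESTABLISHED 1511/stubby
tcp 0 0 38.65.0.2:35014 145.100.185.15:853 ESTABLISHED 1511/stubby
tcp 0 0 192.168.1.1:22 192.168.1.10:51000 ESTABLISHED 980/dropbear'

# Constructed sample of the "Additional DNSMasq Options" box from the posts.
SAMPLE_DNSMASQ='no-resolv
server=127.0.0.1#5453'

# Succeeds when stubby owns a listener on 127.0.0.1:5453, the port dnsmasq forwards to.
stubby_listening() {
    printf '%s\n' "$1" | grep -q '127\.0\.0\.1:5453 .*/stubby$'
}

# Prints the number of ESTABLISHED TCP sessions to port 853 owned by stubby.
# With DoT working you expect at least one per upstream; zero means no query
# has left the router over TLS (or stubby is not the process doing it).
count_dot_sessions() {
    printf '%s\n' "$1" | awk '/:853 +ESTABLISHED/ && /\/stubby$/ { n++ } END { print n + 0 }'
}

# Returns 0 when dnsmasq ignores /etc/resolv.conf and forwards only to stubby,
# 1 when no-resolv is missing (the WAN/ISP resolvers would still be queried in
# plain DNS), 2 when the stubby forwarder line is missing.
check_dnsmasq_opts() {
    printf '%s\n' "$1" | grep -qx 'no-resolv' || return 1
    printf '%s\n' "$1" | grep -qx 'server=127\.0\.0\.1#5453' || return 2
}

# Run the checks against the real router state (assumes DD-WRT keeps the
# DNSMasq options box in the dnsmasq_options nvram variable).
live_check() {
    ns=$(netstat -lnptu 2>/dev/null; netstat -p 2>/dev/null)
    opts=$(nvram get dnsmasq_options 2>/dev/null)
    stubby_listening "$ns" && echo "ok: stubby listens on 127.0.0.1:5453" || echo "FAIL: no stubby listener"
    echo "established DoT sessions (:853) owned by stubby: $(count_dot_sessions "$ns")"
    check_dnsmasq_opts "$opts" && echo "ok: dnsmasq forwards only to stubby" \
        || echo "FAIL: dnsmasq options incomplete (code $?)"
}

if [ "${1:-}" = "--live" ]; then live_check; fi
```

A zero session count together with plain port-53 traffic on the WAN interface in tcpdump is the leak case the posts above were hunting for.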
Posted: Tue Jun 11, 2019 23:03 Post subject:
I cannot state that stubby is fully working, or at least prove it...
on wireshark I do not see anything going out via port 853 or coming back to it, or the listening port...
I also do have standard DNS hits in wireshark, which leads me to believe that this stubby is not working as intended or I'm doing it wrong; the only thing that comes out of it is that my DNS is swapped with
1.1.1.1 and I see TLS is used in this https://1.1.1.1/help test, and I can see stubby from the router side (netstat -p) and in the router's Active IP Connections..... I can see 1.1.1.1 is connected to 853,
and all the DNS port 53 - router IP entries are dns UNREPLIED, and it has the listening port connected to 127.0.0.1, but the actual results are different...
P.S. it seems there is a great confusion: as I capture the frames on my wi-fi, the DNS is not tls encrypted,
but it seems those DNS frames on my router's end are tls encrypted, so I guess I was sniffing at the wrong end;
I'll try to install wireshark and check the router's end to confirm..., but so far if I have to rely on
the Active IP Connections results & https://1.1.1.1/help test, stubby is working...I guess...
Posted: Wed Jun 12, 2019 17:42 Post subject:
ok.. on the router I ended up installing tcpdump instead of wireshark... I can confirm I didn't see any hits on port 53 (DNS) in or out of eth0, all goes via port 853 as intended, so clearly it's working as it is...
tcpdump -i eth0 | grep -Ei 'dns9.quad9.net'
I can see it's working as it should
Last edited by Alozaros on Sun Dec 20, 2020 14:43; edited 1 time in total
Posted: Wed Jun 12, 2019 19:47 Post subject:
bushant wrote:
What might a firewall rule look like to drop/reject traffic to/from port 53?
don't know, I tried a few to no avail...
tried something like that too
iptables -t nat -D PREROUTING -i br0 -p udp --dport 53 -j DNAT --to `nvram get lan_ipaddr`
iptables -t nat -D PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to `nvram get lan_ipaddr`
iptables -t nat -I PREROUTING -i br0 -p udp --dport 853 -j DNAT --to `nvram get lan_ipaddr`
iptables -t nat -I PREROUTING -i br0 -p tcp --dport 853 -j DNAT --to `nvram get lan_ipaddr`
but the first 2 rules remain after restart; it seems there is no way to block it with simple rules either
iptables -I FORWARD -p tcp --dport 53 -j DROP
iptables -I FORWARD -p udp --dport 53 -j DROP
but noticed if you mess with port 53 then there is no NTP on router start, and then stubby is not working and no DNS at all...
the good thing is with tcpdump -i eth0 I don't see any hits on port 53 at all, all goes via 853
as well you can see in Active IP Connections in the GUI that the DNS port 53 entries are UNREPLIED, and the port for stubby is listening...
so far I'm happy with stubby, it seems to work with the setup above...
was thinking to get dnscrypt instead, but not much info and my previous tries were not successful...
will see, need to read more about it...
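An added example for the firewall question above (example code, not from the thread or from DD-WRT): rather than deleting the port-53 DNAT rules, it forces LAN clients through the router's own resolver so that every client query ends up in stubby over TLS. The names br0 and `nvram get lan_ipaddr` are taken from the rules posted above; the Save Firewall hook and the --apply entry point are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: force LAN clients to use the router's own
# resolver (dnsmasq -> stubby over TLS) instead of deleting the port-53 rules as
# tried above. Assumes DD-WRT naming: br0 is the LAN bridge and `nvram get
# lan_ipaddr` gives the router's LAN address. Meant for Administration >
# Commands > Save Firewall so it is re-applied whenever DD-WRT rebuilds the firewall.

IPTABLES=${IPTABLES:-iptables}   # overridable so the functions can be dry-run

# Print the rules as "table chain match... target", one per line.
dns_rules() {
    lan_ip=$1
    for proto in udp tcp; do
        # Any client query to port 53 (even to a hard-coded public resolver) is
        # redirected to dnsmasq on the router, which hands it to stubby on 127.0.0.1#5453.
        echo "nat PREROUTING -i br0 -p $proto --dport 53 ! -d $lan_ip -j DNAT --to-destination $lan_ip:53"
        # Safety net if the DNAT rule is ever removed: plain DNS from the LAN is
        # not forwarded to the WAN. Neither rule matches the router's own traffic
        # (PREROUTING/FORWARD on br0 only), so its NTP bootstrap at boot is unaffected.
        echo "filter FORWARD -i br0 -p $proto --dport 53 -j REJECT"
    done
}

# Insert each rule unless an identical one already exists (-C), so re-running
# on every firewall restart does not stack duplicates.
apply_dns_rules() {
    dns_rules "$1" | while read -r table chain spec; do
        $IPTABLES -t "$table" -C "$chain" $spec 2>/dev/null \
            || $IPTABLES -t "$table" -I "$chain" $spec
    done
}

# Entry point for the Firewall script; the functions can also be called directly.
if [ "${1:-}" = "--apply" ]; then
    apply_dns_rules "$(nvram get lan_ipaddr)"
fi
```

Clients that speak DoT or DoH themselves are untouched by these rules; the point is only that nothing on the LAN can fall back to plain port-53 DNS past the router.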
I'm pretty sure that you don't have to specify an NTP server and that an IP is built into the firmware.
For the issue of the FQDN for NTP before DNS is working, I ran into this same issue when running DNSCrypt on the router itself and found the following line in my DNSmasq options to work:
server=/ntp.org/208.67.222.222
My router is configured to use us.pool.ntp.org for NTP.
How have some of you been able to run dig on your routers?? I installed stubby, and getdns but that didn't seem to work.
_________________ R7000 Nighthawk - DD-WRT v3.0-r50308
~~~~~~~~~~Dismantled for learning opportunities~~~~~~~~~~
WRT54Gv2
WRT54Gv8.2
~~~~~~~~~~Other Settings~~~~~~~~~
https://nextdns.io/?from=2d3sq39x https://pi-hole.net/ https://github.com/DNSCrypt/dnscrypt-proxy