"DNS over TLS" or "DNS over HTTPS"

cookiemonsteruk
DD-WRT Novice


Joined: 24 Oct 2015
Posts: 41
Location: UK

Posted: Mon Jan 04, 2021 20:51
Thanks.
I'm re-reading the red link. It still takes me to your successful post but it refers only to Atheros. Thanks for clarifying.
I'm running /opt on a usb at the moment so I need to read that wiki before downloading and running these installation scripts for entware.
Thanks again.
FS5oD
DD-WRT Novice


Joined: 05 Jan 2021
Posts: 3

Posted: Thu Jan 07, 2021 13:08
Alozaros wrote:
for Stubby DNS over TLS, follow the red link in my signature...
Stubby requires Entware installation. There are 3 different Entware installations...
Broadcom for Broadcom routers
Atheros for Atheros routers
For dual core ARM routers, as R7000 is...

cd /opt (click enter)
wget http://bin.entware.net/armv7sf-k3.2/installer/generic.sh (click enter)
sh generic.sh (click enter)

https://wiki.dd-wrt.com/wiki/index.php/Adding_Software_Packages_using_Entware-3X

once you have Entware installed setting up Stubby is the same for all installations...


if you update to a newer DDWRT build you can also use SmartDNS, as it has the same capabilities..for TLS encryption..and you don't need Entware installation, just USB jffs,
instead...(do keep in mind it requires more reading & understanding)

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=323896


Greeting. I've managed to get Stubby working on my TPLink C7v4 build 44772 with just one problem. The startup script is fine and the stubby is loaded in memory. However, stubby isn't resolving any DNS. I have to restart the service/daemon manually (using the exact same startup script) to get stubby working.

I have openvpn server enabled. I saw somewhere that the openvpn client poses a problem to the startup and adding 'sleep 10' should fix it nicely. I added 'sleep 10', but it didn't solve the problem. Also tried start, sleep 10, stop and start, no difference.

I wonder if you have come across such before.

Many thanks for taking the time to read my message.

--- Resolved ----

I found from syslog that stubby was started before the router time was synced. It turned out that 'sleep 10' was not enough for my router.

I calculated the time needed by the router to sync with NTP from the log, it is about 35 seconds from boot. So, I put 'sleep 40' and everything is wonderful again.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6407
Location: UK, London, just across the river..

Posted: Fri Apr 23, 2021 18:45
on the new builds past 46xxx
you can add this line to start up script instead of sleep xx

is-mounted.sh /opt

it is checking the USB mount first and then executes whatever is there when it's up and running..in this way you can avoid using sleep time command and adjusting it


you can give it a path to either /opt /jffs or /mnt..

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
hifiboy
DD-WRT Novice


Joined: 18 Nov 2021
Posts: 45

Posted: Wed Jan 26, 2022 12:38
I am trying to install Entware on USB on 7800 and following the steps from page 3 of this post.
However, I keep getting the following after some downloads:

Info: Basic packages installation...
generic.sh: line 43: /opt/bin/opkg: Permission denied
generic.sh: line 44: /opt/bin/opkg: Permission denied
cp: can't stat '/opt/etc/shells.1': No such file or directory

root@DD-WRT:/opt# opkg update
Segmentation fault
root@DD-WRT:/opt# opkg upgrade
Segmentation fault
root@DD-WRT:/opt# opkg install ca-certificates
Segmentation fault
root@DD-WRT:/opt# opkg install stubby
Segmentation fault
root@DD-WRT:/opt#

is this method not applicable to 7800?
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6407
Location: UK, London, just across the river..

Posted: Wed Jan 26, 2022 13:11
hifiboy wrote:
I am trying to install Entware on USB on 7800 and following the steps from page 3 of this post.
However, I keep getting the following after some downloads:

Info: Basic packages installation...
generic.sh: line 43: /opt/bin/opkg: Permission denied
generic.sh: line 44: /opt/bin/opkg: Permission denied
cp: can't stat '/opt/etc/shells.1': No such file or directory

root@DD-WRT:/opt# opkg update
Segmentation fault
root@DD-WRT:/opt# opkg upgrade
Segmentation fault
root@DD-WRT:/opt# opkg install ca-certificates
Segmentation fault
root@DD-WRT:/opt# opkg install stubby
Segmentation fault
root@DD-WRT:/opt#

is this method not applicable to 7800?


I've no idea what you are doing, as you didn't post all your actions...following this guide at page 3, post 10 may bring you to a wrong end if you don't read it carefully, and also read the Entware install guide...

https://wiki.dd-wrt.com/wiki/index.php/Installing_Entware

to save your effort:
for different routers there is a different Entware installation and this is vital...R7800 is dual core...
also USB must be ext2, 3 or 4, turned on and mounted to /opt...then you have to follow the guide...

bushant
DD-WRT Guru


Joined: 18 Nov 2015
Posts: 2028

Posted: Wed Jan 26, 2022 13:23
https://wiki.dd-wrt.com/wiki/index.php/Installing_Entware

Is this the instruction you followed?
Code:
For dual-core routers, ARMv7 based, this:

cd /opt (click enter)
wget http://bin.entware.net/armv7sf-k3.2/installer/generic.sh (click enter)
sh generic.sh (click enter)

_________________
Forum Guide Lines (with helpful pointers about how to research your router, where and what firmware to download, where and how to post and many other helpful tips!)
How to get help the right way

Before asking for help - Read the forum guidelines AND Upgrade DD-WRT!
Adblock by eibgrad + Blocklist Collection
hifiboy
DD-WRT Novice


Joined: 18 Nov 2021
Posts: 45

Posted: Wed Jan 26, 2022 14:07
the above link worked,
I followed exactly all steps on page three and it works.

How do I change the Cloudflare to adguard family protection: On their site the link is as: tls://dns-family.adguard.com

How do I edit the below to work with adguard, do I replace -
GETDNS_TRANSPORT_TLS
upstream_recursive_servers:
  - address_data: 9.9.9.9
    tls_auth_name: "dns9.quad9.net"
    tls_port: 853
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
    tls_port: 853
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6407
Location: UK, London, just across the river..

Posted: Wed Jan 26, 2022 15:05
hifiboy wrote:
the above link worked,
I followed exactly all steps on page three and it works.

How do I change the Cloudflare to adguard family protection: On their site the link is as: tls://dns-family.adguard.com

How do I edit the below to work with adguard, do I replace -
GETDNS_TRANSPORT_TLS
upstream_recursive_servers:
  - address_data: 9.9.9.9
    tls_auth_name: "dns9.quad9.net"
    tls_port: 853
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
    tls_port: 853


open stubby config file .yml with nano
and replace IP at - address_data:

and the other line should look like

tls_auth_name: "dns-family.adguard.com"

make sure when you edit .yml file not to put any extra spaces/intervals or anything else,
try to keep it in the same order, .yml is very prone/sensitive to wrong tabs and spaces, it will not work otherwise...

once you finish with editing press ctrl+x to save the file and
type in CLI+enter:

/opt/etc/init.d/rc.unslung restart

bushant
DD-WRT Guru


Joined: 18 Nov 2015
Posts: 2028

Posted: Wed Jan 26, 2022 15:27
In /opt/etc/stubby you will find
stubby.yml.default.

In that document you will find this as pictured.

Uncomment the
-address data and
tls_auth_name lines of course.

As Alozaros stated Line indents and spacing are critical.
I copy and paste to be sure.

You can just comment the ones you don't want such as Cloudflare or delete if you prefer.

It's a good idea to read the document.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6407
Location: UK, London, just across the river..

Posted: Wed Jan 26, 2022 17:39
yep read the document, but stick to the settings i posted in the guide, as those are the most optimised and correct ones, so far...
There are some lines that are not in the default config, but those are needed in order to function correctly...

TedCheeze
DD-WRT User


Joined: 01 Feb 2016
Posts: 53
Location: Oregon, U.S.

Posted: Mon Jan 31, 2022 15:21    Post subject: A different STUBBY problem
I am running r48081 on a WRT1900AC v1.

Installed stubby using opkg install stubby.
I was given stubby v0.4.0 and GetDNS v1.7.0.

I followed the guide listed in the red link of your SIG. I have created the S61stubby.sh file and placed it in /opt/etc/init.d with execute permissions.
[Note: I had to remove the period & space '. ' from the last line otherwise rc.unslung kept crashing with "rc.func not found"]

I have successfully created stubby.yml for use with SAFEDNS.COM. I had to remove the 'tls_pubkey_pinset:' section from SAFEDNS config file they provided to make it work.


Here is my problem.
I can use SSH command line to start stubby by typing 'stubby -g' and the service starts and runs without error until the router reboots. For some strange reason stubby WILL NOT start from a script such as S61stubby.sh, nor can it be started from the start section of the Administration tab.

I have tried having a SSH session open while the router is starting up then running the 'top' command and
'stubby -g -v 5 -C /opt/etc/stubby/stubby.yml' never shows up in the running processes meaning the S61stubby script failed. The /opt/var/log/stubby.log has yet to be created.

You also cannot start stubby from the command box using
Code:
stubby -g

at the Administration tab without getting "sh: eval: line 0: stubby: not found." Not found? Okay???

But all you have to do is start an SSH session and type "stubby -g" and everything works just fine. I give up.

Any ideas how to make stubby start during router start up?
Is this a Entware problem? Maybe a missing configuration for stubby?
Having to manually start it each time from SSH kind of defeats the whole purpose of installing it.


Here's a tip: Try using "stubby -h" for help and another great option is -i to validate your config files including stubby.yml. This is where I found the command line arguments and discovered that the tls_pubkey_pinset was not needed.
bushant
DD-WRT Guru


Joined: 18 Nov 2015
Posts: 2028

Posted: Mon Jan 31, 2022 15:55
@TedCheeze do you also have these lines added to Save Startup?
Code:
is-mounted.sh /opt
/opt/etc/init.d/rc.unslung start


The GUI command box is finicky and not recommended for much besides saving commands.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

Posted: Mon Jan 31, 2022 16:00
You should not use the Command box to actually run things; only very simple commands work.

Run things from the CLI.

Place things you want to run when the router boots in Command box and then save as Startup or better save as USB in your case (as it must run from USB I assume).

If you use save as Startup then the commands run while the USB is not up so cannot be found.
To mitigate this as first line use:
is-mounted /opt
or
sleep 30

The is-mounted utility loops until /opt is available but not all routers have it, instead use sleep 30 to wait 30 seconds

Saving as USB also should do the waiting trick but I never used it so cannot vouch if that really works.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
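
An added example, not taken from any post in this thread: a startup gate that replaces the fixed `sleep` with checks for the two conditions the thread identifies, /opt being mounted and the clock having been set (certificate validity checks for DNS over TLS depend on the clock, which is why Stubby misbehaved before NTP sync earlier in the thread). The function names, the `stubby-gate` log tag, the 120-second timeout and the `MIN_EPOCH` floor are assumptions; only `/opt/etc/init.d/rc.unslung start` comes from the thread.

```shell
#!/bin/sh
# Added example: wait for /opt and a plausible clock before starting Entware
# services (Stubby included), instead of guessing a sleep value.

# Assumption: a clock earlier than this has not been set by NTP yet.
MIN_EPOCH=1609459200   # 2021-01-01 00:00:00 UTC

# True when the given epoch (default: current time) is at or past MIN_EPOCH.
clock_is_sane() {
    now=${1:-$(date +%s)}
    [ "$now" -ge "$MIN_EPOCH" ]
}

# True when DIR appears as a mount point in the mounts table
# (second argument lets a test supply a constructed table).
is_mounted() {
    dir=$1
    table=${2:-/proc/mounts}
    awk -v d="$dir" '$2 == d { found = 1 } END { exit !found }' "$table"
}

# wait_for TIMEOUT INTERVAL CMD...
# Retries CMD until it succeeds; gives up after TIMEOUT seconds.
wait_for() {
    timeout=$1; interval=$2; shift 2
    waited=0
    until "$@"; do
        [ "$waited" -ge "$timeout" ] && return 1
        sleep "$interval"
        waited=$((waited + interval))
    done
    return 0
}

# Start Entware services only once both preconditions hold; log why if not.
start_stubby_when_ready() {
    wait_for 120 2 is_mounted /opt || {
        logger -t stubby-gate "/opt not mounted after 120s, not starting"
        return 1
    }
    wait_for 120 2 clock_is_sane || {
        logger -t stubby-gate "clock still unset after 120s, not starting"
        return 2
    }
    /opt/etc/init.d/rc.unslung start
}

# Only act when invoked as: sh this-script.sh run
if [ "${1:-}" = "run" ]; then
    start_stubby_when_ready
fi
```

The syslog lines tagged `stubby-gate` show which precondition failed, which is quicker to diagnose than a resolver that is running but not answering.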
TedCheeze
DD-WRT User


Joined: 01 Feb 2016
Posts: 53
Location: Oregon, U.S.

Posted: Tue Feb 01, 2022 4:15    Post subject: Thanks for listening....boy was I wrong
Well I have finally figured that I do not have any sort of a problem with Entware or Stubby.

It would seem the problem lies with something in the R48081 build for this router.

Later on in the day I discovered my custom SSL certificate for the webUI was not working. That's clue number one.
I started troubleshooting the startup script. I noticed that neither rc.unslung nor binds-on-mount.sh scripts were executing. So I added a log message command to each script, including the startup. None of those messages ever appear in SYSLOG. Clue number two.

Now I'm curious and started testing my firewall rules by trying to connect to prohibited destinations. None of the 15 firewall rules I have entered in the FIREWALL box work. (Huh?) So now I open an SSH session and display the current running firewall rules. None of the 15 rules listed in the Firewall box are present. Clue number three.

So now I have a fair hunch that absolutely nothing entered on the COMMAND tab of the Administration page is being executed at bootup.
So now I have an evil idea.
I saved the following into the startup script:
Code:
erase nvram && reboot

Figuring what do I have to lose? Other than resetting the configuration and start over, nothing. I power cycled the router. Nothing happened. I pressed the reset button. Nothing happened. I rebooted the router at least 10 times. The startup script never executed. Hmmm??? Has the erase nvram command been blocked from being run in the startup script? Maybe???
Now I changed the startup script to something far less sinister such as:
Code:
sleep 60
touch /opt/var/log/testlog-0131.log


Rebooted another 10 times. The file testlog-0131.log never appeared in the directory.
So that means I wasted over two hours chasing a problem that just turned out to be a small symptom of a much larger problem.

I'm off to nuke this install and start over. I'll test startup process prior to re-entering my entire config again.
Again this was DD-WRT v3.0-r48081 std (01/11/22) on Linksys WRT1900AC v1 w/ JFFS on USB storage & External HD via e-sata.

Thank you! For your time and replies.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6407
Location: UK, London, just across the river..

Posted: Fri Mar 11, 2022 19:18
TedCheeze

stubby guide works exactly as it should...not long ago, i deployed stubby on a friend's router, using the same guide...

do not change any line or symbols...

very often stubby doesn't start due to bad spacing, as yaml config is very prone to spacing errors...

depending on router type you may need a sleep line

this is what i currently have in my start up script

is-mounted.sh /opt
sleep 5
/opt/etc/init.d/rc.unslung start
/opt/etc/init.d/S61stubby.sh start

and in my shutdown script too

sleep 10
/opt/etc/init.d/rc.unslung stop

stubby has a debug option, so you can test it via CLI...but, first you must be sure it's started...

what else is important is, NTP time...and a proper entware installation...
