Stubby dns over tls using dnsmasq-full for dnssec & caching

@Specimen.
I am running dsl_control at S40.
Internet is up by the time S95done / rc.local is run. Stubby is also running (stubby is S50). But no certs are downloaded, and when rc.local runs, stubby restart doesn't download the certs. Which is why I am at a loss to explain the results.

Check the logs with logread, maybe set the verbosity when starting stubby to check for any errors.

You can always disable the service and start stubby in rc.local (after dsl_control) via sh /usr/sbin/stubby -g instead.

Ok thanks for the suggestion. No luck yet, but I've noticed some strange behaviour. When restarting stubby manually the 3 cert files will download fine, in particular root.key. But after an hour or so the root.key file becomes zero bytes in size. Is that supposed to happen?

AFAIK, root.key is generated automatically from the other two files.

Ok I have a weird situation going on.
I've disabled dnssec validation in stubby, i.e. I've removed the lines:
dnssec_return_status: GETDNS_EXTENSION_TRUE
appdata_dir: "/certs"

and yet dnssec validation is still working. I know it's not stubby doing the dnssec validation because if I delete the certificates directory line only, then dnssec doesn't work, i.e. stubby needs a writable directory for certificates and the default directory (/root) is non-writable by stubby.
So what is doing the dnssec validation?
The reason I turned off dnssec validation in stubby was because I was going to try doing dnssec with dnsmasq instead, but in order to do that I had to install dnsmasq-full and add a couple of lines to the dnsmasq section of /etc/config/dhcp.
But before I had done any of that, dnssec validation was working by itself, just by removing the option to enable it in stubby!
Does anyone have any idea what is going on and who or what is performing the dnssec validation? Many thanks!

The immediate thing that comes to mind is caches.

I thought similar. But it happens even after reboot. Even after re-flashing firmware. Even after restarting pc. Even in multiple browsers. Even with multiple methods of checking dnssec including using dig. I'm completely baffled.

Just an update, I figured out that the browsers were unreliable for testing DNSSEC in that they would always pass even if DNSSEC was not set up on router. The only time they would fail would be if stubby was set up to do DNSSEC but wasn't working (e.g. due to being unable to store certificates). If I turned off DNSSEC in stubby and didn't activate it in dnsmasq then all browser tests would still pass DNSSEC testing. I'm not sure if it was the browsers or OS doing that.
The most reliable way to see if DNSSEC is working seems to be to use dig on the router itself. That told me definitively that it wasn't working (when I had turned it off in stubby and hadn't yet set it up in dnsmasq), despite the fact that all browsers in both Linux & Windows were passing all DNSSEC tests.
I've now switched to doing DNSSEC with dnsmasq as the certificates issue proved too flaky in stubby, whereas dnsmasq just works out of the box.
My setup is pretty much along the lines of here:
https://candrews.integralblue.com/2018/08/dnssec-on-openwrt-18-06/
https://candrews.integralblue.com/2018/08/dns-over-tls-on-openwrt-18-06/
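The dig-based check described in the post above, as an added example that is not part of the original thread: it classifies a resolver from two dig outputs, one for a correctly signed name and one for a name whose signature is deliberately broken. The sample outputs and the names signed.example and broken.example are constructed; on the router, feed the functions real `dig +dnssec` output for test names of your choice.

```shell
#!/bin/sh
# Added example: decide from dig output whether the queried resolver validates
# DNSSEC. All sample outputs and names below are constructed for illustration.

# Validating resolver: the signed name resolves with the "ad" flag set ...
GOOD_VALIDATING=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4101
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
signed.example.   300 IN A 192.0.2.10'
# ... and the name with the broken signature is refused.
BAD_VALIDATING=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4102
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Non-validating resolver: both names resolve and "ad" is never set.
GOOD_PLAIN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4103
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
signed.example.   300 IN A 192.0.2.10'
BAD_PLAIN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4104
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
broken.example.   300 IN A 192.0.2.20'

# Resolver that fails even the correctly signed name.
GOOD_FAILING=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4105
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Print the response code (NOERROR, SERVFAIL, ...) from dig output on stdin.
dig_status() {
    sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Succeed if the header flags in dig output on stdin include "ad"
# (Authenticated Data: the resolver says it validated the answer).
dig_has_ad() {
    flags=$(sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    case " $flags " in
        *" ad "*) return 0 ;;
        *) return 1 ;;
    esac
}

# classify_resolver <dig output for signed name> <dig output for broken name>
classify_resolver() {
    good_status=$(printf '%s\n' "$1" | dig_status)
    bad_status=$(printf '%s\n' "$2" | dig_status)
    if [ -z "$good_status" ] || [ -z "$bad_status" ]; then
        echo unknown                      # input was not dig output
    elif [ "$good_status" != NOERROR ]; then
        echo lookups-failing              # cannot judge validation at all
    elif [ "$bad_status" = SERVFAIL ] && printf '%s\n' "$1" | dig_has_ad; then
        echo validating                   # bogus data refused, good data marked ad
    elif [ "$bad_status" = SERVFAIL ]; then
        echo bogus-rejected-without-ad    # something upstream refuses bogus data
    elif [ "$bad_status" = NOERROR ]; then
        echo not-validating               # bogus data was handed to the client
    else
        echo unknown
    fi
}

# On the router, with test names you trust (placeholders, not real names):
#   classify_resolver "$(dig @127.0.0.1 <signed-name> +dnssec)" \
#                     "$(dig @127.0.0.1 <broken-name> +dnssec)"
echo "validating sample:     $(classify_resolver "$GOOD_VALIDATING" "$BAD_VALIDATING")"
echo "non-validating sample: $(classify_resolver "$GOOD_PLAIN" "$BAD_PLAIN")"
echo "failing sample:        $(classify_resolver "$GOOD_FAILING" "$BAD_VALIDATING")"
```

Querying the resolver on the router directly takes browser and client OS resolver behaviour out of the measurement, which is the source of the false passes described in the post.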

In the version 18 and later builds of OpenWRT step 9A should be modified as follows to keep from having two IPv6 DHCP servers running:

A - opkg install dnsmasq-full --download-only && opkg remove odhcpd-ipv6only && opkg remove dnsmasq && opkg install dnsmasq-full --cache . && rm *.ipk

Dear Jbrossard,
Hello and I hope that you are well. I changed the step 9A as you informed everyone. Thanks for the heads up.
Peace

directnupe

@All
@directnupe Thank you for your time & effort to write this comprehensive tutorial.

I am using OpenWRT 18.06.2 and a logread shows nasty warnings from dnsmasq:

daemon.warn dnsmasq[13761]: possible DNS-rebind attack detected: cmp.faktor.mgr.consensu.org
daemon.warn dnsmasq[13761]: reducing DNS packet size for nameserver 127.0.0.1 to 1280
daemon.warn dnsmasq[13761]: possible DNS-rebind attack detected: cmp.faktor.mgr.consensu.org
daemon.warn dnsmasq[13761]: Insecure DS reply received, do upstream DNS servers support DNSSEC?

I did a netstat -pln on my router:

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:5453          0.0.0.0:*               LISTEN      13821/stubby
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1250/uhttpd
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      13761/dnsmasq
tcp        0      0 192.168.1.1:53          0.0.0.0:*               LISTEN      13761/dnsmasq
tcp        0      0 192.168.8.100:53        0.0.0.0:*               LISTEN      13761/dnsmasq
tcp        0      0 192.168.2.250:53        0.0.0.0:*               LISTEN      13761/dnsmasq
tcp        0      0 0.0.0.0:2008            0.0.0.0:*               LISTEN      678/dropbear
tcp        0      0 :::12865                :::*                    LISTEN      845/netserver
tcp        0      0 ::1:5453                :::*                    LISTEN      13821/stubby
tcp        0      0 :::80                   :::*                    LISTEN      1250/uhttpd
tcp        0      0 ::1:53                  :::*                    LISTEN      13761/dnsmasq
tcp        0      0 fe80::7ad2:94ff:fea8:2829:53 :::*                    LISTEN      13761/dnsmasq
tcp        0      0 fe80::7ad2:94ff:fea8:2828:53 :::*                    LISTEN      13761/dnsmasq
tcp        0      0 fe80::7ad2:94ff:fea8:2828:53 :::*                    LISTEN      13761/dnsmasq
tcp        0      0 fe80::7ad2:94ff:fea8:2829:53 :::*                    LISTEN      13761/dnsmasq
tcp        0      0 fe80::7ad2:94ff:fea8:282b:53 :::*                    LISTEN      13761/dnsmasq
tcp        0      0 fe80::506e:54ff:feb9:66b9:53 :::*                    LISTEN      13761/dnsmasq
tcp        0      0 fe80::7ad2:94ff:fea8:282a:53 :::*                    LISTEN      13761/dnsmasq
udp        0      0 127.0.0.1:53            0.0.0.0:*                           13761/dnsmasq
udp        0      0 192.168.1.1:53          0.0.0.0:*                           13761/dnsmasq
udp        0      0 192.168.8.100:53        0.0.0.0:*                           13761/dnsmasq
udp        0      0 192.168.2.250:53        0.0.0.0:*                           13761/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           13761/dnsmasq
udp        0      0 127.0.0.1:5453          0.0.0.0:*                           13821/stubby
udp        0      0 0.0.0.0:1234            0.0.0.0:*                           -
udp        0      0 :::546                  :::*                                1443/odhcp6c
udp        0      0 ::1:53                  :::*                                13761/dnsmasq
udp        0      0 ::1:5453                :::*                                13821/stubby

It looks like dnsmasq is opening port 53, 67 on my router. Is this expected behaviour?

This means your client is looking up a host name that provides an RFC1918 IP as its response.

You fix this by disabling rebind protection:

[Screenshot from 2019-05-20 11-49-27]

Yes, 53 is the DNS Forwarder, 67 is the DHCP service.

In the future, you may wish to make a new thread for your issue.

okay thx. But one more thing I noticed and might be a good fit for this thread.
My static leases stop working after some time.
I tried to delete all host/domain entries in /etc/config/dhcp and repopulate them.
Typing i.e. NAS.lan my browser throws an error. It does not open my NAS-webinterface. But I can reach my NAS-webinterface by typing plain IP address.
Any thoughts?

UPDATE: It is working now, unfortunately I don't know why.

Hi, I've tried this guide three times from scratch, with no success. After redirecting dnsmasq to stubby, all my DNS queries fail with the following in the logs:

Thu Jun 20 10:25:28 2019 daemon.err stubby[12020]: [09:25:28.296857] STUBBY: Read config from file /var/etc/stubby/stubby.yml
Thu Jun 20 10:25:28 2019 daemon.err stubby[12020]: [09:25:28.304487] STUBBY: DNSSEC Validation is OFF
Thu Jun 20 10:25:28 2019 daemon.err stubby[12020]: [09:25:28.304673] STUBBY: Transport list is:
Thu Jun 20 10:25:28 2019 daemon.err stubby[12020]: [09:25:28.304821] STUBBY:   - TLS
Thu Jun 20 10:25:28 2019 daemon.err stubby[12020]: [09:25:28.304965] STUBBY: Privacy Usage Profile is Strict (Authentication required)
Thu Jun 20 10:25:28 2019 daemon.err stubby[12020]: [09:25:28.305115] STUBBY: (NOTE a Strict Profile only applies when TLS is the ONLY transport!!)
Thu Jun 20 10:25:28 2019 daemon.err stubby[12020]: [09:25:28.305266] STUBBY: Starting DAEMON....
Thu Jun 20 10:25:40 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:25:40 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:25:40 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:25:40 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:25:40 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:25:40 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:25:40 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:25:40 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:25:40 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:25:40 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:25:42 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:25:42 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:25:42 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:25:42 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:25:42 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:25:42 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:25:42 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:25:42 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:25:42 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:25:42 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:25:44 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:25:44 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:25:46 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:25:46 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:25:46 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:25:46 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:25:46 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:25:46 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:25:46 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:25:46 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:25:46 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:25:46 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:25:47 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:25:47 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:25:48 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:25:48 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:25:48 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:25:48 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:25:52 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:25:52 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:25:54 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:25:54 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:25:54 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:25:54 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:25:54 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:25:54 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:25:54 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:25:54 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:25:55 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:25:55 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:25:56 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:25:56 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:25:57 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:25:57 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:25:58 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:25:58 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:00 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:00 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:02 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:02 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:02 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:04 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:04 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:06 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:06 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:06 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:06 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:08 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:08 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:10 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:10 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:10 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:10 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:10 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:10 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:10 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:10 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:10 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:10 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:10 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:10 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:10 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:10 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:10 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:10 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:10 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:10 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:10 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:10 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:10 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:10 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:12 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:12 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:12 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:12 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:12 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:12 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:12 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:12 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:12 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:12 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:12 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:16 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:16 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:16 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:16 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:16 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:16 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:16 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:16 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:16 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:16 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:16 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:16 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:16 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:16 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:16 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:18 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:18 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:18 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:18 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:22 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:22 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:22 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:22 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:24 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:24 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:24 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:24 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:24 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:24 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:24 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:24 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:24 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:24 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:24 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:24 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:25 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:25 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:25 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:25 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:27 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:27 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:27 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:27 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:30 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:30 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:30 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:30 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:31 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 10:26:31 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.

My best guess is this is an openssl library problem? I ran opkg upgrade libopenssl and it upgraded to libopenssl - 1.0.2s-1, however I still got the above errors after redirecting DNS to stubby.

Is a higher version required for Stubby/TLS1.3?

Well, I changed the option in /etc/stubby/stubby.yml to make min TLS version 1.2 and it still does not work.

What is the exact library dependency for this setup?

Ok, my bad. You also have to delete the last line of the config to get it working on TLS1.2.

So some more weirdness, I now get 'rebind attack' warnings for seemingly benign domains:

Thu Jun 20 11:40:53 2019 daemon.warn dnsmasq[27666]: possible DNS-rebind attack detected: onecollector.cloudapp.aria.akadns.net
Thu Jun 20 11:42:41 2019 daemon.warn dnsmasq[27666]: possible DNS-rebind attack detected: metrics.icloud.com
Thu Jun 20 12:18:23 2019 daemon.warn dnsmasq[31663]: possible DNS-rebind attack detected: pagead46.l.doubleclick.net
Thu Jun 20 12:18:39 2019 daemon.warn dnsmasq[31663]: possible DNS-rebind attack detected: adservice.google.co.uk
Thu Jun 20 12:18:39 2019 daemon.warn dnsmasq[31663]: possible DNS-rebind attack detected: clarium.global.ssl.fastly.net
Thu Jun 20 12:18:45 2019 daemon.warn dnsmasq[31663]: possible DNS-rebind attack detected: s0.2mdn.net
Thu Jun 20 12:18:45 2019 daemon.warn dnsmasq[31663]: possible DNS-rebind attack detected: googleads4.g.doubleclick.net
Thu Jun 20 12:18:48 2019 daemon.warn dnsmasq[31663]: possible DNS-rebind attack detected: sync.colossusssp.com
Thu Jun 20 12:18:48 2019 daemon.warn dnsmasq[31663]: possible DNS-rebind attack detected: ads.yahoo.com
Thu Jun 20 12:18:48 2019 daemon.warn dnsmasq[31663]: possible DNS-rebind attack detected: a.tribalfusion.com
Thu Jun 20 12:18:50 2019 daemon.warn dnsmasq[31663]: possible DNS-rebind attack detected: ps.eyeota.net
Thu Jun 20 12:19:41 2019 daemon.warn dnsmasq[31663]: possible DNS-rebind attack detected: stats.g.doubleclick.net

Why does this happen (I understand about it returning an RFC1918 IP, but why would it do that)?
Is disabling re-bind protection safe?

Also, this set up is failing the qname minimisation test mentioned in the guide. Reading through it again, there is no step to enable this on dnsmasq (I think some parts of this guide have been copy/pasted from the unbound guide).

Is QNAME minimisation possible with dnsmasq?
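
A triage sketch for the rebind warnings quoted in the post above, added here as an example and not part of the thread or of dnsmasq's own code: it extracts the flagged names from the log and labels an answer address by the non-routable range it falls in, so you can see what kind of answer upstream gave once you have resolved a flagged name yourself. The log lines are copied from this page; the range list and the addresses passed to `classify` are assumptions chosen for illustration.

```python
import ipaddress
import re
from collections import Counter

# Four log lines copied from this page (one stubby error, three rebind warnings).
SAMPLE_LOG = """\
Thu Jun 20 10:26:45 2019 daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.
Thu Jun 20 11:42:41 2019 daemon.warn dnsmasq[27666]: possible DNS-rebind attack detected: metrics.icloud.com
Thu Jun 20 12:18:45 2019 daemon.warn dnsmasq[31663]: possible DNS-rebind attack detected: s0.2mdn.net
Thu Jun 20 12:18:48 2019 daemon.warn dnsmasq[31663]: possible DNS-rebind attack detected: ads.yahoo.com
"""

REBIND_RE = re.compile(
    r"dnsmasq\[\d+\]: possible DNS-rebind attack detected: (\S+)$")

# Assumed list of non-routable IPv4 blocks (RFC 1918 plus a few others).
# It is an illustration, not a copy of the list dnsmasq uses internally.
NETS = [(label, ipaddress.ip_network(cidr)) for label, cidr in [
    ("this-network", "0.0.0.0/8"),
    ("loopback", "127.0.0.0/8"),
    ("rfc1918", "10.0.0.0/8"),
    ("rfc1918", "172.16.0.0/12"),
    ("rfc1918", "192.168.0.0/16"),
    ("link-local", "169.254.0.0/16"),
]]

def flagged_names(log_text):
    """Count rebind warnings per queried name; other log lines are ignored."""
    hits = Counter()
    for line in log_text.splitlines():
        m = REBIND_RE.search(line.strip())
        if m:
            hits[m.group(1).lower().rstrip(".")] += 1
    return hits

def classify(answer):
    """Label one answer address: a non-routable range name or 'public'."""
    addr = ipaddress.ip_address(answer)
    if addr.version == 6:
        return "public" if addr.is_global else "ipv6-non-global"
    for label, net in NETS:
        if addr in net:
            return label
    return "public"

if __name__ == "__main__":
    for name, count in flagged_names(SAMPLE_LOG).most_common():
        print(f"{count:3d}  {name}")
    # Constructed answers; replace with what your upstream actually returns.
    for answer in ("0.0.0.0", "192.168.1.10", "8.8.8.8"):
        print(answer, "->", classify(answer))
```

A `this-network` or `loopback` label commonly means a filtering resolver or blocklist answered with a sinkhole address, which is a different situation from a name resolving into your own LAN range.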

New thread:

Someone updated the wiki; it's pretty comprehensive and clean now.

https://openwrt.org/docs/guide-user/services/dns/dot_dnsmasq_stubby

Check it out

The truth is that I did not like the guide very much since it is very messy and is not well understood.

I checked the server below with https://www.immuniweb.com/ssl/?id=piFCAr0d and the result does not look good.
Why is it recommended?
It is an F btw.

## 12 - The Rubyfish Internet Tech DNS TLS Server A+ ( CHN )
  - address_data: 115.159.131.230
    tls_auth_name: "dns.rubyfish.cn"

PS.: Tested a few more Servers from the list provided by directnupe. I am not sure I want to use this list.