I have a working configuration of Stubby+Dnsmasq (no Unbound), running on an old router (4/32MB), v18.06.0, no Luci, everything configured via console and stubby is installed into RAM upon boot, if anyone's interested. :)

Tutorial will be really helpful

Here you are : [Tutorial] DNS-over-TLS with dnsmasq and stubby (no need for unbound)


STUBBY needs GETDNS - read here:
Stubby is developed by the getdns team. libgetdns is a dependency for Stubby, the getdns library provides all the core functionality for DNS resolution done by Stubby so it is important to build against the latest version of getdns. Just stating the facts no ill will intended. So, I do not know how this will work out.

'opkg install stubby' installs getdns as a dependency. You should know this by just looking at the package.
GetDNS does not need to be referenced because you don't need to configure it in any way, it's a library.

Dear Specimen,
Thanks and yes you are correct. My bad as they say. I should have noticed that and I apologize for my errant observations and comments. I always go - opkg install stubby getdns - so that is why I never noticed that stubby has getdns as a dependency.
Still - I apologize. By the way, RE: (your comment) "It's pretty obvious that you haven't actually installed or used stubby." I am the OP who wrote this entire tutorial / guide - so you are just a bit off base there.


Thank you for your understanding.
I removed that bit about having not installed stubby. I apologise for my harshness.
I would like to share with you my understanding of stubby, from my experience with it, to help understand maybe our different mindsets: Stubby is a DNS resolving proxy (with privacy and security enhancing features); as such, you can connect to it a variety of DNS caching and DNS management tools, you can even have clients connect directly to it, so unbound or dnsmasq isn't even a requirement.

And this is the reason why I created the other tutorial, to present a much simpler setup (and less space demanding) for having DNS-over-TLS with minimal modifications to default OpenWRT configuration (dnsmasq already comes baked in).

Dear Specimen,
Thanks for that bit of information and knowledge. When I first set this up I was following the advice and guidance of David Mora aka iamperson347 the developer and maintainer of GETDNS and STUBBY package for OpenWRT / LEDE. With that being said; good folks like you have been kind enough to educate me concerning the various permutations available when using GetDns and Stubby.
I need to be more open-minded and I do appreciate your work in this area and taking time to advance the development and implementation of DNS OVER TLS for OpenWrt/ LEDE.



I have read through the instructions but cannot make out what I need to follow to accomplish the above. Can someone please help direct/guide me to what I need to do?

I have OpenWRT running on my TP-Link Archer C7 v2.

OpenWrt 18.06.1 r7258-5eb055306f / LuCI openwrt-18.06 branch (git-18.228.31946-f64b152)

This worked for me:

Oh this is great. Thank you so much!

Note that there have been quite a lot of changes to the stubby package, and the documentation has been updated:

Yes but stubby does not support (l)uci.

It does now in the latest package, which will make its way to 18.06 sometime.

which will make its way to 18.06 sometime.

Does not look like it.

stubby uci support is in master, maybe it will find its way into 19.x

Hello, directnupe. I've got an issue with this part of the stubby.yml file. Stubby cannot establish a connection with such parameters, while I use openwrt 18.06.4.
The logs are like this:

daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.

Dear vanyaindigo,
Hello and I hope that you are well. The answer to your dilemma is a straightforward and simple one - please note this in all of the settings for tls and ciphers - Works with OpenSSL >= 1.1.1 only and/or
OpenSSL >= 1.1.1 is required # for this option
I suspect that this is why you get the error in your logs - I told folks at the beginning of this tutorial that:

By the way I run Davidc502 LEDE Snapshots -
 Moderately Customized LEDE Development Builds 
for Linksys 1900ac v.1 and 1900ac v.2, 1900acs v.1 v.2, 3200acm, WRT32X and 1200ac v.1 v.2 series routers. 
These builds keep up to date package repositories

So I am running OpenSSL 1.1.1 or greater - I do not run standard OpenWRT Builds. My guess is that 18.06.4 uses OpenSSL 1.0 still - so you need to omit the end of stubby.yml file starting with
# Set the minimum acceptable TLS version
You can check / verify your OpenSSL Version by going to this reference page: https://www.a2hosting.com/kb/security/ssl/determining-the-openssl-version and enter in SSH shell the following command:

# openssl version
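
The version check from the post above, carried one step further, as an added example that is not part of the original thread: it parses `openssl version` output and lists the active stubby.yml options that need OpenSSL >= 1.1.1. The option names (`tls_min_version`, `tls_max_version`, `tls_ciphersuites`) are taken from stubby's example configuration rather than from this page; the sample config and the version strings are constructed.

```shell
#!/bin/sh
# Added example: flag stubby.yml options that need OpenSSL >= 1.1.1.

# Succeeds if the given `openssl version` output reports 1.1.1 or newer.
openssl_at_least_111() {
    set -- $1                          # split "OpenSSL 1.0.2s  28 May 2019"
    [ "$1" = "OpenSSL" ] || return 2   # LibreSSL etc.: not handled here
    ver=${2%%[!0-9.]*}                 # "1.0.2s" -> "1.0.2"
    old_ifs=$IFS; IFS=.; set -- $ver; IFS=$old_ifs
    [ $(( ${1:-0} * 10000 + ${2:-0} * 100 + ${3:-0} )) -ge 10101 ]
}

# Prints the active (uncommented) options that stubby documents as 1.1.1-only.
options_needing_111() {
    grep -E '^[[:space:]-]*(tls_min_version|tls_max_version|tls_ciphersuites)[[:space:]]*:' "$1"
}

# $1: path to stubby.yml, $2: output of `openssl version`.
# Returns 0 if the config is usable with that library, 1 if not.
check_stubby_tls() {
    [ -r "$1" ] || return 2
    if openssl_at_least_111 "$2"; then return 0; fi
    hits=$(options_needing_111 "$1") || return 0   # nothing active: fine
    printf 'OpenSSL too old for:\n%s\n' "$hits" >&2
    return 1
}

# Constructed sample config (not the tutorial's file).
sample_config() {
    cat <<'EOF'
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
# tls_ciphersuites: "TLS_AES_256_GCM_SHA384"
tls_min_version: GETDNS_TLS1_2
tls_max_version: GETDNS_TLS1_3
EOF
}

# Demo with constructed version strings; on a router pass "$(openssl version)".
cfg=$(mktemp) && sample_config > "$cfg"
for v in "OpenSSL 1.0.2s  28 May 2019" "OpenSSL 1.1.1d  10 Sep 2019"; do
    if check_stubby_tls "$cfg" "$v"; then echo "$v: config OK"
    else echo "$v: comment out the options listed above"; fi
done
rm -f "$cfg"
```
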


Hi, directnupe and thanks for the answer. Yes, my version of OpenSSL is 1.0.2s-1. How can I upgrade it?

Dear vanyaindigo,
Hello and I hope that you are well. There is no way to upgrade OpenSSL as it is fully integrated into virtually every aspect of any OpenWRT Build. You could try running OpenWRT 19.07-SNAPSHOTS - found here: https://downloads.openwrt.org/releases/19.07-SNAPSHOT/targets/ and see if they have OpenSSL >= 1.1.1 - or you can build your own OpenWRT Image if you have the skill set. I do not - so I can not begin to help you there.
However, if I were you - I would invest in a router that Davidc502 supports - these are as follows:

Current images built and distributed.

WRT1200ac Version 1 and 2
WRT1900ac Version 1 and 2
WRT1900acs Version 1 and 2
WRT3200acm Version 1
WRT32X Version 1

Personally, I would get the WRT32X - see here: https://www.ebay.com/itm/Linksys-WRT32X-Gaming-Wifi-Router-w-Killer-Prioritization-Certified-Refurb-/292672857686 - they are affordable and you will be always able to ensure that you will be availed of the latest "stable" snapshot repositories as Davidc502 hosts his own Builds on his personal servers. Dave puts out new Builds every two weeks - so you can see the benefit of being able to "keep up" with the latest Kernels, OpenSSL, packages and so on.
Here is Dave's Community Thread: Davidc502- wrt1200ac wrt1900acx wrt3200acm wrt32x builds and his website: https://dc502wrt.org/
For a hundred bucks $100 - you will never be left behind again plus there is great advice and support on the Community Thread and you can even request new packages and features.
Anyway - that is my advice
Dave's Community Thread in addition is frequented by OpenWRT experts and mavens - so that is another distinct benefit of investing in this great piece of hardware that Dave supports.

@directnupe yes, I installed the last snapshot and all works well with openssl 1.1.1d