
Probable bug with stubby-openrc

<Boring back story>
Recent firmwares of the generally wonderful Asuswrt-Merlin for Asus routers have a bug where, if using DNS over TLS, the internet will randomly disconnect. Some users on the relevant forum (https://www.snbforums.com/forums/asuswrt-merlin.42/) say that the router's webui shows 'disconnected', but actually still works. Not in my case, disconnected is disconnected. It seems to vary between models but many seem affected.
Switching to ISP provided DNS and then back to DoT normally fixes it but not always. And in any case at some random point in the future it will disconnect again.
No way I'm using my ISP's DNS.
</Boring back story>

Installed stubby and stubby-openrc, resolv.conf to 127.0.0.1, enabled and started stubby. No DNS.
In the log
Quote
STUBBY: Read config from file /etc/stubby/stubby.yml
error: Could not bind on given addresses: Permission denied

To be sure I reconstructed the command executed from /etc/init.d/stubby and ran as root
Code:
capsh --inh=cap_net_bind_service --user=stubby -- -c '/usr/bin/stubby -C ${STUBBY_CONFIG_FILE:-/etc/stubby/stubby.yml} -v ${STUBBY_LOGLEVEL:-5}'
Quote
[19:27:02.593165] STUBBY: Stubby version: Stubby 0.4.0
[19:27:02.594233] STUBBY: Read config from file /etc/stubby/stubby.yml
error: Could not bind on given addresses: Permission denied

Searched 'stubby' on here and came across this heaven sent thread:
https://forum.artixlinux.org/index.php/topic,3360.0.html

As root
Code:
setpriv --reuid stubby --regid stubby --clear-groups --ambient-caps +net_bind_service --inh-caps +net_bind_service -- '/usr/bin/stubby'
Quote
[19:28:15.641496] STUBBY: Stubby version: Stubby 0.4.0
[19:28:15.642634] STUBBY: Read config from file /etc/stubby/stubby.yml
[19:28:15.642727] STUBBY: DNSSEC Validation is OFF
[19:28:15.642730] STUBBY: Transport list is:
[19:28:15.642735] STUBBY:   - TLS
[19:28:15.642740] STUBBY: Privacy Usage Profile is Strict (Authentication required)
[19:28:15.642744] STUBBY: (NOTE a Strict Profile only applies when TLS is the ONLY transport!!)
[19:28:15.642746] STUBBY: Starting DAEMON....

Maybe it's a quirk of my install? But maybe as is it just doesn't work?

I'll try and post an alternative, non-hackish /etc/init.d/stubby using setpriv here when I get round to it. Unless one of you, above my pay grade, gets to it first.


Re: Probable bug with stubby-openrc

Reply #1
It's entirely possible that the init scripts all need to perform a setcap on the stubby binary.
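
An added example, not code from this thread or from stubby-openrc: a small model of the execve() capability rules in capabilities(7), tracked for the single cap_net_bind_service bit, showing an outcome consistent with the two logs in the first post and with the setcap suggestion above. The function names are hypothetical, the user is assumed to be non-root, and the bounding set is assumed to still contain the capability.

```shell
#!/bin/sh
# Added example: the execve() capability rules from capabilities(7), tracked
# for a single bit, cap_net_bind_service (capability number 10), for a
# non-root user such as "stubby". All function names here are hypothetical.
NET_BIND=$((1 << 10))

# after_exec P_INH P_AMB F_INH F_PRM F_EFF  -> prints the new effective mask
#   P_INH/P_AMB: process inheritable/ambient sets before exec
#   F_INH/F_PRM: file capability sets from setcap (0 if none)
#   F_EFF:       1 if the file's effective flag is set, else 0
# Assumption: the bounding set still contains the capability.
after_exec() {
    p_inh=$1; p_amb=$2; f_inh=$3; f_prm=$4; f_eff=$5
    # A binary carrying file capabilities clears the ambient set.
    if [ $((f_inh | f_prm | f_eff)) -ne 0 ]; then p_amb=0; fi
    new_prm=$(( (p_inh & f_inh) | (f_prm & NET_BIND) | p_amb ))
    # Effective is the new permitted set only if the file flag says so.
    if [ "$f_eff" -eq 1 ]; then echo "$new_prm"; else echo "$p_amb"; fi
}

# can_bind MASK -> "yes" if cap_net_bind_service is in MASK, else "no"
can_bind() {
    if [ $(( $1 & NET_BIND )) -ne 0 ]; then echo yes; else echo no; fi
}

# from_status HEX -> same check for a CapEff value read from /proc/PID/status
from_status() { can_bind "$((0x$1))"; }

# 1. inheritable only, binary without file capabilities (capsh --inh=...)
echo "inh only:         $(can_bind "$(after_exec "$NET_BIND" 0 0 0 0)")"
# 2. inheritable + ambient, no file capabilities (setpriv --ambient-caps ...)
echo "inh + ambient:    $(can_bind "$(after_exec "$NET_BIND" "$NET_BIND" 0 0 0)")"
# 3. inheritable only, binary given inheritable+effective file capability
echo "inh + setcap =ei: $(can_bind "$(after_exec "$NET_BIND" 0 "$NET_BIND" 0 1)")"
# 4. no process capabilities, binary given permitted+effective file capability
echo "setcap =ep only:  $(can_bind "$(after_exec 0 0 0 "$NET_BIND" 1)")"
# Constructed CapEff value, as it would read for a process holding only bit 10
echo "CapEff 0000000000000400: $(from_status 0000000000000400)"
```

On a live system the value to feed to from_status is the CapEff line of /proc/PID/status for the running daemon.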

 

Re: Probable bug with stubby-openrc

Reply #2
Just as an update I had a stab at /etc/init.d/stubby using setpriv.
But failed and gave up quick as I solved my actual issue by installing unbound on my router.

I may have another try sometime but it's low on my priority list.