Stubby
Stubby is an application that acts as a local DNS Privacy stub resolver (using DNS-over-TLS). Stubby encrypts DNS queries sent from a client machine (desktop or laptop) to a DNS Privacy resolver increasing end user privacy.
Installation
Configuration
To configure stubby, perform the following steps:
Select resolver
Upon installation, Stubby has some default resolvers. They can be found and edited in /etc/stubby/stubby.yml
. You can use the defaults, uncomment one of prewritten resolvers or find another resolver from this list.
Example of a valid resolver configuration:
upstream_recursive_servers: # The Surfnet/Sinodun servers - address_data: 145.100.185.15 tls_auth_name: "dnsovertls.sinodun.com" tls_pubkey_pinset: - digest: "sha256" value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4= # The Cloudflare server - address_data: 1.1.1.1 tls_port: 853 tls_auth_name: "cloudflare-dns.com"
When you get warn log complaining wrong tls_pubkey_pinset, the tls_pubkey_pinset value may be wrong and the value
of the tls_pubkey_pinset
can be generated with:
$ echo | openssl s_client -connect address_data:tls_port 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
Modify resolv.conf
After selecting a resolver, modify the resolv.conf file and replace the current set of resolver addresses with address for localhost:
/etc/resolv.conf
nameserver ::1 nameserver 127.0.0.1 options trust-ad
Other programs may overwrite this setting; see resolv.conf#Overwriting of /etc/resolv.conf for details.
Start systemd service
Finally, start and enable the stubby.service
.
Tips and tricks
Local DNS cache configuration
Stubby does not have a built-in DNS cache, therefore every single query is transmitted and resolved, which can slow down connections. Setting up a dns cache requires installing and configuring a seperate dns cacher.
Change port
In order to forward to a local DNS cache, Stubby should listen on a port different from the default 53
, since the DNS cache itself needs to listen on 53
and query Stubby on a different port. Port number 53000
is used as an example in this section. In this example, the port number is larger than 1024 so stubby is not required to be run by root.
Edit the value of listen_addresses
in /etc/stubby/stubby.yml
as follows:
listen_addresses: - 127.0.0.1@53000 - 0::1@53000
dnsmasq
Configure dnsmasq as a local DNS cache. The basic configuration to work with Stubby is the following:
/etc/dnsmasq.conf
no-resolv proxy-dnssec server=::1#53000 server=127.0.0.1#53000 listen-address=::1,127.0.0.1
Restart dnsmasq.service
to apply the changes.
Other DNS cachers
For more dns cachers, see DNSCrypt#Local DNS cache configuration. The configurations should be similar if not identical.