Stubby

Stubby is an application that acts as a local DNS Privacy stub resolver (using DNS-over-TLS). Stubby encrypts DNS queries sent from a client machine (desktop or laptop) to a DNS Privacy resolver, increasing end user privacy.

Installation

Install the stubby package.

Configuration

To configure stubby, perform the following steps:

Select resolver

Upon installation, Stubby ships with some default resolvers. They can be found and edited in /etc/stubby/stubby.yml. You can use the defaults, uncomment one of the prewritten resolvers, or pick another resolver from this list.

Example of a valid resolver configuration:

/etc/stubby/stubby.yml
upstream_recursive_servers:
  # The Cloudflare server
  - address_data: 1.1.1.1
    tls_port: 853
    tls_auth_name: "cloudflare-dns.com"

  # The Surfnet/Sinodun servers
  - address_data: 145.100.185.15
    tls_auth_name: "dnsovertls.sinodun.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
Note: This example uses Cloudflare's public DNS resolver. Replace it with a DNS resolver you trust. See Domain name resolution#Third-party DNS services.

If the Stubby log warns that a tls_pubkey_pinset does not match, the resolver operator has probably rotated the key behind that pin. The pin is the base64-encoded SHA-256 digest of the server's DER-encoded public key (SubjectPublicKeyInfo); the value for the key the server currently presents can be generated with:

$ echo | openssl s_client -connect address_data:tls_port 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64

Generating the pin from the live connection only records whatever key is presented at that moment, so compare it with the pin published by the resolver operator before putting it in the configuration.
Note: For further information on configuring Stubby see Configuring Stubby.
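What the one-liner above actually computes, as an added example (shell; not code from the Stubby project or the original page): the pin is a digest of the key, not of the certificate, so a certificate renewal that keeps the key pair leaves the pin unchanged, while a key rotation changes it. The example builds a constructed key pair with two certificates plus a second key, and derives the pin from each. The spki_pin_from_server function, its -servername flag for SNI, and all file and host names are this example's own assumptions.

```shell
#!/bin/sh
# Added example; not code from the Stubby project or the original page.
# A tls_pubkey_pinset value is the SHA-256 digest of the server's
# DER-encoded SubjectPublicKeyInfo, base64 encoded. It covers the key
# pair, not the certificate, so it survives certificate renewals that
# keep the key and changes only when the key is rotated.
set -eu

# Pin of a PEM certificate on disk: the page's pipeline minus the fetch.
spki_pin_from_cert() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform der \
        | openssl dgst -sha256 -binary \
        | openssl enc -base64
}

# Pin derived from a private key's public half; equals the pin of every
# certificate issued for that key.
spki_pin_from_key() {
    openssl pkey -in "$1" -pubout -outform der \
        | openssl dgst -sha256 -binary \
        | openssl enc -base64
}

# Live variant of the page's command (this example's own addition).
# -servername sends SNI so a resolver hosting several names presents the
# certificate for tls_auth_name. Not run below: it needs network access.
spki_pin_from_server() {
    # $1 = address_data, $2 = tls_port, $3 = tls_auth_name
    echo | openssl s_client -connect "$1:$2" -servername "$3" 2>/dev/null \
        | openssl x509 -pubkey -noout \
        | openssl pkey -pubin -outform der \
        | openssl dgst -sha256 -binary \
        | openssl enc -base64
}

# Constructed demo material: one key with an "old" and a "renewed"
# certificate, and a second key standing in for a rotation. The host
# name is made up.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$demo/key.pem" 2>/dev/null
openssl req -new -x509 -key "$demo/key.pem" -subj "/CN=dot.example.test" \
    -days 1 -out "$demo/cert_old.pem" 2>/dev/null
openssl req -new -x509 -key "$demo/key.pem" -subj "/CN=dot.example.test" \
    -days 30 -out "$demo/cert_renewed.pem" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$demo/rotated_key.pem" 2>/dev/null
openssl req -new -x509 -key "$demo/rotated_key.pem" \
    -subj "/CN=dot.example.test" -days 1 -out "$demo/cert_rotated.pem" 2>/dev/null

# The first three pins match; the last one differs.
printf 'old cert:     %s\n' "$(spki_pin_from_cert "$demo/cert_old.pem")"
printf 'renewed cert: %s\n' "$(spki_pin_from_cert "$demo/cert_renewed.pem")"
printf 'private key:  %s\n' "$(spki_pin_from_key "$demo/key.pem")"
printf 'rotated key:  %s\n' "$(spki_pin_from_cert "$demo/cert_rotated.pem")"
```

The practical consequence: a pin warning from Stubby after a resolver's certificate was merely renewed points at a key rotation (or a different server answering on that address), not at the renewal itself, and is worth checking against the operator's published pin rather than blindly regenerating.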

Modify resolv.conf

After selecting a resolver, edit /etc/resolv.conf and replace the current set of resolver addresses with the loopback addresses, so that every query goes to Stubby. The trust-ad option makes the resolver library trust the AD (authenticated data) bit in replies, which is only appropriate because the answering resolver runs on the local machine:

/etc/resolv.conf
nameserver ::1
nameserver 127.0.0.1
options trust-ad

Other programs may overwrite this setting; see resolv.conf#Overwriting of /etc/resolv.conf for details.

Start systemd service

Finally, start/enable the stubby.service.

Tips and tricks

Local DNS cache configuration

Stubby does not have a built-in DNS cache, therefore every single query is transmitted and resolved, which can slow down connections. Setting up a DNS cache requires installing and configuring a separate DNS cacher.

Change port

In order to forward to a local DNS cache, Stubby should listen on a port different from the default 53, since the DNS cache itself needs to listen on 53 and query Stubby on a different port. Port number 54 is used as an example in this section.

Edit the value of listen_addresses as follows:

/etc/stubby/stubby.yml
listen_addresses:
  - 127.0.0.1@54
  - 0::1@54

dnsmasq

Configure dnsmasq as a local DNS cache. The basic configuration to work with Stubby is the following:

/etc/dnsmasq.conf
no-resolv
proxy-dnssec
server=::1#54
server=127.0.0.1#54
listen-address=::1,127.0.0.1

Restart dnsmasq.service to apply the changes.
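A consistency check for the resolv.conf, Stubby and dnsmasq pieces configured above, as an added example (shell; not code from Stubby, dnsmasq or the original page). It audits the three ways this chain silently breaks or leaks: a resolv.conf that another program rewrote to a non-loopback server, a dnsmasq server= port that differs from Stubby's listen_addresses port, and both daemons wanting the same port. The function names, the parsing rules and the sample config files are this example's own constructions.

```shell
#!/bin/sh
# Added example; not code from Stubby, dnsmasq or the original page.
# Audits the chain resolv.conf -> dnsmasq:53 -> Stubby:54 for:
#   1. a non-loopback nameserver in resolv.conf (rewritten by a DHCP
#      client or NetworkManager): queries bypass Stubby in cleartext;
#   2. dnsmasq's server= port not matching Stubby's listen_addresses port;
#   3. dnsmasq and Stubby both wanting the same port.
# Paths are parameters so it can run against copies of the files.

# Succeeds only if every "nameserver" line names a loopback address.
resolv_is_loopback_only() {
    awk '$1 == "nameserver" { print $2 }' "$1" | awk '
        $0 !~ /^127\./ && $0 != "::1" && $0 != "0::1" { bad = 1 }
        END { exit (bad ? 1 : 0) }'
}

# Ports from stubby.yml listen_addresses ("- 127.0.0.1@54"; no @ means 53).
stubby_listen_ports() {
    awk '
        /^listen_addresses:/ { inlist = 1; next }
        inlist && /^[[:space:]]*-/ {
            sub(/^[[:space:]]*-[[:space:]]*/, "")
            port = ($0 ~ /@/) ? substr($0, index($0, "@") + 1) : 53
            print port; next
        }
        inlist && !/^[[:space:]]*(#|$)/ { inlist = 0 }
    ' "$1" | sort -u
}

# Upstream ports from dnsmasq "server=" lines ("server=::1#54"; no # means 53).
dnsmasq_upstream_ports() {
    awk -F'=' '/^server=/ {
        n = split($2, part, "#")
        port = (n > 1) ? part[n] : 53
        print port
    }' "$1" | sort -u
}

# dnsmasq listening port ("port=" option; default 53).
dnsmasq_listen_port() {
    p=$(awk -F'=' '/^port=/ { print $2 }' "$1" | tail -n 1)
    echo "${p:-53}"
}

# check_chain RESOLV_CONF STUBBY_YML DNSMASQ_CONF: prints findings and
# returns 0 only when the chain is consistent.
check_chain() {
    status=0
    if ! resolv_is_loopback_only "$1"; then
        echo "FAIL: $1 lists a non-loopback resolver; queries bypass Stubby"
        status=1
    fi
    sports=$(stubby_listen_ports "$2")
    dports=$(dnsmasq_upstream_ports "$3")
    if [ "$sports" != "$dports" ]; then
        echo "FAIL: Stubby listens on $(echo $sports) but dnsmasq forwards to $(echo $dports)"
        status=1
    fi
    dport=$(dnsmasq_listen_port "$3")
    if printf '%s\n' "$sports" | grep -qx "$dport"; then
        echo "FAIL: Stubby and dnsmasq both want port $dport"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: resolv.conf -> dnsmasq:$dport -> Stubby:$(echo $sports)"
    return "$status"
}

# Constructed sample files mirroring the page's configuration.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf 'nameserver ::1\nnameserver 127.0.0.1\noptions trust-ad\n' > "$demo/resolv.conf"
# What a DHCP client typically leaves behind after rewriting the file.
printf '# Generated by dhcpcd\nnameserver 192.0.2.1\nnameserver 127.0.0.1\n' \
    > "$demo/resolv.conf.overwritten"
cat > "$demo/stubby.yml" <<'EOF'
listen_addresses:
  - 127.0.0.1@54
  - 0::1@54
upstream_recursive_servers:
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
EOF
printf 'no-resolv\nproxy-dnssec\nserver=::1#54\nserver=127.0.0.1#54\nlisten-address=::1,127.0.0.1\n' \
    > "$demo/dnsmasq.conf"
# Common mistake: the port was changed on one side only.
sed 's/#54$/#5353/' "$demo/dnsmasq.conf" > "$demo/dnsmasq.wrongport.conf"

check_chain "$demo/resolv.conf" "$demo/stubby.yml" "$demo/dnsmasq.conf" || :
check_chain "$demo/resolv.conf.overwritten" "$demo/stubby.yml" "$demo/dnsmasq.conf" || :
check_chain "$demo/resolv.conf" "$demo/stubby.yml" "$demo/dnsmasq.wrongport.conf" || :
```

Run check_chain against the real files (/etc/resolv.conf, /etc/stubby/stubby.yml, /etc/dnsmasq.conf) after each change, and again after a reboot or network reconnect, since that is when the resolv.conf rewrite described above usually happens.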

Other DNS cachers

For more DNS cachers, see DNSCrypt#Local DNS cache configuration. The configurations should be similar if not identical.

This article is issued from Archlinux. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.