From ArchWiki

Stubby is an application that acts as a local DNS Privacy stub resolver (using DNS-over-TLS). Stubby encrypts DNS queries sent from a client machine (desktop or laptop) to a DNS Privacy resolver, increasing end user privacy.


Install the stubby package.


To configure stubby, perform the following steps:

Select resolver

Upon installation, Stubby has some default resolvers. They can be found and edited in /etc/stubby/stubby.yml. You can use the defaults, uncomment one of prewritten resolvers or find another resolver from this list.

Example of a valid resolver configuration:


# The Cloudflare server
- address_data:
    tls_port: 853
    tls_auth_name: ""

# The Surfnet/Sinodun servers
 - address_data:
    tls_auth_name: ""
      - digest: "sha256"
        value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=

When you get warn log complaining wrong tls_pubkey_pinset, the tls_pubkey_pinset value may be wrong and the value of the tls_pubkey_pinset can be generated with:

$ echo | openssl s_client -connect address_data:tls_port 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
Note: For further information on configuring Stubby see Configuring Stubby.

Modify resolv.conf

After selecting a resolver, modify the resolv.conf file and replace the current set of resolver addresses with address for localhost:

nameserver ::1
options trust-ad

Other programs may overwrite this setting; see resolv.conf#Overwriting of /etc/resolv.conf for details.

Start systemd service

Finally, start/enable the stubby.service.

Tips and tricks

Local DNS cache configuration

Stubby does not have a built-in DNS cache, therefore every single query is transmitted and resolved, which can slow down connections. Setting up a DNS cache requires installing and configuring a separate DNS cacher.

Change port

In order to forward to a local DNS cache, Stubby should listen on a port different from the default 53, since the DNS cache itself needs to listen on 53 and query Stubby on a different port. Port number 53000 is used as an example in this section. In this example, the port number is larger than 1024 so stubby is not required to be run by root.

Edit the value of listen_addresses as follows:

  -  0::1@53000

Configure dnsmasq as a local DNS cache. The basic configuration to work with Stubby is the following:


Restart dnsmasq.service to apply the changes.

Other DNS cachers

For more DNS cachers, see DNSCrypt#Local DNS cache configuration. The configurations should be similar if not identical.