Stubby is an application that acts as a local DNS Privacy stub resolver (using DNS-over-TLS). Stubby encrypts DNS queries sent from a client machine (desktop or laptop) to a DNS Privacy resolver, increasing end user privacy.
Install the package.
To configure stubby, perform the following steps:
Upon installation, Stubby has some default resolvers. They can be found and edited in
/etc/stubby/stubby.yml. You can use the defaults, uncomment one of prewritten resolvers or find another resolver from this list.
Example of a valid resolver configuration:
upstream_recursive_servers: # The Cloudflare server - address_data: 18.104.22.168 tls_port: 853 tls_auth_name: "cloudflare-dns.com" # The Surfnet/Sinodun servers - address_data: 22.214.171.124 tls_auth_name: "dnsovertls.sinodun.com" tls_pubkey_pinset: - digest: "sha256" value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
When you get warn log complaining wrong tls_pubkey_pinset, the tls_pubkey_pinset value may be wrong and the
value of the
tls_pubkey_pinset can be generated with:
$ echo | openssl s_client -connect address_data:tls_port 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
After selecting a resolver, modify the resolv.conf file and replace the current set of resolver addresses with address for localhost:
nameserver ::1 nameserver 127.0.0.1 options trust-ad
Other programs may overwrite this setting; see resolv.conf#Overwriting of /etc/resolv.conf for details.
Start systemd service
Finally, start/enable the
Tips and tricks
Local DNS cache configuration
Stubby does not have a built-in DNS cache, therefore every single query is transmitted and resolved, which can slow down connections. Setting up a DNS cache requires installing and configuring a separate DNS cacher.
In order to forward to a local DNS cache, Stubby should listen on a port different from the default
53, since the DNS cache itself needs to listen on
53 and query Stubby on a different port. Port number
53000 is used as an example in this section. In this example, the port number is larger than 1024 so stubby is not required to be run by root.
Edit the value of
listen_addresses as follows:
listen_addresses: - 127.0.0.1@53000 - 0::1@53000
Configure dnsmasq as a local DNS cache. The basic configuration to work with Stubby is the following:
no-resolv proxy-dnssec server=::1#53000 server=127.0.0.1#53000 listen-address=::1,127.0.0.1
dnsmasq.service to apply the changes.
Other DNS cachers
For more DNS cachers, see DNSCrypt#Local DNS cache configuration. The configurations should be similar if not identical.