'Stubby' is the name given to a mode of using getdns which enables it to act as a local DNS Privacy stub resolver (using DNS-over-TLS
). Stubby encrypts DNS queries sent from a client machine (desktop or laptop) to a DNS Privacy
In this mode, the only dependancy is OpenSSL. If this is installed in a non-standard location on your system use the --with-ssl option to configure below to specify where it is.
Download the getdns source
The 1.1 branch will be available any day now. Until then please pick the code up directly from a branch in Sara Dickinson's fork of getdns as shown below!
> git clone https://github.com/saradickinson/getdns.git
> cd getdns
> git checkout feature/upstream_handling
Build the code
> git submodule update --init
> libtoolize -ci
> autoreconf -fi
> mkdir build
> cd build
> ../configure --prefix=<install_location> --without-libidn --enable-stub-only
> make getdns_query
If you want to see detailed debug information as messages are processed then add the --enable-debug-stub option to the configure line above
Run the daemon
The command below will run the daemon listening on port 53 of the loopback address and sending queries to the NLnet Labs test DNS Privacy server (at 220.127.116.11 and 2a04:b900:0:100::38)
over TLS. It also specifies an idle timeout on the TLS connection of 10s with the '-e 10000' option. This test server does not support EDNS0 TCP Keepalive yet, so this timeout will always be used.
> sudo src/test/getdns_query -s @18.104.22.168 -l L -z 127.0.0.1@53 -e 1000
IPv4 and IPv6
> sudo src/test/getdns_query -s @22.214.171.124 @2a04:b900:0:100::38 -l L -z 127.0.0.1@53 -z ::1@53 -e 1000
Exit the daemon at any time by hitting CTRL-C.
Modify your upstream resolvers
For getdns to re-send outgoing DNS queries over TLS the recursive resolvers configured on your machine must be changed to send all the queries over the loopback interface. This depends on the operating system being run
- Open System Preferences->Network->Advanced->DNS
- Use the '-' button to remove the existing nameservers
- Use the + button to add '127.0.0.1' and '::1' (only add the IPv4 address if you don't have IPv6)
- Hit 'OK' in the DNS pane and then 'Apply' on the Network pane
Once the change in step 1.6 is made your queries will be re-directed to the getdns daemon and sent over TLS! You can monitor the traffic using Wireshark watching on port 853.
resolver increasing end user privacy.
Stubby is in the early stages of development but is suitable for technical/advanced users. A more generally user-friendly version is on the way!
Since Stubby is part of the getdns project - the reference page for how to get up and running with Stubby has moved to the getdns website:
Stubby Reference Guide
As always, bugs or feature requests can be directed to either
Other ways to run a privacy daemon are:
- Run Unbound as a local forwarder using the ssl_upstream option to encrypt outgoing queries. This is provides a local caching resolver but at the moment Unbound doesn't fully support RFC7766 as a client and so you may not see the same performance as from Stubby (which pipelines queries).
- Work is in progress to enable knot resolver to work in this mode too