'Stubby' is part of the getdns project - this is just a reference
page on how to get up and running with Stubby!
which enables it to act as a local DNS Privacy stub resolver (using DNS-over-TLS). Stubby encrypts DNS queries sent from a client machine (desktop or laptop) to a DNS Privacy resolver increasing end user privacy.
Stubby is in the early stages of development but is suitable for technical/advanced users. A more generally user-friendly version is on the way!
It is recommended to use the latest release of the 1.1 version of getdns to have the most up to date version of Stubby.
In this mode Stubby (getdns) does several things
- Runs as a daemon
- By default obtains its configuration information from the configuration file at /etc/stubby.conf
- Can be configured to listen on the loopback address and send all outgoing DNS queries received on that address out over TLS to a DNS Privacy server
- Can be configured with authentication information for DNS Privacy servers and instructed to use either a 'Strict' or an 'Opportunistic' Profile as described in Authentication and (D)TLS Profile for DNS-over-(D)TLS
Other ways to run a privacy daemon are:
- Run Unbound as a local forwarder using the ssl_upstream option to encrypt outgoing queries. This is provides a local caching resolver but at the moment Unbound doesn't fully support RFC7766 as a client and so you may not see the same performance as from Stubby (which pipelines queries).
- Work is in progress to enable knot resolver to work in this mode too