DNS Privacy
Links
DNS Privacy Project homepage
DPRIVE
getdns
NLnet Labs
Sinodun
'Stubby' is part of the getdns project - this is just a reference page on how to get up and running with Stubby!
Stubby is the name given to a mode of using getdns which enables it to act as a local DNS Privacy stub resolver (using DNS-over-TLS). Stubby encrypts DNS queries sent from a client machine (desktop or laptop) to a DNS Privacy resolver, increasing end-user privacy. Stubby is in the early stages of development but is suitable for technical/advanced users. A more generally user-friendly version is on the way!
It is recommended to use the latest release of the 1.1 version of getdns to have the most up to date version of Stubby.
In this mode Stubby (getdns) does several things
In this mode, the only dependency is OpenSSL (version 1.0.2 or later is required for hostname authentication to be supported). If OpenSSL is installed in a non-standard location on your system, pass the --with-ssl option to configure (see below) to specify where it is.
On most Linux distros it may be necessary to install OpenSSL 1.0.2 from source.
On Mac OS X it is recommended to install OpenSSL using homebrew, in which case add the following to the configure line in step 1.3 below:
--with-ssl=/usr/local/opt/openssl/
Either clone the code:
> git clone https://github.com/getdnsapi/getdns.git
> cd getdns
> git checkout release/1.1.0-alpha3
or grab a tarball from this page: Latest getdns releases
Note that on Mac OS X you will need the developer tools from Xcode to compile the code. And you may need to use brew to install libtool (and then use glibtoolize below), autoconf and automake.
> git submodule update --init
> libtoolize -ci
> autoreconf -fi
> mkdir build
> cd build
> ../configure --prefix=<install_location> --without-libidn --enable-stub-only
> make
> sudo make install
Logging/debugging
Stubby will use the config file at /etc/stubby.conf by default if it exists, or the config file location can be specified on the command line using the '-C' flag. (Note: with no config file, Stubby will send queries over plain UDP to the default nameservers.)
Changes to the config file require a restart of Stubby.
The config file below is an example that will configure Stubby to:
{ resolution_type: GETDNS_RESOLUTION_STUB
, dns_transport_list: [ GETDNS_TRANSPORT_TLS ]
, upstream_recursive_servers: [
    { address_data: 185.49.141.38
    , tls_auth_name: "getdnsapi.net"
    , tls_pubkey_pinset: [ { digest: "sha256"
                           , value: 0x7e8c59467221f606695a797ecc488a6b4109dab7421aba0c5a6d3681ac5273d4 } ] } ]
, tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
, tls_query_padding_blocksize: 256
, edns_client_subnet_private : 1
, listen_addresses: [ 127.0.0.1, 0::1 ]
, idle_timeout: 10000
}
Additional privacy servers can be specified by adding more entries to the upstream_recursive_servers list above (note that a separate entry must be made for the IPv4 and IPv6 addresses of a given server). More DNS Privacy test servers are listed here.
It is recommended to use more than one upstream for increased performance and reliability. This config file uses Strict Privacy to all the current test servers that support it over both IPv4 and IPv6: stubby.conf
Simply invoke Stubby on the command line. By default it runs in the foreground; the '-g' flag runs it in the background. The pid file is /var/run/stubby.pid.
> sudo stubby
A quick test can be done by using dig (or your favourite DNS tool) against the loopback address:
> dig @127.0.0.1 www.example.com
Once the system resolver change described below is made, your DNS queries will be redirected to Stubby and sent over TLS! (You may need to restart some applications to have them pick up the new network settings.)
You can monitor the traffic using Wireshark, watching on port 853.
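To see what Stubby's Strict Privacy configuration and the quick test above actually do on the wire, here is an added example (not code from the getdns/Stubby project or from this page) that performs one DNS-over-TLS lookup itself: it connects to port 853 with TLS, authenticates the server against the tls_auth_name, compares the SPKI pin against the tls_pubkey_pinset value from the config above, and then sends a length-prefixed DNS query as RFC 7858 specifies. The pin computation is the same one the config relies on: SHA-256 over the DER SubjectPublicKeyInfo of the server certificate. The certificate skeleton and the DNS response at the bottom are constructed sample data (not a real certificate or a real answer) so the parsing functions can be exercised offline; the upstream address, authentication name and pin in the live check are the ones from the config on this page, and the pin may have rotated since the page was written.

```python
import hashlib
import socket
import ssl
import struct


def der_tlv(buf, pos=0):
    """Read one DER element at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def spki_from_der_cert(cert):
    """Return the SubjectPublicKeyInfo TLV bytes of a DER X.509 certificate."""
    _, cert_body, _ = der_tlv(cert)         # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    _, tbs, _ = der_tlv(cert_body)          # TBSCertificate ::= SEQUENCE { ... }
    pos = 0
    if tbs[0] == 0xA0:                      # optional [0] EXPLICIT version
        _, _, pos = der_tlv(tbs, pos)
    for _ in range(5):                      # serial, signature, issuer, validity, subject
        _, _, pos = der_tlv(tbs, pos)
    return tbs[pos:der_tlv(tbs, pos)[2]]    # subjectPublicKeyInfo comes next

def pin_from_spki(spki):
    """Pin in the hex form used by tls_pubkey_pinset on this page: 0x + sha256(SPKI)."""
    return "0x" + hashlib.sha256(spki).hexdigest()

def spki_pin_hex(cert_der):
    return pin_from_spki(spki_from_der_cert(cert_der))

# Minimal DNS wire format: build an A query and pull the A records out of the answer.

def build_query(name, qtype=1, qid=0x1234):
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)      # QCLASS IN

def _skip_name(msg, pos):
    while msg[pos] != 0 and msg[pos] & 0xC0 != 0xC0:
        pos += 1 + msg[pos]
    return pos + (2 if msg[pos] & 0xC0 == 0xC0 else 1)   # compression pointer: 2 bytes, root: 1

def parse_a_records(msg):
    """Return (rcode, [IPv4 addresses]) from a DNS response message."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    pos, addrs = 12, []
    for _ in range(qdcount):
        pos = _skip_name(msg, pos) + 4      # skip QTYPE + QCLASS
    for _ in range(ancount):
        pos = _skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[pos:pos + 4]))
        pos += rdlen
    return flags & 0x000F, addrs

# DNS-over-TLS (RFC 7858): TLS to port 853, each message prefixed by a 2-byte length.

def dot_query(address, auth_name, expected_pin, name="www.example.com", port=853):
    """Strict Privacy lookup: chain + hostname check via auth_name, then the SPKI pin."""
    ctx = ssl.create_default_context()      # verifies the chain against the system roots
    with socket.create_connection((address, port), timeout=5) as raw, \
         ctx.wrap_socket(raw, server_hostname=auth_name) as tls:   # SNI + name check
        pin = spki_pin_hex(tls.getpeercert(binary_form=True))
        if pin != expected_pin:
            raise ssl.SSLError(f"SPKI pin mismatch, got {pin}")
        query = build_query(name)
        tls.sendall(struct.pack("!H", len(query)) + query)
        stream = tls.makefile("rb")         # read(n) blocks until exactly n bytes arrive
        length = struct.unpack("!H", stream.read(2))[0]
        return parse_a_records(stream.read(length))

# Constructed sample data: a dummy certificate skeleton and a canned response (neither is real).

def _der(tag, content):                     # small DER encoder, used only to build the sample
    n = len(content)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + content

_EC_P256 = _der(0x30, bytes.fromhex("06072A8648CE3D0201") + bytes.fromhex("06082A8648CE3D030107"))
SAMPLE_SPKI = _der(0x30, _EC_P256 + _der(0x03, b"\x00\x04" + bytes(64)))  # dummy key bits
_SIG_ALG = _der(0x30, bytes.fromhex("06082A8648CE3D040302"))             # ecdsa-with-SHA256
_TBS = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _SIG_ALG + _der(0x30, b"")
            + _der(0x30, _der(0x17, b"170101000000Z") + _der(0x17, b"270101000000Z"))
            + _der(0x30, b"") + SAMPLE_SPKI)
SAMPLE_CERT = _der(0x30, _TBS + _SIG_ALG + _der(0x03, b"\x00"))
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + build_query("www.example.com")[12:]
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
# Upstream, auth name and pin exactly as in the config on this page (the pin may have rotated).
PAGE_UPSTREAM = ("185.49.141.38", "getdnsapi.net", "0x7e8c59467221f606695a797ecc488a6b4109dab7421aba0c5a6d3681ac5273d4")

if __name__ == "__main__":
    print(spki_pin_hex(SAMPLE_CERT), parse_a_records(SAMPLE_RESPONSE))
    print(dot_query(*PAGE_UPSTREAM))
```

Run as a script it prints the sample pin and the canned answer, then performs the live lookup; a pin mismatch or a certificate that does not match the auth name raises before any query is sent, which is the Strict Privacy behaviour GETDNS_AUTHENTICATION_REQUIRED asks of Stubby. To check the current pin of an upstream with the OpenSSL command line instead, `openssl s_client -connect 185.49.141.38:853 -servername getdnsapi.net </dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256` prints the same SHA-256 value that spki_pin_hex would return for that certificate.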
For Stubby to re-send outgoing DNS queries over TLS, the recursive resolvers configured on your machine must be changed so that all local queries are sent to the loopback interface on which Stubby is listening. How to do this depends on the operating system being run. It is useful to note your existing default nameservers before making this change!
Linux/Unix systems
Add the following nameserver lines to /etc/resolv.conf (only add the IPv4 address if you don't have IPv6):
nameserver 127.0.0.1
nameserver ::1
OS X
From the command line you can do the following to set the local DNS servers on, for example, your 'Wi-Fi' interface (the first line clears all servers, the second line adds localhost):
sudo networksetup -setdnsservers Wi-Fi Empty
sudo networksetup -setdnsservers Wi-Fi 127.0.0.1 ::1
If you want to reset, just use:
sudo networksetup -setdnsservers Wi-Fi Empty
which should pick up the default DHCP nameservers. Or use something similar to the first set of instructions if you want to specify particular nameservers.
Or via the GUI:
Notes: