
stubby: Switch to Quad9 as default DoT resolver #20254

Closed
wants to merge 4 commits into from

Conversation


@ghost ghost commented Jan 10, 2023

Switch from Cloudflare to Quad9 as stubby's default DoT resolvers.

Changes were also made to stubby's default configuration to improve stubby's robustness and user experience. See each commit's description for more details.

Aquila Cooper added 4 commits January 10, 2023 04:47
Upstream's template stubby.yml configuration file contains helpful comments and a handy list of optional DoT recursive resolvers for the user to choose from.

Additionally, certain changes have been made to the configuration file both to align more closely with stubby's current OpenWrt-specific configuration and to offer a slightly more robust user experience:

* `appdata_dir` continues to be `/var/lib/stubby` instead of upstream's `/var/cache/stubby`.
* `listen_addresses` has been edited to add port 5453 to the entries.
* `tls_min_version` has been set to TLS 1.3 to prevent downgrade attacks.
* `tls_ciphersuites` has been edited to prioritize `TLS_CHACHA20_POLY1305_SHA256` because most embedded systems do not have AES-NI hardware acceleration.
* Quad9's DoT recursive resolvers are now the default DoT resolvers.
  * Quad9 is based in Switzerland, is governed by Swiss privacy laws, and offers a privacy policy arguably superior to Cloudflare's.
  * Cloudflare's DoT resolvers have a habit of not playing nice with stubby. See, for example, getdnsapi/stubby#183 and getdnsapi/stubby#331.
  * I opted to not default to the getdnsapi.net servers both to offer more robustness with a solid anycast service and to help prevent overwhelming upstream's limited resources.
* `round_robin_upstreams` has been set to `0` because it doesn't make sense to concurrently send multiple queries to multiple addresses of an anycast service.

Signed-off-by: Aquila Cooper <[email protected]>
Switch from Cloudflare to Quad9 as stubby's default DoT resolvers.

* Quad9 is based in Switzerland, is governed by Swiss privacy laws, and offers a privacy policy arguably superior to Cloudflare's.
* Cloudflare's DoT resolvers have a habit of not playing nice with stubby. See, for example, getdnsapi/stubby#183 and getdnsapi/stubby#331.

Additionally, make the following changes to improve stubby's robustness and user experience:

* set `option round_robin_upstreams` to `0` because it doesn't make much sense to concurrently send multiple queries to multiple addresses of a unicast service.
* set `option tls_min_version` to `1.3` to prevent downgrade attacks.
* prioritize `TLS_CHACHA20_POLY1305_SHA256` because most embedded systems do not have AES-NI hardware acceleration.
* make the `list spki` option empty because Quad9 does not publish SPKI pins, nor do they recommend the use of SPKI pins with their DoT resolvers (see https://dnsprivacy.org/public_resolvers/).

Signed-off-by: Aquila Cooper <[email protected]>
Updates README.md to reflect the switch to Quad9 as the default DoT resolver and other changes to the default configuration.

Also updates README.md to correct some punctuation and spelling mistakes and to update certain URLs.

Signed-off-by: Aquila Cooper <[email protected]>
Bumps PKG_RELEASE to `2` after switching to Quad9 as stubby's default resolvers and making other changes to stubby's default configuration. Also updates the description and GitHub URLs.

Signed-off-by: Aquila Cooper <[email protected]>
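As an added example (not code from this PR or from the OpenWrt stubby package), the following script lints an OpenWrt `/etc/config/stubby` UCI file for the points the commits above raise: `tls_authentication` on, `tls_min_version` at 1.3, `TLS_CHACHA20_POLY1305_SHA256` first in `tls_ciphersuites`, a port on every `listen_address`, a `tls_auth_name` on every resolver, and `round_robin_upstreams` off. It treats a missing SPKI pin as a note rather than an error, since the PR deliberately leaves `list spki` empty for Quad9. The two embedded configs are constructed samples in the shape of the package's `config stubby 'global'` / `config resolver` layout, one mirroring the PR's described defaults (Quad9's 9.9.9.9 and 149.112.112.112 with auth name `dns.quad9.net`) and one mirroring the previous Cloudflare defaults; the assumption that `round_robin_upstreams` is on when unset is an assumption of this example, not something the PR states.

```python
"""Lint an OpenWrt /etc/config/stubby (UCI) file against the DoT settings described
in this PR.  Added example only; not code from the stubby package or from the PR."""
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of the defaults the PR describes (Quad9,
# TLS 1.3 minimum, ChaCha20 first, no round robin, no SPKI pins).
HARDENED_UCI = """\
config stubby 'global'
    option tls_authentication '1'
    option round_robin_upstreams '0'
    option tls_min_version '1.3'
    option tls_ciphersuites 'TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256'
    list listen_address '127.0.0.1@5453'
    list listen_address '0::1@5453'

config resolver
    option address '9.9.9.9'
    option tls_auth_name 'dns.quad9.net'

config resolver
    option address '149.112.112.112'
    option tls_auth_name 'dns.quad9.net'
"""

# Constructed "before" sample: Cloudflare, TLS 1.2 minimum, AES first, round robin on.
LEGACY_UCI = """\
config stubby 'global'
    option tls_authentication '1'
    option round_robin_upstreams '1'
    option tls_min_version '1.2'
    option tls_ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256'
    list listen_address '127.0.0.1@5453'

config resolver
    option address '1.1.1.1'
    option tls_auth_name 'cloudflare-dns.com'
"""

Section = Tuple[str, str, Dict[str, List[str]]]  # (type, name, {key: [values]})
_STMT = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)'|\s+(\S+))?\s*$")


def parse_uci(text: str) -> List[Section]:
    """Minimal reader for the config/option/list statements stubby's UCI file uses."""
    sections: List[Section] = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _STMT.match(line)
        if not m:
            raise ValueError(f"unparsable UCI line: {line!r}")
        kind, key = m.group(1), m.group(2)
        value = m.group(3) if m.group(3) is not None else (m.group(4) or "")
        if kind == "config":
            sections.append((key, value, {}))
        elif not sections:
            raise ValueError("option/list before any config section")
        else:
            sections[-1][2].setdefault(key, []).append(value)  # 'list' keys repeat
    return sections


def first(opts: Dict[str, List[str]], key: str, default: str = "") -> str:
    return opts.get(key, [default])[0]


def lint(text: str) -> Dict[str, List[str]]:
    """Errors break the policy the PR states; notes are trade-offs worth knowing."""
    out: Dict[str, List[str]] = {"error": [], "note": []}
    sections = parse_uci(text)
    glob = next((o for t, _, o in sections if t == "stubby"), None)
    if glob is None:
        out["error"].append("no 'config stubby' section")
        return out
    if first(glob, "tls_authentication") != "1":
        out["error"].append("tls_authentication is not '1': upstream certificates go unverified")
    ver = first(glob, "tls_min_version")
    if not ver or tuple(int(x) for x in ver.split(".")) < (1, 3):
        out["error"].append(f"tls_min_version is {ver or 'unset'}; the PR sets 1.3")
    if first(glob, "tls_ciphersuites").split(":")[0] != "TLS_CHACHA20_POLY1305_SHA256":
        out["note"].append("TLS_CHACHA20_POLY1305_SHA256 is not first; AES costs more without AES-NI")
    if first(glob, "round_robin_upstreams", "1") != "0":  # default-on when unset is assumed
        out["note"].append("round_robin_upstreams is on; the PR turns it off for an anycast service")
    for addr in glob.get("listen_address", []):
        if "@" not in addr:
            out["error"].append(f"listen_address {addr} has no @port (the PR uses 5453)")
    for r in (o for t, _, o in sections if t == "resolver"):
        addr = first(r, "address", "?")
        if not first(r, "tls_auth_name"):
            out["error"].append(f"resolver {addr}: no tls_auth_name to check the certificate against")
        if not any(r.get("spki", [])):
            out["note"].append(f"resolver {addr}: no SPKI pin; trust rests on tls_auth_name and the CA store")
    return out


if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED_UCI), ("legacy", LEGACY_UCI)):
        print(label, lint(cfg))
```

Run against a real router with `lint(open("/etc/config/stubby").read())`. The hardened sample produces no errors and two notes (one per resolver, on the absent SPKI pin); the legacy sample produces one error for the 1.2 minimum and three notes. The SPKI finding is kept as a note on purpose: with `tls_authentication '1'` and a `tls_auth_name`, getdns still validates the certificate chain and hostname, so dropping pins trades key-rotation robustness for reliance on the CA store rather than removing authentication.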
@ghost ghost closed this by deleting the head repository Jan 17, 2023
This pull request was closed.