diff --git a/net/stubby/Makefile b/net/stubby/Makefile index 25af732c62ca2..e51ec14b6ee7e 100644 --- a/net/stubby/Makefile +++ b/net/stubby/Makefile @@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=stubby PKG_VERSION:=0.4.3 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE_PROTO:=git PKG_SOURCE_URL:=https://github.com/getdnsapi/$(PKG_NAME) @@ -22,7 +22,7 @@ include $(INCLUDE_DIR)/cmake.mk define Package/stubby/Default TITLE:=stubby - URL:=https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby + URL:=https://dnsprivacy.org/dns_privacy_daemon_-_stubby/ endef define Package/stubby @@ -37,7 +37,7 @@ endef define Package/stubby/description This package contains the Stubby daemon (which utilizes the getdns library). - See https://github.com/openwrt/packages/blob/master/net/stubby/files/README.md for more details. + See https://github.com/openwrt/packages/blob/develop/net/stubby/files/README.md for more details. endef define Package/stubby/conffiles diff --git a/net/stubby/files/README.md b/net/stubby/files/README.md index 92021b3bc4fe6..682fbb1bc4ed2 100644 --- a/net/stubby/files/README.md +++ b/net/stubby/files/README.md 
@@ -1,28 +1,26 @@ - -# Stubby for OpenWRT +# Stubby for OpenWrt ## Stubby Description -[Stubby](https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby) is +[Stubby](https://dnsprivacy.org/dns_privacy_daemon_-_stubby/) is an application that acts as a local DNS Privacy stub resolver (using DNS-over-TLS). Stubby encrypts DNS queries sent from a client machine to a DNS Privacy resolver increasing end user privacy. -Stubby is useful on an OpenWRT device, because it can sit between the usual DNS +Stubby is useful on an OpenWrt device, because it can sit between the usual DNS resolver (dnsmasq by default) and the upstream DNS resolver and be used to -ensure that DNS traffic is encrypted between the OpenWRT device and the +ensure that DNS traffic is encrypted between the OpenWrt device and the resolver. -Stubby is developed by the [getdns](http://getdnsapi.net/) project. - -For more background and FAQ see the [About -Stubby](https://dnsprivacy.org/wiki/display/DP/About+Stubby) page. +Stubby is developed by the [getdns](https://getdnsapi.net) project. +For more background and FAQ, see the [About +Stubby](https://dnsprivacy.org/dns_privacy_daemon_-_stubby/about_stubby/) page. ## Installation Installation of this package can be achieved at the command line using `opkg -install stubby`, or via the LUCI Web Interface. Installing the stubby package +install stubby`, or via the LuCI web interface. Installing the stubby package will also install the required dependency packages, including the `ca-bundle` package. 
@@ -31,7 +29,7 @@ will also install the required dependency packages, including the The default configuration of the package has been chosen to ensure that stubby should work after installation. -By default, configuration of stubby is integrated with the OpenWRT UCI system +By default, configuration of stubby is integrated with the OpenWrt UCI system using the file `/etc/config/stubby`. The configuration options available are also documented in that file. If for some reason you wish to configure stubby using the `/etc/stubby/stubby.yml` file, then you simply need to set `option @@ -42,7 +40,7 @@ manual '1'` in `/etc/config/stubby` and all other settings in The default configuration ensures that stubby listens on port 5453 on the loopback interfaces for IPv4 and IPv6. As such, by default, stubby will respond -only to lookups from the OpenWRT device itself. +only to lookups from the OpenWrt device itself. By setting the listening ports to non-standard values, this allows users to keep the main name server daemon in place (dnsmasq/unbound/etc.) and have that name 
@@ -50,34 +48,27 @@ server forward to stubby. ### Upstream resolvers -The default package configuration uses the CloudFlare resolvers, configured for -both IPv4 and IPv6. - -CloudFlare have not published SPKI pinsets, and even though they are available, -they have made no commitment to maintaining them. Using the currently known SPKI -pinsets for CloudFlare brings the risk that in the future they may be changed by -CloudFlare, and DNS would stop working. The default configuration has those SPKI -entries commented out for this reason. +The default package configuration uses [Quad9](https://quad9.net)'s resolvers, configured for +both IPv4 and IPv6. -[CloudFlare's privacy -statement](https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/) +[Quad9's privacy +statement](https://quad9.net/service/privacy) details how they treat data from DNS requests. -More resolvers are available in the [upstream stubby example +More resolver options are available in the [upstream stubby example configuration](https://github.com/getdnsapi/stubby/blob/develop/stubby.yml.example) -and the [DNS Privacy -list](https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers). +and in a [list](https://dnsprivacy.org/test_servers/) compiled by the DNS Privacy Project. ## Integration of stubby with dnsmasq -The recommended way to use stubby on an OpenWRT device is to integrate it with a -caching resolver. The default caching resolver in OpenWRT is dnsmasq. +The recommended way to use stubby on an OpenWrt device is to integrate it with a +caching resolver. The default caching resolver in OpenWrt is dnsmasq. ### Set dnsmasq to send DNS requests to stubby -Since dnsmasq responds to LAN DNS requests on port 53 of the OpenWRT device by +Since dnsmasq responds to LAN DNS requests on port 53 of the OpenWrt device by default, all that is required is to have dnsmasq forward those requests to -stubby which is listening on port 5453 of the OpenWRT device. 
To achieve this, +stubby which is listening on port 5453 of the OpenWrt device. To achieve this, we need to set the `server` option in the dnsmasq configuration in the `/etc/config/dhcp` file to `'127.0.0.1#5453'`. We also need to tell dnsmasq not to use resolvers found in `/etc/resolv.conf` by setting the dnsmasq option @@ -89,22 +80,22 @@ command line: uci set dhcp.@dnsmasq[-1].noresolv=1 uci commit && reload_config -The same outcome can be achieved in the LUCI web interface as follows: +The same outcome can be achieved in the LuCI web interface as follows: 1. Select the Network->DHCP and DNS menu entry. 2. In the "General Settings" tab, enter the address `127.0.0.1#5453` as the only entry in the "DNS Forwardings" dialogue. -3. In the "Resolv and Host files" tab tick the "Ignore resolve file" checkbox. +3. In the "Resolv and Host files" tab, tick the "Ignore resolve file" checkbox. ### Disable sending DNS requests to ISP provided DNS servers The configuration changes in the previous section ensure that DNS queries are sent over TLS encrypted connections *once dnsmasq and stubby are started*. When -the OpenWRT device is first brought up, there is a possibility that DNS queries +the OpenWrt device is first brought up, there is a possibility that DNS queries can go to ISP provided DNS servers ahead of dnsmasq and stubby being active. In order to mitigate this leakage, it's necessary to ensure that upstream resolvers aren't available, and the only DNS resolver used by the system is -dnsmasq+stubby. +dnsmasq+stubby. This requires setting the option `peerdns` to `0` and the option `dns` to the loopback address for both the `wan` and `wan6` interfaces in the 
@@ -117,16 +108,16 @@ loopback address for both the `wan` and `wan6` interfaces in the uci set network.wan6.dns='0::1' uci commit && reload_config -The same outcome can also be achieved using the LUCI web interface as follows: +The same outcome can also be achieved using the LuCI web interface as follows: 1. Select the Network->Interfaces menu entry. 2. Click on Edit for the WAN interfaces. 3. Choose the Advanced Settings tab. -4. Unselect the "Use DNS servers advertised by peer" checkbox +4. Unselect the "Use DNS servers advertised by peer" checkbox. 5. Enter `127.0.0.1` in the "Use custom DNS servers" dialogue box. 6. Repeat the above steps for the WAN6 interface, but use the address `0::1` instead of `127.0.0.1`. - + ### Enabling DNSSEC The configuration described above ensures that DNS queries are executed over TLS @@ -144,8 +135,8 @@ DNSSEC: Either option achieves the same outcome, and there appears to be little reason for choosing one over the other other than that the second option is easier to -configure in the LUCI web interface. Both options are detailed below, and both -require that the `dnsmasq` package on the OpenWRT device is replaced with the +configure in the LuCI web interface. Both options are detailed below, and both +require that the `dnsmasq` package on the OpenWrt device is replaced with the `dnsmasq-full` package. That can be achieved by running the following command: opkg install dnsmasq-full --download-only && opkg remove dnsmasq && opkg install dnsmasq-full --cache . && rm *.ipk 
@@ -158,10 +149,10 @@ which can be done by editing the file directly or by executing the commands: uci set stubby.global.dnssec_return_status=1 uci commit && reload_config - + With stubby performing DNSSEC validation, dnsmasq needs to be configured to proxy the DNSSEC data to clients. This requires setting the option `proxydnssec` -to 1 in the dnsmasq configuration in `/etc/config/dhcp`. That can be achieved by +to `1` in the dnsmasq configuration in `/etc/config/dhcp`. That can be achieved by the following commands: uci set dhcp.@dnsmasq[-1].proxydnssec=1 @@ -179,7 +170,7 @@ commands: uci set dhcp.@dnsmasq[-1].dnsseccheckunsigned=1 uci commit && reload_config -The same options can be set in the LUCI web interface as follows: +The same options can be set in the LuCI web interface as follows: 1. Select the "Network->DHCP and DNS" menu entry. 2. Select the "Advanced Settings" tab. 
@@ -188,36 +179,36 @@ The same options can be set in the LUCI web interface as follows: #### Validating DNSSEC operation Having configured DNSSEC validation using one of the two approaches above, it's -important to check it's actually working. The following command can be used: +important to check it's actually working. The following command can be issued +on a system with `dig` installed: + + dig @192.168.1.1 -q dnssectest.sidn.nl +dnssec +multiline - dig dnssectest.sidn.nl +dnssec +multi @192.168.1.1 - This command should return output like the following: - ; <<>> DiG 9.11.4-P1-RedHat-9.11.4-5.P1.fc28 <<>> dnssectest.sidn.nl +dnssec +multi @192.168.1.1 + ; <<>> DiG 9.16.33-Debian <<>> @192.168.1.1 -q dnssectest.sidn.nl +dnssec +multiline + ; (1 server found) ;; global options: +cmd ;; Got answer: - ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26579 + ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13936 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: - ; EDNS: version: 0, flags: do; udp: 512 + ; EDNS: version: 0, flags: do; udp: 1232 ;; QUESTION SECTION: ;dnssectest.sidn.nl. IN A ;; ANSWER SECTION: - dnssectest.sidn.nl. 14399 IN A 213.136.9.12 - dnssectest.sidn.nl. 14399 IN RRSIG A 8 3 14400 ( - 20181104071058 20181005071058 42033 sidn.nl. - YAQl3tef36M9EQUOmCneHKCCkxox3csLpfUOql5i/6ND - zPrQFsNr3g32HPoxOsi+hD2BE5+bEsnARayDSVLyx0qU - 6Hpi2rzQ0zGNZZkCJhCsdp3wnM1BWlMgPrCD0iIsJDok - +DH5zu+yYufVUdSLQrMqA3MZDFUIqDUqSZuYDF4= ) - - ;; Query time: 77 msec + dnssectest.sidn.nl. 3600 IN A 212.114.120.64 + dnssectest.sidn.nl. 3600 IN RRSIG A 13 3 3600 ( + 20230124143159 20230109135715 30794 sidn.nl. 
+ HlLJFsN+lgI9MZ/VOnlXnYT7/9D0bP5vCc88Sjl72mB1 + sYx0e5PHHX3DLjVVzveE7bhkytDqqCyUnOfjANthFA== ) + + ;; Query time: 287 msec ;; SERVER: 192.168.1.1#53(192.168.1.1) - ;; WHEN: Sat Oct 06 20:36:25 BST 2018 - ;; MSG SIZE rcvd: 230 + ;; WHEN: Tue Jan 10 06:26:00 UTC 2023 + ;; MSG SIZE rcvd: 166 The key thing to note is the `flags: qr rd ra ad` part - the `ad` flag signifies that DNSSEC validation is working. If that flag is absent DNSSEC validation is @@ -243,16 +234,15 @@ will be managed through UCI. This specifies an interface to trigger stubby start up on; stubby startup will be triggered by a procd signal associated with this interface being ready. If -this interface is restarted, stubby will also be restarted. +this interface is restarted, stubby will also be restarted. This option can also be set to `'timed'`, in which case a time, specified by the option `triggerdelay`, will be waited before starting stubby. - #### `option triggerdelay` If the `trigger` option specifies an interface, this option sets the time that -is waited after the procd signal is received before starting stubby. +is waited after the procd signal is received before starting stubby. If `trigger` is set to `'timed'` then this is the delay before starting stubby. This option is specified in seconds and defaults to the value `'2'`. @@ -261,7 +251,8 @@ This option is specified in seconds and defaults to the value `'2'`. The `dns_transport` list specifies the allowed transports. Allowed values are: `GETDNS_TRANSPORT_UDP`, `GETDNS_TRANSPORT_TCP` and `GETDNS_TRANSPORT_TLS`. The -transports are tried in the order listed. +transports are tried in the order listed. The default entry is +`GETDNS_TRANSPORT_TLS`. #### `option tls_authentication` 
@@ -276,7 +267,7 @@ authenticated lookups. You probably don't want this though. This option specifies the block size to pad DNS queries to. You shouldn't need to set this to anything but `'128'` (the default), as recommended by -https://tools.ietf.org/html/draft-ietf-dprive-padding-policy-03 +https://tools.ietf.org/html/draft-ietf-dprive-padding-policy-03. #### `option tls_connection_retries` @@ -294,7 +285,7 @@ from the default value of `'3600'`. This option specifies the timeout on getting a response to an individual request. This is specified in milliseconds. You shouldn't need to change this -from the default value of ` '5000'`. +from the default value of `'5000'`. #### `option dnssec_return_status` @@ -309,10 +300,10 @@ retrieved trust anchor data here. The default value is `'/var/lib/stubby'`. #### `option trust_anchors_backoff_time` -When Zero configuration DNSSEC failed, because of network unavailability or +When zero-configuration DNSSEC fails, because of network unavailability or failure to write to the appdata directory, stubby will backoff trying to refetch -the DNSSEC trust-anchor for a specified amount of time expressed in milliseconds -(which defaults to two and a half seconds). +the DNSSEC trust-anchor for a specified amount of time expressed in milliseconds. +The default value is `2500`. #### `option dnssec_trust_anchors` 
@@ -340,11 +331,11 @@ See [here](https://tools.ietf.org/html/rfc7828) for more details. #### `option round_robin_upstreams` This option specifies how stubby will use the upstream DNS resolvers. Set to -`'1'` (the default) to instruct stubby to distribute queries across all -available name servers - this will use multiple simultaneous connections which -can give better performance in most (but not all) cases. Set to `'0'` to treat -the upstream resolvers as an ordered list and use a single upstream resolver -until it becomes unavailable, then use the next one. +`'1'` to instruct stubby to distribute queries across all available name servers. +This will use multiple simultaneous connections which can give better performance in +most (but not all) cases. Set to `'0'` (the default) to treat the upstream resolvers +as an ordered list and use a single upstream resolver until it becomes unavailable, +then use the next one. #### `list listen_address` 
@@ -376,21 +367,22 @@ stubby daemon. By default, this is an empty string. #### `option tls_cipher_list` If set, this specifies the acceptable ciphers for DNS over TLS. With OpenSSL -1.1.1 this list is for TLS1.2 and older only. Ciphers for TLS1.3 should be set +1.1.1 this list is for TLS 1.2 and older only. Ciphers for TLS 1.3 should be set with the `tls_ciphersuites` option. This option can also be given per upstream resolver. By default, this option is not set. #### `option tls_ciphersuites` -If set, this specifies the acceptable cipher for DNS over TLS1.3. OpenSSL +If set, this specifies the acceptable cipher for DNS over TLS 1.3. OpenSSL version 1.1.1 or greater is required for this option. This option can also be -given per upstream resolver. By default, this option is not set. +given per upstream resolver. By default, this option is set to +`'TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256'`. #### `option tls_min_version` If set, this specifies the minimum acceptable TLS version. Works with OpenSSL 1.1.1 or greater only. This option can also be given per upstream resolver. By -default, this option is not set. +default, this option is set to `1.3`. #### `option tls_max_version` @@ -398,7 +390,6 @@ If set, this specifies the maximum acceptable TLS version. Works with OpenSSL 1.1.1 or greater only. This option can also be given per upstream resolver. By default, this option is not set. - ### `resolver` section options #### `option address` @@ -409,7 +400,7 @@ IPv6 address. #### `option tls_auth_name` This option specifies the upstream domain name used for TLS authentication with -the supplied server certificate +the supplied server certificate. #### `option tls_port` 
@@ -419,13 +410,13 @@ this defaults to 853. #### `option tls_cipher_list` If set, this specifies the acceptable ciphers for DNS over TLS. With OpenSSL -1.1.1 this list is for TLS1.2 and older only. Ciphers for TLS1.3 should be set +1.1.1 this list is for TLS 1.2 and older only. Ciphers for TLS 1.3 should be set with the `tls_ciphersuites` option. By default, this option is not set. If set, this overrides the global value. #### `option tls_ciphersuites` -If set, this specifies the acceptable cipher for DNS over TLS1.3. OpenSSL +If set, this specifies the acceptable cipher for DNS over TLS 1.3. OpenSSL version 1.1.1 or greater is required for this option. By default, this option is not set. If set, this overrides the global value. @@ -449,6 +440,5 @@ the `digest type` is the hashing algorithm used, and the value is the Base64 encoded hash of the public key. At present, only `sha256` is supported for the digest type. -This should ONLY be used if the upstream resolver has committed to maintaining -the pinset. CloudFlare have made no such commitment, and so we do not specify -the SPKI values in the default configuration, even though they are available. +This should be specified ONLY if the upstream resolver has committed to maintaining +the pinset. diff --git a/net/stubby/files/stubby.conf b/net/stubby/files/stubby.conf index f722a43046ae6..85534949f343e 100644 --- a/net/stubby/files/stubby.conf +++ b/net/stubby/files/stubby.conf 
@@ -14,53 +14,53 @@ config stubby 'global' # option dnssec_trust_anchors '/var/lib/stubby/getdns-root.key' option edns_client_subnet_private '1' option idle_timeout '10000' - option round_robin_upstreams '1' + option round_robin_upstreams '0' list listen_address '127.0.0.1@5453' list listen_address '0::1@5453' # option log_level '7' # option command_line_arguments '' - # option tls_cipher_list 'EECDH+AESGCM:EECDH+CHACHA20' - # option tls_ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256' - # option tls_min_version '1.2' + # option tls_cipher_list 'EECDH+CHACHA20:EECDH+AESGCM' + option tls_ciphersuites 'TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256' + option tls_min_version '1.3' # option tls_max_version '1.3' # Upstream resolvers are specified using 'resolver' sections. config resolver - option address '2606:4700:4700::1111' - option tls_auth_name 'cloudflare-dns.com' + option address '2620:fe::fe' + option tls_auth_name 'dns.quad9.net' # option tls_port 853 - # list spki 'sha256/yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=' - # option tls_cipher_list 'EECDH+AESGCM:EECDH+CHACHA20' - # option tls_ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256' + # list spki '' + # option tls_cipher_list 'EECDH+CHACHA20:EECDH+AESGCM' + # option tls_ciphersuites 'TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256' # option tls_min_version '1.2' # option tls_max_version '1.3' config resolver - option address '2606:4700:4700::1001' - option tls_auth_name 'cloudflare-dns.com' + option address '2620:fe::9' + option tls_auth_name 'dns.quad9.net' # option tls_port 853 - # list spki 'sha256/yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=' - # option tls_cipher_list 'EECDH+AESGCM:EECDH+CHACHA20' - # option tls_ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256' + # list spki '' + # option tls_cipher_list 
'EECDH+CHACHA20:EECDH+AESGCM' + # option tls_ciphersuites 'TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256' # option tls_min_version '1.2' # option tls_max_version '1.3' config resolver - option address '1.1.1.1' - option tls_auth_name 'cloudflare-dns.com' + option address '9.9.9.9' + option tls_auth_name 'dns.quad9.net' # option tls_port 853 - # list spki 'sha256/yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=' - # option tls_cipher_list 'EECDH+AESGCM:EECDH+CHACHA20' - # option tls_ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256' + # list spki '' + # option tls_cipher_list 'EECDH+CHACHA20:EECDH+AESGCM' + # option tls_ciphersuites 'TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256' # option tls_min_version '1.2' # option tls_max_version '1.3' config resolver - option address '1.0.0.1' - option tls_auth_name 'cloudflare-dns.com' + option address '149.112.112.112' + option tls_auth_name 'dns.quad9.net' # option tls_port 853 - # list spki 'sha256/yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=' - # option tls_cipher_list 'EECDH+AESGCM:EECDH+CHACHA20' - # option tls_ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256' + # list spki '' + # option tls_cipher_list 'EECDH+CHACHA20:EECDH+AESGCM' + # option tls_ciphersuites 'TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256' # option tls_min_version '1.2' # option tls_max_version '1.3' diff --git a/net/stubby/files/stubby.yml b/net/stubby/files/stubby.yml index b935f3169fc7b..c52569a0ab86c 100644 --- a/net/stubby/files/stubby.yml +++ b/net/stubby/files/stubby.yml 
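Review bot: The four commented per-resolver examples still read `# option tls_min_version '1.2'` while the global setting is now `option tls_min_version '1.3'`; since the README in this same change states that a per-resolver value overrides the global one, a user who uncomments a resolver block as-is silently lowers that upstream's TLS floor back to 1.2. Change each of them to `# option tls_min_version '1.3'` (or drop the line) so the examples agree with the enforced default. The `# list spki ''` placeholders also lose the `sha256/<base64>` form the README documents for pins; a placeholder such as `# list spki 'sha256/<base64-SPKI-hash>'` tells the reader what shape a real pin value must have. With `round_robin_upstreams '0'` the resolvers are used as an ordered list, so on an IPv4-only device the two IPv6 entries presumably have to fail over before `9.9.9.9` is reached — a comment above the first `config resolver` noting that section order now matters would help.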
@@ -1,25 +1,476 @@ -# Note: by default on OpenWRT stubby configuration is handled via +# Note: By default, OpenWrt's stubby configuration is handled by # the UCI system and the file /etc/config/stubby. If you want to # use this file to configure stubby, then set "option manual '1'" # in /etc/config/stubby. + +################################################################################ +######################## STUBBY YAML CONFIG FILE ############################### +################################################################################ +# This is a yaml version of the stubby configuration file (it replaces the +# json based stubby.conf file used in earlier versions of getdns/stubby). +# +# For more information see +# https://dnsprivacy.org/wiki/display/DP/Configuring+Stubby +# +# This format does not fully support all yaml features - the restrictions are: +# - the outer-most data structure must be a yaml mapping +# - mapping keys must be yaml scalars +# - plain scalars will be converted to json unchanged +# - non-plain scalars (quoted, double-quoted, wrapped) will be interpreted +# as json strings, i.e. double quoted. +# - yaml tags are not supported +# - IPv6 addresses ending in :: are not yet supported (use ::0) +# +# Also beware that yaml is sensitive to the indentation at the start of each +# line so if you encounter errors when parsing the config file then please check +# that. We will add better checking but a useful online tool to check yaml +# format is here (it also converts yaml to json) +# https://yaml-online-parser.appspot.com/ +# +# Note that we plan to introduce a more compact format for defining upstreams +# in future: https://github.com/getdnsapi/stubby/issues/79 + +################################### LOGGING #################################### +# Define at which level messages will be logged to stdout. 
Can be one of: +# GETDNS_LOG_EMERG, GETDNS_LOG_ALERT, GETDNS_LOG_CRIT, GETDNS_LOG_ERR, +# GETDNS_LOG_WARNING, GETDNS_LOG_NOTICE, GETDNS_LOG_INFO or GETDNS_LOG_DEBUG +# where GETDNS_LOG_EMERG is the least and GETDNS_LOG_DEBUG the most verbose. +log_level: GETDNS_LOG_NOTICE + + +########################## BASIC & PRIVACY SETTINGS ############################ +# Specifies whether to run as a recursive or stub resolver +# For stubby this MUST be set to GETDNS_RESOLUTION_STUB resolution_type: GETDNS_RESOLUTION_STUB -round_robin_upstreams: 1 -appdata_dir: "/var/lib/stubby" + +# Ordered list composed of one or more transport protocols: +# GETDNS_TRANSPORT_UDP, GETDNS_TRANSPORT_TCP or GETDNS_TRANSPORT_TLS +# If only one transport value is specified it will be the only transport used. +# Should it not be available basic resolution will fail. +# Fallback transport options are specified by including multiple values in the +# list. Strict mode (see below) should use only GETDNS_TRANSPORT_TLS. +dns_transport_list: + - GETDNS_TRANSPORT_TLS + +# Selects Strict or Opportunistic Usage profile as described in +# https://datatracker.ietf.org/doc/draft-ietf-dprive-dtls-and-tls-profiles/ +# ONLY for the case when TLS is the one and only transport specified above. +# Strict mode requires that authentication information for the upstreams is +# specified below. Opportunistic may fallback to clear text DNS if UDP or TCP +# is included in the transport list above. 
+# For Strict use GETDNS_AUTHENTICATION_REQUIRED +# For Opportunistic use GETDNS_AUTHENTICATION_NONE tls_authentication: GETDNS_AUTHENTICATION_REQUIRED + +# EDNS0 option to pad the size of the DNS query to the given blocksize +# 128 is currently recommended by +# https://tools.ietf.org/html/draft-ietf-dprive-padding-policy-03 tls_query_padding_blocksize: 128 -edns_client_subnet_private: 1 + +# EDNS0 option for ECS client privacy as described in Section 7.1.2 of +# https://tools.ietf.org/html/rfc7871 +# If you really want to use a resolver that sends ECS (such as Google or one of +# the Quad9 ones) in order to gain better geo-location of content, then be aware +# that this will expose a portion of your IP address in queries to some +# authoritative servers. You will need to configure that server and also set this +# parameter to 0 to fully enable ECS. +edns_client_subnet_private : 1 + +############################# CONNECTION SETTINGS ############################## +# Set to 1 to instruct stubby to distribute queries across all available name +# servers - this will use multiple simultaneous connections which can give +# better performance in most (but not all) cases. +# Set to 0 to treat the upstreams below as an ordered list and use a single +# upstream until it becomes unavailable, then use the next one. +round_robin_upstreams: 0 + +# EDNS0 option for keepalive idle timeout in milliseconds as specified in +# https://tools.ietf.org/html/rfc7828 +# This keeps idle TLS connections open to avoid the overhead of opening a new +# connection for every query. Note that if a given server doesn't implement +# EDNS0 keepalive and uses an idle timeout shorter than this stubby will backoff +# from using that server because the server is always closing the connection. +# This can degrade performance for certain configurations so reducing the +# idle_timeout to below that of that lowest server value is recommended. 
idle_timeout: 10000 + +# Control the maximum number of connection failures that will be permitted +# before Stubby backs-off from using an individual upstream (default 2) +# tls_connection_retries: 2 + +# Control the maximum time in seconds Stubby will back-off from using an +# individual upstream after failures under normal circumstances (default 3600) +# tls_backoff_time: 3600 + +# Specify the location for CA certificates used for verification purposes are +# located - this overrides the OS specific default location. +# tls_ca_path: "/etc/ssl/certs/" + +# Limit the total number of outstanding queries permitted on one TCP/TLS +# connection (default is 0, no limit) +# limit_outstanding_queries: 0 + +# Specify the timeout in milliseconds on getting a response to an individual +# request (default 5000) +# timeout: 5000 + +# Set the acceptable ciphers for DNS over TLS. With OpenSSL 1.1.1 this list is +# for TLS1.2 and older only. Ciphers for TLS1.3 should be set with the +# tls_ciphersuites option. This option can also be given per upstream. +# (default as shown) +# tls_cipher_list: "EECDH+AESGCM:EECDH+CHACHA20" + +# Set the acceptable cipher for DNS over TLS1.3. OpenSSL >= 1.1.1 is required +# for this option. This option can also be given per upstream. +# (default as shown) +tls_ciphersuites: "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256" + +# Set the minimum acceptable TLS version. Works with OpenSSL >= 1.1.1 only. +# This option can also be given per upstream. (default is 1.2) +tls_min_version: GETDNS_TLS1_3 + +# Set the maximum acceptable TLS version. Works with OpenSSL >= 1.1.1 only. +# This option can also be given per upstream. (default is 1.3) +# tls_max_version: GETDNS_TLS1_3 + +################################ LISTEN ADDRESS ################################ +# Set the listen addresses for the stubby DAEMON. This specifies localhost IPv4 +# and IPv6. It will listen on port 53 by default. Use @ to +# specify a different port. 
(Note that due to restrictions within the config
+# file parser, IPv6 address cannot start with `::` )
 listen_addresses:
 - 127.0.0.1@5453
 - 0::1@5453
-dns_transport_list:
- - GETDNS_TRANSPORT_TLS
+
+############################### DNSSEC SETTINGS ################################
+# Require DNSSEC validation. This will withhold answers with BOGUS DNSSEC
+# status and answers that could not be validated (i.e. with DNSSEC status
+# INDETERMINATE). Beware that if no DNSSEC trust-anchor is provided, or if
+# stubby is not able to fetch and validate the DNSSEC trust-anchor itself,
+# (using Zero configuration DNSSEC) stubby will not return answers at all.
+# If DNSSEC validation is required, a trust-anchor is also required.
+# (default is no DNSSEC validation)
+# dnssec: GETDNS_EXTENSION_TRUE
+
+# Stubby tries to fetch and validate the DNSSEC root trust anchor on the fly
+# when needed (Zero configuration DNSSEC), but only if it can store then
+# somewhere. The default location to store these files is the ".getdns"
+# subdirectory in the user's home directory on Unixes, and the %appdata%\getdns
+# directory on Windows. If there is no home directory, or
+# the required subdirectory could not be created (or is not present), Stubby
+# will fall back to the current working directory to try to store the
+# trust-anchor files.
+#
+# When stubby runs as a special system-level user without a home directory
+# however (such as in setups using systemd), it is recommended that an explicit
+# location for storing the trust-anchor files is provided that is writable (and
+# readable) by that special system user.
+appdata_dir: "/var/lib/stubby"
+
+# When Zero configuration DNSSEC failed, because of network unavailability or
+# failure to write to the appdata directory, stubby will backoff trying to
+# refetch the DNSSEC trust-anchor for a specified amount of time expressed
+# in milliseconds (which defaults to two and a half seconds).
+# trust_anchors_backoff_time: 2500
+
+# Specify the location of the installed trust anchor files to override the
+# default location (see above)
+# dnssec_trust_anchors:
+# - "/etc/unbound/getdns-root.key"
+
+
+################################## UPSTREAMS ################################
+# Specify the list of upstream recursive name servers to send queries to
+# In Strict mode upstreams need either a tls_auth_name or a tls_pubkey_pinset
+# so the upstream can be authenticated.
+# The list below includes various public resolvers and some of the available test
+# servers but only has the getdns developer operated upstream enabled by default.
+###############################################################################
+#### Users are recommended to use more than one upstream for robustness #####
+###############################################################################
+# You can enable other resolvers by uncommenting the relevant
+# section below or adding their information directly. Also see this list for
+# other test servers: https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers
+# If you don't have IPv6 then comment then out those upstreams.
+# In Opportunistic mode they only require an IP address in address_data.
+# The information for an upstream can include the following:
+# - address_data: IPv4 or IPv6 address of the upstream
+# port: Port for UDP/TCP (default is 53)
+# tls_auth_name: Authentication domain name checked against the server
+# certificate
+# tls_pubkey_pinset: An SPKI pinset verified against the keys in the server
+# certificate
+# - digest: Only "sha256" is currently supported
+# value: Base64 encoded value of the sha256 fingerprint of the public
+# key
+# tls_port: Port for TLS (default is 853)
+
+# To always use the DHCP resolvers provided by the local network in Opportunistic
+# mode then
+# 1) In the dns_transport_list after TLS add UDP then TCP
+# 2) Change to tls_authentication: GETDNS_AUTHENTICATION_NONE
+# 3) Remove all the upstream_recursive_servers listed below
+
 upstream_recursive_servers:
- - address_data: 2606:4700:4700::1111
- tls_auth_name: "cloudflare-dns.com"
- - address_data: 2606:4700:4700::1001
- tls_auth_name: "cloudflare-dns.com"
- - address_data: 1.1.1.1
- tls_auth_name: "cloudflare-dns.com"
- - address_data: 1.0.0.1
- tls_auth_name: "cloudflare-dns.com"
+############################ DEFAULT UPSTREAM ################################
+####### IPv4 addresses ######
+### Test servers ###
+# The getdnsapi.net server
+# - address_data: 185.49.141.37
+# tls_auth_name: "getdnsapi.net"
+# tls_pubkey_pinset:
+# - digest: "sha256"
+# value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=
+####### IPv6 addresses ######
+### Test servers ###
+# The getdnsapi.net server
+# - address_data: 2a04:b900:0:100::38
+# tls_auth_name: "getdnsapi.net"
+# tls_pubkey_pinset:
+# - digest: "sha256"
+# value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=
+
+
+############################ OPTIONAL UPSTREAMS ###############################
+####### IPv6 addresses #######
+### Anycast services ###
+## Quad 9 'secure' service - Filters, does DNSSEC, doesn't send ECS
+ - address_data: 2620:fe::fe
+ tls_auth_name: "dns.quad9.net"
+ - address_data: 2620:fe::9
+ tls_auth_name: "dns.quad9.net"
+## Quad 9 'secure w/ECS' service - Filters, does DNSSEC, DOES send ECS
+## See the entry for `edns_client_subnet_private` for more details on ECS
+# - address_data: 2620:fe::11
+# tls_auth_name: "dns11.quad9.net"
+# - address_data: 2620:fe::fe:11
+# tls_auth_name: "dns11.quad9.net"
+## Quad 9 'insecure' service - No filtering, does DNSSEC, doesn't send ECS
+# - address_data: 2620:fe::10
+# tls_auth_name: "dns10.quad9.net"
+# - address_data: 2620:fe::fe:10
+# tls_auth_name: "dns10.quad9.net"
+## Cloudflare servers
+## (NOTE: recommend reducing idle_timeout to 9000 if using Cloudflare)
+# - address_data: 2606:4700:4700::1111
+# tls_auth_name: "cloudflare-dns.com"
+# - address_data: 2606:4700:4700::1001
+# tls_auth_name: "cloudflare-dns.com"
+## The Uncensored DNS servers
+# - address_data: 2001:67c:28a4::0
+# tls_auth_name: "anycast.censurfridns.dk"
+# tls_pubkey_pinset:
+####### pin for "deic-ore.anycast.censurfridns.dk RSA"
+# - digest: "sha256"
+# value: 2JjZgBZkfjSjs117vX+AnyKeYzJNM38zwsaxHwStWsg=
+####### pin for "deic-ore.anycast.censurfridns.dk ECDSA"
+# - digest: "sha256"
+# value: UXs8xWXai9ZXBAjDKYDiYl/jbIYtyV/bY2w3F1FFTDs=
+####### pin for "deic-lgb.anycast.censurfridns.dk RSA"
+# - digest: "sha256"
+# value: oDxJrI/lG1Jhl1J7LvapMlYwlHMphZUODvCDBm0nof8=
+####### pin for "deic-lgb.anycast.censurfridns.dk ECDSA"
+# - digest: "sha256"
+# value: iYkCUwXdH7sT8qh26zt+r5dbTySL43wgJtLCTHaSH9M=
+####### pin for "kracon.anycast.censurfridns.dk RSA"
+# - digest: "sha256"
+# value: Clii3HzZr48onFoog7I0ma5QmMPSpOBpCykXqgA0Wn0=
+####### pin for "kracon.anycast.censurfridns.dk ECDSA"
+# - digest: "sha256"
+# value: 6eW98h0+xxuaGQkgNalEU5e/hbgKyUoydpPMY6xcKyY=
+####### pin for "rgnet-iad.anycast.censurfridns.dk RSA"
+# - digest: "sha256"
+# value: sp2Low3+oTsQljNzs3gkYgLRYo7o91t3XGka+pwX//4=
+####### pin for "rgnet-iad.anycast.censurfridns.dk ECDSA"
+# - digest: "sha256"
+# value: /NPc7sIUzKLAQbsvRRhK6Ul3jip6Gi49bxutfrzpsQM=
+## Google
+# - address_data: 2001:4860:4860::8888
+# tls_auth_name: "dns.google"
+# - address_data: 2001:4860:4860::8844
+# tls_auth_name: "dns.google"
+## Adguard Default servers
+# - address_data: 2a00:5a60::ad1:0ff
+# tls_auth_name: "dns.adguard.com"
+# - address_data: 2a00:5a60::ad2:0ff
+# tls_auth_name: "dns.adguard.com"
+## Adguard Family Protection servers
+# - address_data: 2a00:5a60::bad1:0ff
+# tls_auth_name: "dns-family.adguard.com"
+# - address_data: 2a00:5a60::bad2:0ff
+# tls_auth_name: "dns-family.adguard.com"
+## Comcast
+# - address_data: 2001:558:fe21:6b:96:113:151:145
+# tls_auth_name: "dot.xfinity.com"
+### A few unicast test servers ###
+## The Uncensored DNS server
+# - address_data: 2a01:3a0:53:53::0
+# tls_auth_name: "unicast.censurfridns.dk"
+# tls_pubkey_pinset:
+####### pin for "unicast.censurfridns.dk RSA"
+# - digest: "sha256"
+# value: wikE3jYAA6jQmXYTr/rbHeEPmC78dQwZbQp6WdrseEs=
+####### pin for "unicast.censurfridns.dk ECDSA"
+# - digest: "sha256"
+# value: INSZEZpDoWKiavosV2/xVT8O83vk/RRwS+LTiL+IpHs=
+## Fondation RESTENA (NREN for Luxembourg)
+# - address_data: 2001:a18:1::29
+# tls_auth_name: "kaitain.restena.lu"
+# tls_pubkey_pinset:
+# - digest: "sha256"
+# value: 7ftvIkA+UeN/ktVkovd/7rPZ6mbkhVI7/8HnFJIiLa4=
+## dns.neutopia.org
+# - address_data: 2a00:5884:8209::2
+# tls_auth_name: "dns.neutopia.org"
+# tls_pubkey_pinset:
+# - digest: "sha256"
+# value: wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI=
+## NIC Chile
+# - address_data: 2001:1398:1:0:200:1:123:46
+# tls_pubkey_pinset:
+# - digest: "sha256"
+# value: sG6kj+XJToXwt1M6+9BeCz1SOj/1/mdZn56OZvCyZZc=
+## Foundation for Applied Privacy
+# - address_data: 2a02:1b8:10:234::2
+# tls_auth_name: "dot1.applied-privacy.net"
+
+####### IPv4 addresses ######
+### Anycast services ###
+## Quad 9 'secure' service - Filters, does DNSSEC, doesn't send ECS
+ - address_data: 9.9.9.9
+ tls_auth_name: "dns.quad9.net"
+ - address_data: 149.112.112.112
+ tls_auth_name: "dns.quad9.net"
+## Quad 9 'secure w/ECS' service - Filters, does DNSSEC, DOES send ECS
+## See the entry for `edns_client_subnet_private` for more details on ECS
+# - address_data: 9.9.9.11
+# tls_auth_name: "dns11.quad9.net"
+# - address_data: 149.112.112.11
+# tls_auth_name: "dns11.quad9.net"
+## Quad 9 'insecure' service - No filtering, no DNSSEC, doesn't send ECS
+# - address_data: 9.9.9.10
+# tls_auth_name: "dns10.quad9.net"
+# - address_data: 149.112.112.10
+# tls_auth_name: "dns10.quad9.net"
+## Cloudflare 1.1.1.1 and 1.0.0.1
+## (NOTE: recommend reducing idle_timeout to 9000 if using Cloudflare)
+# - address_data: 1.1.1.1
+# tls_auth_name: "cloudflare-dns.com"
+# - address_data: 1.0.0.1
+# tls_auth_name: "cloudflare-dns.com"
+## The Uncensored DNS servers
+# - address_data: 91.239.100.100
+# tls_auth_name: "anycast.censurfridns.dk"
+# tls_pubkey_pinset:
+####### pin for "deic-ore.anycast.censurfridns.dk RSA"
+# - digest: "sha256"
+# value: 2JjZgBZkfjSjs117vX+AnyKeYzJNM38zwsaxHwStWsg=
+####### pin for "deic-ore.anycast.censurfridns.dk ECDSA"
+# - digest: "sha256"
+# value: UXs8xWXai9ZXBAjDKYDiYl/jbIYtyV/bY2w3F1FFTDs=
+####### pin for "deic-lgb.anycast.censurfridns.dk RSA"
+# - digest: "sha256"
+# value: oDxJrI/lG1Jhl1J7LvapMlYwlHMphZUODvCDBm0nof8=
+####### pin for "deic-lgb.anycast.censurfridns.dk ECDSA"
+# - digest: "sha256"
+# value: iYkCUwXdH7sT8qh26zt+r5dbTySL43wgJtLCTHaSH9M=
+####### pin for "kracon.anycast.censurfridns.dk RSA"
+# - digest: "sha256"
+# value: Clii3HzZr48onFoog7I0ma5QmMPSpOBpCykXqgA0Wn0=
+####### pin for "kracon.anycast.censurfridns.dk ECDSA"
+# - digest: "sha256"
+# value: 6eW98h0+xxuaGQkgNalEU5e/hbgKyUoydpPMY6xcKyY=
+####### pin for "rgnet-iad.anycast.censurfridns.dk RSA"
+# - digest: "sha256"
+# value: sp2Low3+oTsQljNzs3gkYgLRYo7o91t3XGka+pwX//4=
+####### pin for "rgnet-iad.anycast.censurfridns.dk ECDSA"
+# - digest: "sha256"
+# value: /NPc7sIUzKLAQbsvRRhK6Ul3jip6Gi49bxutfrzpsQM=
+## Google
+# - address_data: 8.8.8.8
+# tls_auth_name: "dns.google"
+# - address_data: 8.8.4.4
+# tls_auth_name: "dns.google"
+## Adguard Default servers
+# - address_data: 176.103.130.130
+# tls_auth_name: "dns.adguard.com"
+# - address_data: 176.103.130.131
+# tls_auth_name: "dns.adguard.com"
+## Adguard Family Protection servers
+# - address_data: 176.103.130.132
+# tls_auth_name: "dns-family.adguard.com"
+# - address_data: 176.103.130.134
+# tls_auth_name: "dns-family.adguard.com"
+## Comcast
+# - address_data: 96.113.151.145
+# tls_auth_name: "dot.xfinity.com"
+### A few unicast test servers ###
+## The Uncensored DNS servers
+# - address_data: 89.233.43.71
+# tls_auth_name: "unicast.censurfridns.dk"
+# tls_pubkey_pinset:
+####### pin for "unicast.censurfridns.dk RSA"
+# - digest: "sha256"
+# value: wikE3jYAA6jQmXYTr/rbHeEPmC78dQwZbQp6WdrseEs=
+####### pin for "unicast.censurfridns.dk ECDSA"
+# - digest: "sha256"
+# value: INSZEZpDoWKiavosV2/xVT8O83vk/RRwS+LTiL+IpHs=
+## dns.neutopia.org
+# - address_data: 89.234.186.112
+# tls_auth_name: "dns.neutopia.org"
+# tls_pubkey_pinset:
+# - digest: "sha256"
+# value: wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI=
+## Fondation RESTENA (NREN for Luxembourg)
+# - address_data: 158.64.1.29
+# tls_auth_name: "kaitain.restena.lu"
+# tls_pubkey_pinset:
+# - digest: "sha256"
+# value: 7ftvIkA+UeN/ktVkovd/7rPZ6mbkhVI7/8HnFJIiLa4=
+## NIC Chile
+# - address_data: 200.1.123.46
+# tls_pubkey_pinset:
+# - digest: "sha256"
+# value: sG6kj+XJToXwt1M6+9BeCz1SOj/1/mdZn56OZvCyZZc=
+## Foundation for Applied Privacy
+# - address_data: 146.255.56.98
+# tls_auth_name: "dot1.applied-privacy.net"
+
+####### Servers that listen on port 443 (IPv4 and IPv6) #######
+### Test servers ###
+## The getdnsapi.net server
+# - address_data: 185.49.141.37
+# tls_port: 443
+# tls_auth_name: "getdnsapi.net"
+# tls_pubkey_pinset:
+# - digest: "sha256"
+# value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=
+## The getdnsapi.net server (IPv6 address)
+# - address_data: 2a04:b900:0:100::38
+# tls_port: 443
+# tls_auth_name: "getdnsapi.net"
+# tls_pubkey_pinset:
+# - digest: "sha256"
+# value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=
+## dns.neutopia.org
+# - address_data: 89.234.186.112
+# tls_port: 443
+# tls_auth_name: "dns.neutopia.org"
+# tls_pubkey_pinset:
+# - digest: "sha256"
+# value: wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI=
+## dns.neutopia.org
+# - address_data: 2a00:5884:8209::2
+# tls_port: 443
+# tls_auth_name: "dns.neutopia.org"
+# tls_pubkey_pinset:
+# - digest: "sha256"
+# value: wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI=
+### A few unicast test servers ###
+## Foundation for Applied Privacy
+# - address_data: 146.255.56.98
+# tls_port: 443
+# tls_auth_name: "dot1.applied-privacy.net"
+# - address_data: 2a02:1b8:10:234::2
+# tls_port: 443
+# tls_auth_name: "dot1.applied-privacy.net"