Differences

This shows you the differences between two versions of the page.

docs:guide-user:services:dns:stubby [2018/09/13 23:16] – created sindastra
docs:guide-user:services:dns:stubby [2019/04/20 11:41] – links updated vgaetera
Line 1: Line 1:
-====== Stuby ======+====== Stubby ====== 
 +Stubby is an application that acts as a local DNS stub resolver using [[wp>DNS_over_TLS|DNS over TLS]]. 
 +Stubby encrypts DNS queries sent from a client machine to a DoT-provider increasing end user privacy. 
 +Follow [[?do=showtag&tag=DNSCrypt+DoH+DoT|DNS encryption]] to utilize DoT via Stubby.
  
-'Stubby' is an application that acts as a local DNS Privacy stub resolver (using DNS-over-TLS). Stubby encrypts DNS queries sent from a client machine (desktop or laptop) to a DNS Privacy resolver increasing end user privacy.+===== Overview =====
  
-:!: Stubby is in the early stages of development but is suitable for technical/advanced usersA more generally user-friendly version is on the way!+An unprotected setup without Stubby might look like this: 
 + 
 +|**local**|->|**internet**| 
 +|dnsmasq on 53|->|unencrypted dns on 53| 
 + 
 +A setup protected with Stubby will then look like this: 
 + 
 +|**local**|->|**local**|->|**internet**| 
 +|dnsmasq on 53|->|stubby on 5453|->|encrypted dns on 853| 
 + 
 +We'll basically be putting Stubby in between dnsmasq and the internet, leaving most things untouched so that dnsmasq will continue to work in OpenWrt.
  
 ===== Installation ===== ===== Installation =====
  
   opkg update && opkg install stubby   opkg update && opkg install stubby
 +
 +===== Configuration =====
 +
 +Stubby can be configured directly via ''/etc/stubby/stubby.yml'' or via ''/etc/config/stubby'' when using uci. The [[https://github.com/openwrt/packages/blob/master/net/stubby/files/README.md|README]] within the packages repository contains further information.
 +
 +The default listening port for stubby is 5453 (IPv4 and IPv6 on localhost).
 +
 +You can add ''127.0.0.1#5453'' to the list of DNS servers to forward requests to, so that requests will be forwarded to stubby.
 +
 +Make sure your router advertises itself as DNS server through DHCP so that clients will benefit from Stubby.
 +
 +:!: Note that this does not prevent clients in LAN to access unencrypted DNS directly (for example if they ignore the advertised router DNS through DHCP, because of a static DNS setting).
 +
 +To prevent local leaks or delays, make sure stubby is the only server that is being forwarded to, and block TCP and UDP output to port 53 in wan.
 +
 +:!: You might want to add ''/etc/stubby/'' to the list of config files that should be preserved on upgrade / backup!
  
 ===== External Links ===== ===== External Links =====
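Review bot: The added sentence "block TCP and UDP output to port 53 in wan" at the end of the Configuration section can be read as covering only DNS traffic that the router itself originates, while the warning two lines above it is about LAN clients with a static DNS setting reaching unencrypted DNS directly; as worded, the page does not say whether that bypass is closed. State explicitly whether forwarded LAN traffic to port 53 should also be blocked or redirected to the router, and name the direction and zone the rule applies to. The same section tells the reader to add ''127.0.0.1#5453'' "to the list of DNS servers to forward requests to" and to make stubby "the only server that is being forwarded to" without naming the dnsmasq setting or file that holds that list, although the stubby paths are given in full; a pointer to that setting would make both steps actionable.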
  • Last modified: 2023/10/14 06:23
  • by vgaetera